Memory Encryption

The Memory Subsystem (MSS) provides 128-bit AES-XTS encryption functionality for data stored in DRAM to protect secure content from hardware snooping attacks. Write data stored in certain regions of DRAM (MTS, TZ, VPR, and GSC carveouts) is encrypted before this data reaches the DRAM. Read data is decrypted on the way back from the DRAM, before being returned to the requesting client. Except for the increased read latency for decrypting data, this functionality is transparent to software.

A Generalized Security Carveout (GSC) is a type of aperture/carveout with configurable functionality that designates a region of the physical address space. Access from different clients to the region are controlled by registers in the Memory Controller (MC).

A T234 GSC (GSC38) is configured to cover all of DRAM (typically 2GB to 34GB on a 32GB system), and it is set to encrypt all data that comes in and decrypt all data that goes out through the MC/EMC. These processes are completed in MB1, which is the lowest level bootloader software that runs immediately after the BootROM.

BCT flags (enable_nsdram_encryption and enable_blanket_nsdram_carveout) are set by default to enable DRAM encryption on the T234 Jetson boards. Setting enable_nsdram_encryption to 1 and enable_blanket_nsdram_carveout to x uses the predefined settings for full, and setting enable_nsdram_encryption to 0 and enable_blanket_nsdram_carveout to 1 customizes the range through the mb1_bct. Both settings occur through GSC38. The bootloader (MB1 and/or UEFI) will report encryption is enabled when the flag(s) are set. The latency in encrypting/decrypting all DRAM traffic is low and should not affect DRAM performance.

T234 DRAM encryption was featured first in release 35.2.1, which was publicly available on January 24, 2023.