Security
This topic describes security features of NVIDIA® Jetson™ Linux. Below are the subtopics:
Secure Boot describes Secure Boot, a feature which ensures that the Jetson Linux boot process cannot be redirected or compromised.
Factory Secure Key Provisioning describes FSKP, a technique to securely burn fuses on the factory floor.
OP-TEE describes the Open Portable Trusted Execution Environment, a TEE provided with Jetson Linux.
Disk Encryption describes the Jetson Linux implementation of Linux Unified Key Setup (LUKS), the Linux standard for disk encryption.
Secure Storage describes Secure Storage, a feature that provides a solution to ensure the general-purpose data and key material can be stored securely.
Rollback Protection describes Rollback Protection, a feature that prevents a computing system from being downgraded (rolled back) from a later version to an earlier one.
PVA Authentication describes the Authentication feature for software that executes on the PVA.
- Secure Boot
- Overall Fusing and Signing Binaries Flow
- Prerequisites Secure Boot
- Fuses and Security
- Fuse Configuration File
- Prepare an SBK key
- Prepare K1/K2 keys
- Prepare EKB
- Prepare the Fuse Configuration file
- Burn Fuses with the Fuse Configuration file
- Read Fuses through the Linux kernel
- Sign and Flash Secured Images
- Revocation of the PKC Keys
- UEFI Secure Boot
- UEFI Payload Encryption
- UEFI Variable Protection
- UEFI Platform Vendor Key Feature
- Kernel Module Signing
- Factory Secure Key and Expansion Key Provisioning
- Requesting FSKP Expansion Keys
- Generating and Verifying the Self-Signed X.509 Certificate
- Content of the Results.zip File
- An Example: Preparing the Encrypted and Signed Blob at HSM
- An Example: Using the Encrypted and Signed Blob at the Factory
- Using the fskp_fuseburn.py File to Burn Fuses
- Preparing an Encrypted and Signed Blob
- Burning Fuses in the Factory
- OP-TEE: Open Portable Trusted Execution Environment
- Disk Encryption
- Quick Guide
- Setup Preparation
- Details of Operation
- The Threat Model
- Disk Encryption Implementation in Jetson Linux
- Layout of an Encrypted Disk
- How to Create File System Images
- Creating an Encrypted Rootfs on the Host
- How to Flash an Encrypted Rootfs to an External Storage Device
- To Enhance initrd to Unlock an Encrypted Rootfs
- To modify initrd to unlock additional encrypted file systems
- Enabling Disk Encryption Only for UDA
- Enabling Disk Encryption for Dynamically Created Partitions
- Modifying /opt/nvidia/cryptluks to Unlock Previously Created and Encrypted File Systems
- Summary
- Manufacturing process
- Secure Storage
- Rollback Protection
- Memory Encryption
- PVA Authentication