Memory Encryption
Applies to the Jetson AGX Orin series, Jetson Orin NX series, Jetson Orin Nano series, and Jetson AGX Thor series.
The Memory Subsystem (MSS) provides 128-bit AES-XTS encryption functionality for data stored in DRAM to protect secure content from hardware snooping attacks. Write data stored in certain regions of DRAM (MTS, TZ, and GSC carveouts on Jetson Orin and TZ and GSC carveouts on Jetson Thor) is encrypted before reaching the DRAM. Read data is decrypted on its way back from the DRAM before being returned to the requesting client. Except for the increased read latency for decrypting data, this functionality is transparent to software.
A Generalized Security Carveout (GSC) is a type of aperture/carveout with configurable functionality that designates a region of the physical address space. Access from different clients to the region is controlled by registers in the Memory Controller (MC).
Jetson Orin Memory Encryption
On T234, one GSC (GSC38) is configured to cover all of DRAM (typically the physical address range 2GB to 34GB on a 32GB system), and it is set to encrypt all data that comes in and decrypt all data that goes out through the MC/EMC. This configuration is done in MB1, the lowest-level bootloader software, which runs immediately after the BootROM.
The BCT flags enable_nsdram_encryption and enable_blanket_nsdram_carveout are set by default to enable DRAM encryption on the T234 Jetson boards. Setting enable_nsdram_encryption to 1 (with enable_blanket_nsdram_carveout as a don't-care, written x) uses the predefined settings for full-DRAM encryption; setting enable_nsdram_encryption to 0 and enable_blanket_nsdram_carveout to 1 allows the range to be customized through the mb1_bct. Both settings are applied through GSC38. The bootloader (MB1 and/or UEFI) reports that encryption is enabled when the flag(s) are set. The latency of encrypting and decrypting all DRAM traffic is low and should not affect DRAM performance.
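The following is an added Python check, not NVIDIA's tooling, that applies the flag rules above to the text of an mb1 BCT misc file so a build pipeline can confirm the intended encryption mode before flashing. It assumes the flags appear in the `name = <value>;` dts form, and the sample fragments are constructed.

```python
import re

# Constructed sample fragments in the assumed `name = <value>;` dts syntax of an
# mb1 BCT misc file; not copied from any real BSP file.
BCT_FULL = "misc { enable_nsdram_encryption = <1>; enable_blanket_nsdram_carveout = <1>; };"
BCT_CUSTOM = "misc { enable_nsdram_encryption = <0>; enable_blanket_nsdram_carveout = <1>; };"
BCT_OFF = "misc { enable_nsdram_encryption = <0>; enable_blanket_nsdram_carveout = <0>; };"

ENC = "enable_nsdram_encryption"
BLANKET = "enable_blanket_nsdram_carveout"
FLAG_RE = re.compile(r"\b(%s|%s)\s*=\s*<\s*(\d+)\s*>\s*;" % (ENC, BLANKET))


def read_flags(bct_text):
    """Return {flag_name: int} for the two DRAM-encryption flags found in the text."""
    return {name: int(value) for name, value in FLAG_RE.findall(bct_text)}


def nsdram_mode(flags):
    """Map the T234 flag pair to the mode described in the text above.

    enc=1, blanket=x -> "full"     (predefined full-DRAM settings via GSC38)
    enc=0, blanket=1 -> "custom"   (range customized through the mb1_bct)
    enc=0, blanket=0 -> "disabled" (assumed: neither path enables encryption)
    flag missing     -> "default"  (the build default applies; the text says
                                    defaults enable encryption)
    """
    if ENC not in flags or BLANKET not in flags:
        return "default"
    if flags[ENC] == 1:
        return "full"
    if flags[BLANKET] == 1:
        return "custom"
    return "disabled"


def audit_bct(bct_text):
    """Return (mode, findings) so a flashing pipeline can fail on an unexpected mode."""
    mode = nsdram_mode(read_flags(bct_text))
    findings = []
    if mode == "disabled":
        findings.append("non-secure DRAM encryption is off; confirm this is intended")
    if mode == "default":
        findings.append("flag(s) absent from file; the build default will decide")
    return mode, findings


if __name__ == "__main__":
    for label, text in (("full", BCT_FULL), ("custom", BCT_CUSTOM), ("off", BCT_OFF)):
        print(label, audit_bct(text))
```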
T234 DRAM encryption was featured first in release 35.2.1, which was publicly available on January 24, 2023.
Jetson Thor Memory Encryption
On T264, DRAM that is not covered by the TZ and GSC carveouts (non-secure DRAM) can also be configured so that all data coming in is encrypted and all data going out is decrypted on its way through the MC/EMC.
The BCT flag enable_nsdram_encryption is set by default to enable DRAM encryption on the T264 Jetson boards. When the flag is set, the bootloader (MB1 or UEFI) reports that encryption is enabled. The latency of encrypting and decrypting all DRAM traffic is low and unlikely to affect DRAM performance.