Secure Boot

NVIDIA® Jetson™ Linux provides boot security. Secure Boot prevents execution of unauthorized boot code through a chain of trust. The root of trust is on-die BootROM code that authenticates boot code such as the BCT, Bootloader, and warm boot vector using Public Key Cryptography (PKC) keys stored in write-once-read-multiple fuse devices. On Jetson platforms that support a Secure Boot Key (SBK), you can use it to encrypt Bootloader images.

NVIDIA SoCs contain multiple fuses that control different items for security and boot.

The Jetson BSP package contains scripts, tools, and instructions for providing security services during boot.

The root of trust that uses the NVIDIA SoC fuses to authenticate boot code ends at the Bootloader. After this, the current Bootloader (UEFI) uses UEFI’s Security Keys scheme to authenticate its payloads.

To enable UEFI Secure Boot, refer to UEFI Secure Boot.

Note

Jetson Thor series highlights:

  • Supports 16 PKC keys. The PublicKeyHash fuse is the hash of all 16 PKC hashes.

  • The first 15 PKC keys are revocable.

  • Any of the 16 keys can be used to sign a boot image.

  • The authentication scheme is no longer specified in the BootSecurityInfo fuse. It is determined at image signing based on the type of the signing key and is stored into the PCP.

Overall Fusing and Signing Binaries Flow

The Secure Boot process with PKC and SBK requires you to:

  • Generate a PKC key pair.

  • Prepare an SBK key.

  • Prepare Kdk0/Kdk1 keys. (Jetson Thor series only)

  • Prepare K1/K2 keys. (Jetson Orin series only)

  • Prepare EKB.

  • Prepare the Fuse Configuration file.

  • Burn fuses using the fskp_fuseburn.py script with a Fuse Configuration file.

  • Flash the device with secured images (using l4t_initrd_flash.sh with the -u and -v options).

Quick Start Guides

The following Quick Start guides outline the steps to enable Secure Boot on Jetson Thor and Jetson Orin devices. Detailed descriptions for each step are provided after the Quick Start guides.

Jetson Thor

Jetson Orin

Prerequisites for Secure Boot

  • libftdi-dev for USB debug port support.

  • openssh-server package for OpenSSL.

  • Full installation of the latest Jetson Linux release on the host.

  • A USB cable connecting the Jetson device to the host.

  • If necessary, a USB cable that connects the Jetson device’s debug serial port to the host.

Fuses and Security

NVIDIA SoCs contain multiple fuses that control different items for security and boot. Once a fuse bit is set to 1, you cannot change its value back to 0. For example, a fuse value of 1 (0x01) can be changed to 3 (0x03) or 5 (0x05), but not to 4 (0x04) because bit 0 is already programmed to 1.

After the SecurityMode (also known as odm_production_mode) fuse is burned with a value of 0x1, all additional fuse write requests will be blocked.

However, some of the ODM fuses are still writable. For more details, refer to the specific SoC fuses documents.
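The one-way bit rule and the SecurityMode lock described above can be checked before any burn is attempted. The following pre-burn check is an added example, not part of the Jetson BSP or of fskp_fuseburn.py; the fuse name ExampleFuse, the dictionary inputs, and the writable_after_lock set are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class BurnCheck:
    name: str
    status: str      # "ok" | "noop" | "impossible" | "locked"
    new_bits: int    # bits that would be programmed 0 -> 1
    stuck_bits: int  # bits already 1 that the request wants back at 0

def check_burn(current, target, writable_after_lock=frozenset()):
    """Check each requested fuse value against the value read from the device.

    writable_after_lock is an assumed set of ODM fuse names that stay
    writable after SecurityMode is burned; take it from the SoC fuse document.
    """
    locked = bool(current.get("SecurityMode", 0) & 0x1)
    results = []
    for name, want in target.items():
        have = current.get(name, 0)
        stuck = have & ~want   # would need a 1 -> 0 transition
        new = want & ~have     # bits this burn would set
        if stuck:
            status = "impossible"
        elif not new:
            status = "noop"
        elif locked and name not in writable_after_lock:
            status = "locked"
        else:
            status = "ok"
        results.append(BurnCheck(name, status, new, stuck))
    return results

def burn_order(target):
    """Order the request so SecurityMode is written last, since it blocks later writes."""
    return sorted(target, key=lambda name: name == "SecurityMode")

def plan_is_safe(results):
    """A plan is acceptable only if nothing is impossible or locked."""
    return all(r.status in ("ok", "noop") for r in results)

if __name__ == "__main__":
    # Constructed values, not read from any real device. ExampleFuse is hypothetical.
    current = {"ExampleFuse": 0x01, "SecurityMode": 0x0}
    target = {"SecurityMode": 0x1, "ExampleFuse": 0x04}
    for r in check_burn(current, target):
        print(f"{r.name}: {r.status} new=0x{r.new_bits:x} stuck=0x{r.stuck_bits:x}")
    print("order:", burn_order(target))
```

Rejecting the whole plan when any entry is impossible or locked matters because a burned bit cannot be reverted, so a partially applied configuration cannot be corrected afterwards.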

To burn fuses, you can use the fskp_fuseburn.py script with a fuse configuration file.

The fuse configuration file is an XML file that contains the fuse data to be burned.