UEFI Variable Protection

UEFI Variable Protection secures UEFI variables against tampering. This security measure requires a dedicated UEFI variable authentication key, which is user-defined, stored in the EKB, and then flashed onto the EKS partition.

When the system boots into OP-TEE, the user key PTA extracts this key from the EKB. When the system boots into UEFI, UEFI calls the TA, which uses the UEFI variable authentication key to calculate a measurement that verifies the integrity of the UEFI variables. As a result, any tampering with UEFI variables is detectable.

The UEFI Variable Protection implementation includes the UEFI, user key, and the TA:

  • UEFI: Compares the measurements and aborts the boot if an attack is detected.

  • User Key: A user-defined UEFI variable authentication key that is stored in EKB.

  • Trusted Application (TA): Calculates measurements against the UEFI variables using the UEFI variable authentication key.

To activate UEFI Variable Protection, create a unique user key, generate a custom EKB, and enable UEFI Variable Protection during the flashing process.

Prepare the UEFI Variable Authentication Key

  1. Generate a random UEFI variable authentication key (128 bits long) with a random number generator.

  2. Save the output to user_authentication.key in big-endian hex format.
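The two steps above as an added example (not from the NVIDIA guide): a POSIX shell script that draws 128 bits from /dev/urandom, writes them as 32 hex digits to user_authentication.key, and checks the resulting file. It assumes only the standard od and tr utilities and that the key value is the 16 random bytes written in byte order as hex; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Jetson documentation.
# Step 1: generate a random 128-bit key.
# Step 2: save it as hex to user_authentication.key (default output name).

gen_uefi_var_auth_key() {
    out="${1:-user_authentication.key}"
    # 16 random bytes = 128 bits; od -tx1 prints each byte as two hex digits
    # in byte order, -An drops the offset column, tr removes spaces/newlines.
    key=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n') || return 1
    [ "${#key}" -eq 32 ] || return 1
    # The key is a secret that ends up in the EKB: create the file 0600.
    # umask runs in a subshell so the caller's umask is left unchanged.
    (umask 077; printf '%s\n' "$key" > "$out") || return 1
    printf '%s\n' "$out"
}

# Verify a key file holds exactly one 128-bit key: 32 hex digits, nothing else.
check_uefi_var_auth_key() {
    file="$1"
    [ -f "$file" ] || return 1
    content=$(tr -d '\r\n' < "$file")
    case "$content" in
        "")             return 1 ;;   # empty file
        *[!0-9a-fA-F]*) return 1 ;;   # a non-hex character is present
    esac
    [ "${#content}" -eq 32 ]
}
```

Run `gen_uefi_var_auth_key && check_uefi_var_auth_key user_authentication.key` in the directory where you will build the EKB; a non-zero exit from the check means the file is not a usable 128-bit hex key.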

Generate the EKB

  1. Generate the EKB (refer to EKB Generation for more information).

  2. Copy the EKB to the <Linux_for_Tegra>/bootloader folder.

Enable UEFI Variable Protection During the Flashing Process

  1. Issue the following command:

    • For the Jetson AGX Orin series:

      $ sudo ./flash.sh -u <pkc_keyfile> [-v <sbk_keyfile>] --uefi-keys uefi_keys/uefi_keys.conf <target> mmcblk0p1
      
    • For the Jetson Orin NX series and the Orin Nano series:

      $ sudo ./l4t_initrd_flash.sh -u <pkc_keyfile> [-v <sbk_keyfile>] --uefi-keys uefi_keys/uefi_keys.conf jetson-orin-nano-devkit external
      

For more information about pkc_keyfile and sbk_keyfile, refer to Sign and Flash Secured Images.

After flashing is complete, your target will have UEFI Secure Boot and UEFI Variable Protection enabled.