Secure Storage

Applies to the Jetson AGX Thor series, Jetson AGX Orin series, the Jetson Orin NX series, and the Jetson Orin Nano series.

Secure Storage in Jetson Linux

The Jetson Linux implementation of Secure Storage is provided by OP-TEE. Secure Storage stores general-purpose data and key material, and it guarantees the confidentiality and integrity of the stored data and the atomicity of the operations that modify the storage. Atomicity means that either the entire operation completes successfully or no write is done.

Hardware Unique Key (HUK)

The HUK is the root key for deriving Secure Storage keys. For more information about HUK in OP-TEE, refer to Hardware Unique Key in the OP-TEE documentation.

Jetson Linux supports a HUK implementation for the Jetson Orin series and the Jetson AGX Thor series. The HUK generation flow depends on the platform.

Warning

Changing the HUK KDF algorithms or parameters can break compatibility between components that derive or consume secure storage keys. If you must change them, coordinate updates across all producers and consumers, document and test a migration plan, version the new key derivation flow, and be aware that previously stored data might become unreadable without migration.

For the Jetson Orin Series

OP-TEE derives the HUK from the OEM K1 with the following formulas:

  • HUK_RK = AES-ECB-ENC(<fuse-key>, <fv>)

    • <fuse-key> is the OEM_K1 fuse key.

    • <fv> is the fixed vector with the following value:

      static uint8_t fv_for_huk_rk[] = {
              0x89, 0x49, 0xb3, 0xe0, 0x65, 0xeb, 0x58, 0x85,
              0x16, 0x39, 0x22, 0x24, 0x66, 0xe1, 0x48, 0x65
      };
      
  • HUK = NIST-SP-800-108(<key>, <context>, <label>)

    • <key> is the HUK_RK.

    • <context> is the ECID of the Jetson Orin device.

    • <label> is “tee-hw-unique-key”.

For the Jetson AGX Thor Series

OP-TEE derives the HUK from the TZ root key (TZ_RK) with the following formulas:

  • HUK_RK = HMAC-SHA256-KDF(<key>, <label>, <context>)

    • <key> is the TZ_RK.

    • <label> is “TEGRA_HUK_RK_LABEL”.

    • <context> is the ECID of the Jetson Thor device.

  • HUK = HMAC-SHA256-KDF(<key>, <label>, <context>)

    • <key> is the HUK_RK.

    • <label> is “TEGRA_HUK_LABEL”.

    • <context> is “TEGRA_HUK_CONTEXT”.

For more information about TZ_RK and the Jetson AGX Thor series key hierarchy, refer to EKB Key Hierarchy and Derivation.
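The two-stage Thor derivation above, and the effect described in the earlier warning about changing KDF parameters, can be reproduced with the following added example, which is not NVIDIA or OP-TEE code. It assumes that HMAC-SHA256-KDF is the NIST SP 800-108 counter-mode construction with the framing shown in the docstring; the page does not state the exact encoding, and the key, ECID values, and "_V2" strings are constructed for illustration.

```python
import hashlib
import hmac


def hmac_sha256_kdf(key: bytes, label: bytes, context: bytes, out_len: int = 32) -> bytes:
    """NIST SP 800-108 counter-mode KDF with HMAC-SHA256 as the PRF.

    Assumed framing (not stated on this page), all integers big-endian:
    [i]_32 || label || 0x00 || context || [L]_32, where L is the output size in bits.
    """
    l_bits = (out_len * 8).to_bytes(4, "big")
    out = b""
    counter = 1
    while len(out) < out_len:
        msg = counter.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def derive_thor_huk(tz_rk: bytes, ecid: bytes,
                    rk_label: bytes = b"TEGRA_HUK_RK_LABEL",
                    huk_label: bytes = b"TEGRA_HUK_LABEL",
                    huk_context: bytes = b"TEGRA_HUK_CONTEXT") -> bytes:
    """Two-stage flow from the page: TZ_RK -> HUK_RK (bound to ECID) -> HUK."""
    huk_rk = hmac_sha256_kdf(tz_rk, rk_label, ecid)
    return hmac_sha256_kdf(huk_rk, huk_label, huk_context)


# Constructed sample values, not real key material or device IDs.
SAMPLE_TZ_RK = bytes(range(32))
ECID_A = bytes.fromhex("00112233445566778899aabbccddeeff")
ECID_B = bytes.fromhex("00112233445566778899aabbccddee00")


def compatibility_report() -> dict:
    """For each scenario, report whether the derived HUK still equals the baseline."""
    baseline = derive_thor_huk(SAMPLE_TZ_RK, ECID_A)
    return {  # the "_V2" strings are hypothetical changed parameters
        "same inputs": derive_thor_huk(SAMPLE_TZ_RK, ECID_A) == baseline,
        "different ECID": derive_thor_huk(SAMPLE_TZ_RK, ECID_B) == baseline,
        "changed HUK label": derive_thor_huk(
            SAMPLE_TZ_RK, ECID_A, huk_label=b"TEGRA_HUK_LABEL_V2") == baseline,
        "changed HUK context": derive_thor_huk(
            SAMPLE_TZ_RK, ECID_A, huk_context=b"TEGRA_HUK_CONTEXT_V2") == baseline,
    }


if __name__ == "__main__":
    for scenario, matches in compatibility_report().items():
        print(f"{scenario:20s} HUK matches baseline: {matches}")
```

Only the unchanged inputs reproduce the baseline HUK, which is why data sealed under the old derivation becomes unreadable after a parameter change unless it is migrated.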

Secure Storage Implementations

OP-TEE currently has two Secure Storage implementations. For more information, refer to Secure Storage in the OP-TEE documentation.

REE FS Secure Storage

The REE FS Secure Storage solution relies on the normal world (REE) file system. The default setting of the current Jetson Linux release is to use this solution.

RPMB Secure Storage

The RPMB Secure Storage solution uses the Replay Protected Memory Block (RPMB) partition of an eMMC device. The current Jetson Linux release supports RPMB for the Jetson AGX Orin series, but RPMB is not supported in the Jetson AGX Thor series, the Jetson Orin NX series, or the Jetson Orin Nano series.

RPMB key management has two parts:

  • RPMB key provision: Generate your RPMB key and burn it to the eMMC using your preferred tools. Jetson Linux also supports RPMB key provisioning.

    The Secure Boot document has a detailed description about how to prepare your own Fuse Configuration File for RPMB key provisioning.

  • RPMB key generation in OP-TEE: To create RPMB data frames, an RPMB key is needed in OP-TEE. This key must be exactly the same as the one that was provisioned to the eMMC device. The algorithm to generate the RPMB key in the current Jetson Linux release is as follows:

    RPMB key = AES-CBC(<source>, <key>, <iv>)

    • <source> is the source key for AES encryption. In the current Jetson Linux release, it is

      static uint8_t rollbackkeysrc[TEGRA_SE_AES_BLOCK_SIZE * 2] = {
              0x81, 0x2A, 0x01, 0x43, 0x6B, 0x7C, 0x19, 0xAA,
              0xFF, 0x22, 0x38, 0x82, 0x0A, 0x67, 0x74, 0x08,
              0x30, 0x06, 0xCA, 0x11, 0x41, 0x49, 0x80, 0xED,
              0xE7, 0xBB, 0x61, 0x01, 0x2F, 0x56, 0x9D, 0xD3
      };
      
    • <key> is the AES encryption key. For Jetson AGX Orin, this is a key that is burned into the OEM_K1 fuse.

    • <iv> is the initialization vector. In the current Jetson Linux release, it is the ECID of the Jetson device.

Note

The RPMB key generation in OP-TEE is enabled only when bit 9 (OEM Key Valid) of the BootSecurityInfo fuse is burned.