From Fresh to Secure
Tutorial: Securing a Platform from Scratch: Step-by-Step Guide
This tutorial walks you through all the steps required to secure your embedded platform from a fresh system install, using the RidgeRun Platform Security Manual as a reference.
A secure platform follows a similar structure to the following:

1. Understand the Security Fundamentals
Before implementation, ensure you're familiar with the building blocks of platform security:
- Root of Trust (RoT): Establishes a trusted base for system validation.
- Secure Boot: Ensures only signed, verified code runs at boot.
- Trusted Execution Environment (TEE): Isolates sensitive operations in a secure CPU region.
- Disk Encryption: Keeps data secure at rest.
- Over-the-Air Updates: Keeps the system updated.
For more information on the fundamentals, please check the Platform Security section.
2. Implement Secure Boot
Secure Boot involves a series of steps. It can be considered the longest process when preparing a secure platform. Nevertheless, ensuring secure boot prevents the system from loading software components that have been altered or come from untrusted sources.
The following steps are required for NVIDIA Jetson:
- Generate cryptographic key pairs: it involves creating certificates and generating keys.
- Burn public key hashes into fuses (irreversible): it involves the use of the Factory Secure Key and Expansion Key Provisioning (FSKP) from NVIDIA and burning the fuses.
- Sign bootloaders and OS components with your private key and flash: it involves signing the bootloader, kernel, and device tree.
- Activating UEFI Secure Boot: involving the generation of the UEFI keys and the UEFI payloads.
3. Set Up a Trusted Execution Environment (TEE)
TEE Overview and Setup
- Compile OP-TEE modules and device tree: Enabling OP-TEE allows critical security components to work, from disk encryption to customer's secure apps.
- Integrate it into the build: flashing the board with the new device tree and modules, which integrate necessary parts to leverage OP-TEE.
It provides a hardware-backed, isolated environment for secure operations.
4. Enable Disk Encryption
NVIDIA Jetson Disk Encryption Setup
- Install tools like
cryptsetup
: this tool will help to encrypt the partitions. - Define encrypted partitions (rootfs, data, etc.): select whether a partition should be encrypted or not.
- Generating the EKS image: EKS is a mechanism for securely storing encryption keys, typically used in systems that employ disk or file-level encryption.
- Generate and securely manage encryption keys: generate the keys used to encrypt/decrypt the partitions.
- Implement the changes: the final step is to integrate the changes through flashing.
This ensures your stored data is protected even if the device is compromised.
5. Implement Over-the-Air (OTA) Updates
OTA Security Guide
- Choose and integrate an OTA system (e.g., Mender): the first step is to choose and integrate a method. Mender is used as an example.
- Ensure it supports authentication, rollback, and verification: authentication and rollback are essential since we want to automate the process of updates.
- Integrate with Secure Boot and TEE to maintain trust throughout the update process: the integration with all the platforms to automate the process will help to update the system and mitigate threats.
6. Add Additional Security Layers
Platform Security Extensions
- Implement Trusted Platform Module (TPM) if hardware supports it: TPM provides a way to provision, process, and store keys.
- Add Kiosk Mode to the platform (optional): Restrict the usage of the platform.
If available:
- Use a secure key management system (e.g., kernel keyring).
- Apply IMA (Integrity Measurement Architecture) for file integrity checking.
7. Test and Validate Your Security Setup
- Verify Secure Boot with unauthorized code tests (in progress)
- Test TEE applications and ensure isolation: create an app and integrate it into the system
- Confirm encryption works by examining partition data externally: check the encryption of the partition.
- Simulate OTA updates to verify rollback and signature validation: test some packages to check that OTA is working.
For detailed instructions and platform-specific steps, refer to the full RidgeRun Platform Security Manual.