Jump to content

RidgeRun Platform Security Manual/Getting Started/Secure Boot: Difference between revisions

RidgeRun Platform Security Manual/Getting Started/Secure Boot (view source)

Revision as of 16:50, 20 March 2025

5,365 bytes added ,  20 March
no edit summary
Visual
No edit summary
Line 363: Line 363:
</syntaxhighlight>
</syntaxhighlight>


With the fuse data generated, we can proceed with the encryption of it. In this process we will also activate the decryption of the fuse blob (fuse data encrypted) and the fuse burning in the board.
With the fuse data generated, we can proceed with the encryption of it. In this process we will also activate the decryption of the fuse blob (fuse data encrypted) and the fuse burning in the board. To generate the fuse blob use the following command:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ./fskp_fuseburn.py -b -f ~/work/devdir/security-features-RnD/nvidia-jetson4/Linux_for_Tegra/keys/fuse_config.xml -i 63 --key-exp fskp_ak.bin fskp_ek.bin --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B ~/work/devdir/security-features-RnD/nvidia-jetson4/Linux_for_Tegra/jetson-orin-nano-devkit.conf --board-spec orinnano-board-spec.txt -v
sudo ./fskp_fuseburn.py -b -f ~/nvidia-jetson/Linux_for_Tegra/keys/fuse_config.xml -i 63 --key-exp fskp_ak.bin fskp_ek.bin --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B ~/work/devdir/security-features-RnD/nvidia-jetson4/Linux_for_Tegra/jetson-orin-nano-devkit.conf --board-spec orinnano-board-spec.txt -v
</syntaxhighlight>
</syntaxhighlight>
* -b: Performs fuse burning. In this command, this option is used to generate a real fuse blob but the next command is the one used for actually burning the fuses.
* -f ~/nvidia-jetson/Linux_for_Tegra/keys/fuse_config.xml: specifies the fuse configuration file to generate the fuse blob.
* -i 63: Specifies the key index. This is used to select the key from the internal ROM to decrypt the information. The expansion keys are generated from this key by the NVIDIA representative, and they are the "public key " in this case and the key from the internal ROM is the private one. Key index 63 is used in this case because this is a key for debugging purposes but behaves equally to the one used for production purposes, which is key 62. 
* --key-exp fskp_ak.bin fskp_ek.bin: Specifies the expansion keys.
* --fskpcfg fskp_conf.txt: Specifies the fskp configuration file that has the expansion keys string. This file is included with the expansion keys sent by the NVIDIA representative.
* -g out/: Specifies the output directory for the fuse blob.
* -c 0x23: Specifies the chip id, which for Jetson Orin SoCs is 0x23.
* -B ~/nvidia-jetson/Linux_for_Tegra/jetson-orin-nano-devkit.conf: Specifies the board configuration file. It is already in the Linux_for_Tegra folder. Choose according to the board you are using.
* --board-spec orinnano-board-spec.txt: Specifies the board specification file previously edited.
The output should look similar to the following:
<syntaxhighlight lang="bash">
FSKP execution started 2025-03-14 12:59:55.523192
fskp_fuseburn.py script version 0.2
Parsing input arguments
fskp_fuseburn.py script version 0.2
Parsing input arguments
Setting up default paths
Setup host environment
fskp enviroment internal: False
Creating t234 fuse blob
.
.
.
Not burning fuses, exiting...
FSKP execution successful
FSKP execution time 0:00:09.341467
</syntaxhighlight>
You should get the successful message at the end of the command's output. To actually burn the fuses run the following command.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ./fskp_fuseburn.py --board-spec orinnano-board-spec.txt -P ./out -b -c 0x23 -B ~/work/devdir/security-features-RnD/nvidia-jetson4/Linux_for_Tegra/jetson-orin-nano-devkit.conf
sudo ./fskp_fuseburn.py --board-spec orinnano-board-spec.txt -P ./out -b -c 0x23 -B ~/work/devdir/security-features-RnD/nvidia-jetson4/Linux_for_Tegra/jetson-orin-nano-devkit.conf
</syntaxhighlight>
</syntaxhighlight>
The option added in this command is the -P option. It has the argument out/ and it is used to specify that it is no required to generate a new folder with the fuse blob but to use the out directory, that already has it. You should get an output like the following:
<syntaxhighlight lang="bash">
FSKP execution started 2025-03-14 13:43:33.137784
fskp_fuseburn.py script version 0.2
Parsing input arguments
fskp_fuseburn.py script version 0.2
Parsing input arguments
Setting up default paths
Setup host environment
Found NVIDIA device ID 0x7523
Getting target details
BR_CID: 0x80012344705DE5196C000000100102C0
ECID: 0x4705DE5196C000000100102C0
WARNING!! Burning Fuses option is selected, this operation is permanent and irreversible
if you are not sure, try with --test or -t command line option
do you want to continue burning fuses (Yes/No) yes
Downloading FSKP blob to target
WARNING!! Target will automatically reset once burning fuses is complete.
          If you are going to continue doing secure NOR provisioning, please DO NOT power off the system
FSKP execution successful
FSKP execution time 0:00:07.774871
</syntaxhighlight>
It asks if you are sure about the operation because it is irreversible, write yes if you are. If you have the UART output from the board You should look for the following messages:
<syntaxhighlight lang="bash">
I> Task: Burn fuses                                                                       
I> Index : 1    PublicKeyHash    size: 64                                                 
I> Index : 2    SecureBootKey    size: 32                                                 
I> Index : 3    BootSecurityInfo    size: 4                                               
I> Fuse Blob found                                                                       
I>                                                                                       
I> Burning fuses                                                                         
I> 1. Start PublicKeyHash burn                                                           
I> 1. PublicKeyHash burnt successfully                                                   
W> No handling of CRC-32 for PublicKeyHash                                               
I>                                                                                       
I> 2. Start SecureBootKey burn                                                           
I> 2. SecureBootKey burnt successfully                                                   
W> No handling of CRC-32 for SecureBootKey                                               
I>                                                                                       
I> 3. Start BootSecurityInfo burn                                                         
I> 3. BootSecurityInfo burnt successfully                                                 
W> No handling of CRC-32 for BootSecurityInfo                                             
I>                                                                                       
I> Successfully burnt fuses as per fuse info
</syntaxhighlight>
Secure boot is succesfully enabled. From now on, all the images and boot codes you load to the board have to be signed with the private keys created in this process.


=== UEFI Secure Boot ===
=== UEFI Secure Boot ===
Chidalgo
168

edits

Retrieved from "https://developer.ridgerun.com/wiki/index.php/Special:MobileDiff/64757"
Cookies help us deliver our services. By using our services, you agree to our use of cookies.