secure boot, OTA update

Hi,

I’m working on OTA update for our TX2 device. My current state is the following:

  • No secure boot.
  • Partition APP contains only a Linux kernel and a u-boot script.
  • Another 2 partitions (OS1 and OS2) contain a root filesystem which the u-boot script alternates on update.
  • I can now update APP, kernel, kernel-dtb and OSx partitions.

We need to somehow make the system unreadable. I guess the secure boot can help.

According to this presentation

the cboot loads encrypted ROS - Linux kernel.

Question #1: Can u-boot be the ROS?

My idea is that the u-boot will load encrypted kernel/initrd and it will use LUKS to mount the root filesystem.

Let's assume I can make the u-boot decrypt and verify the kernel/initrd.

Question #2: Is this approach a good solution?

Question #3: What are other options of OTA update with a secure boot?

Thanks.

hello davidygjcp,

The OTA update scheme should follow this order: update OS1 or OS2, then update the u-boot script in APP.
The main reason is that when updating the rootfs, you should update the kernel as well.
The kernel and kernel modules (stored in the rootfs) should always be updated at the same time.

You might follow the steps below.
Step-1. When updating OS1 (or OS2), please also update the kernel image (i.e. /boot/Image).
Step-2. Make sure /boot/extlinux/extlinux.conf contains LINUX pointing to the correct kernel image.
Step-3. Configure U-Boot to load the kernel from OS1 or OS2 instead of APP.

Also, replies to several of your questions follow below.
Thanks.

Question #1: Can u-boot be the ROS?
Here is the boot flow:
nvbootloader → uboot → APP (u-boot script and kernel) → mount OS1 or OS2

The secure boot solution NV provides is mainly authentication (i.e. PKC).
As of l4t-r32.1, we have added encryption support for TX2 and also Xavier (i.e. PKC + SBK).
However, encryption support is only up to cboot; u-boot is currently excluded.

Question #2: Is this approach a good solution?
In theory it is doable.

Question #3: What are other options of OTA update with a secure boot?
We'll have an internal discussion on this item.
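
The A/B ordering from Steps 1 to 3 above, as an added example that is not part of this thread or of NVIDIA's tooling: plain directories stand in for the APP, OS1 and OS2 partitions, a file in APP stands in for the u-boot script's slot choice, and a SHA-256 check stands in for the signature verification a real deployment would do before switching slots. Device paths, file names and the extlinux.conf contents are assumptions.

```shell
#!/bin/sh
# Simulated A/B OTA flow: install kernel + rootfs payload into the inactive
# slot, verify it, and only then flip the slot marker in APP.
# Everything here is constructed for illustration; adapt paths to your board.
set -eu

# Create a fake partition layout under a temp dir; OS1 starts as the active slot.
ota_setup() {
  ROOT=$(mktemp -d)
  mkdir -p "$ROOT/APP" "$ROOT/OS1/boot/extlinux" "$ROOT/OS2/boot/extlinux"
  echo "OS1" > "$ROOT/APP/active_slot"   # stands in for the u-boot script's choice
  printf 'kernel-v1' > "$ROOT/OS1/boot/Image"
  echo "$ROOT"
}

# Print the slot that is NOT currently selected by the APP partition.
inactive_slot() {
  [ "$(cat "$1/APP/active_slot")" = "OS1" ] && echo OS2 || echo OS1
}

# ota_update <root> <payload> <expected_sha256>
# Step-1: write the new kernel image into the inactive rootfs slot.
# Step-2: write an extlinux.conf whose LINUX entry points at that image.
# Step-3: atomically switch the APP marker so U-Boot boots the new slot.
# The hash check gates the whole sequence; a bad payload leaves APP untouched.
ota_update() {
  root=$1; payload=$2; expected=$3
  slot=$(inactive_slot "$root")
  actual=$(sha256sum "$payload" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "payload hash mismatch, refusing to install" >&2
    return 1
  fi
  cp "$payload" "$root/$slot/boot/Image"          # kernel lives with its rootfs
  cat > "$root/$slot/boot/extlinux/extlinux.conf" <<EOF
LABEL primary
  LINUX /boot/Image
EOF
  # Write the new marker to a temp file and rename it so a power cut during
  # the update never leaves APP pointing at a half-written slot.
  echo "$slot" > "$root/APP/active_slot.new"
  mv "$root/APP/active_slot.new" "$root/APP/active_slot"
  echo "$slot"
}
```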

Hi,

thank you for those answers.

>>> however, encryption support is only up to cboot, uboot is now excluded.

Does it mean I can’t have a fully encrypted system because I can’t hide an initial key in the u-boot?

David