Understanding Security

Note: RPMB is not supported on eMMC or UFS storage for DRIVE OS 6.0. Any data that requires RPMB protection must be on the SPI-NOR device, which does support RPMB.

NVIDIA DRIVE® OS security services ensure the confidentiality of critical system secrets such as root keys and other device configuration information. They also give user-space applications running in the Guest OS the ability to offload cryptographic operations onto SoC security hardware. These services rely on the isolation provided by the virtualization system.

This section describes the functionality and possible customization for these security services and is broadly divided into subsections.

Refer to the appropriate subsection for detailed information on the various services:

Acronyms and Abbreviations

The following acronyms are used throughout this section.

| Term | Definition |
|---|---|
| ATF | ARM Trusted Firmware |
| BCT | Boot Configuration Table |
| BDT | Boot Device Tree |
| BR | BootROM |
| BR-BCT | BootROM Boot Configuration Table |
| CA | Client Applications |
| CBC | Cipher Block Chaining |
| CMAC | Cipher-based Message Authentication Code, a block cipher-based message authentication code algorithm |
| EKS | Encrypted Key Store |
| GP API | Global Platform Application Programming Interface |
| HW | Hardware |
| JTAG | Joint Test Action Group; IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture |
| KEK | Key Encryption Key |
| KROM | The Key ROM (KROM for short) primarily contains two types of keys: wrapped symmetric keys, and the public component of asymmetric RSA keys (exponent only) |
| ODM | Original Design Manufacturing |
| OEM | Original Equipment Manufacturer |
| OpenSSL | A general-purpose cryptography library that provides an open source implementation of the Secure Sockets Layer protocol |
| OS | Operating System |
| OSC | Oscillator |
| OTA | Over-the-Air |
| PCT | Platform Configuration Table |
| PKC | Public Key Cryptography |
| PolarSSL | Also known as ARM-mbed |
| REE | Rich Execution Environment |
| PSC | Platform Security Controller |
| ROM | Read-only Memory |
| RPMB | Replay Protected Memory Block |
| RSA | An encryption mechanism that uses public and private keys |
| RSASSA-PSS | RSA Signature Scheme with Appendix - Probabilistic Signature Scheme (cryptography) |
| SBK | Secure Boot Key |
| SDK/PDK | Software Development Kit / Platform Development Kit |
| SDRAM | Synchronous Dynamic Random Access Memory |
| SE | Security Engine Hardware |
| SS | Secure Storage |
| TA | Trusted Applications |
| TEE | Trusted Execution Environment |
| TOS | Trusted Operating System |
| TSC | Tegra Secure Counter |
| UID | Unique Identification |
| UUID | Universal Unique Identification |
| VM | Virtual Machine |