Secure Boot Details with PKC Protection

The PKC-protected boot sequence is as follows. The sequence is part of the NVIDIA Secure Solutions infrastructure, which includes:

  • nvimageGen utility—manages the RSA key pairs or EdDSA key and produces secure data that includes the BCT, which can contain the BCT signatures and the public key.
  • PSC ROM—Tegra devices contain a PSC ROM that adds support for the PKC-protected boot sequence.
See the section Signing Algorithms under Secure Boot for details on selecting the PKC algorithm through fuse programming

PKC Secure Boot Requirements

For the PKC-secured boot process to be used, these conditions must be met. These requirements must be implemented in production because secure boot cannot be implemented using OTA onto previously non-secure boot devices.

  • The fused PKC public key hash must be non-zero.
  • The FUSE_BOOT_SECURITY_INFO set to the appropriate algorithm described in Signing Algorithms under Secure Boot
  • The OEM must amend the BCT and the software components with public keys and digital signatures. Use the nvimageGen for this task.
  • The ODM Production Mode, Security Mode, fuse must be burned and it must be the last fuse to be burned.

RSA Validation of the BCT and Boot Loader

The NVIDIA COT verification process that ensures the BCT is from the OEM, is as follows. The BootROM and PSC ROM use this sequence when the conditions in PKC Secure Boot Requirements are satisfied.

Note:

SHA-512 is the hash function used during any RSASSA-PSS operations (signature verification) in the steps below. As recommended by PKCS #1 v2.1: RSA Cryptography Standard, the manufacturer must also use SHA-512 as the same hash function applied to the message. In addition, the salt length used in the RSASSA-PSS signature verification and signature generation is the length of SHA-512 hash.

  1. The BootROM reads the BCT from secondary storage.
  2. The PSC ROM validates the BCT.
    1. Validates the public key by computing SHA-512 hash and comparing it with values in fuses. If they match, the public key is stored in the PKC SE slot for BCT verification.

      The public key as well as the RSASSA-PSS signature S is contained in the BCT.

      Note:

      The public exponent e is assumed to always be 0x10001, so it is not stored.

      For NVIDIA DRIVE AGX Orin, the public key is 3072 bits.

      • The PSC ROM performs a RSASSA-PSS-VERIFY signature verification operation of the BCT using the verified public key. This step validates the RSASSA-PSS signature S of the BCT. If the result of the signature verification step is a valid signature, it continues the secure boot process. If the hash comparison fails, the PSC ROM resets the system and subsequent reboot tries the remaining 4 redundant copies of the BCT that are supported before the boot process gives up and goes to RCM.
        Note:

        Some copies of the BCT may have failed the public key hash compare in the beginning of Step 3, so the number of redundant copies of the BCT still available may be less than the actual number of redundant copies of the BCT written to secondary storage.

  3. The BootROM reads the boot loader from secondary storage.

  4. The PSC ROM validated the boot loader using the RSA public key to verify the boot loader signature.

    1. The RSASSA-PSS signature S gets stored in the beginning of the boot loader image in the generic signature header. The PSC ROM performs a RSASSA-PSS-VERIFY signature verification operation of the boot loader. If the result of the signature verification step is a valid signature, it continues the secure boot process and the chain-of-trust is transferred to the validated boot loader. If the signature verification fails, the PSC ROM resets the system and the BootROM may attempt to load a different boot chain on reboot, depending on Boot Chain operation implemented, or go to RCM. The Boot Chain operation is described in the section Using the Bootloader Recovery Mechanism.
      Note:

      NVIDIA DRIVE AGX Orin: the signature is verified on the image header; where the header embedded the hash value of the bootloader image.

  5. The BootROM locks down security features, clears out state information, and hangs the processor.
  6. The PSC ROM sets the reset vector of the BPMP processor to the next payload start vector and resets the processor to start execution of the next payload.
  7. The boot loader continues the root of trust:
    • Write protects mass storage location of the boot loader and OS.
    • Passes execution to the validated OS image.

EdDSA Authentication of the BCT and Boot Loader

The process for EdDSA authentication is identical to the process described under the section RSA Validation of the BCT and Boot Loader.

Note:

NVIDIA DRIVE AGX Orin:

  • Support is provided for EdDSA operations (signature verification) using SHA-512 hash function.
  • Curve25519 is the elliptic curve supported.

Secured USB Recovery Mode

In DRIVE AGX Orin, the RCM boot flow has been merged with the normal cold boot flow. The RCM payloads are used by BootROM and PSC-ROM instead of images from secondary storage. The payload ordering and flow is described in RSA Validation of the BCT and Boot Loader for RSA and EdDSA Validation of the BCT and Boot Loader for EdDSA.