Tales from the Crypt: Secure Boot and Disk Encryption on Tegra

“Secure boot” is not one size fits all; rather, there are different implementations on different platforms. For Tegra platforms, secure boot involves a one-time burning of keys into the on-device fuses. We’ll share the lessons learned from turning a board into a lovely paperweight, as well as the reliable approach we used to confidently secure boot into the vendor’s Ubuntu-based OS before creating our own Yocto Project-built OS.

For disk encryption with LUKS and dm-crypt, we extended our approach of testing on the vendor’s OS before moving on to creating our own. The added complexity of unique passphrases derived from disk UUIDs and per-device hardware-derived keys was an interesting challenge. We attempted to stay as close to the vendor’s tools (luks-srv and luks-srv-app) and design as we could, to hopefully future-proof the implementation for newer releases of Linux for Tegra. Extending to A/B flashing for OTA updates (e.g. RAUC or Mender) added further challenges, especially when trying to generalize the approach for the meta-tegra community. The end solution must address the bootloader, initramfs, kernel command line, /etc/crypttab, /etc/fstab and more. Add in the complexity of the partition table layout and flashing tools for Tegra platforms and you are in for a wild ride.
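To make the "passphrase derived from a disk UUID and a per-device hardware key" idea concrete, here is an added illustration that is not part of the abstract and not the vendor's luks-srv code: it assumes HMAC-SHA256 as the key-derivation function, a constructed 32-byte hardware key standing in for whatever the secure world hands the initramfs, and a constructed partition UUID. The point it shows is the binding property: the same hardware key with a different volume UUID, or a different hardware key with the same UUID, yields a different LUKS passphrase, so an encrypted image cannot simply be copied to another unit and unlocked there.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the page): a per-device hardware-derived
# key as the initramfs might receive it from the secure world, and the UUID of
# the LUKS partition that the boot flow has to unlock.
SAMPLE_HW_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_DISK_UUID = "3f2c1a6e-5b7d-4e1f-9a8c-0d2b4e6f8a1c"


def derive_passphrase(hw_key: bytes, disk_uuid: str, context: bytes = b"luks-root") -> str:
    """Derive a LUKS passphrase bound to one device (hw_key) and one volume (disk_uuid).

    HMAC-SHA256 is an assumed KDF choice for this illustration. The UUID is
    normalized (trimmed, lower-cased) so that the same partition always yields
    the same passphrase regardless of how blkid or the partition table prints
    it. The result is lowercase hex, which is safe to feed to cryptsetup on
    stdin without quoting issues.
    """
    if len(hw_key) < 16:
        raise ValueError("hardware-derived key is too short to be credible")
    normalized = disk_uuid.strip().lower().encode("ascii")
    # A context label separates this derivation from any other use of hw_key
    # (for example a different volume role) even if the UUIDs collided.
    message = context + b"\x00" + normalized
    return hmac.new(hw_key, message, hashlib.sha256).hexdigest()


def is_bound_to_device(hw_key: bytes, disk_uuid: str, stored_passphrase: str) -> bool:
    """Constant-time check that a recorded passphrase belongs to this device+volume pair.

    Useful in a provisioning self-test: after first boot, re-derive and compare
    before trusting that the volume will open unattended on the next boot.
    """
    candidate = derive_passphrase(hw_key, disk_uuid)
    return hmac.compare_digest(candidate, stored_passphrase)


if __name__ == "__main__":
    root_pass = derive_passphrase(SAMPLE_HW_KEY, SAMPLE_DISK_UUID)
    other_unit = derive_passphrase(bytes(32), SAMPLE_DISK_UUID)
    print("this device :", root_pass)
    print("other device:", other_unit)
    print("differs     :", root_pass != other_unit)
```

In a real boot flow the hardware key never leaves the initramfs: the derived string is piped straight into `cryptsetup luksOpen` for the UUID named in the kernel command line or /etc/crypttab, and the A/B rootfs slots each get their own UUID and therefore their own passphrase from the same device key.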