Which files exactly need to be signed during the AGX Orin secure boot process?



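  1. Secure boot
    1.1. Generate the PKC key
    1.2. Generate the PublicKeyHash from the PKC
    1.3. Burn the fuse configuration
    1.4. Sign and flash in one step
  2. UEFI secure boot
    2.1. Generate the PK, KEK, db keys
    2.2. Create uefi_keys.conf
    2.3. Use gen_uefi_default_keys_dts.sh to generate UefiDefaultSecurityKeys.dtbo and the Auth files
    2.4. Specify --uefi-keys uefi_keys.conf when flashing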


./ -u pkc_rsa3k.pem --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit mmcblk0p1


  1. A disassembled or custom "package -> flash" flow.
  2. A custom OTA flow.


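  1. In the secure boot implementation (BootRom verifies UEFI), which files need to be signed? What is the signing method or command?
  2. In the UEFI secure boot implementation (UEFI verifies the OS), which files need to be signed? What is the signing method or command?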


hello jluysf,

PKC for sign: if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images.
KEKs for encryption keys: they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is a 256-bit key file. please use the commands, --KEK* to determine which key encryption key you’re going to fuse.

for Orin series, it supports PKC with RSA-3K only, and 256-bit SBK only;
XML based is validated only for AGX Orin platform. odmfuse uses openssl + tegraopenssl.

you may see-also Topic 266387 for more details of fuse configuration.

Hi JerryChang,

hello jluysf,

you may see-also the binaries under… $OUT/Linux_for_Tegra/bootloader/signed/
it’s tegrasign_v3 for processing, let’s take the mb1 binary as an example,
as you can see… it’ll write A_mb1 partition with the signed/encrypted binary file.

[ 198.1644 ] Writing partition A_mb1 with mb1_t234_prod_aligned_sigheader.bin.encrypt [ 280976 bytes ]
[ 198.1647 ] [................................................] 100%

furthermore, there’re also script files for your reference,
you may check and also for more details.
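
Added example, not part of the original thread or of NVIDIA's tooling: a small parser for the "Writing partition" line format quoted in the reply above, which lists what each partition was written with during a flash. Treating `_sigheader` in the name as "signed" and a `.encrypt` suffix as "encrypted" is an assumption drawn from the single file name in that reply; the `EXAMPLE_*` lines are constructed sample input.

```python
import re

# Line format as quoted in the thread:
# [ 198.1644 ] Writing partition A_mb1 with <file> [ 280976 bytes ]
WRITE_RE = re.compile(
    r"^\[\s*[\d.]+\s*\]\s+Writing partition (?P<partition>\S+) "
    r"with (?P<file>\S+)\s+\[\s*(?P<size>\d+) bytes\s*\]\s*$"
)


def classify(filename):
    """Infer processing from name markers (assumption based on the thread's one example)."""
    return {
        "signed": "_sigheader" in filename,
        "encrypted": filename.endswith(".encrypt"),
    }


def parse_flash_log(text):
    """Return one record per 'Writing partition' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue  # progress bars and unrelated messages
        entry = {"partition": m["partition"], "file": m["file"], "size": int(m["size"])}
        entry.update(classify(m["file"]))
        entries.append(entry)
    return entries


def unsigned_writes(entries):
    """Partitions written with a file whose name carries no signature-header marker."""
    return [e["partition"] for e in entries if not e["signed"]]


# First two lines are quoted from the thread; the EXAMPLE_* lines are constructed.
SAMPLE_LOG = """\
[ 198.1644 ] Writing partition A_mb1 with mb1_t234_prod_aligned_sigheader.bin.encrypt [ 280976 bytes ]
[ 198.1647 ] [................................................] 100%
[ 199.0001 ] Writing partition EXAMPLE_A with example_a_sigheader.bin [ 4096 bytes ]
[ 199.5002 ] Writing partition EXAMPLE_B with example_b.bin [ 1024 bytes ]
"""

if __name__ == "__main__":
    for e in parse_flash_log(SAMPLE_LOG):
        print(f"{e['partition']:<10} {e['file']:<50} signed={e['signed']} encrypted={e['encrypted']}")
    print("no signature marker:", unsigned_writes(parse_flash_log(SAMPLE_LOG)))
```

Run against a saved log from a real flash, the resulting list is a starting point for deciding which artifacts a custom packaging or OTA flow has to sign; confirm it against the files under the `signed/` directory mentioned above.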

Hi JerryChang,


hello jluysf,

instead of PKC, UEFI uses the PK, the KEK, and the db keys.
BTW, have you also referred to the steps in $OUT/Linux_for_Tegra/tools/README_uefi_secureboot.txt?

