I am attempting to burn the PKC, SBK, and KEK2 fuses with the following command:
sudo ./odmfuse.sh -i 0x21 -k <PKC_file> -S <SBK_file> --KEK2 <KEK2_file> jetson-xavier-nx-devkit-emmc
I was able to generate the PKC_file with the following command:
openssl genrsa -out rsa_priv.pem 2048
But how do I generate the SBK_file and KEK2_file? Can you please provide an example so that I know how these files are formatted?
you’re assign incorrect chip-id for Jetson Xavier NX,
please refer to the readme file of the secureboot, the <chip_id> is 0x19 for Jetson Xavier NX.
here’s documentation, Secureboot
0x19 … You are correct. That is what I had as my command for Jetson Xavier NX.
But what about the SBK_file and KEK2_file… do I just populate these files with any data as it in Hex format like the following:
0x01234567 0x89abcdef 0xfedcba98 0x76543210
Is this correct for SBK, KEK0, KEK1, and KEK2? I am trying to make sure before I burn the fuses … because irversisable …
please also check the tables describe user-programmable fuses related to Secureboot.
Software and configuration fuses related to Secureboot for Jetson Xavier NX and Jetson AGX Xavier series (T194) and Jetson TX2 series (T186)
it’s correct you should ensure you’re doing right before fuse the board.
you may also include
--noburn options to prepares the fuse blob.
or, you could use
--test options to prevents the script from actually burning fuses.
I don’t think you are answering my main question. What should the contents of the following files: SBK, KEK0, KEK1, and KEK2?
It would be very helpful if you can provide an example.
you must prepare SBK fuse bits if you wish to encrypt bootloader (and TOS).
please create the key by yourself, it’s using HEX format, with four 32-bit words.
the contents in sbk.key key file is…
KEKs also doing the same as SBK key, KEKs are 128-bit number stored in a file in big-endian HEX format.
please check the documentation, Secureboot for more details.
Ok… I think I get it… but to be clear do all the key files (SBK and KEK[0…2]) contents are …
0x12345678 0x9abcdef0 0xfedcba98 0x76543210
The documentation for Secureboot shows both representations but is not clear which one to use…
it’s in the documentation to represent keys in four 32-bit words.
Sorry, but I don’t want to keep going back and forth over the same thing. So should the files can the format:
B) 0x12345678 0x9abcdef0 0xfedcba98 0x76543210
Does it matter which format I put the files in?
I’m used (B) for verification, but both of them are supported key formats.
Thank you for clearing that up.
Another quick question.
For the following command:
$ sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> --user_key <user_keyfile> jetson-xavier-nx-devkit mmcblk0p1
What is the user_keyfile? Is this the same key file as KEK2_file that I burn into KEK2 fuses?
The following command is what I use to burn fuses on the board:
sudo ./odmfuse.sh -i 0x19 -k <PKC_file> -S <SBK_file> --KEK2 <KEK2_file> jetson-xavier-nx-devkit
those were fuses that are handled by user, here’s a session to Preparing the User Key.
note, Jetson security only support with eMMC version,
you cannot enable Secureboot on Jetson Xavier NX devkits (i.e. SD card version),
since fuse programming is non-reversible, you may broken your Xavier NX devkit if you enable that.
please also refer to Topic 158361 as see-also.