Attempting to burn fuses on board (Jetson Xavier NX)

I am attempting to burn the PKC, SBK, and KEK2 fuses with the following command:

sudo ./ -i 0x21 -k <PKC_file> -S <SBK_file> --KEK2 <KEK2_file> jetson-xavier-nx-devkit-emmc

I was able to generate the PKC_file with the following command:

openssl genrsa -out rsa_priv.pem 2048

But how do I generate the SBK_file and KEK2_file? Can you please provide an example so that I know how these files are formatted?

hello dcapers44,

you’re assign incorrect chip-id for Jetson Xavier NX,
please refer to the readme file of the secureboot, the <chip_id> is 0x19 for Jetson Xavier NX.

here’s documentation, Secureboot

0x19 … You are correct. That is what I had as my command for Jetson Xavier NX.

But what about the SBK_file and KEK2_file… do I just populate these files with any data as it in Hex format like the following:

0x01234567 0x89abcdef 0xfedcba98 0x76543210

Is this correct for SBK, KEK0, KEK1, and KEK2? I am trying to make sure before I burn the fuses … because irversisable …

hello dcapers44,

please also check the tables describe user-programmable fuses related to Secureboot.
for example,
Software and configuration fuses related to Secureboot for Jetson Xavier NX and Jetson AGX Xavier series (T194) and Jetson TX2 series (T186)

it’s correct you should ensure you’re doing right before fuse the board.
you may also include --noburn options to prepares the fuse blob.
or, you could use --test options to prevents the script from actually burning fuses.

I don’t think you are answering my main question. What should the contents of the following files: SBK, KEK0, KEK1, and KEK2?

It would be very helpful if you can provide an example.

hello dcapers44,

you must prepare SBK fuse bits if you wish to encrypt bootloader (and TOS).
please create the key by yourself, it’s using HEX format, with four 32-bit words.
for example,
the contents in sbk.key key file is… 0x123456789abcdef0fedcba9876543210
KEKs also doing the same as SBK key, KEKs are 128-bit number stored in a file in big-endian HEX format.

please check the documentation, Secureboot for more details.

Ok… I think I get it… but to be clear do all the key files (SBK and KEK[0…2]) contents are …


and not

0x12345678 0x9abcdef0 0xfedcba98 0x76543210

The documentation for Secureboot shows both representations but is not clear which one to use…

hello dcapers44,

it’s in the documentation to represent keys in four 32-bit words.

Sorry, but I don’t want to keep going back and forth over the same thing. So should the files can the format:

A) 0x123456789abcdef0fedcba9876543210


B) 0x12345678 0x9abcdef0 0xfedcba98 0x76543210

Does it matter which format I put the files in?

hello dcapers44,

I’m used (B) for verification, but both of them are supported key formats.

Thank you for clearing that up.

Another quick question.

For the following command:
$ sudo ./ -u <pkc_keyfile> -v <sbk_keyfile> --user_key <user_keyfile> jetson-xavier-nx-devkit mmcblk0p1

What is the user_keyfile? Is this the same key file as KEK2_file that I burn into KEK2 fuses?

The following command is what I use to burn fuses on the board:
sudo ./ -i 0x19 -k <PKC_file> -S <SBK_file> --KEK2 <KEK2_file> jetson-xavier-nx-devkit

hello dcapers44,

those were fuses that are handled by user, here’s a session to Preparing the User Key.

hello dcapers44,

note, Jetson security only support with eMMC version,
you cannot enable Secureboot on Jetson Xavier NX devkits (i.e. SD card version),

since fuse programming is non-reversible, you may broken your Xavier NX devkit if you enable that.
please also refer to Topic 158361 as see-also.

1 Like