Can we change the signed key of MB1?

Hi,

In https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3231/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Fbootflow_jetson_xavier.html%23
we see that MB1 is signed and encrypted by an NVIDIA-owned key. Can we change the key? What algorithm and key length does the key use?

hello Username1,

it’s by default using zero encrypt for the security flow.
you may enable Secureboot to do the same with your own keys.
thanks

If I use our own key, where is the key stored in the device, and how does the bootrom find this key?

hello Username1,

there’s a loading and authentication flow for MB1, which copies MB1 into SysRAM. MB2 also has a similar flow for authentication, but MB1 copies it into DRAM. after that, BPMP-FW owns the controls. there are hardware crypto security engine key slots for storing SBK, KEK, SSK…etc.

you may access Jetson AGX Xavier Series Module Data Sheet, check [Chapter-1.7.1 Security Controller (TSEC)] for more details.
please also check Tutorials page, expand [Developer Tools] and refer to [Jetson Security and Secure Boot] training video for an overview of security features.
thanks

I did not find the answer in the data sheet. The key used by the bootrom is the same as the key used by MB1 and MB2. I got the details in https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3231/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Fbootloader_secure_boot.html%23. It shows that the public_key_hash and secure_boot_key are in the fuse.