Failed to write fuses on Jetson Orin NX 16GB

We have problems with enabling security options with the new Jetson Orin NX 16GB. Our goal is to enable secure boot and disk encryption following NVIDIA's manual (Secure Boot — NVIDIA Jetson Linux Developer Guide).

In order to do this, we have to write some options into the fuse registers. In the old batch we can write to these fuses without any problem. The new batch, however, fails.

After some investigation with some ‘blank’ boards, we discovered that the new batch already has some value in a fuse called BootSecurityInfo, which already enables and disables some security options. This fuse, as said before, is write-once, so we are not able to modify its value. Furthermore, since secure boot and disk encryption are not enabled by the current value, we are not able to enable them.

However, as you can see the new board has a value 0x1e0, where the old one has a value 0x000. The value we have to write according to the documentation is 0x209.

We saw in the topic Question about fuse and flashing that this is a new procedure to deliver the board with 0x01e. We also tried the manual of first writing the image of the QSPI. This still didn’t work.

The log at the moment when writing the fuses is:
I> 1. Start PublicKeyHash burn
I> Fuse is already burned with the same value
I> 1. PublicKeyHash burn skipped
I>
I> 2. Start SecureBootKey burn
E> FUSE: Failed to burn fuse addr: 0x2fe.
E> FUSE: Could not write Fuse: 0x66.
E> FUSE: Could not write Fuse: 0x66.
E> FUSE: Failed burn fuses as per fuse info.
E> FSKP: Failed to burn fuses.
C> Task 0x0 failed (err: 0x62170302)
E> Top caller module: FSKP, error module: FUSE, reason: 0x02, aux_info: 0x03

The public key hash is burned successfully in previous trials. The values we try to write are:







Of course PKH, SBK and SBK are replaced by the actual values. When we read the fuses, only the public key hash is written (with our value), and of course the value of the BootSecurityInfo (0x1E0). The other values are still ‘0’.

Can you help us how to solve this?

Ingo


The XML of the fuse config was removed, so I added this image ;)

Seems we got it to work by combining the info of several forums:
1. Instead of writing 0x209, write 0x3E9 (the OR-ed value of both)
2. Remove line-by-line the ones that fail to write. Seems that those are already written (it is not possible to see the secure boot key and the OEM K1).

Seems that secure boot and encryption is working again…

@nvidia_user_1234, could you please update the xml config on your page so other people will know they have to write a different value for BootSecurityInfo?

hello ingo.wassink,

it’s mentioned in the Jetson Orin Fuse Specification v1.5.
let me recap as below..

FUSE_BOOT_SECURITY_INFO_0

  • Bits [8:4] Reserved (may not be logic 0 by default)

it’s also mentioned in the Jetson Orin Nano HW FAQ.

Q31: FUSE_BOOT_SECURITY_INFO_0 have a pre-fused Boot Security Info value of 0x000001e0.

BOOT_SECURITY_INFO was burned (by manufacturing) to 0x1E0 as default value.
here’s related topic, Question about fuse and flashing - #3 by JerryChang

since they’re “Reserved”, for modules with those reserved bits as 0x0 or 0x1E0, you may program boot_security_info as 0x3E9 directly.
regarding 0x3E9.. you have the correct approach: fuse devices with a BootSecurityInfo value of 0x3E9 (an OR of 0x209 and 0x1E0) for your use-case.
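
The merge discussed in this thread, as an added example (not part of any post and not NVIDIA's tooling): a pre-flight helper that ORs the pre-fused BootSecurityInfo value into the target from the fuse config and refuses the merge when a bit outside the reserved field [8:4] is already burned but absent from the target. The XML layout, the placeholder key values, the function names and passing the current value in as an integer are assumptions.

```python
import xml.etree.ElementTree as ET

# Bits [8:4] of FUSE_BOOT_SECURITY_INFO_0 are "Reserved" per the reply above.
RESERVED_MASK = 0x1F0

# Constructed sample fuse config; layout and placeholder values are assumptions.
SAMPLE_XML = """<genericfuse>
  <fuse name="PublicKeyHash" size="64" value="0xPKH_PLACEHOLDER"/>
  <fuse name="SecureBootKey" size="32" value="0xSBK_PLACEHOLDER"/>
  <fuse name="BootSecurityInfo" size="4" value="0x209"/>
</genericfuse>"""


def merged_burn_value(current: int, wanted: int, reserved: int = RESERVED_MASK) -> int:
    """Return a burn value that is a superset of the bits already programmed.

    Fuse bits only go from 0 to 1. Pre-burned bits inside the reserved field are
    carried over; a pre-burned bit outside it that the target leaves at 0 can
    never be cleared, so it is reported instead of being merged silently.
    """
    conflict = current & ~wanted & ~reserved
    if conflict:
        raise ValueError(
            f"bits 0x{conflict:X} are already burned but not set in target 0x{wanted:X}"
        )
    return current | wanted


def patch_fuse_config(xml_text: str, current_bsi: int) -> str:
    """Rewrite the BootSecurityInfo entry so it includes the pre-fused bits."""
    root = ET.fromstring(xml_text)
    node = root.find("./fuse[@name='BootSecurityInfo']")
    if node is None:
        raise KeyError("no BootSecurityInfo entry in fuse config")
    wanted = int(node.get("value"), 16)
    node.set("value", f"0x{merged_burn_value(current_bsi, wanted):X}")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # 0x1E0 is the pre-fused value read back from the new batch in this thread.
    print(patch_fuse_config(SAMPLE_XML, current_bsi=0x1E0))
```
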
