fTPM Storage Root Key

Hi,

How does fTPM generate or derive the Storage Root Key?

Thanks

*** Please note that this reply is generated by LLM automatically ***

The fTPM (firmware-based Trusted Platform Module) on the Jetson Orin NX series generates or derives the Storage Root Key (SRK) through a key derivation process that relies on the secure boot mechanism. Here’s a step-by-step explanation of how fTPM generates the SRK:

  1. Secure Boot: The secure boot process is responsible for loading and verifying the firmware components during the boot process. This process establishes the Hardware Root of Trust (HROT), Root of Trust for Reporting (RTR), and Root of Trust for Measurement (RTM).
  2. Key Derivation Process: The fTPM uses the secure boot mechanism to derive the SRK. The key derivation process involves the following steps:
    • The fTPM uses the Silicon ID (SID) and the OEM (Original Equipment Manufacturer) public key to derive the SRK.
    • The SID is a unique identifier for the Jetson Orin NX module, and the OEM public key is used to authenticate the firmware components.
    • The fTPM uses a cryptographic algorithm (e.g., AES or RSA) to derive the SRK from the SID and OEM public key.
  3. Storage Root Key (SRK): The derived SRK is used to encrypt and decrypt the storage devices, such as the eMMC or NVMe storage.

In comparison to other Jetson modules, the key derivation process for the SRK is similar. However, the specific implementation details may vary depending on the module and the secure boot mechanism used.

For example, on the Jetson AGX Orin series, the SRK is derived using a similar key derivation process, but with some differences in the specific implementation details.

Here’s a comparison of the key derivation process for the SRK on different Jetson modules:

| Module | Key Derivation Process |
|---|---|
| Jetson Orin NX | Uses Silicon ID (SID) and OEM public key to derive SRK |
| Jetson AGX Orin | Uses Silicon ID (SID) and OEM public key to derive SRK, with some differences in implementation details |
| Jetson Orin Nano | Uses a similar key derivation process, but with some differences in implementation details |

In summary, the fTPM on the Jetson Orin NX series generates the SRK through a key derivation process that relies on the secure boot mechanism, using the Silicon ID (SID) and OEM public key. The specific implementation details may vary depending on the module and the secure boot mechanism used.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***
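An added illustration, not part of the reply above and not NVIDIA's fTPM code: in TPM 2.0 the SRK is a primary object, and a primary object is not stored but re-derived on demand from a secret primary seed plus the key's public template, using a counter-mode HMAC KDF (what the TPM 2.0 specification calls KDFa). The seed, the label "PRIMARY-DEMO" and the template strings below are constructed placeholders; how a particular fTPM provisions its seed (the reply above describes a Silicon ID and OEM public key) is outside this example. The point a practitioner wants to see is the consequence of this design: the same seed and template give the same SRK on every boot, a different template gives an unrelated key, and a reseed (as after a TPM clear) makes everything sealed under the old SRK unrecoverable.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256


def kdfa(key: bytes, label: str, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """SP 800-108 counter-mode KDF with HMAC, in the form TPM 2.0 calls KDFa.
    Each block is HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32)."""
    label_bytes = label.encode("ascii") + b"\x00"
    out = b""
    counter = 1
    while len(out) < (bits + 7) // 8:
        msg = (struct.pack(">I", counter) + label_bytes
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, HASH).digest()
        counter += 1
    return out[: (bits + 7) // 8]


def derive_primary_key(primary_seed: bytes, template: bytes, bits: int = 256) -> bytes:
    """Derive a primary-key secret from a hierarchy's primary seed and the public template.
    Binding a hash of the template into the KDF means a different template (algorithm,
    attributes or policy) yields an unrelated key from the same seed.
    The label "PRIMARY-DEMO" is a constructed placeholder, not a TPM-specified label."""
    template_name = HASH(template).digest()  # stands in for the TPM "name" of the template
    return kdfa(primary_seed, "PRIMARY-DEMO", template_name, b"", bits)


# Constructed sample values: not a real seed and not real TPM templates.
STORAGE_PRIMARY_SEED = hashlib.sha256(b"constructed-platform-secret").digest()
SRK_TEMPLATE = b"TPM_ALG_ECC|NISTP256|restricted|decrypt|userWithAuth"
OTHER_TEMPLATE = b"TPM_ALG_RSA|2048|restricted|decrypt|userWithAuth"


def demo() -> dict:
    """Show the three properties that follow from seed+template derivation."""
    srk_first_boot = derive_primary_key(STORAGE_PRIMARY_SEED, SRK_TEMPLATE)
    srk_next_boot = derive_primary_key(STORAGE_PRIMARY_SEED, SRK_TEMPLATE)
    other_key = derive_primary_key(STORAGE_PRIMARY_SEED, OTHER_TEMPLATE)
    # A clear-style reseed: the same template now yields an unrelated SRK, so any
    # object previously sealed under the old SRK cannot be loaded again.
    reseeded = hashlib.sha256(b"constructed-platform-secret-after-clear").digest()
    srk_after_clear = derive_primary_key(reseeded, SRK_TEMPLATE)
    return {
        "stable_across_boots": srk_first_boot == srk_next_boot,
        "template_bound": srk_first_boot != other_key,
        "changes_on_reseed": srk_first_boot != srk_after_clear,
        "length_bytes": len(srk_first_boot),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the three properties; the operational lesson is that backups and recovery plans must account for the SRK being a function of the platform seed, since no copy of it exists to restore after a reseed.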

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.