Fuse configuration for SB and FDE

Hello,

We are trying to fuse Orin NX boards to enable secure boot and full disk encryption. Initially, we have used a limited fuse configuration which appears to work (those are test keys):

<genericfuse MagicId="0x45535546" version="1.0.0">
      <fuse name="PublicKeyHash" size="64" value="0xdeb37e8970af2adc2790f5ba50fb4bbd502b457fbb5e9c62f4fa9e0b17e742a8eb06ece324823cd1df298ddc35577d99e3ff34d7a92fd4ef8c8f6f223ad04fa6"/>
      <fuse name="SecureBootKey" size="32" value="4505cb49b8d02f844bde2458aaa217c1a01b08d89e737d65b64e07e1cf95449e"/>
      <fuse name="OemK1" size="32" value="e84dec6e96a7581c2dafb815c571f72d9a1f1fb49af03da904f6c4ede4c247b7"/>
      <fuse name="BootSecurityInfo" size="4" value="0x3E9"/>
   </genericfuse>

But it appears from the documentation that PscOdmStatic is to be burnt to avoid undefined behavior, but since we add this fuse, we cannot flash the device. Would it be possible for you to validate the following fuse configuration so that we know it is valid?

<genericfuse MagicId="0x45535546" version="1.0.0">
      <fuse name="ArmJtagDisable" size="4" value="0x1"/>
      <fuse name="Apb2JtagDisable" size="4" value="0x1"/>
      <fuse name="CcplexDfdAccessDisable" size="4" value="0x1"/>
      <fuse name="OptInEnable" size="4" value="0x1"/>
      <fuse name="BootDevInfo" size="4" value="0x1"/>
      <fuse name="SecureProvisionInfo" size="4" value="0x3"/>
      <fuse name="PublicKeyHash" size="64" value="0xdeb37e8970af2adc2790f5ba50fb4bbd502b457fbb5e9c62f4fa9e0b17e742a8ea06ece324823cd1df298ddc35577d99e3ff34d7a92fd4ef8c8f6f223ad04fa6"/>
      <fuse name="PkcPubkeyHash1" size="64" value="0xd5ad5eec5525c99139d6c3f0c63dc8890021bc272f40670f9dbf8f6d85a31957220a431a5cd65770b0b03b30678ddade14cf996c09e7f6d6f312e36875338990"/>
      <fuse name="PkcPubkeyHash2" size="64" value="0x926fc01516d00f0423c23b956ec3bef718a1786dc5591e31a21fa272c91c4e09cbf30021d478c344225dd3252bf62316b375b22b440d779d53938f3c17b8e630"/>
      <fuse name="SecureBootKey" size="32" value="4505cb49b8d02f844bde2458aaa217c1a01b08d89e737d65b64e07e1cf95449d"/>
      <fuse name="Kdk0" size="32" value="0ca69ed4029b0fb1934a978985b351df2670d0219a4dd267686fd5729d02ea28"/>
      <fuse name="PscOdmStatic" size="4" value="0x60"/>
      <fuse name="OemK1" size="32" value="e84dec6e96a7581c2dafb815c571f72d9a1f1fb49af03da904f6c4ede4c247b7"/>
      <fuse name="OemK2" size="32" value="af47dfee20bbba44c5c6d417683b9dc1b702d7c4b697db474d97fabf95fd2058"/>
      <fuse name="BootSecurityInfo" size="4" value="0x3E9"/>
   </genericfuse>

Many thanks

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, I’ll address the question about validating the fuse configuration for Jetson AGX Orin NX boards to enable secure boot and full disk encryption.

Firstly, it’s essential to understand that fuses are used to configure the Jetson Orin platform’s security features, including secure boot and encryption. The Fuse Configuration File is used to configure these fuses.

The question mentions that the initial limited fuse configuration appears to work with test keys, but adding the PscOdmStatic fuse causes issues with flashing the device. This suggests that the fuse configuration might be incorrect or incomplete.

To validate the fuse configuration, I would recommend the following steps:

  1. Review the documentation: Ensure that you have consulted the latest documentation for Jetson AGX Orin NX, including the Fuse Configuration File documentation and the Secure Boot documentation.
  2. Check the Fuse Configuration File: Verify that the Fuse Configuration File is correctly formatted and contains all the necessary fuses for secure boot and full disk encryption.
  3. Verify PscOdmStatic fuse: Double-check that the PscOdmStatic fuse is correctly set and that it is not conflicting with other fuses.
  4. Use the Burn Fuses procedure: Follow the Burn Fuses procedure to ensure that the fuses are correctly burned onto the device.
  5. Read Fuses: Use the Read Fuses procedure to verify that the fuses have been correctly set.

Comparing the provided information, I noticed that there are several discussions and issues related to fuses, secure boot, and encryption on the Jetson Orin platform. For example:

  • FUSE_RESERVED_SW_0 fuse: There is a discussion about configuring this fuse on Jetson Orin NX, which might be relevant to your issue.
  • Unable to burn fuses normally on Jetson AGX Orin after modifying the BOM (Jetson AGX Orin BOM修改后无法正常烧写fuse): This issue mentions problems with burning fuses on Jetson AGX Orin after modifying the BOM, which might be related to your issue.
  • Secure boot on Orin and Xavier NX: This discussion provides information on secure boot on Orin and Xavier NX, which might be helpful in resolving your issue.

To further assist you, I would like to request more information about your specific fuse configuration and the errors you are encountering when trying to flash the device. Additionally, please confirm that you have consulted the latest documentation and followed the recommended procedures for burning fuses and configuring secure boot.


Hi sebastien.schertenleib,

Are you using the devkit or custom board for AGX Orin?
What’s the Jetpack version in use?

Fuses cannot be reverted, so we cannot verify this configuration on our module.
Have you tried to add pkc/sbk key so that you can reflash on your fused module?

Hi Kevin,

We use an Orin NX with a custom carrier board using 35.6.2. What we would like to know is what the minimal set of fuses to be burnt is so that SB and FDE work as expected. We want to avoid forgetting to set some bits in the factory and ending up in some undefined setup. It seems the documentation is missing some information, such as for the fuse PscOdmStatic. Posts made by Nvidia engineers seem to always provide it in their sample fuse configuration.

Also, there are some posts on the forum that indicate that if the Kdk0 fuse is burnt then other keys such as oem_k1 have to be derived from it, but other posts say they can remain unrelated. Would it be possible to let us know which one of those two scenarios is true?

Also, regarding BootSecurityInfo, some posts seem to suggest burning bits 11 and 13 for DICE support. Is it true?

Is it possible to provide a configuration that is validated by Nvidia for both SB and FDE? Surely you must have tried on some of your modules, is it not the case?

Thanks

You can refer to Orin Reference Fuse Configuration File for the sample list for fuses.

Please note that SB (Secure Boot) is different from FDE (Full Disk Encryption).
Secure Boot is used to protect the bootloader; you can refer to Secure Boot for details. Fusing the module is the necessary step to enable secure boot.

Disk Encryption is used to protect the rootfs; you can refer to Disk Encryption for details.

It is incorrect. OEM_K1, OEM_K2, and KDK0 are all fuse keys.
They are independent of each other.

Bit [11] OEM DICE1 Feature enable
Bit [13] FMC DICE Feature enable
When bit[11] and bit[13] are burned, fTPM is enabled. Then KDK0 is used to derive EK for fTPM.
The DICE feature actually means fTPM.
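
A pre-burn check for the configurations discussed in this thread, as an added example that is not part of any poster's message or of NVIDIA's tooling: it parses fuse files in the `genericfuse` format shown in the first post, flags key values whose length does not match `size` (assumed here to be in bytes), reports whether BootSecurityInfo bits 11 and 13 are set, and lists fuses whose values differ between a tested and a planned configuration. The function names and the sample key are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from os.path import commonprefix

DICE_BITS = {11: "OEM DICE1 enable", 13: "FMC DICE enable"}  # from the last reply

def load_fuses(xml_text):
    """Return {name: (size, hex_digits)}; reject duplicates and non-hex values."""
    fuses = {}
    for el in ET.fromstring(xml_text).iter("fuse"):
        name, size = el.get("name"), int(el.get("size"))
        value = el.get("value").lower()
        value = value[2:] if value.startswith("0x") else value
        int(value, 16)  # raises ValueError if the value is not hex
        if name in fuses:
            raise ValueError(f"duplicate fuse {name}")
        fuses[name] = (size, value)
    return fuses

def lint(fuses):
    """Length findings; `size` is assumed to be in bytes (2 hex digits each)."""
    findings = []
    for name, (size, value) in fuses.items():
        want = 2 * size
        if len(value) > want or (size >= 32 and len(value) != want):
            findings.append(f"{name}: {len(value)} hex digits for size {size}")
    return findings

def dice_bits(fuses):  # whether BootSecurityInfo bits 11 and 13 are set
    bsi = int(fuses["BootSecurityInfo"][1], 16)
    return {bit: bool((bsi >> bit) & 1) for bit in DICE_BITS}

def diff(tested, planned):
    """{name: index of first differing hex digit} for fuses present in both."""
    out = {}
    for name in sorted(tested.keys() & planned.keys()):
        a, b = tested[name][1], planned[name][1]
        if a != b:
            out[name] = len(commonprefix([a, b]))
    return out

KEY = "4505cb49" * 8  # constructed 32-byte sample value, not a key from the thread
TESTED = f"""<genericfuse MagicId="0x45535546" version="1.0.0">
  <fuse name="SecureBootKey" size="32" value="{KEY}"/>
  <fuse name="BootSecurityInfo" size="4" value="0x3E9"/>
</genericfuse>"""
PLANNED = TESTED.replace(KEY, KEY[:-1] + "d")  # one hex digit changed

if __name__ == "__main__":
    print(diff(load_fuses(TESTED), load_fuses(PLANNED)), dice_bits(load_fuses(TESTED)))
```

Applied to the two configurations in the first post, `diff` would report PublicKeyHash and SecureBootKey, which each differ by one hex digit between the two listings.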
