Fuseblob to enable FTPM

I am trying to evaluate FTPM on AGX Orin using the 36.4 SDK.

I took the reference config at “Firmware TPM — NVIDIA Jetson Linux Developer Guide documentation” and made the following changes:

  • With few exceptions (e.g. the ECDSA P-256 PKC), keep keys as all zeros to avoid blowing fuses.
  • Remove the OptInEnable option. Setting OptInEnable to 0x1 enables anti-rollback and we do not need this now.
  • Remove the ArmJtagDisable option. Setting ArmJtagDisable to 0x1 permanently prevents any JTAG access to the debug access port.
  • Remove the SecurityMode option. Setting SecurityMode to 0x1 locks the values of the other manufacturing fuses.
  • Remove PkcPubKeyHash1 and PkcPubKeyHash2. These are spare keys in the case of PKC revocation; we do not need this now for testing.
  • Set BootSecurityInfo to 0x020A

[BIT]  15 14 13 12 11 10 09 08 07 06 05 04 03 02 01 00
[VAL]   0  0  0  0  0  0  0  0  0  0  0  0  1  0  1  0

Bits [2:0] map to the Secure Boot Authentication Scheme, where 010b: ECDSA P-256 Curve
Bit [3] is the secure boot encryption scheme (SBK), where 1b: enable
Bit [9] is ODM Key Valid, where 0b: This bit should be enabled only when OEM_K1 and OEM_K2 are burned.
        Set this to 0 since we have OEM_K1 and OEM_K2 equal to all zeros.

Since programming the fuses is a one-time operation, I want to err on the side of caution. My goal is to do just enough to enable FTPM while still remaining as flexible as possible.

Can I get some eyes on the attached fuse configuration file to review it before I go ahead?

<genericfuse MagicId="0x45535546" version="1.0.0">
   <fuse name="OdmInfo" size="4" value="0x0000"/>
   <fuse name="OdmId" size="8" value="0x0000000000000000"/>
   <fuse name="Kdk0" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
   <fuse name="PublicKeyhash" size="64" value="redacted-ecdsa-p256-pubkey-hash"/>
   <fuse name="SecureBootKey" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
   <fuse name="OemK1" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
   <fuse name="OemK2" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
   <fuse name="PscOdmStatic" size="4" value="0x00000060"/>
   <fuse name="BootSecurityInfo" size="4" value="0x000A"/>
</genericfuse>
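An added pre-burn sanity check, not from the original post or from NVIDIA's tooling: it parses a constructed copy of the fuse XML above (key fuses only, with the redacted hash replaced by a fake placeholder), decodes the three BootSecurityInfo fields the post quotes, and flags combinations such as the SBK encryption bit being set while SecureBootKey is all zeros. The bit positions used are only those quoted in the post; the placeholder hash value and the assumed "hex digits must fit the size" rule are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fuse file modelled on the one in the post; the redacted public key
# hash is replaced by a fake non-zero placeholder of the expected 64-byte width.
ZERO32 = "0x" + "00" * 32
FAKE_HASH = "0x" + "ab" * 64  # placeholder, not a real key hash
SAMPLE_XML = f"""<genericfuse MagicId="0x45535546" version="1.0.0">
   <fuse name="PublicKeyhash" size="64" value="{FAKE_HASH}"/>
   <fuse name="SecureBootKey" size="32" value="{ZERO32}"/>
   <fuse name="OemK1" size="32" value="{ZERO32}"/>
   <fuse name="OemK2" size="32" value="{ZERO32}"/>
   <fuse name="BootSecurityInfo" size="4" value="0x000A"/>
</genericfuse>"""

def parse_fuses(xml_text):
    """Return {fuse name: (size in bytes, integer value, hex digit count)}."""
    root = ET.fromstring(xml_text)
    fuses = {}
    for f in root.findall("fuse"):
        raw = f.get("value")
        if not re.fullmatch(r"0x[0-9a-fA-F]+", raw):
            raise ValueError(f"{f.get('name')}: value is not hex ({raw})")
        fuses[f.get("name")] = (int(f.get("size")), int(raw, 16), len(raw) - 2)
    return fuses

def decode_boot_security_info(value):
    """Fields quoted in the post: [2:0] auth scheme, [3] SBK enable, [9] ODM key valid."""
    return {
        "auth_scheme": value & 0b111,
        "sbk_encryption": bool(value >> 3 & 1),
        "odm_key_valid": bool(value >> 9 & 1),
    }

def check_fuse_config(fuses):
    """Cross-check BootSecurityInfo against the key fuses it refers to."""
    warnings = []
    for name, (size, _, digits) in fuses.items():
        if digits > size * 2:  # assumed rule: value must fit in `size` bytes
            warnings.append(f"{name}: value wider than size={size} bytes")
    def zero(name):
        return name not in fuses or fuses[name][1] == 0
    bsi = decode_boot_security_info(fuses["BootSecurityInfo"][1])
    if bsi["auth_scheme"] == 0b010 and zero("PublicKeyhash"):
        warnings.append("ECDSA P-256 selected but PublicKeyhash is missing or zero")
    if bsi["sbk_encryption"] and zero("SecureBootKey"):
        warnings.append("SBK encryption bit set but SecureBootKey is all zeros")
    if bsi["odm_key_valid"] and (zero("OemK1") or zero("OemK2")):
        warnings.append("ODM key valid bit set but OEM_K1/OEM_K2 are all zeros")
    return warnings
```

Running `check_fuse_config(parse_fuses(SAMPLE_XML))` on the posted values reports the all-zero SBK paired with the SBK enable bit, which is the mismatch raised later in this thread.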

Hi tanlu,

Are you using the devkit or custom board for AGX Orin?

Could you elaborate on what you mean by “remain as flexible”?

hello tanlu,

It’s crucial to double check your BootSecurityInfo.
Please refer to the Jetson Orin Fuse Specification to review FUSE_BOOT_SECURITY_INFO_0.
For instance, although you have BootSecurityInfo=0x000A, you have all-zero SBK keys…

Anyway,
as mentioned in the developer guide (Burn Fuses with the Fuse Configuration file),
it is recommended to burn all the fuses you need in a single operation.
