I am trying to evaluate FTPM on AGX Orin using the 36.4 SDK.
I took the reference config at Firmware TPM — NVIDIA Jetson Linux Developer Guide documentation and made the following changes:
- With few exceptions (e.g. ECDSA-P256 PKC), keep keys as all zeros to avoid blowing fuses.
- Remove the OptInEnable option. Setting OptInEnable to 0x1 enables anti-rollback and we do not need this now.
- Remove the ArmJtagDisable option. Setting ArmJtagDisable to 0x1 permanently prevents any JTAG access to the debug access port.
- Remove the SecurityMode option. Setting SecurityMode to 0x1 locks the values of the other manufacturing fuses.
- Remove PkcPubKeyHash1 and PkcPubKeyHash2. These are spare keys in the case of PKC revocation; we do not need this now for testing.
- Set BootSecurityInfo to 0x020A:

  [BIT] 15 14 13 12 11 10 09 08 07 06 05 04 03 02 01 00
  [VAL]  0  0  0  0  0  0  0  0  0  0  0  0  1  0  1  0

  Bits [2:0] map to the Secure Boot Authentication Scheme, where 010b: ECDSA P-256 Curve.
  Bit [3] is the secure boot encryption scheme (SBK), where 1b: enable.
  Bit [9] is ODM Key Valid, where 0b: this bit should be enabled only when OEM_K1 and OEM_K2 are burned.
  Set this to 0 since we have OEM_K1 and OEM_K2 equal to all zeros.
Since programming the fuses is a one-time operation, I want to err on the side of caution. My goal is to do just enough to enable FTPM, while still remaining as flexible as possible.
Can I get some eyes on the attached fuse configuration file to review it before I go ahead?
<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="OdmInfo" size="4" value="0x0000"/>
    <fuse name="OdmId" size="8" value="0x0000000000000000"/>
    <fuse name="Kdk0" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
    <fuse name="PublicKeyhash" size="64" value="redacted-ecdsa-p256-pubkey-hash"/>
    <fuse name="SecureBootKey" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
    <fuse name="OemK1" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
    <fuse name="OemK2" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
    <fuse name="PscOdmStatic" size="4" value="0x00000060"/>
    <fuse name="BootSecurityInfo" size="4" value="0x000A"/>
</genericfuse>
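Because fuse programming cannot be undone, a pre-flash sanity check is worth running over the genericfuse file. The script below is an added example, not part of the post or of NVIDIA's tooling: it decodes the BootSecurityInfo fields exactly as the post lays them out (bits [2:0], [3] and [9]), flags the three irreversible fuses the post chose to leave out, and flags a file whose ODM Key Valid bit is set while OemK1 and OemK2 are all zeros. The embedded XML is a constructed sample mirroring the posted file; the helper names and finding strings are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted fuse file (keys all zeros, hash redacted).
SAMPLE_FUSE_XML = """<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="OdmInfo" size="4" value="0x0000"/>
<fuse name="Kdk0" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
<fuse name="PublicKeyhash" size="64" value="redacted-ecdsa-p256-pubkey-hash"/>
<fuse name="SecureBootKey" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
<fuse name="OemK1" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
<fuse name="OemK2" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000"/>
<fuse name="BootSecurityInfo" size="4" value="0x000A"/>
</genericfuse>"""

# One-way fuses the post deliberately leaves out of a test configuration.
IRREVERSIBLE = {"OptInEnable", "ArmJtagDisable", "SecurityMode"}


def decode_boot_security_info(value):
    """Split BootSecurityInfo into the three fields described in the post."""
    return {
        "auth_scheme": value & 0b111,        # bits [2:0]; 010b = ECDSA P-256
        "sbk_encryption": (value >> 3) & 1,  # bit [3]; 1b = SBK encryption enabled
        "odm_key_valid": (value >> 9) & 1,   # bit [9]; only valid once OEM_K1/OEM_K2 are burned
    }


def is_all_zero(value):
    """True for hex strings such as 0x0000...0 (an unburned key)."""
    return re.fullmatch(r"0x0+", value) is not None


def check_fuse_config(xml_text):
    """Return a list of findings for a genericfuse file; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    fuses = {f.get("name"): f.get("value") for f in root.findall("fuse")}
    findings = []
    for name in sorted(IRREVERSIBLE.intersection(fuses)):
        findings.append(f"{name} is present; burning it is irreversible")
    bsi = decode_boot_security_info(int(fuses.get("BootSecurityInfo", "0x0"), 16))
    oem_keys_zero = all(is_all_zero(fuses.get(k, "0x0")) for k in ("OemK1", "OemK2"))
    if bsi["odm_key_valid"] and oem_keys_zero:
        findings.append("ODM Key Valid set but OemK1/OemK2 are all zeros")
    return findings


if __name__ == "__main__":
    print(decode_boot_security_info(0x000A))
    print(check_fuse_config(SAMPLE_FUSE_XML) or "no findings")
```

Running the checker against a copy of the file with BootSecurityInfo changed to 0x020A shows why decoding the value is worth the trouble: that value has bit 9 set, so the ODM Key Valid finding fires.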