Hi. I worry that I can kill the device and nothing can be changed.
I want Jetson TX2 to be able to flash only our firmware (system.img, tos.img *.img …) signed with our key (pkc_keyfile rsa 2048, sbk_keyfile).
I use TOS.img to access the key `uint8_t ekb_ek[AES_KEY_128_SIZE] = {0};` to decrypt the data.
EKB_EK = AES-128-ECB(FV, EKB_RK)
Question(1): EKB_RK =? sbk_keyfile ??? Is that the key?
I made an instruction:
- Sew a key in Jetson TX2.
Question(2): After that, it will not be possible to change anything? The `-p` key?
```
sudo ./odmfuse.sh -i 0x18 -c PKC -p -k rsa_priv.pem -S sbk_keyfile jetson-tx2
```
- To sign the image with the PKC and SBK key in one step and flash.
```
sudo BOARDID=3310 FAB=C04 ./flash.sh -u rsa_priv.pem -v sbk_keyfile jetson-tx2 mmcblk0p1
```
- Question(3): Again translate into production mode? The `-p` key? The `-p` switch was in step 1. ???
```
sudo ./odmfuse.sh -i 0x18 -c NS -p jetson-tx2
```
Question(4): Is that all? Apart from me, no one can flash the device without the secret keys rsa_priv.pem and sbk_keyfile?
Or am I forgetting something? Is my instruction correct?
Will the tos.img and “file system” image be encrypted and signed, or will only tos.img be encrypted? The “file system” will be signed?
rsa_priv.pem = Generated file `openssl genrsa -out rsa_priv.pem 2048`
sbk_keyfile = Looks like `0x12345678 0x9abcdef0 0xfedcba98 0x76543210`
version 32.2.3
Question(5): Jetson Nano will not support TOS.img? Is TrustedOS a TX2- and Xavier-only feature? Or are there any plans for the future for Jetson Nano?
Thanks