Fuses and Security, TOS Jetson TX2

Hi. I worry that I can kill the device and nothing can be changed.
I want the Jetson TX2 to be able to flash only our firmware (system.img, tos.img, *.img …) signed with our keys (pkc_keyfile RSA 2048, sbk_keyfile).

I use TOS.img to access the key `uint8_t ekb_ek[AES_KEY_128_SIZE] = {0};` to decrypt the data.

EKB_EK = AES-128-ECB(FV, EKB_RK)

Question (1): Is EKB_RK = sbk_keyfile? Is that the key?

I put together the following procedure:

  1. Burn the keys into the Jetson TX2.
    Question (2): After that, will it no longer be possible to change anything? Is that what the -p switch does?
sudo ./odmfuse.sh -i 0x18 -c PKC -p -k rsa_priv.pem -S sbk_keyfile jetson-tx2
  2. Sign the images with the PKC and SBK keys in one step and flash.
sudo BOARDID=3310 FAB=C04 ./flash.sh -u rsa_priv.pem -v sbk_keyfile jetson-tx2 mmcblk0p1
  3. Question (3): Switch into production mode again? With the -p switch? The -p switch was already used in step 1.
sudo ./odmfuse.sh -i 0x18 -c NS -p jetson-tx2

Question (4): Is that all? Apart from me, can no one flash the device without the secret keys rsa_priv.pem and sbk_keyfile?
Or am I forgetting something? Is my procedure correct?
Will both tos.img and the “file system” image be encrypted and signed, or will only tos.img be encrypted and the “file system” only signed?

rsa_priv.pem = generated with `openssl genrsa -out rsa_priv.pem 2048`
sbk_keyfile = looks like `0x12345678 0x9abcdef0 0xfedcba98 0x76543210`
version 32.2.3

Question (5): Will the Jetson Nano not support TOS.img? Is Trusted OS a TX2- and Xavier-only feature, or are there plans for the Jetson Nano in the future?

Thanks

Hello exitstop,

The odmfuse script with the “-p” option fuses the device into production mode.
Once production mode is fused, all further fuse write requests are blocked.
You might refer to the Secureboot chapter for the details of fusing the board.

According to the Trusty, a Trusted Execution Environment chapter, the secure OS currently applies only to Jetson AGX Xavier and TX2 devices.
Thanks

Thanks.

  1. I read the comments in ./odmfuse.sh and realized that only two steps are needed.
sudo ./odmfuse.sh -i 0x18 -j -c PKC --noburn -k rsa_priv.pem -S sbk_key.txt --KEK0 kek0_key.txt --KEK1 kek1_key.txt --KEK2 kek2_key.txt jetson-tx2
sudo BOARDID=3310 FAB=C04 ./flash.sh -u rsa_priv.pem -v sbk_keyfile jetson-tx2 mmcblk0p1

EKB_EK = AES-128-ECB(FV, EKB_RK)
KEK2 == EKB_RK
  2. The Jetson Nano Boot Flow documentation mentions TOS. This is a little confusing.
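Worked example of the derivation quoted in both the opening post and the follow-up, EKB_EK = AES-128-ECB(FV, EKB_RK), with the follow-up's identification KEK2 == EKB_RK. This is added illustration code, not from the thread and not NVIDIA's TOS/EKB sources: it uses a self-contained pure-Python AES-128 so it runs without third-party modules, the FV and KEK2 values are constructed placeholders (the real FV is defined in the TOS sources and the real KEK2 is whatever is burned with --KEK2), and the assumption that each 32-bit word of the key-file format is laid out most-significant byte first is mine, not something the thread confirms. The point it makes concrete is that "ECB" here is just one AES block: a 16-byte fixed vector encrypted under the root key gives a 16-byte EKB_EK, with no IV or padding involved.

```python
# Added example (not from the forum thread or NVIDIA's sources): models
# EKB_EK = AES-128-ECB(FV, EKB_RK) with a pure-Python AES-128 block cipher.


def _xtime(a: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8) with the AES polynomial 0x11B."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def _gf_mul(a: int, b: int) -> int:
    """Multiply a by b in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> list:
    """Compute the AES S-box: GF(2^8) inverse followed by the affine map."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF  # rotate left by one bit
            s ^= r
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()


def _expand_key(key: bytes) -> list:
    """AES-128 key schedule: returns 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _shift_rows(s: list) -> list:
    # State is column-major: byte (row r, column c) sits at index r + 4*c.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def _mix_columns(s: list) -> list:
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
            _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2),
        ]
    return out


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with AES-128 (ECB mode for a single block)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = _shift_rows(s)
        if rnd != 10:  # the final round has no MixColumns
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)


def keyfile_words_to_bytes(text: str) -> bytes:
    """Turn the four-word key file format shown in the thread
    ('0x12345678 0x9abcdef0 0xfedcba98 0x76543210') into 16 bytes.
    Assumption (not confirmed by the thread): each 32-bit word is
    most-significant byte first."""
    words = text.split()
    if len(words) != 4:
        raise ValueError("expected four 32-bit words")
    return b"".join(int(w, 16).to_bytes(4, "big") for w in words)


def derive_ekb_ek(ekb_rk: bytes, fv: bytes) -> bytes:
    """EKB_EK = AES-128-ECB(FV, EKB_RK): FV is the single plaintext block,
    EKB_RK (KEK2 per the follow-up post) is the key."""
    if len(ekb_rk) != 16 or len(fv) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    return aes128_encrypt_block(ekb_rk, fv)


if __name__ == "__main__":
    # Constructed placeholder values; neither is a real fuse or TOS constant.
    kek2 = keyfile_words_to_bytes("0x12345678 0x9abcdef0 0xfedcba98 0x76543210")
    fv = bytes(range(16))
    print("EKB_EK =", derive_ekb_ek(kek2, fv).hex())
```

The AES core is checked against the FIPS-197 Appendix C.1 vector, so the derivation itself is exact; only the inputs are placeholders. Whatever you compute on the host this way is a model of what TOS does on the device: the value is only meaningful once KEK2 has actually been burned with --KEK2 and the FV matches the one compiled into your tos.img.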