hello rayees.shamsuddin,
you may also refer to Boot Flow.
there’s a loading and authentication flow for MB1, which copies MB1 into SysRAM.
MB2 also has similar flows for authentication, but MB1 copies it into DRAM. after that, BPMP-FW owns the controls.
there’s a hardware crypto security engine key slot for storing SBK, KEK, SSK, etc.
it’s the flash script that handles signing and encryption; you may enable secureboot and check the flashing messages.
for example,
[ 3.1481 ] PKC key in Open SSL format
[ 3.1484 ] Key size is 256 bytes
[ 3.1485 ] Valid PKC key
[ 3.1486 ] Saving pkc public key in pub_key.key
[ 3.2069 ]
[ 3.2097 ] tegrahost_v2 --updatesigheader cboot_sigheader.bin.encrypt.signed cboot_sigheader.bin.encrypt.sig oem-rsa --pubkeyhash pub_key.key
[ 3.2135 ]
[ 3.2170 ] tegrahost_v2 --chip 0x18 --align cboot_sigheader.bin.encrypt
[ 3.2192 ]
[ 3.2218 ] tegrasign_v2 --key /home/linuxdev/Nvidia/Linux_for_Tegra/rsa_priv.pem --pubkeyhash pub_key.key --list cboot_sigheader.bin.encrypt_list.xml
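
A small checker for the flashing messages quoted above, added here as an example (it is not NVIDIA tooling and not code from the post): it confirms that the log shows a valid PKC key plus the `tegrasign_v2` and `tegrahost_v2 --updatesigheader` steps, and surfaces the private-key path that the log records on the host. The function names, report fields and the `signing_seen` rule are assumptions of this example; the sample log is copied from the post.

```python
import re

# Sample input: the flashing messages quoted in the post above.
SAMPLE_LOG = """\
[ 3.1481 ] PKC key in Open SSL format
[ 3.1484 ] Key size is 256 bytes
[ 3.1485 ] Valid PKC key
[ 3.1486 ] Saving pkc public key in pub_key.key
[ 3.2069 ]
[ 3.2097 ] tegrahost_v2 --updatesigheader cboot_sigheader.bin.encrypt.signed cboot_sigheader.bin.encrypt.sig oem-rsa --pubkeyhash pub_key.key
[ 3.2135 ]
[ 3.2170 ] tegrahost_v2 --chip 0x18 --align cboot_sigheader.bin.encrypt
[ 3.2192 ]
[ 3.2218 ] tegrasign_v2 --key /home/linuxdev/Nvidia/Linux_for_Tegra/rsa_priv.pem --pubkeyhash pub_key.key --list cboot_sigheader.bin.encrypt_list.xml
"""


def _opt(argv, name):
    """Return the value following option `name`, or None if absent."""
    i = argv.index(name) if name in argv else -1
    return argv[i + 1] if 0 <= i < len(argv) - 1 else None


def summarize_flash_log(text):
    """Collect the signing evidence visible in timestamped flash messages."""
    rep = {"pkc_key_valid": False, "key_bits": None,
           "sign_calls": [], "sigheaders": []}
    for raw in text.splitlines():
        m = re.match(r"^\[\s*\d+\.\d+\s*\]\s*(\S.*)$", raw)
        if not m:
            continue  # empty timestamp line or unrelated output
        msg = m.group(1).strip()
        size = re.fullmatch(r"Key size is (\d+) bytes", msg)
        if size:
            rep["key_bits"] = int(size.group(1)) * 8  # 256 bytes -> 2048 bits
        elif msg == "Valid PKC key":
            rep["pkc_key_valid"] = True
        argv = msg.split()
        if argv[0] == "tegrasign_v2" and _opt(argv, "--key"):
            # (private key path, signed list file); the key path is sensitive
            rep["sign_calls"].append((_opt(argv, "--key"), _opt(argv, "--list")))
        elif argv[0] == "tegrahost_v2" and _opt(argv, "--updatesigheader"):
            rep["sigheaders"].append(_opt(argv, "--updatesigheader"))
    # Assumed pass rule for this example: valid key, a sign call, a header update.
    rep["signing_seen"] = bool(rep["pkc_key_valid"] and rep["sign_calls"]
                               and rep["sigheaders"])
    return rep


if __name__ == "__main__":
    for key, value in summarize_flash_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because the log records where the signing key lives on the build host, treat saved flashing logs with the same care as other build artifacts that reference key material.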