How to prevent SBK from being read?

Hi,we want to check the secure boot to make sure it comply with company safety requirements.
So there Some details need to be worked out.
Secureboot Key (SBK) is fuse to the 128 efuse directly,How do I protect the key from being read?
because when someone read the SBK, the images will be decryption.

hello Username1,

when the ODM production mode bit is burned, SBK key fuses can no longer be read.

hello JerryChang,

Did the bootrom and tos also could not read it?

hello Username1,

bootrom is Jetson’s root of trust, and the fuses are designed to be inaccessible for production.
under Trust Zone environment, application will use crypto API to gain access to secret and the key is not readable by any software.

Hello JerryChang,

It’s that means bootrom and image run in Trust Zone(like MB1,TOS) can use the SBK by crypto API ? and the rsa publick key efuse can read by all the sofeware?

hello Username1,

once you put your device into ODM production mode, it’s also disable fuses access.

Trust Zone is secure OS afterwards and that’s the trusted executed environment (TEE) where trusted application is running at to gain access security assets securely.
It won’t decrypt encrypted boot code as it already passes boot stage but it does allow your apps to access secure assets.

Hello JerryChang
The “disable fuses access” is just means could not write to fuses or also could not read from the fuse,because the cboot verify the boot.img also need to read the efuse of rsa publick key hash .

hello Username1,

I think you had concerned about SBK key reading, right?
actually, SBK is only used by the ROM to decrypt the boot binary and cannot be read back on the device.