How to protect odmfuse_pkc.bin in factory?

Hi all,

While the documentation goes into detail on how to avoid exposing encryption keys in the factory during flashing, there is nothing about how to protect the keys when they initially get fused in the factory. I do not currently see any proper way of keeping odmfuse_pkc.bin (SBK, KEKn) from prying eyes.

One approach I could’ve seen would have been to do the fusing using a pre-fused, encrypted Xavier NX as the host, but I have not seen any aarch64 versions of the necessary tegra binaries to allow such a setup (they’re all x86_64 only).

The fuse application note also mentioned an Endorsement Key fuse block, which can supposedly be written in encrypted form, but I find no further information on that anywhere.

What am I missing? How is this meant to be done?

Thanks in advance.

Hello jmattsson,

You should maintain keys on your own.
You may sign binaries using an HSM (i.e. Hardware Security Module). Please also dig into TegraSign_v3 for info on HSM key generation support.

The endorsement key is a private key that system manufacturers can burn into the fuse; these are keys to encrypt the fuses. However, currently the fuse encryption feature is not supported.
Although the fuse encryption feature is not supported, it does not prevent customers from using EK.

Hi Jerry,

It sounds like currently it is not possible to securely fuse devices in the factory and we will have to do it in-house instead.

This was the missing piece of the puzzle then:
