HSM image signing

tanlu · May 8, 2025, 10:43pm

Hello

Looking through the flashing procedure, it seems like flash.sh requires direct access to private keys PEM files, which presents a security risk. What concerns me also is that internally the script also seems to be calling proprietary binaries such as tegraopenssl, and tegrasign_v3. This makes porting the script to standard openssl and HSM-style signing incredibly difficult.

Does Nvidia have a solution for signing images without exposing private keys?

JerryChang · May 9, 2025, 3:21am

hello tanlu,

the security of your device depends on how securely you keep these key files.
according to developer guide, it recommends that you use the HSM to generate a truly random number for the keys.

Topic		Replies	Views
Signing firmware with an HSM protected private key Jetson Xavier NX security	8	1695	December 11, 2021
Issue when Sign and Flash Secured Images Jetson AGX Orin security	2	452	June 21, 2023
Creating fuse blobs and signed/encrypted images using HSM Jetson TX2	3	1292	October 18, 2021
Format of mb1_t194_prod.bin OEM signature header Jetson AGX Xavier boot , security , nvbugs	10	1231	March 31, 2022
Fusing file test Jetson Orin Nano security	4	293	May 7, 2024
A minimal script that only the signs Jetson boot components Jetson Orin NX security	6	57	March 25, 2025
Secure boot singing not working Jetson Nano security	4	976	March 8, 2023
Unable to sign binary files using flash.sh script Jetson Nano security	6	731	October 18, 2021
How can i flash custom img file through flash.sh Jetson Xavier NX reflash	5	1024	June 28, 2022
Questions about Orin Secure Boot Jetson AGX Orin security	2	287	June 24, 2024

HSM image signing

Related topics