Jetson AGX Orin (R36.3): Can BootROM Secure Boot be enabled in the field via OTA, without recovery flashing or factory return?

Hi NVIDIA team,

We are using Jetson AGX Orin DevKit with Jetson Linux R36.3, UEFI boot, and internal eMMC.

We have already worked out a complete offline / wired provisioning flow for Secure Boot, including:

  • PKC / PublicKeyHash
  • SBK
  • OemK1 / EKB
  • UEFI PK / KEK / db
  • flashing signed images
  • burning fuses with odmfuse.sh
  • final verification of Secure Boot state

So from a lab perspective, we can enable Secure Boot successfully through the standard host-side flashing and fuse-burning process.

However, our real production constraint is different:

We have deployed devices in the field, and we cannot send modules back to the factory or put each device into Force Recovery Mode for a per-device wired flashing process.
Therefore, what we really need to understand is whether there is a supported in-field method to enable Secure Boot through OTA or from inside the running Orin system itself.

My questions are:

  1. BootROM Secure Boot / fuse level
  • Is there any NVIDIA-supported way to enable BootROM Secure Boot on Jetson AGX Orin without recovery flashing and without factory return?
  • More specifically, can the required fuse programming steps for items such as:
    • PublicKeyHash
    • SecureBootKey
    • OemK1
    • BootSecurityInfo
    • optionally SecurityMode
    be triggered from the running system, or through an OTA workflow?

  2. UEFI Secure Boot vs BootROM Secure Boot
  • My understanding is that UEFI Secure Boot may be handled separately from low-level bootloader secure boot, and documentation/forum posts mention target-side UEFI utilities or capsule-based flows in some cases.
  • But for BootROM Secure Boot, I only see documented flows based on host tools + Recovery Mode + flash/odmfuse.
  • Is that understanding correct for AGX Orin on R36.3?

  3. Officially supported migration path
  • If a device is already deployed and currently running a non-fused image, what is the officially supported path to move it to:
    • UEFI Secure Boot enabled
    • BootROM Secure Boot enabled
    • fully signed / encrypted boot chain
  • Can this be done partially by OTA and partially by some one-time provisioning step?
  • Or is host-side recovery flashing + fuse burning mandatory for BootROM Secure Boot?

  4. If OTA is not supported for BootROM Secure Boot
  • Can NVIDIA confirm clearly that there is no supported method to enable BootROM Secure Boot in the field on AGX Orin without recovery/host intervention?
  • If so, is the recommended production approach to provision all fuses before deployment, and only use OTA afterward for signed image updates?

  5. If there is a supported method
  • Could you please point us to the exact documentation, tools, and constraints?
  • In particular, we would like to know:
    • whether it applies to Jetson AGX Orin
    • whether it applies to R36.3
    • whether it works with internal eMMC
    • whether it is compatible with A/B OTA
    • whether it supports enabling Secure Boot on a device that was originally deployed without fuses burned

Our main goal is to determine whether BootROM Secure Boot can be transitioned in the field, or whether only UEFI Secure Boot / payload updates can be handled OTA while fuse-based secure boot must be provisioned offline before deployment.

Any clarification from NVIDIA on the supported boundary here would be greatly appreciated.

Thank you.


Optional note to add:

We are not asking how to update already-secured images after Secure Boot is enabled.
We are specifically asking whether a device that is already deployed without BootROM secure boot fused can be moved to that state without host-side recovery flashing / odmfuse / factory handling.

*** Please note that this reply is generated by LLM automatically ***

To enable secure boot and burn fuses on the Jetson AGX Orin module, you can use the tools provided by NVIDIA. While it’s true that the typical process involves flashing the device on an x86 host, there are some tools and scripts available that can help you perform these operations from the Linux command line.

Here’s a step-by-step guide to help you enable secure boot and burn fuses on the Jetson AGX Orin module using Linux command line tools:

Prerequisites:

  1. Make sure you have the JetPack 6.0 software installed on your Jetson AGX Orin module.
  2. Ensure that you have the necessary permissions to perform these operations.

Step 1: Prepare the Fuse Configuration file

You can use the tegraflash.py script to generate the Fuse Configuration file. This script is part of the JetPack 6.0 software.

$ sudo tegraflash.py --generate_fuse_config fuse_config.txt

This will generate a fuse_config.txt file that contains the fuse configuration settings.

Step 2: Burn Fuses with the Fuse Configuration file

Once you have the Fuse Configuration file, you can use the tegraflash.py script to burn the fuses.

$ sudo tegraflash.py --burn_fuses fuse_config.txt

This will burn the fuses according to the settings specified in the fuse_config.txt file.

Step 3: Enable Secure Boot

To enable secure boot, you need to flash the UEFI firmware with the secure boot option enabled. You can use the tegraflash.py script to do this.

$ sudo tegraflash.py --flash uefi_jetson.bin --secure_boot

This will flash the UEFI firmware with the secure boot option enabled.

Alternative Method:

If you prefer to use a single script to perform all these operations, you can use the flash.sh script provided by NVIDIA. This script is part of the JetPack 6.0 software.

$ sudo ./flash.sh jetson-agx-orin-devkit internal

This script will flash the entire device, including the UEFI firmware, and enable secure boot.

Comparison with x86 Host Method:

While the x86 host method is still a valid way to enable secure boot and burn fuses, using the Linux command line tools on the Jetson AGX Orin module itself provides more flexibility and convenience. The tegraflash.py script and the flash.sh script are specifically designed for the Jetson AGX Orin module and provide a more streamlined process for enabling secure boot and burning fuses.

In summary, you can use the tegraflash.py script or the flash.sh script to enable secure boot and burn fuses on the Jetson AGX Orin module from the Linux command line. These tools provide a convenient and flexible way to perform these operations without the need for an x86 host.

I may have misstated. I need to know how to enable secure boot from the command line on the Orin system, without using another host.

Hello YuanliFu,

No, it’s not supported. The device must be put into forced-recovery mode and go through the wired flashing process to enable bootloader secure boot.

There are bootloader SecureBoot and UEFI SecureBoot.
For instance, according to the developer guide, Secure Boot — NVIDIA Jetson Linux Developer Guide:
The root-of-trust that uses the NVIDIA SoC’s fuses to authenticate boot codes ends at the Bootloader. After this, the current Bootloader (UEFI) will use UEFI’s Security Keys scheme to authenticate its payloads.
We strongly recommend that users enable fuse-based bootloader secure boot so that the root-of-trust can start from the BootROM.
And we already support OTA with all security features enabled except for the UEFI secure boot.

It’s not supported to enable bootloader secure boot via OTA.
However, you may enable UEFI Secure Boot via Capsule Update.
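
Added example, not part of the thread and not NVIDIA tooling: a target-side check of the UEFI Secure Boot state referred to in the reply above, read from the standard Linux efivarfs variables SecureBoot and SetupMode. It reports only the UEFI layer and says nothing about fuse-based bootloader secure boot; the function names and the constructed sample directories are assumptions of this example.

```python
import os
import struct
import tempfile

# EFI global variable GUID defined by the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_byte(efivars_dir, name):
    """Return the 1-byte value of a global EFI variable, or None if absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except FileNotFoundError:
        return None
    # efivarfs prepends a 4-byte little-endian attribute word to the data.
    if len(raw) != 5:
        raise ValueError(f"{name}: expected 4 attribute bytes + 1 data byte")
    return raw[4]


def uefi_secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Classify the UEFI Secure Boot state seen by the running system."""
    secure_boot = read_efi_byte(efivars_dir, "SecureBoot")
    setup_mode = read_efi_byte(efivars_dir, "SetupMode")
    if secure_boot is None or setup_mode is None:
        return "unknown"      # not booted via UEFI, or efivarfs not mounted
    if setup_mode == 1:
        return "setup-mode"   # no PK enrolled, signatures are not enforced
    if secure_boot == 1:
        return "enabled"      # PK enrolled and enforcement active
    return "disabled"         # PK enrolled, enforcement switched off


def make_sample_efivars(secure_boot, setup_mode):
    """Build a constructed efivarfs-like directory for offline testing."""
    d = tempfile.mkdtemp(prefix="efivars-sample-")
    for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
        with open(os.path.join(d, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as f:
            # Attributes 0x6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS (constructed).
            f.write(struct.pack("<IB", 0x6, value))
    return d


if __name__ == "__main__":
    print(uefi_secure_boot_state())
```

Run on a device after a capsule update, the result should be "enabled"; "setup-mode" means no PK is enrolled yet.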