Jetson Orin Disk Encyrption fuse related question

I guess i"m having similar question of this thread.

In the OPTEE example, EKS gen part, there is a prefilled OEM_K1,

# [T234 example]
# Fill your OEM_K1 fuse key value
echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key

Surprisingly this key is working, and I’m using a non-fused device. When I fill the oem_k1.key with 0s, it fails to boot.
Could you help me understand where this non-zero ID is from?

hello user16748,

I assume you’re using l4t-r35.5.0 release version.
there’re default keys within gen_ekb example, because user key is specified in eks.img, (they’re using all 0s in Xavier series, but Orin series not)
for instance, $public_sources/r35.5.0/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/

please re-generate a new EKS image by flashing JP-5.1.3 with all the security features once you’re using customize keys.

Hi Jerry,
Thanks for the prompt response. Sorry forgot to mention my JP version. I’m using L4T 35.4.1 i.e. JP5.1.2.
Indeed I’m looking at the file you mentioned.
What I don’t understand is that my Orin AGX device does not get fused. Therefore I assume the OEM_K1 fuse on my device would be all zeros, i.e. “0000000000000000000000000000000000000000000000000000000000000000”
However, what’s strange is that the default key in the which is 2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d works while the all 0s does not.

Could you please explain that?
Thanks in advance

hello user16748,

there’s an issue with using zero keys, so for that reason, we used a sample key with a specific value for rel-35 release version at the moment.

Thanks for the context. Assuming when I fused the device with specific value, I can just overwrite with the specific value and it will work. I will try out later.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.