hello tdl2,
FYI,
please see-also Jetson Orin Series Modules Fuse Update Field Services Bulletin, fuse value for boot_security_info was burned (by manufacturing) to 0x1E0 for the new Orin modules,
if you are using the new modules, you must bitwise logically OR your desired value with 0x1E0 in the fuse programming flow.
you may execute script file, $ sudo nv_fuse_read.sh to read fuses on the target board for confirmation.
according to developer guide, Burn Fuses with the Fuse Configuration file.
it recommends burning all the fuses you need in a single operation, however, it’s possible to have partial fuse burning without SecurityMode.
that’s incorrect.
you should also enable bit-9 of FUSE_BOOT_SECURITY_INFO_0 since you’re having OEM_K1/K2 keys.
for instance,
BootSecurityInfo
– bit-0, for using the RSA 3K
– bit-3, for using the SBK
– bit-9, for the ODM Key Valid
– bit-11, bit-13 are also recommended to burn as well, so that when someday you need DICE or fTPM support, you don’t have to burn BootSecurityInfo again.
you may dig into Jetson Orin Fuse Specification for OEM_K1_PURPOSE and OEM_K2_PURPOSE.
for general use-case, we recommend burning PscOdmStatic to 0x60, which sets the purpose of:
– OEM_K1 to encryption. (see-also OEM_K1_PURPOSE=0x0)
– OEM_K2 to KDK (key derive key) (see-also OEM_K2_PURPOSE=0x6)
PV, it’s another new key instead of the same PKC key from solution provider.
see-also Topic 344840 for some info about Platform Vendor.
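
The OR step and the bit-9 requirement from the reply above, as an added example that is not part of the original post or of NVIDIA's tooling. The bit meanings and the 0x1E0 factory value are those given in the reply; the function names and the `bit11`/`bit13` labels are hypothetical, and the read-back value is passed in by hand rather than parsed from `nv_fuse_read.sh` output.

```python
# Added example: compute and sanity-check a BootSecurityInfo value before burning.
# Helper names are hypothetical; bit meanings are the ones listed in the post.

FACTORY_PREBURNED = 0x1E0  # value the post says manufacturing burns on new Orin modules

# Bits named in the post. bit-11 and bit-13 are only described there as
# recommended for later DICE or fTPM support, so they keep neutral labels.
BITS = {
    "rsa3k": 0,
    "sbk": 3,
    "odm_key_valid": 9,
    "bit11": 11,
    "bit13": 13,
}


def boot_security_info(features, new_module=True):
    """OR the requested feature bits with the factory value on new modules."""
    value = 0
    for name in features:
        value |= 1 << BITS[name]
    if new_module:
        value |= FACTORY_PREBURNED
    return value


def check_plan(planned, current, uses_oem_keys):
    """Return a list of problems with burning `planned` over `current`.

    `current` is the BootSecurityInfo value read back from the target board.
    """
    problems = []
    # Fuses are one-time programmable: a burned 1 can never return to 0,
    # so every bit already set on the board must also be set in the plan.
    lost = current & ~planned
    if lost:
        problems.append(f"planned value omits already-burned bits 0x{lost:X}")
    if uses_oem_keys and not planned & (1 << BITS["odm_key_valid"]):
        problems.append("OEM_K1/K2 in use but bit-9 (ODM Key Valid) is not set")
    return problems


if __name__ == "__main__":
    plan = boot_security_info(["rsa3k", "sbk", "odm_key_valid", "bit11", "bit13"])
    print(f"BootSecurityInfo = 0x{plan:X}")
    print(check_plan(plan, current=FACTORY_PREBURNED, uses_oem_keys=True) or "plan OK")
```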