Jetson Orin NX (R36.4.3) - Disk Encryption - ERROR Kernel Panic

Hi JerryChang,

I’m using this fuse.xml for fuse burn :

<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="OdmInfo" size="4" value="0x21" />
<fuse name="OdmId" size="8" value="0x0000014BD5FD48C0" />
<fuse name="Kdk0" size="32" value="0x63b6d3cab65be8bdca7743b083114023246497ddc83ff24ac305da5befd317d7" />
<fuse name="OemK1" size="32" value="0x4fb38179d9ff6d5a33c1dbf5ac3a381a82f43a811fdce822d7350129de16b198" />
<fuse name="PublicKeyHash" size="64" value="0x83de2ecbea32ce0fe5f06a6911a097c07b11276b6eaf0995fb7aaeb11b66025fa74bf31c22c992d445d725c02e8972f65a0965d114ead3882ffc58415d8519e5" />
<fuse name="SecureBootKey" size="32" value="0x2a751444d1c1ccd8b49f9b57c2ca9590fa82378a5de621224616ab3c3a84c91a" />
<fuse name="BootSecurityInfo" size="4" value="0x1E9" />
</genericfuse>

But I want to change fuse.xml as below:

<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="OdmInfo" size="4" value="0x21" />
<fuse name="PscOdmStatic" size="4" value="0x00000060" />
<fuse name="OdmId" size="8" value="0x0000014BD5FD48C0" />
<fuse name="Kdk0" size="32" value="0x63b6d3cab65be8bdca7743b083114023246497ddc83ff24ac305da5befd317d7" />
<fuse name="OemK1" size="32" value="0x4fb38179d9ff6d5a33c1dbf5ac3a381a82f43a811fdce822d7350129de16b198" />
<fuse name="PublicKeyHash" size="64" value="0x83de2ecbea32ce0fe5f06a6911a097c07b11276b6eaf0995fb7aaeb11b66025fa74bf31c22c992d445d725c02e8972f65a0965d114ead3882ffc58415d8519e5" />
<fuse name="SecureBootKey" size="32" value="0x2a751444d1c1ccd8b49f9b57c2ca9590fa82378a5de621224616ab3c3a84c91a" />
<fuse name="BootSecurityInfo" size="4" value="0x3E9" />
</genericfuse>

I have only the OemK1 key. Must I generate and use an OemK2 key? If I should use an OemK2 key, how can I configure it in the fuse.xml file?

(I want to change the fuse.xml file because I want to set bit[9] to 1)

I want to be sure, so I am asking you. Which command can I use for the fuse burn? I don't want to make a mistake.

hello kingssize19,

as mentioned earlier in post #17, we've verified disk encryption is working on fused Orin-NX.
please refer to Burn Fuses with the Fuse Configuration file to have additional fuses burned.

Hi JerryChang,

I updated the BootSecurityInfo value in the fuse.xml file and burned the fuses again using this fuse.xml. The value was 0x1E0; now it is 0x3E0, so I set bit[9] to 1.

And I used your flash steps:

1. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash -u rsa_priv-3k.pem -v sbk.key --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal

2. sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -u rsa_priv-3k.pem -v sbk.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

3. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u rsa_priv-3k.pem -v sbk.key --network usb0 --flash-only

The result: the flash is successful and I saw disk encryption, but I didn't see Secure boot enabled in dmesg.

ekin@OrinNX-16GB:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 16M 1 loop
zram0 252:0 0 978.5M 0 disk [SWAP]
zram1 252:1 0 978.5M 0 disk [SWAP]
zram2 252:2 0 978.5M 0 disk [SWAP]
zram3 252:3 0 978.5M 0 disk [SWAP]
zram4 252:4 0 978.5M 0 disk [SWAP]
zram5 252:5 0 978.5M 0 disk [SWAP]
zram6 252:6 0 978.5M 0 disk [SWAP]
zram7 252:7 0 978.5M 0 disk [SWAP]
nvme0n1 259:0 0 1.9T 0 disk
├─nvme0n1p1 259:1 0 400M 0 part /boot
├─nvme0n1p2 259:2 0 54.6G 0 part
│ └─crypt_root 253:0 0 54.6G 0 crypt /
├─nvme0n1p3 259:3 0 128M 0 part
├─nvme0n1p4 259:4 0 768K 0 part
├─nvme0n1p5 259:5 0 31.6M 0 part
├─nvme0n1p6 259:6 0 128M 0 part
├─nvme0n1p7 259:7 0 768K 0 part
├─nvme0n1p8 259:8 0 31.6M 0 part
├─nvme0n1p9 259:9 0 80M 0 part
├─nvme0n1p10 259:10 0 512K 0 part
├─nvme0n1p11 259:11 0 64M 0 part /boot/efi
├─nvme0n1p12 259:12 0 80M 0 part
├─nvme0n1p13 259:13 0 512K 0 part
├─nvme0n1p14 259:14 0 64M 0 part
├─nvme0n1p15 259:15 0 400M 0 part
│ └─crypt_UDA 253:1 0 384M 0 crypt /mnt/crypt_UDA
└─nvme0n1p16 259:16 0 479.5M 0 part
ekin@OrinNX-16GB:~$ sudo -s
root@OrinNX-16GB:~# dmesg | grep "Secure boot"
[ 0.000000] secureboot: Secure boot disabled
root@OrinNX-16GB:~#

58636369920 bytes (59 GB, 55 GiB) copied, 1289.07 s, 45.5 MB/s
writing item=18, 9:0:secondary_gpt, 61203267072, 16896, gpt_secondary_9_0.bin, 16896, fixed–0, b6fec83595c1baefd0ee58f37bbe0b462476a9f0
[ 1334]: l4t_flash_from_kernel: Successfully flash the external device
[ 1334]: l4t_flash_from_kernel: Flashing success
[ 1334]: l4t_flash_from_kernel: The device size indicated in the partition layout xml is smaller than the actual size. This utility will try to fix the GPT.
Flash is successful
Reboot device
Cleaning up…
Log is saved to Linux_for_Tegra/initrdlog/flash_3-6_0_20260128-091914.log

hello kingssize19,

please refer to Jetson Orin Fuse Specification.
as you can see..
it’s Bits [2:0] mapped to Secure Boot Authentication Scheme.
it’s Bit [3] secure boot encryption scheme (SBK) enable.
since you’ve 0x3e0, it’s all 0s for your authentication scheme

Hello JerryChang,

I'm so sorry, I said it wrong. It was 0x1E9, but now it's 0x3E9.

hello kingssize19,

FYI,
the root-of-trust that uses the NVIDIA SoCs fuses to authenticate boot codes ends at the Bootloader.
here's an approach to test secure boot by using a wrong sbk.key for image flashing.
it should report the errors below, refusing board communication.
for instance,

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0121 ] Parsing partition layout
[ 0.0143 ] tegraparser_v2 --pt secureflash.xml.tmp
[ 0.0157 ]
[ 0.0158 ] Boot Rom communication
[ 0.0179 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_1_signed.rcm
[ 0.0186 ] BR_CID: 0xe1801001647007c314000000050403c0
[ 0.0193 ] Bootrom returned error 10
[ 0.0268 ] Boot Rom communication failed
[ 0.0268 ]
Error: Return value 10
Command tegrarcm_v2 --chip 0x18 0 --rcm rcm_1_signed.rcm

Hi JerryChang,

The flash was successful. Your flash steps are right, but I added different options for the QSPI and NVMe parts.

root@OrinNX-16GB:~# dmesg | grep "Secure boot"
[ 0.000000] secureboot: Secure boot enabled
ekin@OrinNX-16GB:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 16M 1 loop
zram0 252:0 0 1.9G 0 disk [SWAP]
zram1 252:1 0 1.9G 0 disk [SWAP]
zram2 252:2 0 1.9G 0 disk [SWAP]
zram3 252:3 0 1.9G 0 disk [SWAP]
nvme0n1 259:0 0 1.9T 0 disk
├─nvme0n1p1 259:1 0 400M 0 part /boot
├─nvme0n1p2 259:2 0 54.6G 0 part
│ └─crypt_root 253:0 0 54.6G 0 crypt /
├─nvme0n1p3 259:3 0 128M 0 part
├─nvme0n1p4 259:4 0 768K 0 part
├─nvme0n1p5 259:5 0 31.6M 0 part
├─nvme0n1p6 259:6 0 128M 0 part
├─nvme0n1p7 259:7 0 768K 0 part
├─nvme0n1p8 259:8 0 31.6M 0 part
├─nvme0n1p9 259:9 0 80M 0 part
├─nvme0n1p10 259:10 0 512K 0 part
├─nvme0n1p11 259:11 0 64M 0 part /boot/efi
├─nvme0n1p12 259:12 0 80M 0 part
├─nvme0n1p13 259:13 0 512K 0 part
├─nvme0n1p14 259:14 0 64M 0 part
├─nvme0n1p15 259:15 0 400M 0 part
│ └─crypt_UDA 253:1 0 384M 0 crypt /mnt/crypt_UDA

Now I want to set ROOTFS_SIZE to 80GiB. How can I do this? I think I should change ROOTFS_SIZE in the flash_l4t_t234_nvme_rootfs_enc.xml file. Which value should I set?

hello kingssize19,

please see also the readme file for reference,
for instance, $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt
it's the option -S <APP-size> to assign the APP partition size, and EXT_NUM_SECTORS to allocate the number of sectors of the partition layout.

FYI,
for Generate images for external storage device, the EXT_NUM_SECTORS size needs to be smaller than your NVMe's actual size and bigger than the APP size.
here’s an example, assume your NVMe SSD is.. 128GiB.
Set EXT_NUM_SECTORS=240000000 (about 114GiB) → smaller than NVMe actual size.
Set -S = 100GiB → bigger than APP size.
flash command-line,
$ sudo ROOTFS_ENC=1 EXT_NUM_SECTORS=240000000 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -S 100GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

here’s test result after image flashing.

$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/crypt_root 98G 5.7G 87G 7% /
/dev/mapper/crypt_UDA 374M 14K 350M 1% /mnt/crypt_UDA
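As an added example (not code from the thread or from NVIDIA's flashing tools), the two size constraints JerryChang gives above can be checked before running l4t_initrd_flash.sh. The script assumes EXT_NUM_SECTORS counts 512-byte sectors and uses the thread's own figures (128GiB SSD, EXT_NUM_SECTORS=240000000, -S 100GiB) as constructed input; on a real board the device size would come from lsblk -b.

```python
"""Added example: sanity-check EXT_NUM_SECTORS and -S <APP-size> before flashing."""

SECTOR_BYTES = 512          # assumption: EXT_NUM_SECTORS counts 512-byte sectors
GIB = 1024 ** 3

UNITS = {"GiB": GIB, "MiB": 1024 ** 2, "KiB": 1024}


def parse_size(text):
    """Parse a size written like the '100GiB' passed to -S; bare numbers are bytes."""
    for unit, mult in UNITS.items():
        if text.endswith(unit):
            return int(text[: -len(unit)]) * mult
    return int(text)


def sectors_to_gib(sectors):
    """Translate a sector count into GiB (240000000 sectors is about 114.4 GiB)."""
    return sectors * SECTOR_BYTES / GIB


def check_layout(disk_bytes, ext_num_sectors, app_size):
    """Apply the thread's two rules: the EXT_NUM_SECTORS region must be
    smaller than the device and bigger than the APP partition.
    Returns a list of problems; an empty list means the layout is acceptable."""
    ext_bytes = ext_num_sectors * SECTOR_BYTES
    problems = []
    if ext_bytes >= disk_bytes:
        problems.append(
            f"EXT_NUM_SECTORS={ext_num_sectors} covers {ext_bytes} bytes, "
            f"but the device has only {disk_bytes}")
    app_bytes = parse_size(app_size)
    if app_bytes >= ext_bytes:
        problems.append(
            f"-S {app_size} ({app_bytes} bytes) does not fit inside "
            f"EXT_NUM_SECTORS ({ext_bytes} bytes)")
    return problems


if __name__ == "__main__":
    # Constructed device size matching the thread's 128GiB example; on hardware use:
    #   lsblk -b -d -o SIZE /dev/nvme0n1
    disk = 128 * GIB
    print(f"EXT_NUM_SECTORS=240000000 is about {sectors_to_gib(240000000):.1f} GiB")
    print(check_layout(disk, 240000000, "100GiB") or "layout OK")
    print(check_layout(disk, 240000000, "120GiB"))
```

The same check applies to the 80GiB root filesystem asked about next: pick an EXT_NUM_SECTORS below the NVMe's real sector count and confirm the -S value is smaller than that region before flashing, since a mismatch only shows up after a full (and slow) encrypted image write.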

Hi JerryChang,

Thanks for the response.

I’m encountering a new issue with my two Orin NX modules. Previously, I could flash Secure Boot and Disk Encryption images successfully. Now, using the same scripts and environment, the process fails with a “USB write timeout” during the RCM boot phase (specifically when sending mb1).

Since the hardware and scripts haven’t changed, could this be related to a corruption within the L4T (Linux for Tegra) folder or a host-side driver conflict?

hello kingssize19,

it's by default to have a unique ECID to enable disk encryption; it generates per-device encrypted disk images.
please see-also Topic 291335 to create encrypted images with a generic key (--generic-passphrase).

Hi JerryChang,

Actually I wanted to say this :

I couldn't flash secure boot after flashing disk encryption. But I always flash disk encryption to the OrinNX. Is the issue about the BootSecurityInfo value? Because I set this value to 0x3E9 from 0x1E9. Do you have any thoughts?

Note: Disk Encryption and Secure Boot have different scripts.

hello kingssize19,

as mentioned earlier, please dig into Jetson Orin Fuse Specification.
the difference between 0x1e9 and 0x3e9 is bit-9, which means an OEM key has been burned into this target.
it shows it's a target fused with PKC+SBK+OEM keys. you should also re-generate the EKS image to include OEM keys for your real use-case.
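As an added example (not code from the thread or from NVIDIA's fuse tooling), the following Python checker parses a fuse.xml of the form posted at the top of the thread and decodes the BootSecurityInfo bits that JerryChang names: bits [2:0] authentication scheme, bit [3] SBK enable, and bit 9 OEM key burned. It also flags any fuse whose hex value is longer than its declared size, which is the kind of mistake the "I don't want to make a mistake" question is about. The XML is a constructed sample with placeholder key values; bits of BootSecurityInfo that the thread does not describe are left undecoded.

```python
"""Added example: validate a Jetson fuse.xml and decode BootSecurityInfo bits."""
import xml.etree.ElementTree as ET

# Bit positions named in the thread; other bits are not described there.
AUTH_SCHEME_MASK = 0x7   # bits [2:0]: Secure Boot authentication scheme
SBK_ENABLE_BIT = 3       # bit [3]: secure boot encryption scheme (SBK) enable
OEM_KEY_BIT = 9          # bit [9]: OEM key burned

# Constructed sample; the key value is a placeholder, not a real fuse value.
PLACEHOLDER_KEY = "11" * 32
SAMPLE_FUSE_XML = f"""<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="OdmInfo" size="4" value="0x21" />
<fuse name="PscOdmStatic" size="4" value="0x00000060" />
<fuse name="OemK1" size="32" value="0x{PLACEHOLDER_KEY}" />
<fuse name="BootSecurityInfo" size="4" value="0x3E9" />
</genericfuse>"""


def parse_fuses(xml_text):
    """Return {name: (size_in_bytes, value_string)} for each <fuse> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "genericfuse" or root.get("MagicId") != "0x45535546":
        raise ValueError("not a genericfuse document with the expected MagicId")
    return {f.get("name"): (int(f.get("size")), f.get("value"))
            for f in root.findall("fuse")}


def check_sizes(fuses):
    """Names of fuses whose hex value has more digits than size*2 allows."""
    bad = []
    for name, (size, value) in fuses.items():
        digits = value[2:] if value.lower().startswith("0x") else value
        if len(digits) > size * 2:
            bad.append(name)
    return bad


def decode_boot_security_info(value):
    """Decode only the BootSecurityInfo fields the thread documents."""
    return {
        "auth_scheme": value & AUTH_SCHEME_MASK,
        "sbk_enabled": bool(value >> SBK_ENABLE_BIT & 1),
        "oem_key_burned": bool(value >> OEM_KEY_BIT & 1),
    }


def changed_bits(old, new):
    """Bit positions that differ between two 32-bit fuse values."""
    return sorted(i for i in range(32) if (old ^ new) >> i & 1)


if __name__ == "__main__":
    fuses = parse_fuses(SAMPLE_FUSE_XML)
    print("oversized values:", check_sizes(fuses) or "none")
    bsi = int(fuses["BootSecurityInfo"][1], 16)
    print(hex(bsi), decode_boot_security_info(bsi))
    # The thread's before/after values differ only in bit 9.
    print("0x1E9 -> 0x3E9 changes bits:", changed_bits(0x1E9, 0x3E9))
```

Running the checker against the real fuse.xml before burning is cheap insurance: fuses are one-time programmable, and a value that is one hex digit too long, or a BootSecurityInfo whose authentication bits decode to 0, is easier to catch in XML than after the burn.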

Hello Jerry Chang,

I would like to sign the Image, dtb and extlinux files on an Orin NX 16GB that also has secure boot and disk encryption.

I already did this for secure boot only.

I have an example part of the code for signing the dtb, shown below. (it was successful for Secure boot/FTPM only)

./scripts/l4t_uefi_sign_image.sh \
--image "$conf_file" \
--key uefi_keys/db_2.key \
--cert uefi_keys/db_2.crt \
--mode split

But it didn't work on the Orin NX (it has Secure boot and Disk encryption).
The Error (In boot time):

Press 0-1 to boot selection within 3.0 seconds.
Press any other key to boot default (Option: 1)
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
OpenAndReadFileToBuffer: \boot\dtb\orin_nx_super_wifi_uart_tpm0.dtb failed signature verification: Unsupported
ExtLinuxBoot: Failed to authenticate boot\extlinux\extlinux.conf (Unsupported)

hello kingssize19,

you have to generate eks_t234.img with your user keys, such as OEM_K1, sym2_t234
for instance,

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img

please update the EKS image, and then perform image flashing.
here are brief steps to have disk encryption on fused Orin-NX.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash -u rsa_priv-3k.pem -v sbk.key --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -u rsa_priv-3k.pem -v sbk.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u rsa_priv-3k.pem -v sbk.key --network usb0 --flash-only

Hi JerryChang,

You didn't understand me. The system already boots. But I want the system to stay internal using the DTBs I want. But it doesn't work like that, so I need to sign the dtb, extlinux and Image files in order to use MIPI cameras on the OrinNX (FTPM+Disk Enc.)

hello kingssize19,

you may ignore the FDT entry in extlinux.conf; it'll load the device tree blob via partition.
please check the partitions for the DTB file, it's already signed and written to the partitions.
for instance,

$ ls -al /dev/disk/by-partlabel/
...
lrwxrwxrwx 1 root root  15 Aug 26  2025 A_kernel-dtb -> ../../mmcblk0p3
lrwxrwxrwx 1 root root  15 Aug 26  2025 B_kernel-dtb -> ../../mmcblk0p6

Hello JerryChang,

I have two important questions.

First, how can I write the Image file and DTB file to A_kernel-dtb, B_kernel-dtb, or both of them?

Second, how can I sign the dtb and Image file? In addition, should I write only the dtb file or write both the dtb and Image?

hello kingssize19,

you'll need to update the dtb binary file under $OUT/Linux_for_Tegra/bootloader/ and then perform image flashing; it's an internal script that handles the process.
besides.. partition update has been disabled for secureboot devices, you'll need to perform a full flash.

Hello JerryChang,

That sounds terrible for development. I need to be able to do this at runtime or use a method like extlinux.conf because I have many combinations for MIPI cameras, meaning I have a lot of different DTB and Image files to test.

Doing a full flash for every change is not feasible. Is there any different method to bypass the full flash requirement just to update the signed kernel and DTB?

hello kingssize19,

please give it a try with below..
$ sudo EXTOPTIONS="-r" FAB=000 BOARDID=3767 BOARDSKU=0005 CHIP_SKU=00:00:00:D5 ./tools/kernel_flash/l4t_initrd_flash.sh -u ~/Desktop/Keys/Orin_Nano-8GB_key/ecp521_v3_0.pem -v ~/Desktop/Keys/Orin_Nano-8GB_key/sbk-256.key --no-flash -k A_kernel-dtb jetson-orin-nano-devkit internal

I've tested it; it should create a signed/encrypted dtb by running that command.
for instance,
./tegraflash.py --chip 0x23 --cmd "sign kernel_tegra234-p3768-0000+p3767-0005-nv.dtb kernel_dtb" --key "/home/jerry/Desktop/Keys/Orin_Nano-8GB_key/ecp521_v3_0.pem" --encrypt_key "/home/jerry/Desktop/Keys/Orin_Nano-8GB_key/sbk-256.key" --bct_backup --boot_chain A
*** kernel_tegra234-p3768-0000+p3767-0005-nv.dtb has been signed successfully. ***