Meaning of unexplained fuses in AGX Xavier


I have a question regarding the meaning of some of the AGX Xavier’s fuses:

  • Endorsement key
  • ODM Fuse Encryption Key usage enable bit and selectors
  • Fuse secure provision info
  • How exactly are ECC fuses computed?

These fuses are mentioned only in the fuse specification appnote, but don’t seem to be documented elsewhere.


hello initrd.img,

aren’t there descriptions in the Application Note, i.e. Jetson AGX Xavier Series Fuse Programming?
please share more details of your questions. thanks

No, there are no descriptions for those fuses in the mentioned application note. They are mentioned, yes, but I’m unable to find their meaning.


Endorsement Key
This key might be burning in encrypted form,
with decryption performed by boot ROM.

What encryption scheme is used? How does this key affect device operation? How is this key used?

I’m building a flashing scheme where keys are generated and stored on a server and released only as ready fuse blobs. So the ability to perform some kind of secure fuse provisioning would be beneficial. Fuse names suggest that something like this is already present in Xavier, but unfortunately there is absolutely no info apart from fuse names and short descriptions.

hello initrd.img,

please check below for details…

  • Endorsement key
    • Endorsement key is a private key that system manufacturers can burn into the fuse to create an identity for the device, which is used for telling if it’s a genuine device.
  • Fuse secure provision info
    • That’s factory secure provision mode. it can generally be kept as zero.
  • ODM Fuse Encryption Key Select
    • These bits are not supported currently, please ignore them.
  • Fuse ECC
    • Fuse ECC is handled internally.
    • note: the secure-boot-related fuses may be protected by FUSE_SECURITY_MODE. other fuses, like FUSE_RESERVED_ODM, can be programmed as long as those bits are available.

Thank you for the response.

Is there any documentation or application notes regarding this mechanism?

hello initrd.img,

we don’t have public release documentation to cover this currently.

hello initrd.img,

per your questions in post #4.

What encryption scheme is used? How does this key affect device operation? How is this key used?

the encryption scheme is AES-CBC.
this key is EK, which is basically a private key and its usage can be defined by users.
the public key certificate can be used as the device’s identity (note, make sure EK key pair is unique per device).
you’ll need to encrypt it because it’s a private key.
please also see FUSE_BOOT_SECURITY_INFO [15:0] in the Fuse Programming Application Note.
if bit-[3], ODM FEK usage, is enabled, the encryption key is decided by bit-[6:4], ODM Fuse Encryption Key Select.
hence, there are only 6 keys (i.e. OEMKey1 ~ OEMKey6) which can be assigned.
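
An added example, not part of the thread and not NVIDIA code: a pre-release lint that a key server could run over a batch of fuse records, using the bit positions and the per-device EK uniqueness rule from the reply above. The record layout, the names `decode_fek` and `lint_batch`, and the selector-to-key mapping are assumptions; the thread does not give the selector encoding, so the caller must supply it.

```python
import hashlib

FEK_ENABLE_BIT = 3      # FUSE_BOOT_SECURITY_INFO bit [3]: ODM FEK usage (from the thread)
FEK_SELECT_SHIFT = 4    # bits [6:4]: ODM Fuse Encryption Key Select (from the thread)
FEK_SELECT_MASK = 0x7
ASSIGNABLE_KEYS = 6     # OEMKey1..OEMKey6 (from the thread)


def decode_fek(boot_security_info):
    """Return (fek_enabled, fek_select) from a 16-bit FUSE_BOOT_SECURITY_INFO value."""
    if not 0 <= boot_security_info <= 0xFFFF:
        raise ValueError("FUSE_BOOT_SECURITY_INFO is a 16-bit field")
    enabled = bool((boot_security_info >> FEK_ENABLE_BIT) & 1)
    select = (boot_security_info >> FEK_SELECT_SHIFT) & FEK_SELECT_MASK
    return enabled, select


def lint_batch(records, select_to_key):
    """Check a batch before release. records: dicts with 'serial', 'ek_public' (bytes)
    and 'boot_security_info' (int). select_to_key: selector value -> key name, to be
    taken from vendor documentation (assumption: the thread gives no encoding)."""
    if len(select_to_key) > ASSIGNABLE_KEYS:
        raise ValueError("only six OEM keys can be assigned")
    findings, seen = [], {}
    for rec in records:
        serial = rec["serial"]
        # EK key pairs must be unique per device: compare public-key fingerprints.
        fp = hashlib.sha256(rec["ek_public"]).hexdigest()
        if fp in seen:
            findings.append((serial, f"EK public key already issued to {seen[fp]}"))
        else:
            seen[fp] = serial
        enabled, select = decode_fek(rec["boot_security_info"])
        if enabled and select not in select_to_key:
            findings.append((serial, f"FEK enabled but selector {select} names no key"))
        elif not enabled and select:
            findings.append((serial, f"selector {select} set while FEK usage is disabled"))
    return findings


# Constructed sample data; the selector encoding below is a placeholder, not NVIDIA's.
SAMPLE_ENCODING = {n: f"OEMKey{n}" for n in range(1, 7)}
SAMPLE_BATCH = [
    {"serial": "DEV-0001", "ek_public": b"constructed-pubkey-A", "boot_security_info": 0x0018},
    {"serial": "DEV-0002", "ek_public": b"constructed-pubkey-A", "boot_security_info": 0x0078},
    {"serial": "DEV-0003", "ek_public": b"constructed-pubkey-B", "boot_security_info": 0x0020},
]

if __name__ == "__main__":
    for serial, message in lint_batch(SAMPLE_BATCH, SAMPLE_ENCODING):
        print(serial, message)
```

Because fuses cannot be rewritten, a batch with any finding should be held back rather than released to the flashing station.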
