PKC revocation question

Robotics & Edge Computing Jetson Systems Jetson Orin NX
1

Hello,

I’m looking at the revocation of PKC and I would like some confirmation on my understanding.
Can I revoke a PKC using only a capsule update?

In the example provide in the documentation ( Secure Boot — NVIDIA Jetson Linux Developer Guide ), It mention this:

  1. Add revoke_pk_h0 = <1> to tegra234-br-bct-p3767-0000-l4t.dts:

  2. Flash with rsa3k-1.pem or rsa3k-2.pem:

  3. Use the UEFI Capsule update to revoke the first PKC key.

Does that mean a flash is needed in all case?
Does flashing the modified br-bct does not revoke the PKC after the flash directly?

Best regards

Alexandre

5

hello AFR,

you would like to have PKC key revocation without a host machine, right?
it should works via OTA or firmware capsule update though we did not actually test it.

in general,
you should prepare the OTA payload with proper mb1_bct.
here’re brief steps for your reference,
(1) Please update DEV_PARAMS, i.e. $OUT/Linux_for_Tegra/bootloader/generic/BCT/tegra234-br-bct-p3701-0000.dts for adding revoke_pk_h0 = <1> to revoke the first PKC (FUSE_PUBLIC_KEY) key.
(2.1) You should also visit L4T page to download same release version [OTA Tools] package.
(2.2) You may refer to developer guide for [Preparing the OTA Payload Package] section to prepare the OTA payload.
(3) Running below commands to generate an OTA payload package to only update Bootloader.
for example, $ sudo -E ./tools/ota_tools/version_upgrade/l4t_generate_ota_package.sh -b jetson-agx-orin-devkit R36-4

6

Hello,

If it’s not really tested, does the recommended way to revoke the PKC is to use a host machine?

Using a host machine is possible if it’s safer.

Best regards

7

hello AFR,

please refer to developer guide, Revocation of the PKC Keys.

8

Hello,

I mean my original use extract of this link, why in the example a flash and capsule are used?

From my understanding, if you flash with a br-bct with “revoke_pk_h0 = <1>”, the capsule should not be needed, or is there something I do not see in you example?

Best regards

Alexandre

9

hello AFR,

PKC key revocation is through settings in mb1_bct and fuse burned by mb2 during boot.

10

Hello,

Does that mean the example is incorrect and step 1,2 or 1,3 are enough?

An Example: Revoking the First PKC key (rsa3k-0.pem)

  1. Add revoke_pk_h0 = <1> to tegra234-br-bct-p3767-0000-l4t.dts:
  2. Flash with rsa3k-1.pem or rsa3k-2.pem:
  3. Use the UEFI Capsule update to revoke the first PKC key.

I will try on one of the board we have but as revocation is definitive I want to make sure I have the correct procedure.

Best regards

Alexandre

11

hello AFR,

it’s assume image flashed with 1st PKC before (rsa3k-0.pem), and you should follow those step-1,2,3 to revoke the 1st PKC key.

13

Hello,

FYI, I tested the revocation of PKC using the capsule update of the bootloader and it work.

Best regards