Private key stored in FUSEs

terry8uwg2 · February 22, 2021, 9:23pm

We are looking for solution to store other private key not limited to secureboot key. we noticed that there are ODM reserved bit in fuse.
(FUSE_RESERVED_ODM0 [31:0])

Repost per request
old post in RSA or ECC private key stored in FUSEs

/…/
(FUSE_RESERVED_ODM7 [31:0])

Is it NVIDIA’s recommendation to store a private key in these fuses for the Jetson Nano or is there another recommended way to store a private key?

Thanks

JerryChang · February 23, 2021, 2:26am

hello terry8uwg2,

may I know what’s your actual use-case?

terry8uwg2 · March 2, 2021, 1:58am

we have per device mqtt key and model encryption key for example we want to put into the fuse .

JerryChang · March 2, 2021, 6:31am

hello terry8uwg2,

it may not works for Jetson Nano.

the concept of Secureboot is to prevent execution of unauthorized code during boot process through chain-of-trust;
those authenticates boot components (such as, Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using private key.
once the ODM production mode bit is burned, fused keys can no longer be read.

you may enable TA/CA services to perform a secure operation,
however, it’s secureOS feature and it only applies to: Jetson Xavier NX, Jetson AGX Xavier series, and Jetson TX2 series devices.
please also check developer guide, Trusty, a Trusted Execution Environment for reference,
thanks

terry8uwg2 · March 2, 2021, 7:29am

hi Jerry, I understood the secureboot is different thing . what i am asking is if i can leverage fuse to store other key if fuse is large enough . i think fuse and secureboot are different topic.

JerryChang · March 2, 2021, 8:40am

hello terry8uwg2,

it’s ODM field fuses, for example, it’s 256-bits of field programmable ODM_Reserved fuses.
you may check those fuse via sysnode, for example, /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/reserved_odm*
note,
once the ODM production mode bit is burned, fused keys can no longer be read.
thanks

terry8uwg2 · March 2, 2021, 4:35pm

Hi Jerry
“once the ODM production mode bit is burned, fused keys can no longer be read” can you explain how to read the ODM field then ? if we put key in the ODM field and how the application read these key ?

JerryChang · March 3, 2021, 2:21am

hello terry8uwg2,

to clarify,
fused keys can no longer be read once the ODM production mode bit is burned; the only exception is the Reserved_ODM fuses; Reserved_ODM will be disabled after you’d program the ODM_lock fuse bit.

it’s Secureboot is to prevent execution of unauthorized code during boot process through chain-of-trust.
so,
you may have your use-case to store keys in fuse for using before program the ODM_lock.

terry8uwg2 · March 3, 2021, 2:32am

Hi Jerry,

what’s purpose of ODM_LOCK if we can not read them afterwards. in our case do you suggest we can use these 256-bits field but never lock the fuse bit ?

JerryChang · March 3, 2021, 3:24am

hello terry8uwg2,

these keys were actually used for Jetson security, ODM_lock being the final step for make the device for production.

terry8uwg2 · March 3, 2021, 4:50am

Hi Jerry

so i am sorry i sitll dont know how should i use these field . ? Should i store our priviate key but not lock the fuse bit ? otherwise you said i can not read them . we are looking for a place we can save priviate key and read it out after system boot up

JerryChang · March 3, 2021, 6:04am

hello terry8uwg2,

please avoid to burn ODM production and also ODM lock to program the fuse,
after system boot-up, you’re able to read the fuse (via, efuse) for your use-case.
thanks

terry8uwg2 · March 3, 2021, 6:13am

should i use sudo ./odmfuse.sh -i <chip_id> -c PKC -p -k <key.pem> [-D <DK_file>] in the factory to burn it first then after booting up the program can read via /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/reserved_odm* ?

JerryChang · March 3, 2021, 6:24am

hello terry8uwg2,

please refer to developer guide, Secureboot.
you may exclude -p options, since it’ll sets production mode.

terry8uwg2 · March 22, 2021, 7:05am

hi Jerry,

Eventually, i wang to enable secure boot which means i need turn on the production mode . At same time i need addtioanl bit to store addtional key and I am looking at odm_reserved field. if dont set odm_production_mode to 1 but dont set odm_lock . will secureboot still work also i can still read the /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/reserved_odm* after system boot up ?

JerryChang · March 22, 2021, 7:08am

Reserved_ODM will be disabled once you’d program the ODM_lock fuse bit.

terry8uwg2 · March 22, 2021, 7:10am

sorry i meant if i set odm_production_mode to 1 but dont set odm_lock. will secureboot still work also i can still read the /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/reserved_odm* after system boot up ?

JerryChang · March 22, 2021, 8:04am

hello terry8uwg2,

yes, please check post #9 for the details.
thanks

Topic		Replies	Views
RSA or ECC private key stored in FUSEs Jetson Nano security	8	716	October 15, 2021
Xavier store custom key in odm_reserved Fuses Jetson AGX Xavier board-design , security	12	1291	October 18, 2021
Data encryption using secure boot and odm_reserved fuse in Jetson Nano Jetson Nano security	11	2923	August 18, 2021
Jetson nano secure boot with encrypted filesystem Jetson Nano boot , security	10	2716	October 15, 2021
Burning ODM_RESERVED fuses after ODM_PRODUCTION_MODE is not working Jetson Xavier NX security , nvbugs	25	881	March 2, 2025
Problem when trying to burn ODM Reserved fuses Jetson Nano security	8	428	November 6, 2023
Encrypted boot loader support on Jetson Nano? Jetson Nano security	5	960	October 18, 2021
Help burning fuses after PublicKeyHash fuse was burned Jetson Orin NX reflash , security , nvbugs	14	48	March 21, 2025
Jetson Nano secureboot Jetson Nano security	12	1590	October 15, 2021
How to burn ODM fuse bits? Jetson Nano	23	4204	October 14, 2021

Private key stored in FUSEs

Related topics