Public_key_hash fuse

Hello. I have some doubts about the public_key_hash fuse. I noticed that public_key_hash is described as “RSA public key hash” in the NVIDIA Jetson Linux Developer Guide. But why do we need a hash of a public key? Where is the PKC_key? Is it also in fuse devices? And are the public_key_hash and the PKC_key already burned when we buy the Jetson Xavier/Xavier NX, or do we need to burn them ourselves?

hello gfan100,

SecureBoot is to prevent execution of unauthorized code during the boot process through a chain of trust;
it uses key pairs of Public Key Cryptography (PKC) to protect the boot sequence for SecureBoot.

SecureBoot is not enabled by default.
You may also access the Jetson Platform Fuse Burning and Secure Boot Documentation and Tools via the download center for the package.
Please also check the developer guide, SecureBoot chapter, for reference.
Thanks

hello Chang,
I thought trusted apps could also use the PKC_key in fuse devices. Is the PKC_key only used for Secureboot?
thanks

hello gfan100,

The root-of-trust is on-die bootROM code that authenticates boot codes such as BCT, bootloader, and warmboot vector using Public Key Cryptography (PKC) stored in write-once-read-multiple fuse devices.

FYI,
there are also the Secure Boot Key (SBK) and Key Encryption Key (KEK), which you may fuse while enabling SecureBoot,
for example,
SBK with an AES encryption key for other security applications.
KEK is used to encode some Key Encryption Key and/or Key Seed.

Here’s a TA example, hwkey-agent.
TA based on this reference for any device that burns AES keys into fuses (KEK, SBK, etc.), if the device is to be provisioned with an encrypted blob containing keys or other encrypted content.

Please also access the Jetson AGX Xavier Fuse Specification App Note;
you should check [Table 1. Fuse Names and Descriptions] for the details.
Thanks
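
On the opening question of why a hash of the public key is fused: the sketch below is an added example, not part of the thread and not NVIDIA code. It shows the general pattern in which only a short hash sits in fuses while the full public key travels with the boot image and is checked against that hash before it is used. The SHA-256 choice, the key serialization, the function names and the unpadded toy RSA key built from two Mersenne primes are all assumptions for illustration.

```python
import hashlib
import hmac

# Constructed toy RSA key (two Mersenne primes); real keys are generated randomly.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the signing host

def key_blob(n, e):
    """Hypothetical serialization of the public key shipped beside the image."""
    size = (n.bit_length() + 7) // 8
    return n.to_bytes(size, "big") + e.to_bytes(4, "big")

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(image, n=N, d=D):
    """Signing-host side: textbook RSA over SHA-256, no padding (illustration only)."""
    return pow(digest_int(image), d, n)

def rom_verify(fused_hash, n, e, image, signature):
    """Boot-ROM side: only the 32-byte fused hash is trusted; key and image are not."""
    # Step 1: authenticate the supplied public key against the fused hash.
    supplied = hashlib.sha256(key_blob(n, e)).digest()
    if not hmac.compare_digest(supplied, fused_hash):
        return "reject: public key does not match fused hash"
    # Step 2: use the now-trusted key to check the image signature.
    if pow(signature, e, n) != digest_int(image):
        return "reject: bad signature"
    return "boot"

# Value burned once at provisioning: 32 bytes instead of the whole key.
FUSED_HASH = hashlib.sha256(key_blob(N, E)).digest()

if __name__ == "__main__":
    image = b"constructed bootloader image"
    print(len(key_blob(N, E)), "byte key vs", len(FUSED_HASH), "byte fused hash")
    print(rom_verify(FUSED_HASH, N, E, image, sign(image)))
```

The private half of the key pair never appears on the device in this pattern; only the hash of the public half is written to fuses.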