In Jetpack 36.3, the example.sh in nvidia-jetson-optee-source/optee/samples/hwkey-agent/host/tool/gen_ekb used OEM_K2 as the source key used to derive the EKB AK key.
In Jetpack 36.4 this has changed to use OEM_K1 and the doc explicitly states " We recommend that you use the OEM_K1 fuse as the EKB fuse key.".
I cannot see in the doc that OEM_K2 is used for anything related to Secureboot or encryption.
Looking at jetson_user_key_pta.c in JP36.4, it seems both K1 and K2 are now used to derive the root key that is then used to calculate the derived keys that are used to decrypt and authenticate the EKB. This is different from JP36.3:
se_aes_keyslot_t fuse_key_for_ekb[] = { SE_AES_KEYSLOT_OEM_K1, SE_AES_KEYSLOT_OEM_K2 };
se_aes_keyslot_t fuse_key_for_ssk = SE_AES_KEYSLOT_OEM_K2;
ekb_extraction_process()
...
for (i = 0; i < ekb_rks_num; i++) {
....
This seems to conflict with the recommendation in the doc of only using OEM_K1, so what, if anything should we program in OEM_K2? Is it safe to leave it unprogrammed? Are we better off programming it in case it is used in the future?
In the Jetson Orin Fuse Specification, I came across fuses “FUSE_KEYS_PSC_STATIC_OEM_0_0_0” and “FUSE_KEYS_PSC_STATIC_OEM_0_1_0” which contain bits OEM_K1_PURPOSE and OEM_K2_PURPOSE:
[3:0]: OEM_K1_PURPOSE, defines the exact usage for key OEM_K1
[7:4]: OEM_K2_PURPOSE, defines the exact usage for key OEM_K2
How is this fuse used exactly? The list of values for OEM_K1_PURPOSE and OEM_K2_PURPOSE just contains acronyms. Does it need to be burnt to enable full Secureboot?
they’re all ODM fuse bits, for Jetson Orin SoC, there’re OemK1 and OemK2, both of the keys length is 32 bytes.
they’re used to generate the EKB image, as you can see per Tool for EKB Generation section.
re-cap as below.
the EKS image is encrypted and signed by the OEM_K1 (or OEM_K2 in earlier releases).
I know the OEM_Kx is used to derive a root key which is itself used to sign and encrypt the EKB.
But in JP36.3 it was OEM_K2 that was used, now in JP36.4 they are both used to try and ‘open’ the EKB. I don’t know what future JP releases will do. So what is NVidia’s recommendation? Is it safe to program them both and say use OEM_K1 as per the current recommendation?
Could you address my other questions (copied below for convenience)?
In the Jetson Orin Fuse Specification, I came across fuses “FUSE_KEYS_PSC_STATIC_OEM_0_0_0” and “FUSE_KEYS_PSC_STATIC_OEM_0_1_0” which contain bits OEM_K1_PURPOSE and OEM_K2_PURPOSE:
[3:0]: OEM_K1_PURPOSE, defines the exact usage for key OEM_K1
[7:4]: OEM_K2_PURPOSE, defines the exact usage for key OEM_K2
How is this fuse used exactly? The list of values for OEM_K1_PURPOSE and OEM_K2_PURPOSE just contains acronyms. Does it need to be burnt to enable full Secureboot?
For context, I am need to understand exactly what fuses to burn so we can manufacture/ship our product.
FYI. OEM_K1, it is the root of trust of EKB, and it is used to derive the RPMB key too. OEM_K2, it is to derive the PV encryption key. If you don’t need to encrypt CPUBL with a PV key, you don’t need to care about OEM_K2.