Questions regarding secure boot

I have three questions regarding secure boot.
I’m using L4T 35.4.1 with Orin AGX 32 GB custom carrier board.

  1. Does odmfuseread.sh work for Orin? Experiment shows it doesn't, and the help information also shows it supports 0x18 and 0x19 only?

  2. I can successfully burn fuses with PKC, SBK and OEMK1. However, in Linux user mode I can only read PKC_HASH, as the others might be hidden. How do I know if the boot partitions, e.g. TOS, EKS, are encrypted? Because even on a device without fuses burned/secure boot enabled, the flashing log also names the TOS with something like:

[ 268.6981 ] Writing partition A_secure-os with tos-optee_t234_sigheader.img.encrypt [ 1064752 bytes ]
[ 280.6089 ] [................................................] 098%
[ 280.6089 ] [................................................] 100%
[ 293.5135 ] Writing partition A_eks with eks_t234_sigheader.img.encrypt [ 9232 bytes ]
  3. Why does only the hash of the PKC need to be fused? I thought one needs the pubkey to check a signature generated by the private key?

hello user16748,

>>Q1
It should be that the help info was not updated; you may try the below to parse fuse variables.
$ sudo ./odmfuseread.sh -i 0x23 jetson-agx-orin-devkit

>>Q2
Did you check /sys/devices/platform/tegra-fuse for fuse variables?
Has SecurityMode been burned? If yes, due to security concerns, you will get 0xffff… when reading these fuses.

>>Q3
Please refer to the Orin Reference Fuse Configuration File. There are several fuse variables for the Orin series.
Please also check the Jetson Orin Fuse Specification for more details.

Thanks Jerry for the reply.

A1-> I will try and feed back
A2-> This is helpful information. It does not have ALL the fuses, which is probably expected. This does not answer my original question, though. And it prompts me to ask another question, Q4, in the following part.
A3-> I referenced those documents. They tell me how to use it but did not answer the question of why a “hash” of a “pubkey” is enough to verify a signature; I thought you need the “pubkey” itself. I will also do my own research.

Q4: I have the security_info as 0s, but in my fuse.xml I had 0x209

/sys/devices/platform/tegra-fuse# cat boot_security_info 
0x00000000

Part of fuse.xml
<fuse name="BootSecurityInfo" size="4" value="0x209"/>
The BootSecurityInfo is fused at the same time as the PKC hash and SBK, so there is no reason for it to not be fused and read 0.
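
On the Q3/A3 question above (why fusing only a hash of the public key can be enough): in this general pattern the full public key ships alongside the signed image, and the fused hash is used to authenticate that key before the key checks the signature. The Python below is an added illustration, not code from this thread or from NVIDIA's boot chain; the toy RSA key, the use of SHA-256, the key serialization and every function name are assumptions and do not reflect Orin's actual key formats or algorithms.

```python
import hashlib
import hmac

# Toy RSA key built from two Mersenne primes: constructed for illustration, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the signing host


def key_bytes(n, e):
    """Serialize a public key (hypothetical layout: modulus || exponent)."""
    return n.to_bytes(144, "big") + e.to_bytes(4, "big")


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def fuse_value(n, e):
    """What gets burned once into the device: only the hash of the public key."""
    return hashlib.sha256(key_bytes(n, e)).digest()


def sign_image(payload):
    """Host side: sign the payload and ship the full public key next to it."""
    return {"payload": payload, "pubkey": (N, E),
            "sig": pow(digest_int(payload), D, N)}


def boot_verify(image, fused_hash):
    """Device side: authenticate the shipped key first, then the signature."""
    n, e = image["pubkey"]
    if not hmac.compare_digest(hashlib.sha256(key_bytes(n, e)).digest(), fused_hash):
        return "reject: public key does not match fused hash"
    if pow(image["sig"], e, n) != digest_int(image["payload"]):
        return "reject: bad signature"
    return "boot"


def demo():
    fused = fuse_value(N, E)
    good = sign_image(b"constructed bootloader image")
    tampered = dict(good, payload=b"modified bootloader image")
    # Image validly signed, but with a different (also constructed) key pair
    n2 = (2**127 - 1) * (2**521 - 1)
    d2 = pow(E, -1, (2**127 - 2) * (2**521 - 2))
    other = {"payload": b"other image", "pubkey": (n2, E),
             "sig": pow(digest_int(b"other image"), d2, n2)}
    return [boot_verify(i, fused) for i in (good, tampered, other)]
```

The third case is the one the fused hash exists for: the signature is mathematically valid under the shipped key, but that key's hash differs from the fused value, so the image is rejected before the signature is even considered.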

Is it possible to share your full fuse-burning/image-flashing steps for reference? You may omit those keys when sharing.