Re-fusing keys

We have a few boards that have been fused with the following command

FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 -c PKC -p -k myPrivatePkc.pem -S mySBK.key -KEK2 myKek2.key jetson-xavier-nx-devkit-emmc

1- Does this command burn two keys (PKC and SBK) or 3 keys? What is the KEK2 option for?

2- I have read that it may be possible to change the fused keys on the device by re-fusing them (changing some of the zeros to ones). Is this possible and do you have any examples on how to do this? If possible, I would like to see examples on how we convert our existing keys to binary and then change the bits.

Thanks,
Kaveh

hello KavehA,

as mentioned in the L4T developer guide, see for instance Burn Fuses with the Fuse Configuration file.

Fuse burning operations are high-risk because they cannot be reversed.

let’s take your fuse command line as an example,
actually, it looks incorrect…

the authentication type should be SBKPKC, since you’ve given PKC and SBK keys.
besides, KEK2 is the key encryption key; please also note that KEK2 is a 128-bit key file.

Thank you Jerry, is it possible to re-fuse a device that has already been fused (by converting some of the zeros to 1s)? Any instructions on how to do this?

hello KavehA,

it’s suggested to program fuse variables at once,
anyways, may I know which fuse variable you would like to re-fuse?

Thank you Jerry, I assume the above command is burning SBK, PKC and KEK keys, so we want to change all those 3 keys if possible.

hello KavehA,

honestly, I’ve never tested it before.
you may test the below to re-fuse at your own risk.
$ ./odmfuse.sh -i <TegraID> --auth SBKPKC [options]

hello KavehA,

I did not realize that you’ve the -p option enabled (the ODM production mode fuse, aka “Security Mode”),
it’s the fuse to lock the values of the other manufacturing fuses.
you cannot change them (SBK, PKC and KEK keys) once the ODM production mode fuse has been programmed.
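
Added example, not part of the thread and not NVIDIA's code: a small Python check of the one-way property discussed above, showing how a burned key and a wanted key compare bit by bit and how the ODM production mode fuse overrides the result. It assumes keys are given as a single hex string with an optional 0x prefix; the function names and sample values are constructed for illustration.

```python
# Added illustration: can a burned one-time-programmable fuse field reach a new value?
# Assumptions (not from the thread): keys are given as one hex string with an
# optional 0x prefix; all names and sample values below are constructed.

KEY_BITS = 128  # the thread states KEK2 is a 128-bit key


def parse_key(hex_text, bits=KEY_BITS):
    """Convert a hex key string to an integer, enforcing the exact width."""
    digits = "".join(hex_text.split()).lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) * 4 != bits:
        raise ValueError("expected %d bits, got %d" % (bits, len(digits) * 4))
    return int(digits, 16)


def refuse_plan(burned, wanted, production_mode):
    """Classify a re-fuse request. Fuse bits only go 0 -> 1, never back."""
    must_clear = burned & ~wanted  # bits already 1 that the new key needs as 0
    must_set = wanted & ~burned    # bits still 0 that the new key needs as 1
    if production_mode:
        verdict = "locked"          # -p was burned: key fuses can no longer change
    elif must_clear:
        verdict = "impossible"      # would require turning a 1 back into a 0
    elif must_set:
        verdict = "burn-more-bits"  # new value is a bitwise superset of the old
    else:
        verdict = "unchanged"
    return {"verdict": verdict, "must_set": must_set, "must_clear": must_clear}


# Constructed sample values (not real keys).
BURNED = parse_key("0x" + "0" * 28 + "f0f0")
WANTED_SUPERSET = parse_key("0x" + "0" * 28 + "f0ff")
WANTED_OTHER = parse_key("0x" + "0" * 28 + "0ff0")

if __name__ == "__main__":
    for name, wanted in (("superset", WANTED_SUPERSET), ("other", WANTED_OTHER)):
        for locked in (False, True):
            plan = refuse_plan(BURNED, wanted, locked)
            print(name, "production_mode=%s" % locked, plan["verdict"],
                  "set=%032x" % plan["must_set"], "clear=%032x" % plan["must_clear"])
```

The check models only the physical 0-to-1 constraint and the lock; it says nothing about whether the fusing tools accept such a request, which the thread reports as untested.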
