Reading CVM on PKC/SBK or PKC+SBK fused devices without supplying the keys

Hi,

flash.sh has a --no-flash option that provides flashcmd.txt, which contains the command to flash a device in production without exposing the PKC/SBK keys there.

However, is there a similar system for reading EEPROMs on fused devices?

hello jsabzk6o,

As mentioned in Flashing Script Usage, the option --no-flash performs all steps except physically flashing the board. The script creates a system.img file.

The flash script parses the EEPROM for those environment variables;
however, you may assign them on the flash command line to override the EEPROM values. Or, there’s an option, SKIP_EEPROM_CHECK=1, to bypass the check.
for instance,
$ sudo SKIP_EEPROM_CHECK=1 BOARDID="3701" FAB="300" BOARDSKU="0004" BOARDREV="C.2" CHIP_SKU=00:00:00:D2 ./flash.sh jetson-agx-orin-devkit internal

Hi JerryChang,

This is known, but there is a need to read the CVM EEPROM on a fused device. The issue is that it can be done via flash.sh, but as far as I have checked, it is only possible if one supplies the used PKC/SBK keys as parameters to the script. This is a bit of a problem from a key management point of view.

--no-flash generated a flash script that does the flashing without exposing the full keys; I was just wondering if this would be possible to do for the --read-info command?

I gather that it seems not to be the case, but can you confirm this?

hello jsabzk6o,

Is it a must to read the CVM EEPROM through the host machine (via RCM mode)?
Is it acceptable to boot up the target and retrieve the content through the bootloader?

Hi JerryChang,

In the current situation, the CVM needs to be read through the host machine. This is due to the fact that we cannot rely on a situation where the system would actually boot up far enough to get the CVM EEPROM read via other means.

hello jsabzk6o,

May I have more details, or could you please give an example: what’s the board info you’re checking by reading the EEPROM?

Hi JerryChang,

We are parsing the following data from the CVM EEPROM:

  • Module serial
  • Ethernet MAC

The module serial is the most important.

hello jsabzk6o,

Sorry, it cannot read the CVM without the PKC/SBK keys.
Furthermore, that’s why we can use those keys (i.e. PKC/SBK) to protect the fused board.

Please see also To Determine Whether the Developer Kit Is in Force Recovery Mode.
You may check via lsusb for different modules; is this sufficient for your use case?

Hi JerryChang,

So there is no possibility to craft a reading script, much like flash.sh generates a flashing command when PKC/SBK keys are used (by using the --no-flash parameter)?

Sorry to say, but due to device and module recognition, there is a need for the module serial to be available when fuses are burnt.

hello jsabzk6o,

Are there more background details for this approach?
For instance, are you looking for key management/deployment on the factory floor?

Hi JerryChang,

We want to keep keys out of factory/service premises and limit access to PKC/SBK keys in general. Total elimination from factory/service premises would be nice.

Flashing can currently be done without divulging keys to factory/service premises, but reading the CVM from a non-bootable device is currently not possible without keys in factory/service premises.

From your answers I gather that this is not possible at all without PKC/SBK keys, which is a bit problematic but needs to be somehow sorted out.

Technically that is feasible, but unfortunately our flashing tools don’t support that so far.