Reading FUSE_PK_H1 and FUSE_PK_H2 from Linux

sarah.newman · February 16, 2024, 4:56am

Hi,

In jetpack 5.1.2 there is this sysfs entry for FUSE_PUBLIC_KEY:

	FUSE_BURN_DATA(public_key, 0xbc, 21, 512, 0x64, false, true),

What should we add to be able to read FUSE_PK_H1 and FUSE_PK_H2 the same way? Or do we need to use /sys/bus/nvmem/devices/fuse/nvmem?

JerryChang · February 19, 2024, 3:36am

hello sarah.newman,

may I know the actual use-case for reading those? is it for examination?
you may check /sys/devices/platform/tegra-fuse for fuse variables.
note, as long as SecurityMode has burned, you will get 0xffff… when reading fuses. that is expected for security concern.

sarah.newman · February 19, 2024, 6:06pm

On Jetson AGX with SecurityMode set, only sensitive fuses like encryption keys were kek2 and secure_boot_key were 0xfff…, the other fuses were readable. Are you saying that’s different for AGX Orin?

What I am asking about is there are entries for some but not all of the fuses in /sys/devices/platform/tegra-fuse and I am asking how to add entries for some of the missing fuses.

JerryChang · February 20, 2024, 3:07am

had you try odmfuseread.sh for reading fuse values.

sarah.newman · February 20, 2024, 8:49pm

Thank you for the suggestion. My understanding is odmfuseread.sh reads the values via USB and is therefore not a replacement for reading the fuses on-device.

sarah.newman · February 21, 2024, 12:49am

I found nv_fuse_read.sh in nvidia-l4t-tools_35.4.1-20230801124926_arm64.deb which we don’t normally fully install. That does use /sys/bus/nvmem/devices/fuse/nvmem.

I had to change it to work on our systems since it uses some shell functionality we don’t have available, but it solves the immediate issue.

My reading of the orin fuse specification is only the security sensitive fuses should be read as 0xff… IE

FUSE_KEYS_SBK_0
FUSE_KEYS_SBK_0_TAG
FUSE_KEYS_FKDD_SK_0
FUSE_KEYS_FKDD_SK_0_TAG
FUSE_KEYS_FKDD_AK_0
FUSE_KEYS_FKDD_AK_0_TAG
FUSE_KEYS_OEM_FUSE_IV_0
FUSE_KEYS_OEM_FUSE_IV_0_TAG
FUSE_KEYS_OEM_EK_0
FUSE_KEYS_OEM_EK_0_TAG
FUSE_KEYS_KDK0_0
FUSE_KEYS_KDK0_0_TAG
FUSE_KEYS_OEM_K1_0
FUSE_KEYS_OEM_K1_0_TAG
FUSE_KEYS_OEM_K2_0
FUSE_KEYS_OEM_K2_0_TAG
FUSE_KEYS_PSC_STATIC_OEM

And this does not include FUSE_PK_H1 or FUSE_PK_H2.

JerryChang · February 21, 2024, 6:47am

don’t it support reading PK_H1 fuses in the target board.? i.e. /usr/sbin/nv_fuse_read.sh pk_h1

system · March 27, 2024, 2:07am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Questions regarding secure boot Jetson AGX Orin boot , security	4	247	April 8, 2024
SecureBoot validation Jetson AGX Orin security	4	246	July 3, 2024
Issue with ReservedOdm[3-7] and BootSecurityInfo values after fuse Jetson AGX Orin security	8	569	July 14, 2023
Orin NX: Is It Bricked After Fusing an ECDSA P-256 Key Hash with a BootSecurityInfo Value of 0x20b? Jetson Orin NX security	12	52	December 17, 2024
Fuseblob to enable FTPM Jetson AGX Orin tpm	2	12	February 3, 2025
Burning fuses on secure board Jetson Orin NX security	8	335	July 2, 2024
Reading OemK1 and OemK2 fuses from board Jetson AGX Orin security	2	271	May 7, 2024
Kernel crash on reading nvmem Jetson AGX Orin security	6	473	September 27, 2023
Can't boot after enable secure boot (AGX Orin) Jetson AGX Orin security	18	72	February 12, 2025
Odmfuse.sh error Jetson AGX Orin security , nvbugs	15	862	October 2, 2022

Reading FUSE_PK_H1 and FUSE_PK_H2 from Linux

Related topics