RPMB programming without burning fuses

Can we build and use the RPMB without programming fuses for development and test purposes in some shape or form? Are there any instructions to how we can accomplish that? Also, what is the difference between the EKB and the RPMB?

hello kenng7183,

please see also the developer guide, EKB Key Management.
You cannot use the RPMB without programming fuses for development and test purposes.

Hi Jerry, is FSPK needed to program the relevant EKB / RPMB fuses, or can we do so with NVIDIA flash programming scripts without going through NVIDIA?

hello megamanx,

I assume you’re talking about FSKP, (i.e. Factory Secure Key Provisioning), right?

yes, you’re able to burn fuses with the odmfuse.sh script file;
see also the developer guide, Burn Fuses with the Fuse Configuration File, for the steps.

Are there instructions on how to enable the RPMB / disable the REE_FS?

hello kenng7183,

you’ll need to fuse a target to add RPMB keys; see also RPMB Key Management,
and also Example Orin Fuse Configuration File to Program an OemK1 Key + RPMB Key.

I’m still confused about how the RPMB is enabled. By burning the RPMB key fuse, does it automatically enable the RPMB and disable the REE_FS? There is the configuration file Linux_for_Tegra/jetson-orin-srcs/optee/optee_os/config.mk. Does this need to be manually modified in order to use the RPMB within OP-TEE? If we were to use pkcs11-tool to read/write keys, would it just default to the RPMB?

hello kenng7183,

may I know what the actual use case is for enabling the RPMB and disabling the REE_FS?
Is it related to secure storage?

Ideally we don’t want keys to be stored in the rootfs. I am under the impression that any pkcs11 tools check whether the RPMB is available and that the REE_FS is used when the RPMB fails. The documentation doesn’t really address the behavior of the RPMB.