RSA or ECC private key stored in FUSEs

Hi,

What is the recommendation for storing private keys (either ECC or RSA) in Jetson Nano fuses? It there a way to protect them so that only certain images can unlock the access to the keys?

Thanks,
Deyan

hi deyan,

there’s Security chapter you may check for reference.
it’s Secureboot to enable boot security, Secureboot prevents execution of unauthorized boot codes through chain of trust.
Trusty, also said SecureOS, which only applies to: Jetson Xavier NX, Jetson AGX Xavier series, and Jetson TX2 series devices.
thanks

Hi Jerry,

Right now we can’t change the hardware so we need to stick with the Jetson Nano - what would be the recommendation for storing keys in hardware on the Nano?

Thanks,
Deyan

hello deyan,

may I know what’s your use-case. can Secureboot fulfill the requirements?

Hi Jerry,

We need to generate a unique asymmetric key pair per device at manufacture time and use it to issue a certificate per device that will be used to identify each device to our IoT management system.

Ideally we’d use a TPM to store the private key, however since the Jetson Nano doesn’t have a TPM built-in, we are considering using the fuses for this. Longer term we’d probably be using another board that has the capability, however for the near future our hardware platform is already set and we can’t modify it so we need to find the most secure way to store the private key.

Thanks,
Deyan

hello deyan,

the concept of Secureboot is to prevent execution of unauthorized code during boot process through chain-of-trust;
those authenticates boot components (such as, Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using private key.

FYI,
when you begin production and burn the ODM production fuse, secure boot is enabled, JTAG debug is disabled, and all the fuses become inaccessible except Reserved_ODM.
there’re Reserved_ODM fuse are programmable, it’ll be disabled after you’d program the ODM_lock fuse bit.
thanks

Hi Jerry,

We are looking for solution to store other private key not limited to secureboot key. we noticed that there are ODM reserved bit in fuse.
(FUSE_RESERVED_ODM0 [31:0])

/…/
(FUSE_RESERVED_ODM7 [31:0])

Is it NVIDIA’s recommendation to store a private key in these fuses for the Jetson Nano or is there another recommended way to store a private key?

Thanks

Please help to open a new topic for your issue. Thanks