Secure Boot Fusing Issue on Jetson Orin Nano (L4T R36.4.3 / JetPack 6.0)

Hi all,

I’m trying to enable Secure Boot on a Jetson Orin Nano using the odmfuse.sh tool from the L4T R36.4.3 BSP. My goal is to fuse both SBK and PKC keys and later use a custom Yocto image (signed using these keys). However, during fusing, it appears that the keys were not used properly and the fuses may have been burned with zeroed keys instead of the ones I supplied.

Steps I Followed

# Generate PKC keypair
openssl genrsa -out rsa_priv.pem 2048
openssl rsa -in rsa_priv.pem -pubout -out rsa_pub.pem

# Generate public key hash

./bootloader/tegrasign_v3.py --pubkeyhash ~/secure_boot_keys/rsa_pub.pem rsa_pub.hash --key ~/secure_boot_keys/rsa_priv.pem

# Created SBK Key

 echo -e '0x11223344\n0x55667788\n0x99aabbcc\n0xddeeff00\n0x12345678\n0x9abcdef0\n0xfedcba98\n0x76543210' > ~/secure_boot_keys/sbk.key

Created fuse_config.xml

<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="PublicKeyHash" size="64" value="0xac0091e5159e1ca8d7c4f1bf4a0218cb686729e2bed3af0814dcab9b518e8b0d818ba1d09e509ac40a9ff80d35fef1982cdffa00001a7ac70315855f5e66d9ae"/>
<fuse name="SecureBootKey" size="32" value="0x112233445566778899aabbccddeeff00123456789abcdef0fedcba9876543210"/>
<fuse name="BootSecurityInfo" size="4" value="0x20b"/>
<fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Command Used to Fuse

sudo ./odmfuse.sh \
  -X ~/secure_boot_keys/fuse_config.xml \
  -i 0x23 \
  -k ~/secure_boot_keys/rsa_priv.pem \
  -S ~/secure_boot_keys/sbk.key \
  jetson-orin-nano-devkit

Problem Observed

Even though I supplied the correct SBK and PKC files, the logs indicated that tegrasign assumed a zero-filled SBK, and that the public key hash file was not found:

[ tegrasign_v3.py --key None --list images_list.xml --pubkeyhash pub_key.key --sha sha512 ]
Assuming zero filled SBK key
Warning: pub_key.key is not found

Later lines repeated:

Assuming zero filled SBK key

Yet, the tool completed successfully and printed:

Sending bct_mem... done
Sending blob... done
Fusing complete

But now I’m worried that my board may be permanently fused with zeroed SBK and PKC keys instead of my intended ones.
Full logs of the error: test1.txt (97.5 KB)

What I Need Help With

Is there a bug or mistake causing tegrasign to ignore the -k and -S arguments to odmfuse.sh?

Was my board fused with zero keys even though I supplied valid inputs?

How can I confirm exactly what values were burned into the fuses (e.g., SBK, PKC)?


Hello firas.loukil,

As mentioned in the Jetson Orin Fuse Specification v1.5, let me recap as below.

FUSE_BOOT_SECURITY_INFO_0

  • Bits [8:4] Reserved (may not be logic 0 by default)

So, if you have modules from around the beginning of 2025, the BOOT_SECURITY_INFO was burned (by manufacturing) to 0x1E0 as the default value.
Please fuse devices with a BootSecurityInfo value of 0x3EB (an OR of 0x20B and 0x1E0) for your use case.

Where is the PCN related to this change? It seems we didn’t receive it.

Is there any potential issue when fusing the added 0x1e0 on older boards where these bits were not fused?

Hello martin.herren,

It’s not mentioned in the Product Change Notifications.
Since bits [8:4] were reserved, you can fuse the added 0x1e0 on older boards; it’s okay.
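
A pre-flight check for the fuse_config.xml and sbk.key from the first post, run before anything irreversible is burned. This is an added example, not part of the thread and not NVIDIA tooling. The function names, the length rule, and the assumption that the key file's words concatenate to the fuse value are this example's own; the 0x1E0 reserved-bit value comes from the reply above.

```python
import xml.etree.ElementTree as ET

RESERVED_DEFAULT = 0x1E0  # bits [8:4] value quoted in the reply in this thread

# Constructed sample input: values as shown in the first post (PublicKeyHash omitted).
SAMPLE_XML = """<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="SecureBootKey" size="32" value="0x112233445566778899aabbccddeeff00123456789abcdef0fedcba9876543210"/>
<fuse name="BootSecurityInfo" size="4" value="0x20b"/>
<fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>"""
SAMPLE_SBK = ("0x11223344\n0x55667788\n0x99aabbcc\n0xddeeff00\n"
              "0x12345678\n0x9abcdef0\n0xfedcba98\n0x76543210\n")


def hex_digits(text):
    """Return the lowercase hex digits of text, without any 0x prefix."""
    t = text.strip().lower()
    t = t[2:] if t.startswith("0x") else t
    int(t, 16)  # raises ValueError on non-hex input
    return t


def check_fuse_inputs(xml_text, sbk_text, reserved=RESERVED_DEFAULT):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings, fuses = [], {}
    for f in ET.fromstring(xml_text).iter("fuse"):
        name, size, digits = f.get("name"), int(f.get("size")), hex_digits(f.get("value"))
        fuses[name] = digits
        # Hypothetical rule for this example: key-sized fuses must be written out in full.
        if len(digits) > size * 2 or (size > 4 and len(digits) != size * 2):
            findings.append(f"{name}: {len(digits)} hex digits for size={size} bytes")
    sbk = fuses.get("SecureBootKey")
    # Assumption: the key file's 32-bit words, concatenated in order, equal the
    # fuse value (this is how the two files shown on this page relate).
    words = [hex_digits(w).zfill(8) for w in sbk_text.split()]
    if sbk is not None and "".join(words) != sbk:
        findings.append("SecureBootKey: does not match the words in the SBK key file")
    if sbk is not None and set(sbk) == {"0"}:
        findings.append("SecureBootKey: value is all zeros")
    bsi = int(fuses.get("BootSecurityInfo", "0"), 16)
    if (bsi & reserved) != reserved:
        findings.append(f"BootSecurityInfo: 0x{bsi:x} lacks reserved bits 0x{reserved:x}; "
                        f"0x{bsi | reserved:x} keeps them set")
    return findings


if __name__ == "__main__":
    for line in check_fuse_inputs(SAMPLE_XML, SAMPLE_SBK) or ["no findings"]:
        print(line)
```

The check only compares the input files with each other; it does not read back what was burned on a board.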