Secure Boot on Jetson Xavier AGX

hello AbdulWasey,

you’ll see fuse commands, after un-tar the fuse blob.
for your reference, here’s thread we had confirmed fuse and flashing works on Xavier NX,

Thanks I will go through this and let you if I have any other question thanks again

hello AbdulWasey,

to clarify, it’s odmfuse to enable secureBoot, which fuse the keys to the target.
once you enable Jetson security, you’ll need to assign keys into flash script to flash the board.

Hi @JerryChang I have a question what will happen if I will reflash my board afterwards. Do I have to assign Keys on every flash?

hello AbdulWasey,

yes, you’ll need to assign keys to your target once the board is fused.

partially flash the partition is not supported with the fused platform. (i.e. -k options),
please perform a whole flash if you need to re-flash the target.

Hi @JerryChang
I want to implement the disk encryption as well

I have gone through that but haven’t fused the board yet. I was wondering what will be further if I want to encrypt the Xavier as well.
My Commands are as follow
To genrate fuseblob.tbz2
Sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./ --noburn -j -i 0x19 -c PKC -p -k <pkc_file> -S <sbk_file> --KEK2 <kek2_file> jetson-agx-xavier-devkit
To sign the boot files
Sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./ --no-flash -u <pkc_file> -v <sbk_file> jetson-agx-xavier-devkit

Kindly guide me what should I add to implement disk encryption of Xavier at this stage.

hello AbdulWasey,

if you wish to encrypt bootloader and TOS, you must prepare SBK fuse bits, and it’s -S <sbk_file> you’d done.

Hi @JerryChang
I was asking about

In documentation the disk encryption implementation is some thing like that

# the disk encryption key in the EKB partition
$ echo "00000000000000000000000000000000" > ekb.key
$ sudo ROOTFS_ENC=1 ./ -i "./ekb.key" <board> <rootdev>

so is there anything else that I have to add in sign boot files command

Sudo ROOTFS_ENC=1 BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./ --no-flash -i <ekb.key> -u <pkc_file> -v <sbk_file> jetson-agx-xavier-devkit mmcblk0p1


hello AbdulWasey,

KEKs were Key Encryption Keys, they’re using as key seed to encode keys.
for example, KEK2 can be used as a key seed to encrypt and decrypted the Encrypted Key Blob (EKB) when TOS is enabled.

there’s user key stored in the Encrypted Key Blob (EKB), the Secure Engine (SE) retrieves the user key from the EKB and uses it to decrypt the kernel image files.
please also refer to below two topics, they’re supported by default on r32.5.

here’s a bug fix in decrypting buffer, Black Screen after enable SecureBOOT and disk encryption - #3 by JerryChang
you should also apply this patch for the cboot sources.

Hi @JerryChang

$ python3 -kek2_key <kek2_fuse_key_file> \
    -fv <fv_for_ekb_ek> \
    -in_sym_key <sym_key_file> \
    -in sym_key2 <sym2_key_file> \
    -out <eks_image_file>

In EKB Generation

  • <sym_key_file> This is user key right?
  • <sym2_key_file> how to create this not clear kindly guide.


hello AbdulWasey,

as you can see in the developer guide, sym_key_file is the kernel encryption key, KEKs.

Hi @JerryChang where is I could not find it in Linux_for_Tegra/source/

hello AbdulWasey,

assume you’d download r32.5.1 L4T Driver Package (BSP) Sources,
please un-tar trusty_src.tbz2 package, and you’ll see as following,
for example,

Hi @JerryChang

kindly guide me from where I can get trusty_src.tbz2

please download L4T Driver Package (BSP) Sources package. you’ll see trusty package included.

Hi @JerryChang

2.Enter this command:

$ ./ --file <binary_file> --chip 0x19 --key <keyfile> --encrypt_key <encrypt_keyfile>


•<binary_file> is a kernel, kernel-dtb, or initrd binary file to be signed.

The binary file mentioned here is located where i can see multiple binary files in /kernel/dtb/ do I have to encrypt all the binary files in kernel/dtb/? are there any other binaries files as well. kindly guide me.

hello AbdulWasey,

you may refer to flash messages to confirm the binary files your target is using.
for example,
[ 219.9638 ] Writing partition kernel-dtb with kernel_tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt

Hi @JerryChang

How to apply patch does it mean to follow these instructions in CBoot_Standalone_Readme_t194.txt that you suggested?


hello AbdulWasey,

yes, please dig into CBoot sources and apply the patch.
you should follow the readme file for the instructions to build CBoot binary; please rename the binary lk.bin to cboot_t194.bin to use with the Jetson Xavier,
please overwrite it with $OUT/Linux_for_Tegra/bootloader/cboot_t194.bin, you need to enable flash script to Flashing a Specific Partition instead of flashing the whole device by using the command line, ‑k switch.
for example, $ sudo ./ -r -k cpu-bootloader jetson-xavier mmcblk0p1

Hi @JerryChang

1. Regarding eks.img I was creating the <fv_for_ekb_ek> using command mentioned in guide
$ openssl rand -rand /dev/urandom -hex 16 > fv_ekb.txt
which gives me a random 16 bytes hex i-e 7fac7cc40b7ff9e9b0102cafc3ee0164
but here in this

Kindly tell me which fv_ekb should I use?

2. Regarding <key2_fuse_key_file> that was in my case is

which in hex is 0x2fbed7068a6aceb4c9e06bbbc6798589while using to generate fuseblob.tbz2
and for <key2_fuse_key_file> it will be '2fbed7068a6aceb4c9e06bbbc6798589` right?

3. Regarding <sym_key_file>which is user key and has 16 bytes hex which I created through same command
$ openssl rand -rand /dev/urandom -hex 16 > sym_key.txt
which i have to use to sign boot files right?

i-e in this command like that--user_key sym_key.txt
4. Regarding

it will be any 16 bytes hex key or it has be used To generate fuseblob.tbz2 in this command

or use in To sign the boot file like user key

5. Regarding

This image file i-e eks.img will be intended to flashed onto EKS partition HOW? Where do I have to put this eks.img? kindly guide me about this