Secure boot unique keys per device

Hi,

I am working on the Jetson agx xavier board.

According to this training video, the secure boot SBK key and KEK keys are typically unique per device. My questions are:

  1. The training video suggests that the Secure Boot Key (SBK) and Key Exchange Key (KEK) typically be unique per device for optimal security. Could you please confirm whether this uniqueness is indeed imperative for ensuring the highest level of security?
  2. Assuming uniqueness is necessary, I’m curious about the practicalities of managing a large number of unique SBK and KEK keys. For instance, if we aim to enable secure boot across a substantial fleet of devices, potentially exceeding 1000 units, how does Nvidia recommend maintaining and managing the multitude of unique keys efficiently?
  3. I noted that the Public Key Certificate (PKC) key pairs can be common for all devices, as per Nvidia’s recommendation, while emphasizing uniqueness for SBK and KEK keys. Could you kindly elaborate on the rationale behind this distinction?
  4. Lastly, in the “README_Massfuse.txt” document, there is mention of generating a mass fuse blob with PKC and SBK keys for simultaneous flashing across multiple targets. However, considering the emphasis on unique SBK keys, could you provide guidance on how to effectively utilize mass fusing in such scenarios?

hello saaisanthosh.r,

>>Q1
yes, as you can see in the developer guide, Prepare an SBK key section.

We recommend that you use the Hardware Security Module (HSM) to generate a truly random number for an SBK key.

>>Q2
that’s why HSM is suggested.

>>Q3
PKC for sign, if PKC is burned, then the PKCFILE users provide is for signing the images.
SBK for encryption, if SBK is burned, then the SBKFILE users provide is for encrypting the images.

>>Q4
this is utility to generates massfuse blob, and factory floor could use this blob to fuse one or more Jetson devices simultaneously without revealing any SBK or PKC key files in human readable form.
you have to create fuse blob individually if per device unique key files were used.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.