Secureboot on AGX with HSM


We are trying to augment the provided secure boot tooling with support for HSM-based keys (specifically Amazon CloudHSM).

All of the provided tooling seems to deal with .pem files, which we cannot provide for security reasons.

So, we’re trying to understand specifically what’s in the .sig files and what’s in the so-called “public key hash” that’s burned into the fuse.


  1. How is verification of the signature performed? How is the hash of the public key (if that’s what’s in the fuse) sufficient for verification? Is the raw public key stored somewhere?
  2. What’s the format of the “.sig” files?

hello jonathan.thambidurai,

the PKC key uses the SHA256 hash of the RSA2048 public key. btw, the 3072-bit RSA key option is only supported on the Xavier series.

the concept of Secureboot is to prevent execution of unauthorized code during the boot process through a chain-of-trust;
the authenticated boot components (such as the Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using the private key. this Public Key Cryptography (PKC) key is stored in the fused device.
PKC for signing: if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images.

here's a similar thread, Topic 166401, for your reference;
you may also check the Jetson Security Training video from the tutorials page as a see-also.

hope this helps.
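A generic sketch of hash-pinned public key verification with the private-key operation isolated behind an HSM-style function, added here as an example and not taken from NVIDIA's tooling or from either post above. The toy key, `hsm_sign`, `key_hash`, the package layout and the bytes that are hashed are all assumptions; the real .sig and fuse-hash formats are not modeled.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes (NOT secure, demo only).
P, Q, E = 2**607 - 1, 2**1279 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: would never leave an HSM

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def byte_len(n: int) -> int:
    return (n.bit_length() + 7) // 8

def encode(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), k bytes long, as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def hsm_sign(msg: bytes) -> bytes:
    """Hypothetical stand-in for the HSM call: the only code that touches D."""
    k = byte_len(N)
    return pow(encode(msg, k), D, N).to_bytes(k, "big")

def key_hash(n: int, e: int) -> bytes:
    """Assumed pin format: SHA-256 over big-endian modulus || 4-byte exponent."""
    return hashlib.sha256(n.to_bytes(byte_len(n), "big") + e.to_bytes(4, "big")).digest()

def build_package(image: bytes) -> dict:
    """Signing host: ships the image, the raw public key and the signature."""
    return {"image": image, "n": N, "e": E, "sig": hsm_sign(image)}

def boot_verify(pkg: dict, fused_hash: bytes) -> str:
    """Verifier: holds only the 32-byte pinned hash, never the key itself."""
    n, e = pkg["n"], pkg["e"]
    # Step 1: the public key travelling with the image must match the pin.
    if key_hash(n, e) != fused_hash:
        return "reject: public key does not match fused hash"
    # Step 2: only now is that key trusted to check the signature.
    s = int.from_bytes(pkg["sig"], "big")
    if s >= n or pow(s, e, n) != encode(pkg["image"], byte_len(n)):
        return "reject: signature invalid"
    return "accept"

if __name__ == "__main__":
    pin = key_hash(N, E)   # the value that would be burned once
    print(boot_verify(build_package(b"constructed bootloader image"), pin))
```

Only `hsm_sign` needs the private key, so in an HSM-backed flow that single function is the part replaced by a call to the HSM, while the public key and signature are exported as ordinary data.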
