Secureboot questions

 Hello.

Release 32.6.1

I have a few questions regarding security.

odmfuse.sh options.

  1. -p ----------------------- sets production mode.

What does this option mean? I didn’t find an explanation of it.

  1. -S ------------ 128bit Secure Boot Key file in HEX format.
    What is the format of this file?
    This?
    0x12345678 0x9abcdef0 0xfedcba98 0x76543210
    Or this?
    0x123456789abcdef0fedcba9876543210

Thank you.

Hi,
Please note we don’t support secureboot on Xavier NX sdcard. Please enable it on Xavier NX emmc(production module). For steps in detail, please refer to
Unable to burn fuses (dev kit) / no more output (serial/hdmi) / bricked? - #89 by DaneLLL

The -p option is to lock the PKC and SBK keys. Without it, if the bits of PKC and SBK are 0, they can still be programmed to 1. However, there is an issue of programming PKC + SBK without -p, so please always set the option on Xavier and Xavier NX.

The layout of SBK key is:

$ cat sbk.key
0x12345678 0x9abcdef0 0xfedcba98 0x76543210
1 Like
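
A pre-flight check for the SBK file layout given in the answer above, as an added example that is not part of the thread or of NVIDIA's tools. The function name `parse_sbk`, the one-line strictness, accepting either hex case, and refusing an all-zero key or the sample value printed in this thread are assumptions of this example, not rules taken from odmfuse.sh.

```python
import re
import sys

# One key word: "0x" followed by exactly 8 hex digits (32 bits).
WORD_RE = re.compile(r"0x[0-9a-fA-F]{8}")
# The single-token 128-bit form asked about in the question.
SINGLE_RE = re.compile(r"0x[0-9a-fA-F]{32}")

# Sample value shown in this thread; it is public, so it must not be burned.
THREAD_SAMPLE = [0x12345678, 0x9ABCDEF0, 0xFEDCBA98, 0x76543210]


def parse_sbk(text):
    """Return the four 32-bit words of an SBK key file, or raise ValueError."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one non-empty line")
    tokens = lines[0].split()
    if len(tokens) == 1 and SINGLE_RE.fullmatch(tokens[0]):
        raise ValueError("single 128-bit value; use four space-separated "
                         "0x-prefixed 32-bit words")
    if len(tokens) != 4:
        raise ValueError("expected 4 words, found %d" % len(tokens))
    for tok in tokens:
        if not WORD_RE.fullmatch(tok):
            raise ValueError("bad word %r; need 0x plus 8 hex digits" % tok)
    words = [int(tok, 16) for tok in tokens]
    if not any(words):
        raise ValueError("all-zero key")
    if words == THREAD_SAMPLE:
        raise ValueError("this is the sample key from the forum thread")
    return words


if __name__ == "__main__":
    # Usage: python3 check_sbk.py sbk.key   (script name is hypothetical)
    if len(sys.argv) != 2:
        sys.exit("usage: check_sbk.py <sbk_keyfile>")
    try:
        with open(sys.argv[1]) as fh:
            parse_sbk(fh.read())
    except (OSError, ValueError) as exc:
        sys.exit("sbk.key rejected: %s" % exc)
    print("sbk.key layout OK")  # never print the key words themselves
```

Run it on the key file before passing that file to `-S`, since a fuse programmed with the wrong value cannot be changed back.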

Thank you for the explanation.

And one more question about the user_key option.

Additionally, I can sign and burn images with the help of the user_key option:

sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> --user_key <user_keyfile> <device_name> mmcblk0p1

But I can sign images in a separate step:

./l4t_sign_image.sh --file <filename> --chip 0x19 --key <keyfile> --encrypt_key <encrypt_keyfile>

What is the reason for it?
How can I use signed images without burning?