Fuses are designed to be inaccessible for production.
The concept of Secureboot is to prevent execution of unauthorized code during the boot process through a chain of trust;
it authenticates boot components (such as the Boot Configuration Table, bootloader binaries, and warmboot vector) that were signed using a private key.
PKC for signing:
If PKC is burned, then the KEYFILE that users provide is used for signing the images.
SBK for encryption:
If SBK is burned, then the SBKFILE that users provide is used for encrypting the images.
KEKs for encryption keys:
They are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is a 256-bit key file. Please use the --KEK* command options to determine which key encryption key you’re going to fuse.
You cannot burn unencrypted/unsigned binaries.
By default, it uses all-zero keys to encrypt/sign binaries locally and then flashes them to the target.
Once Jetson security has been enabled, those binaries must be processed with the same keys as on the target; please check the description of the different keys above.
FYI, Orin supports up to three PKC keys. Images can be signed by any of the keys.
There is a PKC key revocation feature on the Orin series.
PKC key revocation is done through settings in mb1_bct, and the fuse is burned by mb2 during boot.
Two revoke fuses (i.e. FUSE_REVOKE_PK_H0_0 & FUSE_REVOKE_PK_H1_0) are used to revoke keys (i.e. FUSE_PUBLIC_KEY0_x and FUSE_PK_H1_0_x).
Please see also the developer guide, Revocation of the PKC Keys.