Startup mode of Jetson TX1

I’ve been interested in getting a Jetson TX1 for a project that requires the support for ARM hypervisor mode. While I’m aware that the SoC itself supports it, as far as I know, with previous Jetson boards (including the TK1 model) one of the secure bootloaders dropped down to supervisor (EL1) mode before passing off control to user code, making any sort of hypervisor experiments impossible. So my main questions (about SoC configuration/fusing used in Jetson TX1 specifically) are:

  • Does it have some form of a signed second stage bootloader?
  • Which mode does that bootloader/bootROM start executing user (untrusted) code in? Is it EL2 or EL1?
  • Is there any possibility of running code in EL3 (ie. in secure/TZ monitor mode)?

I know the SoC itself supports many configurations but I’m not sure what the consumer level fusing used in Jetson TX1 and/or the second stage bootloader restrict it to.

From looking into the TegraBoot process more, it seems that TOS (Trusted OS?) is the default EL3 monitor. Is that correct? In which case, is there a way of running something else in place of TOS on Jetson TX1 boards or would NVIDIA not allow that? (ie. providing an NvTBoot that doesn’t cryptographically check TOS, allowing users to use a custom secure monitor)

I always wanted to find an ARM board that didn’t lock users out of EL3 so it’d be nice if there was a way of running a custom TOS on Jetson TX1.