Tegra Security Engine behaviour after fuse flashing

Hi.
I have been doing some exploring of the encryption engine accessed via /dev/tegra-crypto, mainly on using it with TEGRA_CRYPTO_IOCTL_NEED_SSK and its internal SSK.

Our test device has no fuses set, so


is set to zero and from checking two different nano modules the encryption results are different for each device, so we’re assuming some part of the SSK is device specific and not totally related to the device key, at least we are hoping so anyhow.

My question is mainly: would we expect any changes between how things behave now, with no fuses set, and once we blow the final production fuse and the device is in production mode? So even if the Device Key is set to 0, the encryption is device/module specific.

My test code is below, and the “Output Data:” was what we checked, and it was symmetric, so re-encrypting it brought us back to the original and it was different across different modules.

  #include <errno.h>
  #include <fcntl.h>
  #include <stdbool.h>
  #include <stdio.h>
  #include <string.h>
  #include <sys/ioctl.h>
  #include <unistd.h>
  #include "tegra_crypto.h"   /* Tegra crypto ioctl definitions from the L4T kernel tree (header path assumed) */

  static void dump_buffer(const unsigned char *buf, size_t len)
  {
    for (size_t i = 0; i < len; i++)
      printf("%02x ", buf[i]);
    printf("\n");
  }

  int main(void)
  {
    /* Constructed sample input: exactly one AES block, so CBC needs no padding */
    unsigned char plaintext[] = "0123456789abcdef";
    unsigned char resulttext[sizeof(plaintext)] = {0};
    unsigned char default_iv[TEGRA_CRYPTO_IV_SIZE] = {0};
    struct tegra_crypt_req ourRequest;
    int retcode;
    int crypto_dev = open("/dev/tegra-crypto", O_RDWR);
    if (crypto_dev < 0) {
      perror("open(/dev/tegra-crypto)");
      return 1;
    }
    // Ask the driver to use its internal SSK instead of the key field in the request
    retcode = ioctl(crypto_dev, TEGRA_CRYPTO_IOCTL_NEED_SSK, 1);

    // Set up
    memset(&ourRequest, 0, sizeof(ourRequest));
    ourRequest.op = TEGRA_CRYPTO_CBC;
    ourRequest.encrypt = true;
    memset(ourRequest.key, 0, TEGRA_CRYPTO_KEY_128_SIZE);   // all-zero key; the SSK requested above is meant to be used instead
    ourRequest.keylen = TEGRA_CRYPTO_KEY_128_SIZE;
    memset(ourRequest.iv, 0x55, TEGRA_CRYPTO_IV_SIZE);
    memcpy(ourRequest.iv, default_iv, TEGRA_CRYPTO_IV_SIZE); // overwrites the 0x55 fill with default_iv
    ourRequest.ivlen = TEGRA_CRYPTO_IV_SIZE;
    ourRequest.plaintext = plaintext;
    ourRequest.result = resulttext;
    ourRequest.plaintext_sz = strlen((char *)plaintext);
    ourRequest.skip_iv = 0;
    ourRequest.skip_exit = false;

    printf("Changing skip_key to 0\n");
    ourRequest.skip_key = 0;
    // Do the encrypt
    printf("Input Data  : ");
    dump_buffer(plaintext, strlen((char *)plaintext));

    retcode = ioctl(crypto_dev, TEGRA_CRYPTO_IOCTL_PROCESS_REQ, &ourRequest);
    if (retcode != 0) {
      printf("ioctl(TEGRA_CRYPTO_IOCTL_PROCESS_REQ) returned %d (errNo = %s)\n", retcode, strerror(errno));
    }
    printf("Output Data : ");
    dump_buffer(resulttext, strlen((char *)plaintext));
    close(crypto_dev);
    return 0;
  }

Regards
Marc.

hello mkelly1,

you should get the latest SecureBoot package through Jetson Linux | NVIDIA Developer.
please also refer to the developer guide; check the Security chapter for instructions on enabling Jetson security.

there’s also a Tutorials | NVIDIA Developer page; please see Jetson Security and Secure Boot for an overview of the security features of the Jetson product family, which explains in detailed steps the secure boot process, fusing, and deployment aspects.
thanks