I am planning to use PKC signing to prevent manipulation read/write of partitions once a xavier agx was deployed.
While reading Secure Boot — Jetson Linux Developer Guide documentation to prepare for writing fuses ive noticed a different value for “BootSecurityInfo” when writing a 2k public key hash to PKH fuse (0x01) and when writing 3k PKH and other fuses (0x06).
Unfortunately i cant find any real documentation of the “BootSecurityInfo” fuse. So i have two questions:
Q1: Which value should i use for “BootSecurityInfo” if i only want to write a 3k PKH without the other fuses?
Q2: Is there any more documentation of “BootSecurityInfo”?
Because of the high risk of bricking a 2000 or so dollars device when writing to the fuses register i also have another question or idea: wouldn’t it be more dev friendly if one is free to write whatever he wants into those registers and only after the final fuse was written (odm_production_mode aka SecurityMode) the whole register gets immutable?
Ah i already was writing a comment, but forgot to send it:
After thinking about the problem a littlebit, am i right to assume that:
`0x01` stands for 2k rsa key
`0x02` stands for 3k rsa key
`0x04` stands for SBK
So `0x06` enables 3k PKC+SBK and `0x02` would allow me to use 3k PKC without SBK?
Thanks for your fast reply.
I am question myself now why those helpful documents aren’t linked in the developer documentation?
I was also missing a Note for disk-encryption on the specific page, that it is not secure without doing some kind of secure boot because the boot partition is unencrypted and anybody can read the partition back and write its own initrd which then prints the luks keys on screen or even on a attached usb-stick or so.
For details on fuses and fuse names for each SoC, refer to the following documents:
For Jetson Orin series: Jetson Orin Series Fuse Specification Application Note
For Jetson Xavier series: Jetson Xavier Series Fuse Programming Application Note
Maybe one last question which is not related to the main question:
Did i understand it correctly hat if i only write to the PKC fuse with the public key hash noone without the priv/pub key can read and write the partitions of the xavier?
FYI, PKC for sign: if PKC is burned, then the KEYFILE users provide is for signing the images. SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images. KEKs for encryption keys: they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is 256-bit key file. please use the commands, --KEK* to determine which key encryption key you’re going to fused.