Unfortunately I can’t find any real documentation of the “BootSecurityInfo” fuse. So I have two questions:
Q1: Which value should I use for “BootSecurityInfo” if I only want to write a 3k PKH without the other fuses?
Q2: Is there any more documentation of “BootSecurityInfo”?
Because of the high risk of bricking a 2000 or so dollar device when writing to the fuse registers, I also have another question or idea: wouldn’t it be more dev-friendly if one were free to write whatever he wants into those registers, and only after the final fuse was written (odm_production_mode aka SecurityMode) the whole register becomes immutable?
Ah, I was already writing a comment, but forgot to send it:
After thinking about the problem a little bit, am I right to assume that:
`0x01` stands for 2k RSA key
`0x02` stands for 3k RSA key
`0x04` stands for SBK
So `0x06` enables 3k PKC+SBK and `0x02` would allow me to use 3k PKC without SBK?
Thanks for your fast reply.
I am now asking myself why those helpful documents aren’t linked in the developer documentation.
I was also missing a note for disk encryption on the specific page, saying that it is not secure without doing some kind of secure boot, because the boot partition is unencrypted and anybody can read the partition back and write their own initrd, which then prints the LUKS keys on screen or even onto an attached USB stick or so.
For details on fuses and fuse names for each SoC, refer to the following documents:
For Jetson Orin series: Jetson Orin Series Fuse Specification Application Note
For Jetson Xavier series: Jetson Xavier Series Fuse Programming Application Note
FYI, PKC for signing: if PKC is burned, then the KEYFILE users provide is for signing the images. SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images. KEKs for encryption keys: they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is a 256-bit key file. Please use the commands, `--KEK*`, to determine which key encryption key you’re going to fuse.