Xavier AGX 3k RSA PKC config.xml

I am planning to use PKC signing to prevent manipulation (read/write) of partitions once a Xavier AGX has been deployed.

While reading the Secure Boot — Jetson Linux Developer Guide documentation to prepare for writing fuses, I've noticed a different value for “BootSecurityInfo” when writing a 2k public key hash to the PKH fuse (0x01) and when writing a 3k PKH and other fuses (0x06).

Unfortunately I can't find any real documentation of the “BootSecurityInfo” fuse. So I have two questions:

Q1: Which value should I use for “BootSecurityInfo” if I only want to write a 3k PKH without the other fuses?

Q2: Is there any more documentation of “BootSecurityInfo”?

Because of the high risk of bricking a 2000 or so dollar device when writing to the fuses register, I also have another question or idea: wouldn’t it be more dev friendly if one were free to write whatever he wants into those registers, and only after the final fuse was written (odm_production_mode aka SecurityMode) the whole register becomes immutable?

Hello brootux,

Please refer to the Jetson AGX Xavier Series Fuse Programming Application Note.
You may also see the fuse name FUSE_BOOT_SECURITY_INFO for details.
For example,

Bits [1:0] mapped to Secure Boot Authentication Scheme, where
00b: SHA2 Hash
01b: 2048 bit RSA
10b: 3072 bit RSA
...
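
A pre-burn sanity check built on the bit mapping quoted in the reply above, as an added example that is not part of the original thread or of NVIDIA's tooling: it reads BootSecurityInfo from a fuse config XML, decodes bits [1:0], and compares the scheme with the size of the RSA key you intend to sign with. The XML layout, the `PublicKeyHash` fuse name and the function name are assumptions; bits above [1:0] are only reported, since the thread does not define them.

```python
import xml.etree.ElementTree as ET

# Bits [1:0] of BootSecurityInfo, exactly as listed in the reply above.
AUTH_SCHEME = {0b00: "SHA2 Hash", 0b01: "2048 bit RSA", 0b10: "3072 bit RSA"}
RSA_BITS = {0b01: 2048, 0b10: 3072}

# Constructed sample input. The <genericfuse>/<fuse> layout and the
# PublicKeyHash name are assumptions; the hash value is a placeholder.
SAMPLE_XML = """<genericfuse>
  <fuse name="PublicKeyHash" size="32" value="0xPLACEHOLDER"/>
  <fuse name="BootSecurityInfo" size="4" value="0x6"/>
</genericfuse>"""


def check_boot_security_info(xml_text, key_bits):
    """Return (scheme, other_bits, findings) for a fuse config and an RSA key size."""
    root = ET.fromstring(xml_text)
    fuses = {f.get("name"): f.get("value") for f in root.iter("fuse")}
    if "BootSecurityInfo" not in fuses:
        return None, None, ["BootSecurityInfo fuse is missing from the config"]

    value = int(fuses["BootSecurityInfo"], 16)
    scheme_bits = value & 0b11    # Secure Boot Authentication Scheme
    other_bits = value & ~0b11    # not described in this thread
    scheme = AUTH_SCHEME.get(scheme_bits)
    findings = []

    if scheme is None:
        findings.append(f"bits [1:0] = {scheme_bits:02b}b is not a listed scheme")
    elif scheme_bits not in RSA_BITS:
        findings.append("scheme is SHA2 Hash, but an RSA signing key was supplied")
    elif RSA_BITS[scheme_bits] != key_bits:
        findings.append(f"fuse selects {scheme}, but the signing key is {key_bits} bit")

    if scheme_bits in RSA_BITS and "PublicKeyHash" not in fuses:
        findings.append("RSA scheme selected, but no PublicKeyHash fuse in the config")
    if other_bits:
        findings.append(f"bits above [1:0] are set (0x{other_bits:x}); "
                        "confirm their meaning in the fuse application note")
    return scheme, other_bits, findings


if __name__ == "__main__":
    scheme, other, findings = check_boot_security_info(SAMPLE_XML, key_bits=3072)
    print("scheme:", scheme)
    for line in findings:
        print("check:", line)
```

Run it against the config before invoking the fuse-burning step; an empty findings list only means the scheme bits and key size agree, not that the rest of the config is correct.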

Ah, I was already writing a comment, but forgot to send it:

After thinking about the problem a little bit, am I right to assume that:
`0x01` stands for 2k RSA key
`0x02` stands for 3k RSA key
`0x04` stands for SBK

So `0x06` enables 3k PKC+SBK and `0x02` would allow me to use 3k PKC without SBK?

Thanks for your fast reply.

I am asking myself now why those helpful documents aren’t linked in the developer documentation?

I was also missing a note for disk encryption on the specific page, saying that it is not secure without doing some kind of secure boot, because the boot partition is unencrypted and anybody can read the partition back and write their own initrd, which then prints the LUKS keys on screen or even onto an attached USB stick or so.

It’s actually mentioned here… SecureBoot

For details on fuses and fuse names for each SoC, refer to the following documents:
For Jetson Orin series: Jetson Orin Series Fuse Specification Application Note
For Jetson Xavier series: Jetson Xavier Series Fuse Programming Application Note


Ah okay, I probably missed it because it's between two notes and a caution box and it has no links to click :)

Thank you very much.

Maybe one last question which is not related to the main question:

Did I understand it correctly that if I only write to the PKC fuse with the public key hash, no one without the priv/pub key can read and write the partitions of the Xavier?

FYI,
PKC for sign: if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images.
KEKs for encryption keys: they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is a 256-bit key file. Please use the commands, --KEK*, to determine which key encryption key you’re going to fuse.
