We are looking to enable secure boot on the Xavier NX and the fuse specification indicates the Xavier NX supports RSA 3072 bit public keys.
FUSE_BOOT_SECURITY_INFO [15:0]Boot Security InfoBits interpreted by boot software with following mapping: Bits [1:0] mapped to Secure Boot Authentication Scheme, where 00b: SHA2 Hash 01b: 2048 bit RSA **10b: 3072 bit RSA** 11b: ECC (Elliptic Curve, see also bit 7)
Based on this info it appears that the NX target device supports 3072 bit keys and we we should be able to sign images with keys of this length giving us 128 bit effective security (Keylength - NIST Report on Cryptographic Key Length and Cryptoperiod (2020))
However, with Jetpack 4.5.1 it looks like the Nvidia tools do not support RSA 3072, specifically the tegrasign_v2 tool. Attached is log output from l4t_sign_image.sh using both an RSA 2048 bit key (successful) and an RSA 3072 bit key (failure).
Is there a change to the Jetpack tools we can make to the jetpack tools in order to use RSA 3072 bit keys? tegrasign_v2 is a binary executable so it is difficult to determine the proper inputs to make this work.
l4t_sign_image.sh_log.txt (13.5 KB)