Xavier store custom key in odm_reserved Fuses

I have read multiple forum questions and documentation regarding the Fuse burn process on the xavier or nano . I am still unclear on certain things:
Problem: i want to burn a custom key into the odm_reserved fuse.
questions:

  1. can I rewrite over and over again in the same odm_reserved fuse?
  2. can I read the value from device if I don’t lock the odm_production or odm_lock fuses?
  3. is there any other way that i can store changing keys securely and read them frequently

I’m moving this topic to Xavier series.

hello Ashja,

when you begin production and burn the ODM production fuse, secure boot is enabled, JTAG debug is disabled, and all the fuses become inaccessible except Reserved_ODM.
however, Reserved_ODM fuse are programmable until it disabled by the ODM_lock fuse.

I don’t understand your question clearly. are you asking for ways to store the keys?
thanks

Hey @JerryChang ,
thanks for the reply .

does this nullify this statement from the developer guide:

NVIDIA SoCs contain multiple fuses that control different items for security and boot. Once a fuse bit is set to 1, you cannot change its value back to 0. For example, a fuse value of 1 (0x01) can be changed to 3 (0x03) or 5 (0x05), but not to 4 (0x4) because bit 0 is already programmed to 1.

  1. I want to know is there a location like a secure element where keys can be stored which are inaccessible to read without decryption

hello Ashja,

no, that specify for the manufacturing programmable fuses, check fuse specification for the details.
the odm_production_mode can help control the write protection for the other fuses except for odm_reserved and odm_lock.

you may check flashing logs, some of them were actually sign and encrypt with your own keys.
for example,

[ 105.4015 ] tegradevflash_v2 --write MB1_BCT mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
[ 105.7205 ] tegradevflash_v2 --write MEM_BCT mem_coldboot_sigheader.bct.encrypt
...

there’s secure engine (SE) to store the keys, and it’s bootrom always tries to verify the PKC hash first to communicate with the board.
please refer to training video, Jetson Security and Secure Boot via Tutorials | NVIDIA Developer for more details.
thanks

hey @JerryChang ,
so according to the Fuse specifications ,programmable fuses can be altered upon demand eg. 0 bit can be flipped to 1 bit vice versa ?
also where can i find the actual implementation guideline for the Secure Engine

hello Ashja,

to clarify,
for ALL fuse bits, you can’t change its value back to 0 once it gets programmed to 1.

there more details about ODM_Reserved,

  • ODM_Reserved0 - ODM_Reserved3:
    you can program them multiple times (please make sure you only burn the “0” bits) unless the corresponding bits in odm_lock are burned.
  • ODM_Reserved4 - ODM_Reserved7:
    you can program them multiple times (make sure you only burn the “0” bits).
  • ODM_Reserved8 - ODM_Reserved11 (note, these were Xavier series only)
    you should NOT burn them because they’re reserved for rollback protection.

hey @JerryChang ,
Thank you this is helpful.
can you please provide some info on secure engine?

please access Jetson AGX Xavier Series Module Data Sheet and check [1.7.2 Security Engine] for more details.

hey @JerryChang ,
it only lists the feature set. There is no information regarding the actual implementation

it’s hardware, please refer to training video, Jetson Security and Secure Boot. thanks

hey @JerryChang ,
ok ill go over it again to see if I miss something thanks for your help