User Guide (Latest)
NVIDIA IGX Orin Developer Kit User Guide (Latest)

Enable Secure Boot for Pre-UEFI Phases

You can enable end-to-end secure boot for your production NVIDIA IGX device. For an overview, see Secure Boot for IGX.

Secure boot for pre-UEFI phases uses the NVIDIA SoC fuses stored root of trust to authenticate boot codes from Orin power-up to the code end before UEFI.

To enable secure boot for pre-UEFI phases, do the following steps:

To request the Factory Secure Key Provisioning (FSKP) expansion keys, contact your NVIDIA representative. Your representative also provides you with the FSKP Expansion Key Provisioning and Fuse Burning Toolkit Deployment Guide.

To generate the encrypted and signed blob, do the following steps:

A. Generate the 3 PKC Asymmetric Key Pairs

IGX Orin’s fuse supports three types of public key cryptography (PKC) keys: RSA 3K, ECDSA P-256, and ECDSA P-521. The fuse can store only store three hashed keys. Each of the three keys must use the same type of cryptography.

The following example generates keys by using RSA 3K.

  1. To generate the PKC private keys rsa3k-0.pem, rsa3k-1.pem, and rsa3k-2.pem, run the following code.

    Copy
    Copied!
                

    openssl genrsa -out rsa3k-0.pem 3072 openssl genrsa -out rsa3k-1.pem 3072 openssl genrsa -out rsa3k-2.pem 3072

  2. To generate the public key hash values from the PKC private keys, run the following code.

    Copy
    Copied!
                

    ./tegrasign_v3.py --pubkeyhash rsa3k-0.pubkey rsa3k-0.hash --key rsa3k-0.pem ./tegrasign_v3.py --pubkeyhash rsa3k-1.pubkey rsa3k-1.hash --key rsa3k-1.pem ./tegrasign_v3.py --pubkeyhash rsa3k-2.pubkey rsa3k-2.hash --key rsa3k-2.pem


Later you add the hashes to the fuse configuration file.

Caution

Guard your private keys. The security of your IGX device depends on the security of your private keys.

B. (Optional) Generate an SBK Symmetric Key

To further enhance secure boot, you can optionally encrypt bootloader components.

Note

You can’t encrypt bootloader components if secure boot is not enabled.

To encyrpt bootloader components, you use a symmetric SBK key fused to the IGX’s SoC. The SBK key is used as an encryption key when the bootloader components are generated. The SBK key is used as a decryption key when the IGX Orin is booted.

The IGX Orin SoC requires an SBK key of eight 32-bit words (32 bytes) in length. To generate a 32-byte SBK key, run the following code.

Copy
Copied!
            

openssl rand -rand /dev/urandom -hex 32 2>&1 |tee sbk.key

Later you add the key to the fuse configuration file.

We recommend that you use the Hardware Security Module (HSM) to generate a truly random number for an SBK key.

Caution

Guard your private key. The security of your IGX device depends on the security of your private key.

C. Prepare the K1 and K2 keys

The K1 (OemK1) and K2 (OemK2) keys are pre-fused 256b symmetry keys which you can use for other security applications, such as encrypted keyblob generation or device provisioning. The K1 key is reserved for generating the new EKB. You must prepare these two keys, and other ODM fuse bits, as described in the documentation for the other security application.

For IGX Orin, the fuse key names are OemK1 and OemK2, and the key length must be 32 bytes. To generate a 32-byte OemK1 key file, run the following code.

Copy
Copied!
            

openssl rand -rand /dev/urandom -hex 32 2>&1 |tee OemK1

Later you add the key to the fuse configuration file.

We recommend that you use the Hardware Security Module (HSM) to generate a truly random number for K1/K2 keys.

Caution

Guard your private key files. The security of your IGX device depends on the security of your private key files.

D. Prepare the fuse Configuration file

The fuse configuration file contains the fuse data, a list of fuses, and the value to be burned in each fuse. The FSKP tool uses the configuration file to program the fuses.

Caution

After secure boot mode is enabled, the fuse is locked and can’t be changed.

A fuse configuration file contains a <genericfuse> element, and one <fuse> element for each fuse to burn. The three PKC keys are named PublicKeyHash , PkcPubkeyHash1, and PkcPubkeyHash2, and the names are case sensitive. The fuse SecurityMode must be the last element in the file.

The fuse BootSecurityInfo contains a 4-byte value which you must set by using the following information:

  • Bit[0:2]: - set to 001b for RSA 3K - set to 010b for ECDSA P-256 - set to 011b for ECDSA P-521

  • Bit[3]: set to 1 if you are using an optional SBK key

  • Bit[9]: set to 1 for the OEM K1 and K2 keys

  • Bit[11]: set to 1

  • Bit[13]: set to 1

  • Set all other bits to 0

The following is an example of an IGX Orin fuse configuration file. The file contains three RSA 3K keys, an SBK Key, and OemK1 and OemK2 keys.

Copy
Copied!
            

<genericfuse MagicId="0x45535546" version="1.0.0"> <fuse name="PscOdmStatic" size="4" value="0x00000060"/> <fuse name="Kdk0" size="32" value="0x6208e3cd81ed0cd77b214db0c875ade40c26bca09382ad82cd0e24046cc8c64e"/> <fuse name="PublicKeyHash" size="64" value="0xad2474627c14e3f7f4944a832bd15d0640938a3dc162f558692458f3d12f9453e11bea2ec75df3f83e8b29c47fc3d2483d528d3e94a5469c4ba1ec61f1584b23"/> <fuse name="PkcPubkeyHash1" size="64" value="0xd87796fb510d79738f8509c98511be0bb79dcc17d204a2f0f0bea9680b91bd1273ee2ae7a8a6bdb8b95deb0f421e72404939ae20d12c82649712283027201f39"/> <fuse name="PkcPubkeyHash2" size="64" value="0x99a5b6eac64dfb29698cb684165529e5d8650c1aab0e18b677c5d5f0998af53f8a8a1f09ad1d79368bc500e57eb199e9108fc7b1499995d869b028fec3f367db"/> <fuse name="SecureBootKey" size="32" value="0x123456789abcdef0fedcba9876543210 00112233445566778899aabbccddeeff"/> <fuse name="OemK1" size="32" value="0xf3bedbff9cea44c05b08124e8242a71ec1871d55ef4841eb4e59a56b5f88fb2b"/> <fuse name="OemK2" size="32" value="0x76d723099bc81a39cfc8bd109deb7ef39aa1d0f5ab4658180ad33e1d983a2e84"/> <fuse name="OptInEnable" size="4" value="0x1"/> <fuse name="BootSecurityInfo" size="4" value="0x2a09"/> <fuse name="ArmJtagDisable" size="4" value="0x1"/> <fuse name="SecurityMode" size="4" value="0x1"/> </genericfuse>

Note

Although the fuse configuration file contains XML, it does not need the <?xml ?> prolog defined by the XML standard. If you want to run general purpose XML utilities on your configuration file, you can add a prolog.

E. Generate the Encrypted and Signed Blob

To generate the encrypted and signed blob with the with the Factory Secure Key Provisioning (FSKP) expansion keys, run the following code. Replace fuseblob.xml with the name of your fuse configuration file.

Copy
Copied!
            

sudo ./fskp_fuseburn.py --board-spec igx-board-spec.txt -f fuseblob.xml -i 62 -b \ --key-exp fskp_ak.bin fskp_ek.bin --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B <top>/igx-orin-devkit.conf

To burn the fuses, run the following code.

Copy
Copied!
            

sudo ./fskp_fuseburn.py --board-spec igx-board-spec.txt -P ./out -c 0x23 -B <top> /igx-orin-devkit.conf

To read the fuse values through the Linux kernel, use the script /usr/sbin/nv_fuse_read.sh.

To list the supported fuses, run the following code.

Copy
Copied!
            

sudo nv_fuse_read.sh -l

To read the value of a fuse, run the following code.

Copy
Copied!
            

sudo nv_fuse_read.sh <fuse name>

For example, use the following code to get the exclusive chip identification (ECID) of the IGX board.

Copy
Copied!
            

sudo nv_fuse_read.sh ecid

To read all fuse values, run the following code.

Copy
Copied!
            

sudo nv_fuse_read.sh

To generate the encrypted and signed blob, do the following steps:

A. Generate a New EKB File

Generate the EKB file after you program the IGX fuse, and before you flash the QSPI image. There are four keys included in the EKB file. The OemK1 key is fused to IGX fuse. The other three keys are generated by the NVIDIA-provided script example.sh. Any time you sign and flash the QSPI image, copy the eks_t234.img file to the <Linux_fo_Tegra>/bootloader directory.

You need the following prerequisites:

  • Python 3.9 or newer

  • pip3 install cryptography

  • pip3 install pycryptodome

  1. Download public_sources.tbz2 from the IGX Download Center.

    Copy
    Copied!
                

    wget https://developer.nvidia.com/downloads/igx/v1.0.0/public_sources.tbz2

  2. Untar public_source.tbz2, change to the folder Linux_for_Tegra/source, untar nvidia-jetson-optee-source.tbz2.

    Copy
    Copied!
                

    tar -xvf public_source.tbz2 cd Linux_for_Tegra/source tar -xvf nvidia-jetson-optee-source.tbz2

  3. Change to the folder optee/samples/hwkey-agent/host/tool/gen_ekb/.

    Copy
    Copied!
                

    cd ./optee/samples/hwkey-agent/host/tool/gen_ekb/

  4. Open the file example.sh with your text editor and make the following changes to the file.

    1. Go to the [T194 example] section and comment out the python gen_ekb.py. This section should not be run.

    2. Go to the [T234 example] section and uncomment #echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key.

    3. Replace 0000000000000000000000000000000000000000000000000000000000000000 with your fused Oem K1 key.

    4. Uncomment the following lines.

      Copy
      Copied!
                  

      # openssl rand -rand /dev/urandom -hex 32 > sym_t234.key # openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key # openssl rand -rand /dev/urandom -hex 16 > auth_t234.key

  5. Save your changes to example.sh and exit the file.

  6. Run ./example.sh. The file eks_t234.img is generated.

  7. Copy eks_t234.img to the folder <Linux_for_Tegra>/bootloader.

B. Flash QSPI

We recommend that you enable UEFI secure boot with QSPI secure boot at the same time. For details, see Enable UEFI Secure Boot at Flash Time.

If you want to enable QSPI secure boot only, use the following procedure.

  1. Navigate to the directory where you installed Jetson BSP.

  2. Put the IGX device into recovery mode. For details, see Put the system into recovery mode.

  3. To sign QSPI with the rsak3k-0.pem key, run the following code. To optionally encrypt the payload with an SBK key, include the -v option and the sbk.key file argument.

    Copy
    Copied!
                

    sudo ./flash.sh p3740-0002-p3701-0008-qspi external -u rsa3k-0.pem — Or — sudo ./flash.sh p3740-0002-p3701-0008-qspi external -u rsa3k-0.pem -v sbk.key

After you complete the steps in this documentation, see Enable Secure Boot for UEFI.

Previous Secure Boot for IGX
Next Enable Secure Boot for UEFI
© Copyright © 2024, NVIDIA Corporation. Last updated on Aug 23, 2024.