Factory Secure Key and Expansion Key Provisioning
Factory Secure Key Provisioning (FSKP) is a technique to securely burn fuses on the factory floor. The fuse data contains a sensitive device and encryption keys that establish the root of trust on the target device. FSKP protection is important because the factory floor might not have a high level of security and can pose security risks.
FSKP provides a way to securely transfer fuse data to NVIDIA® Jetson™ using encryption. This encryption is completed with a shared platform key called the FSKP key, and this key is available on the OEM’s hardware security module (HSM) server for encryption and in the chip’s internal ROM (IROM) for decryption.
Jetson devices are programmed with 64 FSKP keys, and these keys are in an array of 64 AES 256-bit symmetric keys, which are stored in internal ROM (IROM) on the chip and are referenced by an index from 0 to 63. Of these keys, 46 can be assigned to OEMs to protect their factory floor, Jetson boot images, and fuse data with a digital signature and encryption. NVIDIA generates and places the keys in the Jetson IROM to make them part of the secure boot chain of trust.
Although 46 FSKP keys are available to the OEMs, this is not enough keys to accommodate the growing number of OEMs. To solve this problem, a Key derivation key uses the Key derivation function (KDF) to generate a derived key from the root key (Key 62 or the Expansion Key). By using KDF, you can generate an unlimited number of derived keys.
Requesting FSKP Expansion Keys
Contact your NVIDIA representative to start the process.
Generate a one-time RSA key pair with a cryptographic tool (we recommend openssl, see section 1.2.2 for detailed instructions).
Send the
public_key.cer
to NVIDIA.After the request is approved, the FSKP Expansion Keys will be encrypted with the
public_key.cer
and sent back to you inside aResults.zip
file.You can use the keys to prepare your encrypted and signed blob.
Generating and Verifying the Self-Signed X.509 Certificate
The self-signed X.509 certificate is the certificate that the FSKP owner emails to the key custodian.
Here are the requirements to generate and verify the certificate:
A Linux system with the Java key tool utility (keytool) installed. Refer to keytool - Key and Certificate Management Tool for more information.
The OpenSSL toolkit. Refer to the home page of the OpenSSL Project, Welcome to Open SSL! for more information.
To generate a self-signed X.509 certificate, use keytool
or openssl
.
Generating an RSA Key Pair and Creating a Certificate with the Public Key (Option 1 with keytool)
On the Linux system, create a directory to store the private and public key:
$ mkdir ~/CKMS
Generate a Java keystore and an RSA key pair and place the key pair in the Java keystore.
A Java keystore (JKS) is a storage area in the Linux file system where the Java key tool utility stores cryptographic keys and certificates. You can use the keytool command to generate the key pair and place it in the Java keystore where <alias> is an alias that keytool uses to identify the key pair. Although the alias is arbitrary, it must be unique in the Java keystore because the alias is used as the basename of the CER (certificate) file.
To access the keystore, enter a password.
To access the RSA key pair, enter a password.
Export the public key to a certificate (CER) file:
keytool -export -alias <alias> -file ~/CKMS/<alias>.cer \\ -keystore ~/CKMS/mystore.jks
where
<alias>
is assigned to the key pair, and the keytool utility creates the CER file with the specified name and stores the certificate in the CER file and the Java keystore.Email the CER file to the NVIDIA key custodian.
Generating an RSA Key Pair and Creating a Certificate with the Public Key (Option 2 with openssl)
Generate 4096 bits RSA Public and private keys:
openssl genrsa -aes-256-cbc -out oem_rsa_priv.pem 4096
Generate RSA x509 based Certification:
openssl req -new -x509 –outform PEM -key oem_rsa_priv.pem -out oem_publickey.cer -days 365
Email the CER file to the NVIDIA key custodian.
Content of the Results.zip File
FSKP Expansion keys, which are wrapped and encrypted with the OEM
public_key.cer
, will be sent from NVIDIA in a zip file.
Here are the contents of the zip file:
fskp_ak.bin.rsa_wrap
: The FSKP_AK wrapped with the RSA public key (binary).fskp_ak.bin.rsa_wrap.info
: metadata, Label, and String/Context used in KDF, and KCV of FSKP_AK.fskp_ek.bin.rsa_wrap
: FSKP_EK wrapped with RSA public key (binary).fskp_ek.bin.rsa_wrap.info
: metadata, Label, and String/Context used in KDF, and the KCV of FSKP_EK.fskp_conf.txt
: includes the AK and EK strings for fskp_fuseburn.py use.
An Example: Preparing the Encrypted and Signed Blob at HSM
Here are the software requirements:
Ubuntu 18.04, 20.04, or 22.04
JetPack public release package:
Jetson_Linux_R3x.x.0_aarch64.tbz2
Tegra_Linux_Sample-Root-Filesystem_R3x.x.0_aarch64.tbz2
FSKP tool package:
fskp_partner_t234_R3x.x.0_aarch64.tbz2
Results.zip
: Obtained from NVIDIA.Openssl: https://www.openssl.org/
Untar the JetPack release and the fskp_partner_t234_R3x.x.0_aarch64.tbz2 file:
$ tar xpfv ${L4T_RELEASE_PACKAGE} $ sudo tar xpf ${SAMPLE_FS_PACKAGE} -C Linux_for_Tegra/rootfs/ # Copy fskp_partner_t234_R3x.x.0_aarch64.tbz2 to the same directory $ cd Linux_for_Tegra/ $ tar xvjf ../fskp_partner_t234_R3x.x.0_aarch64.tbz2 $ sudo ./apply_binaries.sh $ sudo ./tools/l4t_flash_prerequisites.sh $ cd l4t/tools/flashtools/fuseburn
Copy the
Results.zip
file to thel4t/tools/flashtools/fuseburn
folder and unzip it:$ unzip Results.zip
Decrypt the
*.rsa_warp
files (Encrypted keys).Navigate to the fuseburn scripts directory.
To restore keys, run the openssl command:
$ cd l4t/tools/flashtools/fuseburn/Results openssl rsautl -decrypt -inkey oem_rsa_priv.pem -in fskp_ak.bin.rsa_wrap > fskp_ak.bin openssl rsautl -decrypt -inkey oem_rsa_priv.pem -in fskp_ek.bin.rsa_wrap > fskp_ek.bin
Copy these files from the Results directory to the fuseburn directory (one level above):
$ mv fskp_ak.bin .. $ mv fskp_ek.bin .. $ mv fskp_conf.txt ..
Preparing the Encrypted and Signed Blob
Make sure the board specifications files and the board configuration files have the correct information. The board specification file contains a non-exhaustive list of environment variables to pass to the NVIDIA-provided board specifications file to generate a list of files to use for the FSKP process. We recommend that you provide the following variables for the board specification. Refer to the official Jetson documentations on how to retrieve these values:
BOARDID
CHIP_SKU
BOARDSKU
RAMCODE_ID
FAB
BOARDREV
Note
All these variables can be retrieved by
flash.sh
with the--read-info
command option.Run the following command:
cd <top>/l4t/tools/flashtools/fuseburn
Depending on your device, run the following command:
NVIDIA Orin AGX:
sudo ./fskp_fuseburn.py --board-spec orin-agx-board-spec.txt -f fuseblob.xml -i 62 --test --key-exp fskp_ak.bin fskp_ek.bin --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B <top>/jetson-agx-orin-devkit.conf *fuseblob.xml is the fuse blob data to burn.
NVIDIA Orin Nano:
sudo ./fskp_fuseburn.py --board-spec orinnano-board-spec.txt -f fuseblob.xml -i 62 --test --key-exp fskp_ak.bin fskp_ek.bin --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B <top>/jetson-orin-nano-devkit.conf *fuseblob.xml is the fuse blob data to burn.*
Note
This example uses the –test argument that will not burn the fuses. To burn the fuses, users need to change it to -b.
When prompted whether to continue testing the fuses, enter No:
WARNING!! Testing Fuses option is selected do you want to continue testing the fuses (Yes/No) **No** The out.tar file will be generated, and it will contain the encrypted and signed blob files that can be delivered to the factory floor.
An Example: Using the Encrypted and Signed Blob at the Factory
Here are the software requirements:
Ubuntu 18.04, 20.04, or 22.04
JetPack public release package:
Jetson_Linux_R3x.x.0_aarch64.tbz2
Tegra_Linux_Sample-Root-Filesystem_R3x.x.0_aarch64.tbz2
FSKP tool package:
fskp_partner_t234_R3x.x.0_aarch64.tbz2
Out.tar
: Generated in 1.4 and is delivered to the factory floor.
Untar the JetPack release and the
fskp_partner_t234.tbz2
file:$ tar xpfv ${L4T_RELEASE_PACKAGE} $ sudo tar xpf ${SAMPLE_FS_PACKAGE} -C Linux_for_Tegra/rootfs/ # Copy fskp_partner_t234_R3x.x.0_aarch64.tbz2 to the same directory $ cd Linux_for_Tegra/ $ tar xvjf ../fskp_partner_t234_R3x.x.0_aarch64.tbz2 $ sudo ./apply_binaries.sh $ sudo ./tools/l4t_flash_prerequisites.sh $cd l4t/tools/flashtools/fuseburn
Here is the Tegra UART output:
sudo minicom -D /dev/ttyACM0
You need to capture the Tegra UART output to determine whether the burn fuse process was successful.
Place the Tegra in Recovery mode:
cd <top>/Linux_for_Tegra/tools/board_automation sudo ./boardctl -t topo recovery
Navigate to the fuseburn scripts directory:
cd <top>/l4t/tools/flashtools/fuseburn
Copy the
out.tar
file that was delivered to the factory:#Untar the out.tar tar xpfv out.tar
Burn the fuses.
NVIDIA Orin AGX:
sudo ./fskp_fuseburn.py --board-spec orin-agx-board-spec.txt -P ./out -c 0x23 -B <top>/jetson-agx-orin-devkit.conf
NVIDIA Orin Nano:
sudo ./fskp_fuseburn.py --board-spec orinnano-board-spec.txt -P ./out -c 0x23 -B <top>/jetson-orin-nano-devkit.conf
Note
The
jetson-agx-orin-devkit.conf
file is used for NVIDIA Orin AGX, so you need to modify the board spec file with the correct information for your Tegra Hardware.When prompted about continuing to test the fuses, enter Yes:
WARNING!! Testing Fuses option is selected do you want to continue testing the fuses (Yes/No) **Yes**
Burn Status
To determine the burn status:
On the Linux Host, verify that the following message is displayed:
FSKP execution successful
On the target (Tegra UART output), here is a sample fuseblob.xml result:
I> Task: Burn fuses (0x500039e4) I> Index : 1 Kdk0 size: 32 I> Index : 2 OemK1 size: 32 I> Index : 3 PublicKeyHash size: 64 I> Index : 4 SecureBootKey size: 32 I> Index : 5 BootSecurityInfo size: 4 I> Index : 6 OdmId size: 8 I> Index : 7 OdmInfo size: 4 I> Fuse Blob found I> I> ... I> **Successfully burnt fuses as per fuse info**
Action |
Result |
---|---|
Burned successfully |
On the host Find this text: FSKP execution successful |
On the target (Tegra UART output), find this text: Successfully burnt fuses as per fuse info. |
|
Failed to Burn |
If missing either of the texts from the host or the target. |
Using the fskp_fuseburn.py File to Burn Fuses
The FSKP fusing scripts include the following:
fskp_fuseburn.py
: Provides a high-level script that is invoked by the user. The script prepares encrypted and signed blobs, performs fuse burning, and invokes other tools based on the input parameters.fskp_helper.py
,fskp_parser.py
, andfskp_shell_helper.py
: helper scripts for thefskp_fuseburn.py
scripts.
The FSKP tools include the following:
tegraparser_v2
: Parses a fuse XML configuration file and uses it to generate a blob that contains the fuse data and an FSKP target-binary.tegrarcm_v2
: Manages communication between the host and the target and exchanges data and commands over USB with target’s BootROM and bootloader.tegrasign_v3.py
: Encrypts and signs an input image with the specified key.tegrabct_v2
: Creates BR_BCT, MB1_BCT, and the derivatives key binaries are used to encrypt and sign the fskp_blob.tegrahost_v2
: Appends the necessary header and brushes binaries to help sign and encrypt the binary.fskp.bin
: This FSKP target-binary is a minimal bootloader that is used to burn fuses and write to storage. Optionally, it also completes RPMB provisioning.Fuse configuration file: An XML file that contains the fuse list that is read by the tegraparser_v2 tool. The fuse list specifies the name, length, and value of each fuse to be burned in the order in which they are listed.
Here is the FSKP fuse flow:
Prepare the fuse data and the fskp binary blob in a secure environment.
Fuse the hardware fuses on the target chip in the factory where the environment might not be secure.
FSKP Fuse Burn Script
Before you can use the fskp_fuseburn.py
tool, the Python programming
software must be installed on the host system.
The tool completes the following tasks:
Parses the fuse configuration file and prepares a blob that contains the fuse data and an FSKP target-binary.
Encrypts and signs the blob with the input key.
Signs MB1 and optionally creates MB1-BCT.
Downloads MB1 to the target and optionally downloads MB1-BCT on the target using USB recovery mode commands.
Downloads the blob to the target using USB Recovery Mode commands and performs fuse burning.
Optionally completes RPMB provisioning.
Before you begin, create a flashing environment that can be used with this tool. Refer to To Flash the Jetson Developer Kit Operating Software <> for more information.
After you create the flashing environment, verify that the following folder exists:
./Linux_for_Tegra
To access the tool, extract fskp_partner_t234.tbz2:
sudo tar xpfv fskp_partner_t234.tbz2 The script is in the following directory, executes on the host, and accepts the arguments in Table 2‑1. l4t/tools/flashtools/fuseburn
Here is an example of how the script is used:
$ sudo <BOARD_SPEC> ./fskp_fuseburn.py --board-spec <board_spec> -f <fuse_config> -i <key_index> -k <FSKP_key> -g <out> -c <chip> -B <board>
Argument |
Description |
---|---|
–help (or -h) |
Displays the help menu. |
–burnfuse (or -b) |
Performs fuse burning. |
–board (or -B) |
Board name for which you want to create a fuse blob or program fuses. Check help for the default supported boards. |
–chip (or -c) <chip> |
Sets tegra chipid, for example, 0x23 for NVIDIA Orin SoC. |
–fskpcfg (or -C) <file> |
Sets the derivation strings values from a text file instead of using the default values. |
–ecid (or -e) |
Gets the ECID of the target. |
–fusefile (or -f) <file> |
Specifies the fuse configuration file. |
–outdir (or g) <path> |
Generates a blob at <path> and does not perform a burn. |
–keyindex (or -j) <index> |
SoC FSKP key index allotted to the OEM. |
–key (or -k) |
FSKP key file provided to OEMs as per keyindex. |
–key-exp <AK_keyfile> <EK_keyfile> |
FSKP expansion key file pair that is provided to OEMs as per the key index. |
–board-spec <file> |
A board specification contains the BOARDSKU, FAB, and other board specific values. For examples, default_board_spec.txt contains the following:
|
–skipconfirmation (or -s) |
Skips the confirmation message while burning the fuse. |
–test (or -t) |
Performs a dummy operation and does not burn fuses. |
–skipuid (or -u) |
Skips querying the UID of the target. |
–verbose (or -v) |
Enables verbose logs. |
–skipfskpkey (or -K) |
Use FSKP without using a FSKP key. |
–prebuilt (or -P) <path> |
Picks a prebuilt blob from <path> and does not generate a blob. |
–version (or -V) |
Identifies the version number. |
Fuse Configuration File
The fuse configuration file is an XML file that contains the fuse data.
The tegraparser_v2
tool parses this file and uses it to generate a blob
of fuse configuration data.
Note
Although the fuse configuration file contains XML tags, it does
not need the <?xml...?>
prolog defined by the XML standard because the
fuse configurations might not have a prolog. To run general XML
utilities on this file, you might have to add a prolog.
For information about the format of the fuse configuration file, refer to Format of the Fuse Configuration File.
The fuse burn script burns fuses in the order in which they are specified in the fuse configuration file. It does not check for fuse dependencies. You must ensure that the fuse configuration file specifies fuses in an order that does not burn the dependent fuses before the fuses on which they depend.
Format of the Fuse Configuration File
A fuse configuration file contains a <genericfuse>… </genericfuse>
tag
pair that contains one <fuse/>
tag for each fuse that will be burned.
The following template shows the format of the file:
<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="<name>" size="<size>" value="<value>"/>
<fuse name="<name>" size="<size>" value="<value>"/>
. . .
</genericfuse>
Where:
<name>
is the name of a fuse and these names are documented in the table under Manufacture Programmable Fuses.<size>
is the size of the fuse in bytes.<value>
is the value to be burned into the fuse, with two hexadecimal digits per byte.
MagicID is used by the FSKP target-binary and must not be changed.
fskp.bin
burns fuses in the order in which they appear in the
fuse configuration file. If the value of two or more fuses are
interdependent, the independent fuses must be specified before the
dependent fuses so that the independent fuses are burned first. That is,
if the values that can be burned into fuse Z depend on the value of fuse
Y, and the values that might be burned into fuse Y depend on the value
of fuse X, the fuse configuration file must specify and burn the fuses
in the following order:
Fuse X
Fuse Y
Fuse Z
Caution
The FSKP fuse burning tool does not check for dependencies, so specifying a dependent fuse before the fuse on which it depends, might render the target device inoperable. Check the fuse list’s order carefully before you burn the fuses.
To use RPMB provisioning, the tool supports fusing the RPMB key on eMMC storage. The version field must be 2.0.0 for RPMB. This requires the OEM_K1 key to be present in the fuse configuration file:
<genericfuse MagicId="0x45535546" version="2.0.0">
<rpmb provisioning = "0x1" dev_type = "0x2"/>
<fuse name="<name>" size="<size>" value="<value>"/>
<fuse name="<name>" size="<size>" value="<value>"/>
. . .
</genericfuse>
A Reference Fuse Configuration File
The Jetson Linux platform provides a fuse configuration file for use as a reference, and the file is located here:
<top>/l4t/tools/flashtools/fuseburn
The fuse list for this file is ordered correctly to allow for fuse dependencies.
Some fuse values in the reference configuration file are enclosed in XML comments, as in the following example. To adapt the reference file for your use, uncomment them and replace the 0xFFFF… placeholder values with the actual key index values for your target:
<genericfuse MagicId="0x45535546" version="1.0.0"> <!-- <fuse
name="OdmId" size="8" value="0xFFFFFFFFFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm0" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm1" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm2" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm3" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm4" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm5" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm6" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="ReservedOdm7" size="4" value="0xFFFFFFFF"/> --> <!-- <fuse
name="OdmInfo" size="4" value="0x0000FFFF"/> --> <!-- <fuse
name="SecureProvisionInfo" size="4" value="0x1"/> --> <!-- <fuse
name="PublicKeyHash" size="64"
value="0x00000000111111112222222233333333444444445555555566666666777777778888888899999999aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffff"/>
--> <!-- <fuse name="BootSecurityInfo" size="4" value="0x1"/> -->
<!-- <fuse name="SecurityMode" size="4" value="0x1"/>
--></genericfuse>
Note
Although its size is 4, only the last two bytes in the Odminfo are allowed to be programmed.
Preparing an Encrypted and Signed Blob
The FSKP blob encryption and signing is completed by using derived keys, and here is the process:
To parse the fuse configuration file and prepare a blob that contains fuse data and an FSKP target-binary, call
tegraparser_v2
.To generate the derived string binaries, call
tegrabct_v2
to parse thedev_param
and the br-bct dts files.To create
BR-BCT
,MB1-BCT
, andMEM-BCT
, calltegrabct_v2
.To append the BCH header and sign the BCT binaries in step 3, call
tegrasign_v3.py
.To align the FSKP blob, call
tegrahost_v2
.To append the BCH header on FSKP blob, call
tegrahost_v2
.To encrypt the FSKP blob with the encryption key and sign it next, call
tegrasign_v3.py
.To sign MB1, PSC-BL1 binaries, call
tegrasign_v3.py
.To append and fill the signature on the MB1 and PSC-BL1 binaries, call
tegrahost_v2
.For the binaries to be included in the blob, cpu-bootloader, MB2, bpmp firmware, bpmp-dtb, spe firmware, mts, and psc firmware, complete the following tasks:
To align, call each one with
tegrahost_v2
.To append the BCH header, call each one with
tegrahost_v2
.To sign, call
tegrasign_v3.py
.To generate the blob, call each one with
tegrahost_v2
.
Preparing the Encrypted and Signed Blob
The Results.zip file includes a fskp_conf.txt file that can be used
as the -fskpcfg
fskpcfg argument.
If the fskp_conf.txt
file is not provided, users can create this file
with the strings from fskp_ak.bin.rsa_wrap.info
and
fskp_ek.bin.rsa_wrap.info
and place them in a configuration file of
the following fixed format.
The content of the strings are 32 bytes in hex, and here is an example:
sec_provision_derivation_string1 |
Encryption Key (EK) |
---|---|
sec_provision_derivation_string2 |
Authentication Key (AK) |
sec_provision_derivation_string1 =
"0x0000000000000000000000000000000000000000000000000000000000000001";
sec_provision_derivation_string2 =
"0x0000000000000000000000000000000000000000000000000000000000000002";
Navigate to the fuseburn scripts directory:
<top>/l4t/tools/flashtools/fuseburn
Run the fuseburn command:
$ sudo <BOARD_SPEC> ./fskp_fuseburn.py [-b] -f <fuse_config> -i <key_index> -k <FSKP_key> -g <out> -c <chip> --fskpcfg <fskp_cfg> -B <board> [--board-spec <board-spec-file>]
Where:
<fuse_config>
is the fuse configuration file.<key_index>
is the FSKP key index.<FSKP_key>
is the FSKP key.<out>
is the directory where the command will write the output.<chip>
is the chip for which the FSKP blob is generated. For example, 0x23 is for NVIDIA Orin.<fskp_cfg>
is optionally generated by the OEM in step 1 to overwrite the default derivation strings. If you want default derivation strings, omit this argument.<board>
is the board config file in the Linux_for_Tegra folder. For example,Linux_for_Tegra/jetson-agx-orin-devkit.conf
.-g
indicates that you need to use burn setting, but fuse burning does not take place.-b
indicates that you want to generate the fuse blob that burns the fuses. Without-b
, the generated fuse blob will only do a dry run on the target when trying to burn fuses with the -p option.<BOARD_SPEC>
is the board information environment variables, such as BOARD_SKU, FAB, and so on.This will be provided for NVIDIA developer kits.
<board-spec-file>
is like<BOARD_SPEC>
, you can specify a shell script to define BOARD_SKU, FAB, and so on. NVIDIA provides the default_board_spec.txt file as an example for the AGX specification file.This command prepares an encrypted and signed blob and binaries and stores the binaries and the encrypted FSKP blob in the <out> directory. The directory can be used on the factory floor for fuse burning. The tool also conveniently generates a tarball (
<out>.tar
) so you can move the directory to other machines.For example, to generate a test fuse blob for Jetson AGX NVIDIA Orin devkit board, run the following fuse burn command with the debug key use index 63:
$ sudo ./fskp_fuseburn.py -f fuse.xml -i 63 -k debug.key -g out/ -c 0x23 -B /home/user/Linux_for_Tegra/jetson-agx-orin-devkit.conf --board-spec orin-agx-board-spec.txt
To generate a test fuse blob for Jetson AGX NVIDIA Orin devkit board, run the following fuse burn command with the debug key use index 63 x:
$ sudo ./fskp_fuseburn.py -f fuse.xml -b -i 63 -k debug.key -g out/ -c 0x23 -B /home/user/Linux_for_Tegra/jetson-agx-orin-devkit.conf --board-spec orin-agx-board-spec.txt
To use the FSKP expansion by using derived key pair AK and EK, run the following commands:
$ sudo <BOARD_SPEC> ./fskp_fuseburn.py -f <fuse_config> -i <key_index> --key-exp <AK_key> <EK_key> -g <out> -c <chip> --fskpcfg <fskp_cfg> -B <board> [--board-spec <board-spec-file>]
Where:
<fuse_config>
is the fuse configuration file.<key_index>
is the FSKP key index (should be 62).<AK_key>
is the FSKP derived authentication key.<EK_key>
is the FSKP derived encryption key.<out>
is the directory where the command will write the output.<chip>
is the chip for which the FSKP blob is generated. For example, 0x23 is for NVIDIA Orin.<fskp_cfg>
is mandatory. The fskp_cfg expansion key is provided by NVIDIA, and its content cannot be modified by the OEM.<board>
is the board config file in theLinux_for_Tegra
folder. For example,Linux_for_Tegra/jetson-agx-orin-devkit.conf
.-g``
indicates that you need to use burn setting, but fuse burning does not take place. Do not use-s
to skip the fuse burning confirmation.-b
indicates that you want to generate the fuse blob that burns the fuses. When trying to burn fuses with the -p option, without the -b option, the generated fuse blob will only complete a dry run on the target.<BOARD_SPEC>
is the board information environment variables, such asBOARD_SKU
,FAB
, and so on. These variables will be provided for NVIDIA developer kits.<board-spec-file>
is like<BOARD_SPEC>
you can specify a shell script to defineBOARD_SKU
,FAB
, and so on. NVIDIA provides the orin-agx-board-spec.txt file as an example for the AGX specification file.
This command prepares an encrypted and signed blob and binaries as described earlier. It stores the binaries and the encrypted FSKP blob in the <out> directory, and this directory can be used on the factory floor for fuse burning. The tool also conveniently generates a tarball (<out>.tar) so you can move the directory to other machines.
For example, to generate a test fuse blob for the Jetson AGX NVIDIA Orin devkit board:
Run the following fuseburn command with expansion key pair use index 62:
$ sudo ./fskp_fuseburn.py -f fuse.xml -i 62 –key-exp AK.key EK.key --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B /home/user/Linux_for_Tegra/jetson-agx-orin-devkit.conf --board-spec orin-agx-board-spec.txt
Run the following fuseburn command with expansion key pair use index 62 to generate a real fuse blob for the Jetson AGX NVIDIA Orin devkit board:
$ sudo ./fskp_fuseburn.py -b -f fuse.xml -i 62 –key-exp AK.key EK.key --fskpcfg fskp_conf.txt -g out/ -c 0x23 -B /home/user/Linux_for_Tegra/jetson-agx-orin-devkit.conf --board-spec default_board_spec.txt
Burning Fuses in the Factory
Use the fskp_fuseburn.py fuse burn script to burn fuses in the factory.
The script uses tegrarcm_v2
to communicate with the target over USB and
sends the blob to the target.
Preparing a System to Burn Fuses
Download the encrypted and signed blob from the secure facility and store it in the
<top>/out
directory.Place the target in the USB Recovery mode.
Burning the Fuses
Navigate to the fuseburn scripts directory:
<top>/l4t/tools/flashtools/fuseburn
Execute the fuseburn command:
sudo ./fskp_fuseburn.py --board-spec <board_spec> -P ./out -b -c 0x23 -B <board>
When the command successfully executes, here is the printout for the
fskp_fuseburn.py
script:On the host:
FSKP execution successful
On the target (Tegra UART output):
Successfully Burnt Fuses as per fuse inf