Security Keys List

Applies to the Jetson AGX Thor series, the Jetson AGX Orin series, the Jetson Orin NX series, and the Jetson Orin Nano series.

PKC/SBK Keys / Secure Boot (BootROM → MB stages → UEFI)

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| PKC key pair (RSA-3K / ECDSA P-256 / ECDSA P-521) | Asymmetric | Jetson Thor | Signs/authenticates boot components in the secure boot chain (root of trust ultimately anchored by fused public key hashes). |
| PKC key pair (RSA-3K / ECDSA P-256 / ECDSA P-521 / XMSS) | Asymmetric | Jetson Orin | Signs/authenticates boot components in the secure boot chain (root of trust ultimately anchored by fused public key hashes). |
| PublicKeyHash | SHA512 | Jetson Thor | Hash of the hashes of the 16 public keys, burned to fuse; the BootROM/boot chain uses it to authenticate the 16 public keys. |
| PublicKeyHash | SHA512 | Jetson Orin | Hash of the public key, burned to fuse; the BootROM/boot chain uses it to authenticate the public key. |
| PkcPubkeyHash1 / PkcPubkeyHash2 | SHA512 | Jetson Orin | Additional fused public key hashes for PKC key revocation support. |
| SBK / SecureBootKey | Symmetric (AES key) | Jetson Orin | Encrypts bootloader components; used together with PKC in “SBKPKC” mode. |
| PscSecureBootKey | Symmetric (AES key) | Jetson Thor | Encrypts bootloader components; used together with PKC in “SBKPKC” mode. |
| OespSecureBootKey / SbSecureBootKey | Symmetric (AES key) | Jetson Thor | The secure boot key used by OESP and StrongBox. Must be programmed to the same value as PscSecureBootKey. |

Reference: Fuse Configuration


UEFI Secure Boot Keys (PK/KEK/db/dbx)

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| UEFI Platform Key (PK) (PK.key/PK.crt) | Asymmetric | Jetson Orin and Jetson Thor | Top-level UEFI Secure Boot trust anchor; authorizes KEK updates. |
| UEFI Key Exchange Key (KEK) (KEK.key/KEK.crt) | Asymmetric | Jetson Orin and Jetson Thor | Authorizes updates to the signature databases (db/dbx). |
| UEFI Signature Database (db) (certs/ESLs/auth) | Asymmetric | Jetson Orin and Jetson Thor | Stores the allowed signer certificates/hashes for UEFI payloads (kernel, dtb, EFI binaries, etc.). |
| UEFI Forbidden Signature DB (dbx) (certs/ESLs/auth) | Asymmetric | Jetson Orin and Jetson Thor | Revocation list of forbidden signers/hashes. |
| UEFI Capsule Signing Keys (certificate chain) | Asymmetric | Jetson Orin and Jetson Thor | Three private keys and a certificate chain (RootCA → IntermediateCA → SigningCert) for signing the UEFI capsule update payload. The default keys and certificates used by Jetson UEFI are in <Linux_for_Tegra>/generate_capsule/Pkcs7Sign and must be replaced for production devices. |

References:


UEFI Payload Encryption and Variable Protection

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| UEFI payload encryption key (sym_t234.key) | Symmetric (256-bit) | Jetson Orin | Encrypts UEFI payloads (kernel/initrd/dtb); stored in EKB and used via an OP-TEE TA during boot. |
| UEFI variable authentication key (auth_t234.key / auth_t264.key) | Symmetric (128-bit) | Jetson Orin and Jetson Thor | Used to measure/verify UEFI variable integrity (UEFI Variable Protection); stored in EKB and used via an OP-TEE TA. |

References:


Platform Vendor (PV) Keys

Used to independently sign and encrypt UEFI.

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| PV signing key pair (pv_priv.pem + cert/CRT) | Asymmetric | Jetson Orin and Jetson Thor | The platform vendor signs UEFI with the private key. The solution provider integrates the public key into MB2 so that MB2 can authenticate the PV-signed UEFI. |
| PV encryption key (pv_enc.key) | Symmetric (AES-256) | Jetson Orin | The platform vendor creates a fuse blob to burn this key into the OemK2 fuse and encrypts UEFI with a key derived from it. MB2 performs the same key derivation from OemK2 and decrypts UEFI at runtime. |

Reference: UEFI Platform Vendor Key Feature


Factory Secure Key Provisioning (FSKP)

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| FSKP_AK / FSKP_EK | Symmetric (AES-256) | Jetson Orin | Two “expansion keys” for Jetson Orin FSKP flows (used by fskp_fuseburn.py). |
| fskp_conf.txt | Config | Jetson Orin | Contains the AK and EK strings used by fskp_fuseburn.py. |
| FSKP key | Symmetric (AES-256) | Jetson Thor | A derived key for Jetson Thor FSKP flows (used by fskp_fuseburn.py). |
| fskp_select.txt | Config | Jetson Thor | Contains the FSKP context string used by fskp_fuseburn.py. |

Reference: Factory Secure Key and Expansion Key Provisioning


EKB (Encrypted Key Blob) Generation Keys

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| EKB fuse key | Symmetric (AES) | Jetson Orin | Hardware-backed root of trust used to derive the EKB encryption and authentication keys; must be burned into the OemK1 or OemK2 fuse. |
| EKB fuse key | Symmetric (AES) | Jetson Thor | Hardware-backed root of trust used to derive the EKB encryption and authentication keys; must be burned into the PscOemKdk1 fuse. |

Reference: EKB: Encrypted Key Blob


OP-TEE Keys

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| TA signing key (<optee_src>/keys/default_ta.pem) | Asymmetric | Jetson Orin and Jetson Thor | A development key used to sign TAs. For production devices it must be replaced, or the OP-TEE subkey mechanism adopted. |

References (in OP-TEE documentation):


Secure Storage Keys

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| RPMB key | Symmetric | Jetson Orin | The key for Replay Protected Memory Block storage. It must be provisioned to the eMMC device in advance. At runtime OP-TEE generates the RPMB key (derived from OemK1 + ECID), which matches the key provisioned in the eMMC RPMB. |

Reference: Secure Storage


Disk Encryption (LUKS/dm-crypt)

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| Disk encryption key (sym2_t234.key / sym2_t264.key) | Symmetric | Jetson Orin and Jetson Thor | Input key material used by the Jetson tooling or the TA to derive the LUKS key and passphrase (per-device unique derivations). Stored in EKB. |

Reference: Disk Encryption


Hwkey Agent Sample Application

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| Key for hwkey agent sample application (hwkey_t234.key / hwkey_t264.key) | Symmetric | Jetson Orin and Jetson Thor | Input key material used by the Hwkey Agent sample application to demonstrate data encryption and decryption. Stored in EKB. |

Reference: HWKEY AGENT CA and TA


Firmware TPM (fTPM) Keys

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| KDK0 | Symmetric (256-bit) | Jetson Orin | Hardware-backed root of trust used to derive the TPM EPS and EK keys. Must be burned into the Kdk0 fuse. |
| KDK0 | Symmetric (256-bit) | Jetson Thor | Hardware-backed root of trust used to derive the TPM EPS and EK keys. Must be burned into the PscOemKdk0 fuse. |
| EK key(s) (RSA and EC) | Asymmetric | Jetson Orin and Jetson Thor | Endorsement keys for TPM identity and attestation; pre-generated in the offline flow. The EK certificate is stored in EKB, and OP-TEE verifies the certificate to decide whether fTPM can be enabled. |

Reference: Preparation Before Provisioning (Offline Method)


Kernel Module Signing (Linux)

| Key / Material | Type | Applies to | Purpose |
|---|---|---|---|
| Kernel signing private key | Asymmetric | Jetson Orin and Jetson Thor | Signs the kernel, kernel-dtb and initrd. The public key is stored in the UEFI Signature Database (db). |
| Kernel module signing private key (CONFIG_MODULE_SIG_KEY, PEM) | Asymmetric | Jetson Orin and Jetson Thor | Signs kernel modules. The kernel verifies the signature when loading modules (if enabled). The key must be enrolled into UEFI when UEFI Secure Boot is enabled. |

References: