Fuse Configuration File

The fuse configuration file, which is an XML file, contains the fuse data, a list of fuses, and the value to be burned in each fuse.

The fskp_fuseburn.py tool uses this XML file to program the fuses.

A fuse configuration file contains a <genericfuse> </genericfuse> tag pair, which contains one <fuse/> tag for each fuse to be burned.

The following template shows the format of the file:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="<name>" size="<size>" value="<value>"/>
    <fuse name="<name>" size="<size>" value="<value>"/>
    . . .
</genericfuse>

  • <name> is the name of a fuse. Supported fuse names are listed in the SoC’s Reference Fuse Configuration File.

  • <size> is the size of the fuse in bytes.

  • <value> is the value to be burned into the fuse, with two hexadecimal digits per byte.

The MagicId value of 0x45535546 is used by the target-binary and must not be changed.

The fskp_fuseburn.py script burns fuses in the order that they appear in the fuse configuration file. If the values of two or more fuses are interdependent, the independent fuses must be specified before the dependent one so that they are burned first. That is, if the values that can be burned into fuse Y depend on the value of fuse X, the fuse configuration file must specify fuse X first and then Y. This way, the fskp_fuseburn.py script burns fuse X first.

Caution

The fskp_fuseburn.py fuse-burning tool does not check for dependencies, so specifying a dependent fuse before the fuse on which it depends might render the target device inoperable. Carefully check the order of the fuse list before you burn the fuses.

Note

Although the fuse configuration file contains XML tags, it does not need the <?xml... ?> prolog defined by the XML standard. Fuse configurations might not have a prolog. If you want to run general purpose XML utilities on such a file, you might have to add a prolog.
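A pre-burn check for the rules above, as an added example (it is not part of NVIDIA's tools or of the original page): it verifies MagicId, that each value fits its declared size, that no all-F reference placeholder is left in, and that the fuse order respects dependency pairs supplied by the operator. The function name, the sample file, and the dependency pair are constructed for illustration; real dependency pairs come from the SoC fuse specification.

```python
import re
import xml.etree.ElementTree as ET

MAGIC_ID = 0x45535546  # fixed by the template; the bytes read "FUSE" little-endian
HEX_VALUE = re.compile(r"0x([0-9a-fA-F]+)\Z")


def lint_fuse_config(xml_text, depends_on=()):
    """Return a list of problems; an empty list means no rule was violated.

    depends_on holds (independent_fuse, dependent_fuse) pairs that the
    operator takes from the SoC fuse specification (hypothetical input).
    """
    problems = []
    try:
        # The <?xml ... ?> prolog is optional here. XML comments are dropped,
        # so commented-out fuses in a reference file are ignored.
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "genericfuse":
        return [f"root element is <{root.tag}>, expected <genericfuse>"]
    try:
        magic = int(root.get("MagicId", ""), 16)
    except ValueError:
        magic = None
    if magic != MAGIC_ID:
        problems.append("MagicId must be 0x45535546")

    position = {}  # fuse name -> index of first appearance (the burn order)
    for index, fuse in enumerate(root.findall("fuse")):
        name, size, value = (fuse.get(k) for k in ("name", "size", "value"))
        if not name or size is None or value is None:
            problems.append(f"fuse #{index}: name, size and value are required")
            continue
        if name in position:
            problems.append(f"{name}: listed more than once")
        position.setdefault(name, index)
        match = HEX_VALUE.match(value)
        if not size.isdecimal() or int(size) == 0 or match is None:
            problems.append(f"{name}: size must be a byte count and value 0x-prefixed hex")
            continue
        digits = match.group(1)
        # Short values such as 0x1 in a 4-byte fuse appear in the page's own
        # examples, so only an upper bound is enforced.
        needed = (len(digits) + 1) // 2
        if needed > int(size):
            problems.append(f"{name}: value needs {needed} bytes but size is {size}")
        if len(digits) >= 4 and set(digits.upper()) == {"F"}:
            problems.append(f"{name}: value is still the all-F reference placeholder")

    # The burn tool follows file order and does not check dependencies itself.
    for first, then in depends_on:
        if first in position and then in position and position[first] > position[then]:
            problems.append(f"{then}: depends on {first}, which is listed after it")
    return problems


# Constructed sample: no prolog, one commented-out fuse, three deliberate mistakes.
SAMPLE_CONFIG = """
<genericfuse MagicId="0x45535546" version="1.0.0">
    <!-- <fuse name="OdmId" size="8" value="0xFFFFFFFFFFFFFFFF"/> -->
    <fuse name="SecurityMode" size="4" value="0x1"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1000000200"/>
    <fuse name="ReservedOdm0" size="4" value="0xFFFFFFFF"/>
</genericfuse>
"""
# Constructed dependency pair, for illustration only.
SAMPLE_DEPENDENCIES = [("BootSecurityInfo", "SecurityMode")]

if __name__ == "__main__":
    for problem in lint_fuse_config(SAMPLE_CONFIG, SAMPLE_DEPENDENCIES):
        print(problem)
```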

Each SoC has its own specific fuses and fuse names.

For details on fuses and fuse names for each SoC, refer to the appropriate specifications in the Jetson Download Center (filtered by “fuse”).

The following sections describe the Fuse Configuration Files for each SoC.

Jetson Thor Fuse Configuration File

Use the following steps to program the fuses:

  1. Enable image signing with a PKC key:

    1. Generate a PKC key list. For more information, refer to Generate a PKC Key List for Jetson Thor.

    2. Generate the PublicKeyHash value from the PKC key list. For more information, refer to Generate PublicKeyHash Value From a PKC Key List for Jetson Thor.

  2. Generate an SBK key. For more information, refer to Prepare an SBK key.

  3. Generate OEM programmable keys. For more information, refer to Prepare K1/K2/KDK1 Keys.

  4. Create a Fuse Configuration file. For more information, refer to Examples of Jetson Thor Fuse Configuration Files.

For more information about fuses and fuse names for the Jetson Thor SoC, refer to the Jetson Thor Series Modules Fuse Specification document.

Generate a PKC Key List for Jetson Thor

The Jetson Thor series supports up to 16 OEM PKC keys. The digest of all 16 public key digests is burned to the PublicKeyHash fuse. To support this, Jetson Thor devices use a PKC key list, stored as an XML file, that holds the information for up to 16 keys.

The following template shows the format of the PKC key list:

<?xml version="1.0"?>
<entry_list>
    <bct active_index="<active_key_id>" chip_id="0x260" pcp_file="nv_combo.pcp" pcps_file="nv_combo.pcps" pcps_hash_file="nv_combo.pcps.hash" />
    <entry hash_file="<public_key_digest_filename>"  key="<private_key_filename>"  key_id="0"  mode="<key_mode>"  pub_file="<public_key_filename>" />
    <entry hash_file="<public_key_digest_filename>"  key="<private_key_filename>"  key_id="1"  mode="<key_mode>"  pub_file="<public_key_filename>" />
    <entry hash_file="<public_key_digest_filename>"  key="<private_key_filename>"  key_id="2"  mode="<key_mode>"  pub_file="<public_key_filename>" />
    <entry hash_file="<public_key_digest_filename>"  key="<private_key_filename>"  key_id="3"  mode="<key_mode>"  pub_file="<public_key_filename>" />
    . . .
    <entry hash_file="<public_key_digest_filename>"  key="<private_key_filename>"  key_id="15" mode="<key_mode>"  pub_file="<public_key_filename>" />
</entry_list>

Replace the placeholders as follows:

  • <active_key_id> is the index of the active key that will be used to sign images.

  • <public_key_digest_filename> is the name of the output public key digest file.

  • <private_key_filename> is the full path and name of the input private key file.

  • <public_key_filename> is the name of the output public key file.

  • <key_mode> is the mode of the key: pkc for RSA-3K keys, ec for ECDSA P-256 keys, ec521 for ECDSA P-521 keys, or xmss for XMSS keys.

Default fields in the PKC key list:

  • pcp_file is the output public cryptography parameter file of the active key.

  • pcps_file is the output file of the concatenation of all public key digests.

  • pcps_hash_file is the output digest of the pcps_file.

Note

We suggest that you generate all 16 keys. For key generation, refer to Generate a PKC Key Pair for Jetson Thor.

Note

The value of <private_key_filename> must include the full path to the private key file.
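A structural check for a PKC key list before it is handed to the signing tool, as an added example (not NVIDIA's code): it enforces the key_id range, the four documented modes, the full-path rule for private keys, and that active_index names a listed key. It warns when a private key sits under bootloader/ or fewer than 16 keys are listed. The function name and the sample list are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

KEY_MODES = {"pkc", "ec", "ec521", "xmss"}  # the four modes the page lists
MAX_KEYS = 16                               # key_id runs from 0 to 15


def check_pkc_key_list(xml_text):
    """Return (errors, warnings) for a Jetson Thor PKC key list."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "entry_list":
        return [f"root element is <{root.tag}>, expected <entry_list>"], warnings
    entries = root.findall("entry")
    if not 1 <= len(entries) <= MAX_KEYS:
        errors.append(f"{len(entries)} entries; expected 1 to {MAX_KEYS}")

    key_ids = set()
    for entry in entries:
        raw_id = entry.get("key_id", "")
        label = f"key_id {raw_id or '?'}"
        if not raw_id.isdecimal() or int(raw_id) >= MAX_KEYS:
            errors.append(f"{label}: key_id must be 0..{MAX_KEYS - 1}")
        elif int(raw_id) in key_ids:
            errors.append(f"{label}: used by more than one entry")
        else:
            key_ids.add(int(raw_id))
        if entry.get("mode") not in KEY_MODES:
            errors.append(f"{label}: unsupported mode {entry.get('mode')!r}")
        key = entry.get("key", "")
        if not posixpath.isabs(key):
            # The page requires the full path to the private key file.
            errors.append(f"{label}: key must be a full path, got {key!r}")
        elif "bootloader" in key.split("/"):
            warnings.append(f"{label}: private key is stored under bootloader/")
        for attr in ("hash_file", "pub_file"):
            if not entry.get(attr):
                errors.append(f"{label}: missing {attr}")

    bct = root.find("bct")
    active = bct.get("active_index", "") if bct is not None else ""
    if not active.isdecimal() or int(active) not in key_ids:
        errors.append(f"active_index {active!r} does not name a listed key_id")
    if len(entries) < MAX_KEYS:
        # PublicKeyHash is generated from the listed keys only.
        warnings.append(f"only {len(entries)} of {MAX_KEYS} keys listed")
    return errors, warnings


# Constructed sample with a relative key path, a duplicate key_id, an
# unsupported mode, a key under bootloader/ and a dangling active_index.
SAMPLE_KEY_LIST = """<?xml version="1.0"?>
<entry_list>
    <bct active_index="2" chip_id="0x260" pcp_file="nv_combo.pcp" pcps_file="nv_combo.pcps" pcps_hash_file="nv_combo.pcps.hash" />
    <entry hash_file="rsa3k-0.hash" key="/secure/keys/rsa3k-0.pem" key_id="0" mode="pkc" pub_file="rsa3k-0.pubkey" />
    <entry hash_file="ecp521-1.hash" key="ecp521-1.pem" key_id="1" mode="ec521" pub_file="ecp521-1.pubkey" />
    <entry hash_file="ecp256-1.hash" key="/work/bsp/bootloader/ecp256.pem" key_id="1" mode="ecdsa" pub_file="ecp256-1.pubkey" />
</entry_list>
"""

if __name__ == "__main__":
    found_errors, found_warnings = check_pkc_key_list(SAMPLE_KEY_LIST)
    for line in found_errors:
        print("ERROR  ", line)
    for line in found_warnings:
        print("WARNING", line)
```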

Examples of Jetson Thor Fuse Configuration Files

Example Jetson Thor Fuse Configuration File to Program an RSA-3K Key

Example PKC key list with only one RSA-3K key:

<?xml version="1.0"?>
<entry_list>
    <bct active_index="0" chip_id="0x260" pcp_file="nv_combo.pcp" pcps_file="nv_combo.pcps" pcps_hash_file="nv_combo.pcps.hash" />
    <entry hash_file="rsa3k-0.hash"  key="/path/to/rsa3k-0.pem"  key_id="0"  mode="pkc"  pub_file="rsa3k-0.pubkey" />
</entry_list>

Example fuse configuration file to enable Secure Boot with an RSA-3K key:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x18e984f7d79f7a185039ec413ed2ff86227c8f0be639edde0cf23ab1f7910b759ede8fb0c20d02c68deb04a75226d632f9fe24c71dad4b302acdba13db658130"/>
    <fuse name="OptInEnable" size="4" value="0x00000001"/>
    <!--  To enable revocation policy, use <fuse name="BootSecurityInfo" size="4" value="0x220"/>  -->
    <fuse name="BootSecurityInfo" size="4" value="0x200"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The value above for PublicKeyHash is for demonstration only. It is generated from the PKC key list shown above. You must prepare an RSA-3K key pair (.pem file). If you plan to support more than one PKC key for signing images, you must prepare all the key pairs now so that the PublicKeyHash can be generated from all supported PKC public keys. For key generation, refer to Generate a PKC Key Pair for Jetson Thor.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value From a PKC Key List for Jetson Thor.

Example Jetson Thor Fuse Configuration File to Program an ECDSA P-521 Key + SBK Key

Example ECDSA P-521 PKC key list with only one ECDSA P-521 key:

<?xml version="1.0"?>
<entry_list>
    <bct active_index="0" chip_id="0x260" pcp_file="nv_combo.pcp" pcps_file="nv_combo.pcps" pcps_hash_file="nv_combo.pcps.hash" />
    <entry hash_file="ecp521-0.hash"  key="/path/to/ecp521-0.pem"  key_id="0"  mode="ec521"  pub_file="ecp521-0.pubkey" />
</entry_list>

The following sample configuration file is used to enable Secure Boot with an ECDSA P-521 key and an SBK key:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x9f0ebf0aec1e2bb30c0838096a6d9de5fb86b1277f182acf135b081e345970167a88612b916128984564086129900066255a881948ab83bebf78c7d627f8fe84"/>
    <fuse name="OptInEnable" size="4" value="0x00000001"/>
    <fuse name="PscSecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321000112233445566778899aabbccddeeff"/>
    <fuse name="OespSecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321000112233445566778899aabbccddeeff"/>
    <fuse name="SbSecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321000112233445566778899aabbccddeeff"/>
    <!--  To enable revocation policy, use <fuse name="BootSecurityInfo" size="4" value="0x228"/>  -->
    <fuse name="BootSecurityInfo" size="4" value="0x208"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The values of PublicKeyHash and PscSecureBootKey above are for demonstration only. The value of PublicKeyHash is generated from the PKC key list shown above. If you plan to support more than one PKC key for signing images, you must prepare all the key pairs now so that the PublicKeyHash can be generated from all supported PKC public keys. For key generation, refer to Generate a PKC Key Pair for Jetson Thor.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value From a PKC Key List for Jetson Thor.

For more information about generating the PscSecureBootKey, OespSecureBootKey and SbSecureBootKey fuse values, refer to Prepare an SBK key.

Example Jetson Thor Fuse Configuration File to Program an ECDSA P-521 Key + SBK Key + OemKdk0 Key + OemKdk1 Key + Enable Revocation Policy + Enable fTPM

The following sample configuration file is used to enable Secure Boot with an ECDSA P-521 key, an SBK key, an OemKdk0 key, an OemKdk1 key, revocation policy, and fTPM:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0xaa7ab9bf57a5747af4af080b86c1b7a651f839141da6ee80ebe3c562a5a8fb34e981d964bee653e93cd56e6b0896753d191ded586a12503fc8797d3d62ac3c08"/>
    <fuse name="OptInEnable" size="4" value="0x00000001"/>
    <fuse name="PscOemKdk0" size="32" value="0x6208e3cd81ed0cd77b214db0c875ade40c26bca09382ad82cd0e24046cc8c64e"/>
    <fuse name="OespOemKdk0" size="32" value="0xac88dead695089ed2aee491b180264873e966a61b609db4977f073aea41b132b"/>
    <fuse name="SbOemKdk0" size="32" value="0x35e174674e5ab8168023b83063886ca252c018bca1015d86cfd7c0d1d09b6659"/>
    <fuse name="PscOemKdk1" size="32" value="0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00"/>
    <fuse name="OespOemKdk1" size="32" value="0xae4052f4e52541b238d6c63123e768ef519a3cdc8ff2e7cbd759e03d68a8775e"/>
    <fuse name="SbOemKdk1" size="32" value="0x881b43f0d8985031df039339d4eff6b30513e272633b527513b358195821ee37"/>
    <fuse name="PscSecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321023456789abcdef01edcba9876543210f"/>
    <fuse name="OespSecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321023456789abcdef01edcba9876543210f"/>
    <fuse name="SbSecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321023456789abcdef01edcba9876543210f"/>
    <fuse name="BootSecurityInfo" size="4" value="0x2228"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The values of PublicKeyHash, PscSecureBootKey, OemKdk0, and OemKdk1 above are for demonstration only. You must prepare a PKC key pair (.pem file) or prepare all PKC key pairs you plan to use. For key generation, refer to Generate a PKC Key Pair for Jetson Thor.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value From a PKC Key List for Jetson Thor.

For more information about generating the PscSecureBootKey, OespSecureBootKey and SbSecureBootKey fuse values, refer to Prepare an SBK key.

For more information about generating the PscOemKdk0, OespOemKdk0 and SbOemKdk0 fuse values, refer to Firmware TPM.

For more information about generating the PscOemKdk1, OespOemKdk1, and SbOemKdk1 fuse values, refer to Prepare K1/K2/KDK1 Keys.

Jetson Thor Reference Fuse Configuration File

The Jetson Thor Reference Fuse Configuration file lists all fuses that are supported by the Jetson Thor SoC.

All fuse values in the reference configuration file are enclosed in XML comments. To adapt the reference file for fusing, uncomment them and replace their 0xFFFF placeholder values with the actual values for your target.

Here is the Reference Fuse Configuration File for Jetson Thor devices:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <!-- <fuse name="OdmId" size="8" value="0xFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OdmInfo" size="4" value="0xFFFF"/> -->
    <!-- <fuse name="ReservedOdm0" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm1" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm2" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm3" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm4" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm5" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm6" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm7" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="OptInEnable" size="4" value="0x00000001"/> -->
    <!-- <fuse name="PublicKeyHash" size="64" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="PscOemKdk0" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OespOemKdk0" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="SbOemKdk0" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="PscOemKdk1" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OespOemKdk1" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="SbOemKdk1" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="PscSecureBootKey" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OespSecureBootKey" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="SbSecureBootKey" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="BootSecurityInfo" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="SecurityMode" size="4" value="0x1"/> -->
</genericfuse>

Note

Although the size of the OdmInfo fuse is 4, only the last two bytes are programmable. OptInEnable and SecurityMode are both 1-bit fuses despite their sizes.

Generate a PKC Key Pair for Jetson Thor

Jetson Thor series targets support the following PKC key types: RSA 3K, ECDSA P-256, ECDSA P-521, and XMSS.

  1. Enter one of the following commands to generate a PKC key pair:

    • To generate an ECDSA P-256 key:

      $ openssl ecparam -name prime256v1 -genkey -noout -out ecp256.pem
      
    • To generate an ECDSA P-521 key:

      $ openssl ecparam -name secp521r1 -genkey -noout -out ecp521.pem
      
    • To generate an RSA 3K key:

      $ openssl genrsa -out rsa_priv.pem 3072
      
    • To generate an XMSS key:

      $ ./bootloader/xmss-sign generate --privkey xmss_v3.key -pubkey xmss_v3.pub
      
  2. Rename and save the key file.

    The key file is used to burn fuses and sign boot files for Jetson devices.

Caution

Do not generate or store the key pair under the bootloader/ directory; use a secure location instead.

Note

xmss-sign generates three files that must be saved:

  • xmss_v3.key

  • xmss_v3.key.cache

  • xmss_v3.pub

Note

To generate a key from a truly random number, use a Hardware Security Module (HSM).

Generate PublicKeyHash Value From a PKC Key List for Jetson Thor

Instead of fusing the public key of each of the 16 key pairs, only the digest of all 16 public key digests is burned to the PublicKeyHash fuse.

The following steps show how to generate the PublicKeyHash value from a PKC key list:

  1. Generate a PKC key list. For more information, refer to Generate a PKC Key List for Jetson Thor.

  2. Run the following command to generate the PublicKeyHash value:

    $ sudo ./tegrasign_v3.py --key <pkc_key_list> --pubkeyhash <active_pkc.pcp> <pkc_key_list.hash>
    

Where:

  • <pkc_key_list> is the name of the PKC key list file generated in the previous step.

  • <active_pkc.pcp> is the name of the output public cryptography parameter file of the active key.

  • <pkc_key_list.hash> is the name of the output public key digest of all the public keys in the PKC key list.

The hexadecimal value shown on the screen after "tegra-fuse format (big-endian):" can be used directly as the PublicKeyHash fuse data of a Fuse Configuration file.

Here are some sample outputs after running tegrasign_v3.py to generate PublicKeyHash for a key list with 16 keys:

$ sudo ./tegrasign_v3.py --key key_list.xml --pubkeyhash pub_key.pcp pcps.hash
Key size is 384 bytes
Key size is 384 bytes
Key size is 384 bytes
Key size is 384 bytes
Valid ECC key
Valid ECC key
Valid ECC key
Valid ECC key
Valid ECC key. Key size is 521
Valid ECC key. Key size is 521
Valid ECC key. Key size is 521
Valid ECC key. Key size is 521
WARNING: Can't create EVPKey object from ECKey object
WARNING: Can't create EVPKey object from ECKey object
Warning: Can't create EVPKey object from EDKey object
Warning: xmss_v3_0.key is not valid ed25519 key in Open SSL format
Warning: Can not extract key from xmss_v3_0.key
Assuming XMSS key
WARNING: Can't create EVPKey object from ECKey object
WARNING: Can't create EVPKey object from ECKey object
Warning: Can't create EVPKey object from EDKey object
Warning: xmss_v3_1.key is not valid ed25519 key in Open SSL format
Warning: Can not extract key from xmss_v3_1.key
Assuming XMSS key
WARNING: Can't create EVPKey object from ECKey object
WARNING: Can't create EVPKey object from ECKey object
Warning: Can't create EVPKey object from EDKey object
Warning: xmss_v3_2.key is not valid ed25519 key in Open SSL format
Warning: Can not extract key from /xmss_v3_2.key
Assuming XMSS key
WARNING: Can't create EVPKey object from ECKey object
WARNING: Can't create EVPKey object from ECKey object
Warning: Can't create EVPKey object from EDKey object
Warning: xmss_v3_3.key is not valid ed25519 key in Open SSL format
Warning: Can not extract key from xmss_v3_3.key
Assuming XMSS key
Saving public key in pub_key.key for LIST
pub_key.key is produced from copying nv_combo.pcp
pcps.hash is produced from copying nv_combo.pcps.hash
tegra-fuse format (big-endian): 0xaa7ab9bf57a5747af4af080b86c1b7a651f839141da6ee80ebe3c562a5a8fb34e981d964bee653e93cd56e6b0896753d191ded586a12503fc8797d3d62ac3c08

Note

The actual output may vary from the examples shown here based on the BSP version and the key type.

Jetson Orin Fuse Configuration File

For more information about fuses and fuse names for the Jetson Orin SoC, refer to Jetson Orin Fuse Specification (Covers Jetson AGX Orin Series, Jetson Orin NX Series, and Jetson Orin Nano Series modules).

Examples of Jetson Orin Fuse Configuration Files

Example Jetson Orin Fuse Configuration File to Program an RSA-3K Key

Example fuse configuration file to enable Secure Boot with an RSA-3K key:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x18e984f7d79f7a185039ec413ed2ff86227c8f0be639edde0cf23ab1f7910b759ede8fb0c20d02c68deb04a75226d632f9fe24c71dad4b302acdba13db658130"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The preceding value for PublicKeyHash is for demonstration only. You must prepare a PKC key pair (.pem file). For key generation, refer to Generate a PKC Key Pair for Jetson Orin.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value from a PKC Key Pair for Jetson Orin.

Example Jetson Orin Fuse Configuration File to Program an ECDSA P-256 Key

Example fuse configuration file to enable Secure Boot with an ECDSA P-256 key:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x3c67c6446176bab0a35c09fa77c77c14f2c690dad4f5afcbc6a5ac3c39a0231e192eea1aab469e086ffd42eded658d2317583d6b39bedb2e2ca3c5d0d09bcbea"/>
    <fuse name="BootSecurityInfo" size="4" value="0x2"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The preceding value for PublicKeyHash is for demonstration only. You must prepare a PKC key pair (.pem file). For key generation, refer to Generate a PKC Key Pair for Jetson Orin.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value from a PKC Key Pair for Jetson Orin.

Example Jetson Orin Fuse Configuration File to Program an XMSS Key

Example fuse configuration file to enable Secure Boot with an XMSS key:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x4e2efd7e0f4faada127a428f860e9a7a0b30f6cc520797bf93409f937d023eabb85e3909ece5420fd4bda82852daf13488f8345df85ab5d2aa8ad6181eef7124"/>
    <fuse name="BootSecurityInfo" size="4" value="0x5"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The preceding value for PublicKeyHash is for demonstration only. You must prepare an XMSS key pair. For key generation, refer to Generate a PKC Key Pair for Jetson Orin.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value from a PKC Key Pair for Jetson Orin.

Example Jetson Orin Fuse Configuration File to Program an ECDSA P-521 Key + SBK Key + OemK1 Key

The following sample configuration file is used to enable Secure Boot with an ECDSA P-521 key, an SBK key, and an OemK1 key:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x9f0ebf0aec1e2bb30c0838096a6d9de5fb86b1277f182acf135b081e345970167a88612b916128984564086129900066255a881948ab83bebf78c7d627f8fe84"/>
    <fuse name="SecureBootKey" size="32" value="0x123456789abcdef0fedcba987654321000112233445566778899aabbccddeeff"/>
    <fuse name="OemK1" size="32" value="0xf3bedbff9cea44c05b08124e8242a71ec1871d55ef4841eb4e59a56b5f88fb2b"/>
    <fuse name="BootSecurityInfo" size="4" value="0x20b"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

Note

The preceding values of PublicKeyHash, SecureBootKey, and OemK1 are for demonstration only. You must prepare a PKC key pair (.pem file). For key generation, refer to Generate a PKC Key Pair for Jetson Orin.

For more information about generating the PublicKeyHash fuse value, refer to Generate PublicKeyHash Value from a PKC Key Pair for Jetson Orin.

For more information about generating the SecureBootKey fuse value, refer to Prepare an SBK key.

For more information about generating the OemK1 fuse value, refer to Prepare K1/K2/KDK1 Keys.

Example Jetson Orin Fuse Configuration File to Program an OemK1 Key + RPMB Key

Use the following sample configuration file to enable Secure Storage with an OemK1 key and RPMB key:

<genericfuse MagicId="0x45535546" version="2.0.0">
    <fuse name="OemK1" size="32" value="0xf3bedbff9cea44c05b08124e8242a71ec1871d55ef4841eb4e59a56b5f88fb2b"/>
    <fuse name="BootSecurityInfo" size="4" value="0x200"/>
    <rpmb provisioning="0x1" dev_type="0x2"/>
</genericfuse>

Note

The value OemK1 is for demonstration purposes only. For more information about generating the OemK1 fuse value, refer to Prepare K1/K2/KDK1 Keys.

To enable RPMB provisioning, the tool supports fusing the RPMB key onto eMMC storage. The version field must be 2.0.0 for RPMB. This requires the OemK1 key to be present in the fuse configuration file or already burned.

Jetson Orin Reference Fuse Configuration File

The Jetson Orin Reference Fuse Configuration file lists all fuses that are supported by the Jetson Orin SoC.

All fuse values in the reference configuration file are enclosed in XML comments. To adapt the reference file for fusing, uncomment them and replace their 0xFFFF placeholder values with the actual values for your target.

Here is the Reference Fuse Configuration File for Jetson Orin devices:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <!-- <fuse name="OdmId" size="8" value="0xFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OdmInfo" size="4" value="0xFFFF"/> -->
    <!-- <fuse name="ArmJtagDisable" size="4" value="0x1"/> -->
    <!-- <fuse name="ReservedOdm0" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm1" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm2" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm3" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm4" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm5" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm6" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="ReservedOdm7" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="OptInEnable" size="4" value="0x1"/> -->
    <!-- <fuse name="PublicKeyHash" size="64" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="PkcPubkeyHash1" size="64" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="PkcPubkeyHash2" size="64" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="SecureBootKey" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="Kdk0" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="PscOdmStatic" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="OemK1" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OemK2" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="BootSecurityInfo" size="4" value="0xFFFFFFFF"/> -->
    <!-- <fuse name="SecurityMode" size="4" value="0x1"/> -->
</genericfuse>

Note

Although the size of the OdmInfo fuse is 4, only the last two bytes are programmable. OptInEnable and SecurityMode are both 1-bit fuses despite their sizes.

Generate a PKC Key Pair for Jetson Orin

Jetson Orin series targets support the following PKC key types: RSA 3K, ECDSA P-256, ECDSA P-521, and XMSS.

Note

The 2048-bit RSA key option is no longer supported on Jetson Orin series.

  1. Enter one of the following commands to generate a PKC key pair:

    • To generate an ECDSA P-256 key:

      $ openssl ecparam -name prime256v1 -genkey -noout -out ecp256.pem
      
    • To generate an ECDSA P-521 key:

      $ openssl ecparam -name secp521r1 -genkey -noout -out ecp521.pem
      
    • To generate an RSA 3K key:

      $ openssl genrsa -out rsa_priv.pem 3072
      
    • To generate an XMSS key:

      $ ./bootloader/xmss-sign generate --privkey xmss_v3.key -pubkey xmss_v3.pub
      
  2. Rename and save the key file.

    The key file is used to burn fuses and sign boot files for Jetson devices.

Caution

The security of your device depends on how securely you keep the key file.

Note

xmss-sign generates three files that must be saved:

  • xmss_v3.key

  • xmss_v3.key.cache

  • xmss_v3.pub

Note

After the XMSS key pair is generated, copy the public key file into the bootloader folder:

$ cp xmss_v3.pub bootloader/

Note

To generate a key from a truly random number, use a Hardware Security Module (HSM).

Generate PublicKeyHash Value from a PKC Key Pair for Jetson Orin

Instead of fusing the public key of a PKC key pair, only the hash of the public key is burned to the PublicKeyHash fuse field.

To generate the PublicKeyHash value, use the tegrasign_v3.py program:

$ ./tegrasign_v3.py --pubkeyhash <pkc.pubkey> <pkc.hash> --key <pkc.pem>

Where:

  • <pkc.pem> is the input PKC key pair (.pem file).

  • <pkc.pubkey> is the output public key of the <pkc.pem> key pair.

  • <pkc.hash> is the output public key hash of the <pkc.pem> key pair.

The hexadecimal value shown on the screen after "tegra-fuse format (big-endian):" can be used directly as the PublicKeyHash fuse data of a Fuse Configuration file.

Here are some sample outputs after running tegrasign_v3.py to generate PublicKeyHash for an ECDSA P-521 key:

$ ./tegrasign_v3.py --pubkeyhash ecp521.pubkey ecp521.hash --key ecp521.pem
  Valid ECC key. Key size is 521
  Valid ECC key. Key size is 521
  Saving public key in ecp521.pubkey for ECC
  Sha saved in pcp.sha
  tegra-fuse format (big-endian): 0x9f0ebf0aec1e2bb30c0838096a6d9de5fb86b1277f182acf135b081e345970167a88612b916128984564086129900066255a881948ab83bebf78c7d627f8fe84

Here are some sample outputs after running tegrasign_v3.py to generate PublicKeyHash for an RSA 3k key:

$ ./tegrasign_v3.py --pubkeyhash rsa3k.pubkey rsa3k.hash --key rsa3k.pem
Key size is 384 bytes
Key size is 384 bytes
Saving pkc public key in rsa3k.pubkey
Sha saved in pcp.sha
tegra-fuse format (big-endian): 0xad2474627c14e3f7f4944a832bd15d0640938a3dc162f558692458f3d12f9453e11bea2ec75df3f83e8b29c47fc3d2483d528d3e94a5469c4ba1ec61f1584b23

Here are some sample outputs after running tegrasign_v3.py to generate PublicKeyHash for an XMSS key:

$ ./bootloader/tegrasign_v3.py --key xmss_v3.key --pubkeyhash xmss-pub-key xmss-pub-key.hash
WARNING: Can't create EVPKey object from ECKey object
Warning: Can't create EVPKey object from EDKey object
Warning: xmss_v3.key is not valid ed25519 key in Open SSL format
Warning: Can not extract key from xmss_v3.key
Assuming XMSS key
Saving public key in xmss-pub-key for XMSS
Sha saved in pcp.sha
tegra-fuse format (big-endian): 0x4e2efd7e0f4faada127a428f860e9a7a0b30f6cc520797bf93409f937d023eabb85e3909ece5420fd4bda82852daf13488f8345df85ab5d2aa8ad6181eef7124

Note

  • RSA2K is not supported on the Jetson AGX Orin series, the Jetson Orin NX, and the Jetson Nano series.

  • tegrakeyhash has been deprecated. Please use tegrasign_v3.py to generate the PublicKeyHash now.
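Both PublicKeyHash procedures above (key list for Jetson Thor, key pair for Jetson Orin) end with copying the printed "tegra-fuse format (big-endian):" value into the fuse configuration file. The following added example (not NVIDIA's code) extracts that value from captured tegrasign_v3.py output and confirms that the PublicKeyHash fuse in a configuration file carries exactly the same 64 bytes. The function names and the sample hash are constructed; the output lines are modelled on the sample output shown on this page.

```python
import re
import xml.etree.ElementTree as ET

FUSE_LINE = re.compile(
    r"^\s*tegra-fuse format \(big-endian\):\s*0x([0-9a-fA-F]+)\s*$", re.MULTILINE)
HASH_BYTES = 64  # size of PublicKeyHash in every fuse configuration on the page


def hash_from_tegrasign_output(output):
    """Return the hex digits printed after 'tegra-fuse format (big-endian):'."""
    values = {digits.lower() for digits in FUSE_LINE.findall(output)}
    if len(values) != 1:
        # No value, or two different values in one capture: do not guess.
        raise ValueError(f"expected one tegra-fuse value, found {len(values)}")
    digits = values.pop()
    if len(digits) != 2 * HASH_BYTES:
        raise ValueError(f"hash has {len(digits)} hex digits, expected {2 * HASH_BYTES}")
    return digits


def public_key_hash_matches(fuse_config_xml, tegrasign_output):
    """True if the config's PublicKeyHash equals the value the tool printed."""
    expected = hash_from_tegrasign_output(tegrasign_output)
    root = ET.fromstring(fuse_config_xml.strip())
    burned = [f.get("value", "") for f in root.findall("fuse")
              if f.get("name") == "PublicKeyHash"]
    if len(burned) != 1:
        raise ValueError(f"expected one PublicKeyHash fuse, found {len(burned)}")
    return burned[0].lower() == "0x" + expected


# Constructed 64-byte value, not a real digest.
SAMPLE_HASH = "0123456789abcdef" * 8
# Constructed capture, modelled on the ECDSA P-521 sample output above.
SAMPLE_TOOL_OUTPUT = f"""\
  Valid ECC key. Key size is 521
  Saving public key in ecp521.pubkey for ECC
  Sha saved in pcp.sha
  tegra-fuse format (big-endian): 0x{SAMPLE_HASH}
"""
# Constructed fuse configuration using the same value.
SAMPLE_FUSE_CONFIG = f"""
<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x{SAMPLE_HASH}"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>
"""

if __name__ == "__main__":
    print(public_key_hash_matches(SAMPLE_FUSE_CONFIG, SAMPLE_TOOL_OUTPUT))
```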