Key Preparation
Prepare an SBK key
An SBK key is used to encrypt Bootloader components. The same SBK key must be programmed into the Jetson SoC's fuses so that it can be used to decrypt the Bootloader components when the Jetson device boots.
Note
You can only use the SBK key with the PKC key. The encryption mode that uses these two keys together is called SBKPKC.
Both the Thor and Orin SoCs require that an SBK key consist of eight 32-bit words (32 bytes).
The SBK key file is stored in big-endian hexadecimal format.
Here is an example of a 32-byte SBK key file:
0x12345678 0x9abcdef0 0xfedcba98 0x76543210 0x23456789 0xabcdef01 0xedcba987 0x6543210f
This file format is used with the -v option of the l4t_initrd_flash.sh command.
The same SBK representation used in the “SecureBootKey” fuse value field of a Fuse Configuration XML file is:
0x123456789abcdef0fedcba987654321023456789abcdef01edcba9876543210f
Caution
For the Jetson Thor series, the three SBK fuses, PscSecureBootKey, OespSecureBootKey and SbSecureBootKey, must be programmed with the same value.
Note
Hexadecimal numbers must be presented in big-endian format. The leading 0x or 0X can be omitted. The Jetson Secure Boot software converts the big-endian hexadecimal format to the format that the Jetson device expects. All standard OpenSSL utilities output in big-endian format.
We recommend that you use the Hardware Security Module (HSM) to generate a truly random number for an SBK key.
Caution
The security of your device depends on how securely you keep the key file.
Prepare K1/K2/KDK1 Keys
For the Jetson Thor series
The KDK1 key is the fuse key used for other security applications, such as deriving other usage root keys. The fuse key name is PscOemKdk1, and the key length is 32 bytes.
For example, you can use the KDK1 key as the EKB fuse key. (For details, refer to EKB Generation.) You must prepare this key and other ODM fuse bits as described in the documentation for the other security applications.
For the Jetson Orin series
The K1/K2 keys are the fuse keys used for other security applications. The fuse key names are OemK1 and OemK2, and the key length is 32 bytes.
For example, you can use the K1 key as the EKB fuse key. (For details, refer to EKB Generation.) You must prepare these keys and other ODM fuse bits as described in the documentation for the other security applications.
Sample Fuse Key
A key consists of eight 32-bit words stored in a file in the big-endian hexadecimal format.
Note
You can omit the leading 0x or 0X of a hexadecimal number. The Jetson Secure Boot software converts the big-endian hexadecimal format to the format that the Jetson device expects.
The following is an example of a fuse key file:
0x11223344 0x55667788 0x99aabbcc 0xddeeff00 0xffeeddcc 0xbbaa9988 0x77665544 0x33221100
The same key representation in the fuse value field in the Fuse Configuration XML file is as follows:
0x112233445566778899aabbccddeeff00ffeeddccbbaa99887766554433221100
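The two representations above (the word-per-token key file and the single hex value in the Fuse Configuration XML) are the same 32 bytes in two layouts. The following added helper, written for this page and not part of NVIDIA's flashing or fuse tooling, parses both forms, converts between them, and flags placeholder material such as an all-zero key. It assumes exactly eight hex digits per word (a strictness chosen here; the page only says the 0x prefix is optional).

```python
import re

# One big-endian 32-bit word, optional 0x/0X prefix, exactly eight hex digits
# (strictness chosen for this helper; the page only says the prefix is optional).
WORD_RE = re.compile(r"^(?:0[xX])?([0-9a-fA-F]{8})$")


def parse_word_key_file(text: str, expected_words: int = 8) -> bytes:
    """Parse a key file of whitespace-separated 32-bit hex words into bytes."""
    tokens = text.split()
    if len(tokens) != expected_words:
        raise ValueError(f"expected {expected_words} words, found {len(tokens)}")
    out = bytearray()
    for tok in tokens:
        m = WORD_RE.match(tok)
        if not m:
            raise ValueError(f"not a 32-bit hex word: {tok!r}")
        out += int(m.group(1), 16).to_bytes(4, "big")
    return bytes(out)

def parse_hex_key(text: str, expected_len: int) -> bytes:
    """Parse a single big-endian hex value (fuse XML field or auth key file)."""
    tok = text.strip()
    if tok[:2] in ("0x", "0X"):
        tok = tok[2:]
    if len(tok) != 2 * expected_len or not re.fullmatch(r"[0-9a-fA-F]+", tok):
        raise ValueError(f"expected a {expected_len}-byte hex value")
    return bytes.fromhex(tok)

def to_fuse_xml_value(key: bytes) -> str:
    """Render key bytes as the single 0x-prefixed value used in the fuse XML."""
    return "0x" + key.hex()

def to_word_file(key: bytes) -> str:
    """Inverse of parse_word_key_file: 0x-prefixed 32-bit words on one line."""
    if len(key) % 4:
        raise ValueError("key length must be a multiple of 4 bytes")
    return " ".join(f"0x{key[i:i + 4].hex()}" for i in range(0, len(key), 4))

def key_findings(key: bytes, expected_len: int) -> list:
    """Flag key material that is the wrong size or obviously a placeholder."""
    findings = []
    if len(key) != expected_len:
        findings.append(f"length {len(key)} != {expected_len} bytes")
    if len(set(key)) == 1:
        findings.append("all bytes identical (placeholder, not random)")
    return findings
```

Running `key_findings` over a key file before it goes into a Fuse Configuration file catches a wrong-length key or an unchanged sample value before the fuses are burned, which cannot be undone.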
Note
We recommend that you use the HSM to generate a truly random number for K1/K2/KDK1 keys.
Caution
The security of your device depends on how securely you keep these key files.
Prepare EKB
When the PscOemKdk1 fuse (for the Jetson Thor series) or the OemK1/OemK2 fuse (for the Jetson Orin series) is burned, you must set your own UEFI variable authentication key (the auth key) in the EKB. Without the auth key, UEFI fails to authenticate the UEFI variable and fails to boot. For more details, refer to EKB Generation.
The UEFI variable authentication key is a 128-bit key stored in a file in the big-endian hexadecimal format.
Here is an example of an auth key file:
0x00000000000000000000000000000000
Note
We recommend that you use the HSM to generate a truly random number for the auth key.
For the Jetson Thor series
When the PscOemKdk1 fuse is burned, generate your own EKB authenticated and encrypted with keys derived from PscOemK1.
The following example shows you how to generate the EKB for the Jetson Thor series:
$ python3 gen_ekb.py -chip t264 \
-oem_kdk1_key <oem_kdk1.key> \
-in_auth_key <auth_t264.key> \
-out <eks_t264.img>
For the Jetson Orin series
When the OemK1 fuse is burned, generate your own EKB authenticated and encrypted with keys derived from OemK1.
The following example shows you how to generate the EKB for the Jetson Orin series:
$ python3 gen_ekb.py -chip t234 \
-oem_k1_key <oem_k1.key> \
-in_auth_key <auth_t234.key> \
-out <eks_t234.img>
Prepare the Fuse Configuration file
To modify the SoC’s Reference Fuse Configuration file, uncomment the fuses you need, and enter information in the correct fuse data fields for your target Jetson device.
The next section provides information about how to burn fuses with the prepared Fuse Configuration file.
Caution
The security of your device depends on how securely you keep the Fuse Configuration file.