Secure SPI-NOR Provisioning

The SPI-NOR flash is an external secure NOR flash used by the Trusted Execution Environment on the Tegra device for persistent storage of cryptographic assets. The SPI-NOR flash supports authenticated memory access, which relies on a shared symmetric secret known by both the Trusted Execution Environment and the SPI-NOR flash. FSKP programs this shared secret and device security settings into the flash.

One-time SPI-NOR provisioning occurs automatically during the next boot after the board FUSE_SECURITY_MODE is burnt. This is the recommended secure NOR provisioning flow for production boards.

For customer development, an MB2 BCT flag, snor_provisioning_dev_only, is provided so that a customer engineer can provision the secure NOR without burning FUSE_SECURITY_MODE, which is not desired for specific development requirements. One-time SPI-NOR provisioning occurs during the next boot after the MB2 BCT snor_provisioning_dev_only flag is set to 1.

Caveats

  1. For security reasons, the NOR provisioning flow always locks down the NOR before provisioning its keys, so NOR provisioning can only happen once. Once a NOR is provisioned, all future triggers to provision the secure NOR are ignored.
  2. Do not modify the fuse keys after provisioning the NOR. The shared secret between the NOR and the host, as well as the data stored on the NOR, are encrypted with the fuse keys. Any change to the fuse keys will cause the persistent key object support to fail completely or partially.
  3. The recommended flow to provision the secure SPI-NOR is:
    1. For developers: Burn fuse keys → Trigger secure NOR provisioning using MB2 BCT flag snor_provisioning_dev_only → Start to use NVIDIA Drive OS® persistent key object functionalities → Burn FUSE_SECURITY_MODE if needed → Continue to use NVIDIA Drive OS persistent key object functionalities (the filesystem and stored objects will persist)
    2. For production: Run SPI-NOR Mods test → Burn fuse keys and other fuses → Burn FUSE_SECURITY_MODE, which automatically triggers NOR provisioning during first boot → Start to use NVIDIA Drive OS persistent key object functionalities
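
The caveats above amount to ordering rules that a bring-up or factory plan can be checked against before any fuse is burned. The following is an added example, not NVIDIA code: a small Python model that replays a planned step sequence and reports violations. The step names (burn_fuse_keys, set_dev_flag, burn_security_mode, boot) are hypothetical labels chosen for this sketch, and the SPI-NOR Mods test step of the production flow is not modeled.

```python
# Added illustrative model. Step names are hypothetical labels for this sketch,
# not NVIDIA tool commands; only the ordering rules come from the page.
from dataclasses import dataclass, field

@dataclass
class Board:
    fuse_keys_burned: bool = False
    security_mode_burned: bool = False   # FUSE_SECURITY_MODE
    dev_flag: int = 0                    # MB2 BCT snor_provisioning_dev_only
    nor_provisioned: bool = False
    findings: list = field(default_factory=list)

def boot(board):
    """One boot: either trigger starts provisioning, which can run only once."""
    if not (board.security_mode_burned or board.dev_flag == 1):
        return "no-trigger"
    if board.nor_provisioned:
        return "ignored"                 # caveat 1: NOR is already locked down
    if not board.fuse_keys_burned:
        board.findings.append("provisioned before fuse keys were burned (caveat 3 order)")
    board.nor_provisioned = True
    return "provisioned"

def check_plan(steps):
    """Replay a planned step sequence; return (board, result of each boot)."""
    board, boots = Board(), []
    for step in steps:
        if step == "burn_fuse_keys":
            if board.nor_provisioned:
                board.findings.append("fuse keys changed after provisioning (caveat 2)")
            board.fuse_keys_burned = True
        elif step == "set_dev_flag":
            board.dev_flag = 1
        elif step == "burn_security_mode":
            board.security_mode_burned = True
        elif step == "boot":
            boots.append(boot(board))
        else:
            raise ValueError(f"unknown step: {step}")
    return board, boots

# Constructed plans: the developer flow from the page, and a mis-ordered one.
DEV_FLOW = ["burn_fuse_keys", "set_dev_flag", "boot", "burn_security_mode", "boot"]
BAD_FLOW = ["set_dev_flag", "boot", "burn_fuse_keys", "boot"]

if __name__ == "__main__":
    for name, plan in (("dev", DEV_FLOW), ("bad", BAD_FLOW)):
        board, boots = check_plan(plan)
        print(name, boots, board.findings or "ok")
```

In the developer flow the second boot, after FUSE_SECURITY_MODE is burnt, reports "ignored": the NOR was already provisioned through the dev flag, so its contents persist.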