Boot ROM

The boot ROM is hard-wired in the NVIDIA Orin chip to:

  • Initialize the necessary registers to access the desired boot media.
  • Load the boot components according to the boot sequence.

The initial boot medium is selected by using the strap resistor configuration BOOT-SELECT_CODE or by setting the RESERVED_SW and optionally BOOT_DEVICE_INFO fuse fields.

The PSC-ROM is also hard-wired in the NVIDIA Orin chip to:
  • Securely load the OEM keys from fuses and the NVIDIA keys from RTL into the Security Engine.
  • Authenticate and decrypt the binaries loaded by the boot ROM.

The early boot flow sequence is as follows:

media/image3.png
Note: MB1-BCT is optionally decrypted depending on the BOOT_SECURITY_INFO fuse setting.
The boot ROM and PSC-ROM use the boot configuration table named BR_BCT, which contains information such as:
  • Storage location of BCH for MB1, PSC-BL1, and MB1-BCT
  • Boot chain parameters
  • Debug flags used by PSC-ROM
  • Validation

    Verify the SHA-512 hash in the BCH/BCT that matches the computed value.

  • Authentication

    Verify public signature by using the public key in the BCH/BCT, which is verified against its digest in fuses. The BCH contains the SHA-512, which is then validated again by PSC-ROM. For authentication and validation information, see Understanding Security.

  • BR_BCT is not customer configurable except the customer_data fields.