Fusing the Board with the Secure Keys

The BSP provides Fuse Burning Tool for fusing the board with the PKC hash. Sample XML files to burn secure keys and enable PKC protection are as follows.

For NVIDIA DRIVE AGX Orin RSA:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x0123456789abcdef0123456789abcdef01234
56789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234
56789abcdef0123456789abcdef"/>
    <fuse name="BootSecurityInfo" size="4" value="0x201"/>
    <fuse name="SecurityMode" size="4" value="0x1"/> 
</genericfuse>

For NVIDIA DRIVE AGX Orin EdDSA:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x0123456789abcdef0123456789abcdef01234
56789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234
56789abcdef0123456789abcdef"/>
    <fuse name="BootSecurityInfo" size="4" value="0x204"/>
    <fuse name="SecurityMode" size="4" value="0x1"/> 
</genericfuse>

Warning:

If used, the SecurityMode must be the last fuse command in the XML file. The FSKP fuse burning tool burns fuses in the order specified in the XML file. After burning the SecurityMode fuse, it disables fuse burning.

To set up the platform for secure boot

Generate the PKC Key and ensure ODM production fuse is burned.
- Generate a PKC Key Pair Using PolarSSL
- Generate a PKC Key Pair Using OpenSSL
- Ensure the ODM production fuse is burned.
Consult the instructions for fusing the secure keys in Factory Secure Key Provisioning.
Warning:
This step is irreversible, ensure that:
- The PKC key pair is a valid key pair.
- The PKC key pair is stored in a secure location, because all the binaries must be signed with the private key.
Sign and flash the binaries.
Use “-p <private_key_filename>” option when running the bootburn.py script.
Where <private_key_filename> depends on the tool used to generate the key:
- For PolarSSL, use rsa_priv.txt for RSA.
- For OpenSSL, use rsa_priv.pem for RSA, or keyfile.pem for EdDSA.