Secure SPI-NOR Provisioning

The SPI-NOR flash is an external secure NOR flash used by the Trusted Execution Environment on the Tegra device for persistent storage of cryptographic assets. The SPI-NOR flash supports authenticated memory access, which relies on a shared symmetric secret known by both the Trusted Execution Environment and the SPI-NOR flash. FSKP programs this shared secret and device security settings into the flash.

One time SPI-NOR provisioning occurs automatically during the next boot after the board FUSE_SECURITY_MODE is burnt. This is the recommended secure NOR provisioning flow for production boards.

However, during development phase, a MB2 BCT flag snor_provisioning_dev_only is introduced so that a customer engineer can provision the secure NOR without burning the FUSE_SECURITY_MODE, which is not desired for specific development requirements. A one-time SPI-NOR provisioning occurs during the next boot after the MB2 BCT snor_provisioning_dev_only flag is set to 1.

The flag may only be used on development system. Using this flag causes a very weak key, that adversaries can easily reproduce, to be used to protect the data in the SPI-NOR device. Only store development and testing data in such a SPI-NOR device. Do not store production data or any confidential information.

After the Secure SPI-NOR is provisioned by snor_provisioning_dev_only, do not burn the fuse keys (e.g., KDK0, KDK0_TAG), other fuses (FUSE_BOOT_SECURITY_INFO, FUSE_BOOT_SECURITY_INFO_0[4] = 0x1), or FUSE_SECURITY_MODE. Fusing these fuses will cause permanent failure of Secure SPI-NOR. For more information, refer to the Manufacture Programmable Fuses chapter in the NVIDIA DRIVE OS 6.0 PDK Developer Guide.

Caveats

  1. NOR Provisioning flow always locks down the NOR first before provisioning its keys for security reasons, so the NOR provisioning can only happen once. If a NOR is provisioned, all future triggers to provision the secure NOR are ignored.
  2. Do not modify the fuse keys after provisioning the NOR. The shared secret between the NOR and the host, as well as the data stored on the NOR, are encrypted with the keys derived from the fuse keys. Any change to the fuse keys will cause the persistent key object support to fail completely or partially.
  3. In summary, the recommended flow to provision the secure SPI-NOR is:
    For development:
    1. Trigger secure NOR provisioning using MB2 BCT flag snor_provisioning_dev_only.
    2. Start to use NVIDIA DRIVE OS? persistent key object functionalities.
    3. Do not burn fuse keys, other fuses, or FUSE_SECURITY_MODE fuse.
    For production:
    1. Run SPI-NOR Mods test.
    2. Burn fuse keys and other fuses.
    3. Burn FUSE_SECURITY_MODE, which automatically triggers NOR provisioning during first boot → Start to use NVIDIA DRIVE OS persistent key object functionalities.

Enabling Fuse Encryption and Secure NOR Provisioning Without Burning Security Mode

Precondition
  1. Fuse.xml:

    Security mode excluded; fuses needed for FEK enabling present.

    Sample fuse.xml:
    <genericfuse MagicId="0x45535546" version="2.0.0">
<fuse name="SecureProvisionInfo" size="4" value="0x1"/>
<fuse name="OdmId" size="8" value="4f444d4944303132"/>
<fuse name="OdmInfo" size="4" value="30313233"/>
<fuse name="BootDevInfo" size="4" value="0x100"/>
<fuse name="OemFuseIv" size="12" value="0x9ea10a5e1136190a6f3cc3a7"/>
<fuse name="FkddSk" size="32" value="0x80c3cdb6b95727e34911bb99aa0e4b067926ad45d938d006582ecccc3cf2c400"/>
<fuse name="FkddAk" size="32" value="0x1bb0abfa640f4b5835178065ae757d0003d04806a014629d53fe9947aae584ad"/>
<fuse name="SecureBootKey" size="32" value="0x812a733c5e43ab8d77e82aed7b3df14d6e9c91519551b3b4fca789a02e2a11f6"/>
<fuse name="SecureBootKeyTag" size="16" value="0x8805da1f1f5bd3f79dfbf28c3b9bff1b"/>
<fuse name="Kdk0" size="32" value="0x7b131d810a8b640f11e8c6b8b2fd7ecdd60ae207ecd7b353ca8f0fe48d9b97ea"/>
<fuse name="Kdk0Tag" size="16" value="0x3230345c36c1cb2b22b60e3bb6c663e2"/>
<fuse name="EndorseKey" size="68" value="0x58726bcf820458523fb071bcb8a0ea08f8d81231a0073af374ecdfb37ea11fcd11ee8065eba91115f2e1863bd700f6b228e0a41d9339a0b5b4ed14a1c408d8ae2cb5411e"/>
<fuse name="EndorseKeyTag" size="16" value="0x6dd0a36e950892f9f10cc9a3b36f6859"/>
<fuse name="OemK1" size="32" value="0xdb1754737526d1d4c3b88d546d366e3fae2f3703b8cbed1b13f5dd0114c9e5e7"/>
<fuse name="OemK1Tag" size="16" value="0xdaa1b805ac44dd656e6be2aa06e2e25f"/
>
<fuse name="OemK2" size="32" value="0xd255dd2f9d05e8a6b90ecf944da2387c506a0d83322c70ec2dbd91feaeb7cd94"/>
<fuse name="OemK2Tag" size="16" value="0x6a32b6f2c58734a9b55f6dd81ad46915"/
>
<fuse name="EvitaIdk" size="32" value="0x354e506fdd060d55ac8c6f26ad8ccba8cc889492851a35c000b070de50b3609a"/>
<fuse name="EvitaIdkTag" size="16" value="0x738878439f2a7d27da8dbf4b5b5272c6"/>
<fuse name="PkcPubkeyHash1" size="64" value="0x508f3b33995f56ea45de78f5108798c06a7c50399ee708418119ac9a5a0d2ebfb92dc148cd05446a43f055a837bf5be053c71d17a1e238790d3df84de82df219"/>
<fuse name="PkcPubkeyHash2" size="64" value="0x181bbc8ce81b093f40faa4b16e08d131623968a83809cd7f4630c98e586a169a17a7040814cf1497a356afbadb1e81075fd730cafb5aa0eb7c30efb5d99ee1be"/>
<fuse name="SwReserved" size="4" value="0x340009"/>
<fuse name="OptInEnable" size="4" value="0x1"/>
<fuse name="PscOdmStatic" size="4" value="0x00000D03"/>
<fuse name="PublicKeyHash" size="64" value="0xb81440956f92df3cbb60c4990ed52102e79465365531679499bf8fc8356e22e7689ef68060158947f7e662fae213d0be78897b51e5880495800ad54f0a76a266"/>
<fuse name="BootSecurityInfo" size="4" value="0x21C"/>
</genericfuse>
  2. Private and encryption key available for PKC and Boot Security Info fuses picked.
  3. PDK extracted.
Steps
  1. Edit the following file to provision secure NOR without burning the Security_Mode fuse:
    <top>drive-foundation/platform-config/hardware/nvidia/platform/t23x/common/bct/misc/tegra234-mb2-bct-auto-common.dtsi
    Changes required in the file:
    1. Make the disable_snor_provisioning field 0:
      disable_snor_provisioning = <0>;
    2. Make the snor_provisioning_dev_only field 1:
      snor_provisioning_dev_only = <1>;
  2. Enable FEK by burning fuses. Put the device in recovery mode:
    NvShell>tegrarecovery x1 on 
NvShell>tegrareset x1
  3. Create the fuse blob by executing the following command on the host at <top>/drive-foundation/tools/flashtools/fuseburn:
    python3 ./fskp_fuseburn.py -c 0x23 -f sample_fskp_fuse.xml -k fskp_kdk_hsm.key -g out_t0 -v -i 63 -B p3710 -b
  4. Burn the fuses using the command below at the same path on the host:
    python3 ./fskp_fuseburn.py -c 0x23 -f sample_fskp_fuse.xml -k fskp_kdk_hsm.key -g out_t0 -v -i 63 -B p3710 -b
  5. Check the BPMP logs to confirm that fuse burning is successful.
    Sample Logs
    FSKP (version: 0.0.0.0-t234-54845784-1bf0faab) 
|> t234-A01-0-Silicon (0x12347)
|> Emulation:
|> Entry timestamp: 0x061afaf0
|> Regular heap: [base:0x40040000, size:0x10000]
|> DMA heap: [base:0xbc000000, size:0x800000]
|> Task: Burn fuses (0x50003120)
|> Index : 1 PublicKeyHash size: 64
|> Index : 2 BootSecurityInfo size: 4
|> ...
|> Fuse Blob found.
|> ...
|> Burning fuses.
|> 1. Start PublicKeyHash burn
|> 1. PublicKeyHash burnt successfully
|> ...
|> 2. Start BootSecurityInfo burn
|> 2. BootSecurityInfo burnt successfully
|> ...
|> Successfully burnt fuses as per fuse info
|> FSKP finished.
  6. After burning the fuses (which includes PKC fuses + authentication fuse), the device automatically tries to cold boot but fails because the images flashed in the device previously are unsigned/non-encrypted.
  7. Flash the device with signed and encrypted images. Cold boot the device.
  8. Secure NOR provisioning is invoked, and you can confirm it is successful through the logs below in the Guest OS console:
    |> Task: Start secure NOR provision
|> Sending opcode 0x46534b50 to psc 
|> Received ACK from psc
The MB2 BCT flag can be found at the following location:
drive-foundation/platform-config/hardware/nvidia/platform/<board>/common/bct/misc/tegra234-mb2-bct-auto-common.dtsi