Jetson Nano – Enabling Secure Boot


This article explains how to set up Secure Boot for the Jetson Nano.


The Jetson Nano has a fuse that enables Secure Boot. A fuse is a one-time-programmable bit: it can be rewritten from 0 to 1 but never from 1 back to 0, and the written value is retained even when the power is turned off. The Jetson Nano's fuses also have a lock feature: once a lock is written to 1, the fuse it protects can no longer be changed.

The fuses related to Secure Boot on the Jetson Nano are as follows:

[Figure: secure boot fuse]

Enabling Secure Boot

To enable Secure Boot, put the Jetson Nano into Recovery Mode and run the fuse write command. See this article for how to put the Nano into Recovery Mode. Download the fuse write tool and extract it to the Linux_for_Tegra directory.

Subsequent operations are performed in the Linux_for_Tegra directory.

Create the RSA private key required for Secure Boot. Jetson Nano requires a 2048-bit RSA key.

openssl genrsa -out jetson_rsa_priv.pem 2048
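Because the fuse write that follows cannot be undone and the key cannot be replaced, it is worth checking the key and an offline backup copy before going further. The script below is an added example, not part of the original article or of NVIDIA's tooling; the function names and the backup path are assumptions, and the fingerprint it prints is only for comparing copies of the key, not the value written to public_key_hash.

```shell
#!/bin/sh
# Added example: pre-flight checks on the signing key before the one-way fuse
# write. Function names are hypothetical; this is not NVIDIA tooling.

# Print the modulus size in bits of an RSA private key (empty if unreadable).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# SHA-256 over the DER-encoded public key. Used only to compare copies of the
# key; it is NOT claimed to equal the value burned into public_key_hash.
key_fingerprint() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the key is a consistent 2048-bit RSA key, is not accessible
# to group/other, and the backup file contains the same key.
preflight_key() {
    key=$1
    backup=$2
    [ -f "$key" ] && [ -f "$backup" ] ||
        { echo "key or backup file missing" >&2; return 1; }
    openssl rsa -in "$key" -check -noout 2>/dev/null | grep -q 'RSA key ok' ||
        { echo "$key is not a valid RSA private key" >&2; return 1; }
    [ "$(key_bits "$key")" = 2048 ] ||
        { echo "$key is not 2048-bit" >&2; return 1; }
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "$key is accessible to group/other; chmod 600 it" >&2; return 1; }
    [ "$(key_fingerprint "$key")" = "$(key_fingerprint "$backup")" ] ||
        { echo "backup does not hold the same key" >&2; return 1; }
    echo "OK: $key fingerprint $(key_fingerprint "$key")"
}

# Usage: sh preflight.sh jetson_rsa_priv.pem /path/to/offline/backup.pem
if [ "$#" -eq 2 ]; then
    preflight_key "$1" "$2"
fi
```

Record the printed fingerprint alongside the backup so that a restored copy can be verified later.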

Write the fuses.

Once this operation is performed, Secure Boot is permanently enabled. The device cannot be reverted to its original state.

If you lose jetson_rsa_priv.pem, you will never be able to rewrite the internal ROM again.

sudo ./ -i 0x21 -c PKC -k jetson_rsa_priv.pem -p --disable-jtag

-c PKC: Specifies Public Key Cryptography.
-p: Sets odm_production_mode. This fuse has lock functionality: writing 1 makes public_key_hash unwritable.
-k jetson_rsa_priv.pem: Writes the SHA-256 hash of the public key derived from jetson_rsa_priv.pem to the public_key_hash fuse.
--disable-jtag: Disables JTAG, which is the appropriate setting from a Secure Boot perspective.

The above operation enables Secure Boot on the Jetson Nano.

Finally, write an image with Secure Boot enabled.

sudo ./ -x 0x21 -u jetson_rsa_priv.pem jetson-nano-devkit mmcblk0p1

That’s all.