A/B Update & Redundancy with Secure Boot (sign and encrypt)

Hi,

I recently got secure boot working with both pkc and sbk keys, which both signs and encrypts some files before flashing. This works and I’m able to boot.

Now I’d like to implement the A/B update and redundancy feature mentioned here

The guide says to use the -s flag to pass in the pkc key and makes no mention of the sbk key. Upon inspection of the build_l4t_bup.sh script, I can see it passes all arguments to the flash.sh script (and runs with --no-flash --bup args), which I know accepts -u <pkc> -v <sbk> arguments, so I used those flags.

So using the latest L4T release, 32.4, with a fresh bsp and secure boot files extracted, I generated the bl_update_payload for the jetson xavier with:

sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 FUSELEVEL=fuselevel_production ./build_l4t_bup.sh -u <pkc.pem> -v <sbk.txt> jetson-xavier mmcblk0p1

which successfully produced the payloads.

I transferred bl_update_payload to a jetson (which was flashed with a configured smb_info.cfg to enable A/B redundancy and updates, and which also has secure boot enabled, signed and encrypted with pkc and sbk) and ran:

nv_update_engine --install

which ran without errors.

But upon reboot the system is unbootable.

From the output of the bup generation process, I don’t think it’s taking the sbk into account and therefore only signing with pkc, what do you guys think?

Thanks
Yusuf

hello yusufftran,

you may check that the slots were able to boot; please print the slot information with the dump-slots-info option.
please also refer to the [To show the slot status] section for reference.
in addition,
there’re messages in MB1 we might check for details; could you please also share the bootloader messages about your booting failures.
thanks

Hi @JerryChang

The system is unbootable, there’s no output, so can’t run anything.
Also because it’s secure boot enabled with sbk, it’s production fused enabled, so no uart / serial output.

Guessing both A/B updates and secure boot (with sbk) are incompatible?

Having similar issue to this thread - though in addition to pkc I also flashed with sbk

@JerryChang if it helps, before applying the bl_update_payload I did check the slots were bootable, I could dump slots info, I could see there were 2 slots and I successfully tested changing and booting into each of them.

hello yusufftran,

we did not test A/B redundancy with a device that is PKC+SBK fused.
since A/B redundancy is a feature added on top of A/B update to provide safe bootloader updates, I think A/B updates + secureBoot are incompatible.
thanks

ok, thanks for the clarification.

Do you know if it’ll ever support encryption (SBK) in future?
It seems to pass the args onto ./flash.sh which already knows how to handle -v <sbk>, guessing it just has to be implemented for the --bup process at some point?

To clarify before I proceed, if I flash and fuse with just pkc, the bup payload for a/b updates should just work?

hello yusufftran,

FYI,
we had tried A/B redundancy with secureBoot (PKC only) and it worked.

we’re having an internal discussion about the device with PKC+SBK.
will update the status after we come to conclusions.
thanks

thank you

hello yusufftran,

we had several changes to support SBK in BUP; also to enable the support of PKC+SBK in BUP build.
please expect these changes will be available in the next public release, i.e. l4t-r32.4.3.
stay tuned, thanks

that’s good to hear, thanks for the update

Hi,

32.4.3 is out but I didn’t see any mention of sbk / bup, just want to double check with you that SBK is now supported?

Thanks

hello yusufftran,

since BUP generation also calls flash.sh internally, you may also refer to the flash script usage; there’re options to include PKC and SBK key files.
for example,

$ sudo ./flash.sh --help

        -u <PKC key file>----- PKC key used for odm fused board.
        -v <SBK key file>----- Secure Boot Key (SBK) key used for ODM fused board.

could you please also check the usage menu of l4t_generate_soc_bup.sh and also build_l4t_bup.sh for confirmation.
thanks

Hi @JerryChang

The scripts mentioned appear to accept -u and -v flags and I tried generating a BUP according to this guide, but no payloads get generated. The guide says it saves to <top>/bootloader/payloads_t19x but no such directory exists after generating:

Command:
sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 FUSELEVEL=fuselevel_production ./build_l4t_bup.sh -u <pkc.pem> -v <sbk.txt> jetson-xavier mmcblk0p1

Log Output bup.log (107.6 KB)

No error but no bootloader/payload_* directory

hello yusufftran,

because there may be a problem in the script,
please, based on the latest release (i.e. r32.4.3), apply the --multi-spec option in the command line.
for example,

$ sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 FUSELEVEL=fuselevel_production ./build_l4t_bup.sh --multi-spec -u <pkc.pem> -v <sbk.txt> jetson-xavier mmcblk0p1

no difference unfortunately, added the --multi-spec arg but still no payload

hello yusufftran,

could you please attach the below files for checking, such as flash.sh, bootloader/odmsign.func, and bootloader/l4t_bup_gen.func.

There’s a limitation with the file types we can upload, I’ve put them on Google Drive:
https://drive.google.com/drive/folders/1QEO8iNDx-IW1qJyc4bJxv1429gnzeTJY?usp=sharing

Hi @JerryChang,

Were you guys able to replicate this at your end?

hello yusufftran,

it turns out you’re not based on the latest release secureboot package, and it looks like the r32.4.3 package is not yet published. we’re tracking it.

ah ok, I just checked the link to confirm, it does indeed resolve to file secureboot_R32_4_2_aarch64.tbz2.

Looking forward to the update
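
Two conditions reported in this thread can be checked before a payload is handed to nv_update_engine --install: a build that exits without error but leaves no <top>/bootloader/payloads_t19x, and a secureboot package from an older release than the BSP. The script below is an added example, not part of the thread or of the L4T scripts; the function names are hypothetical and the package-name pattern is assumed from the single file name quoted above.

```shell
#!/bin/sh
# Added example: gate to run between build_l4t_bup.sh and nv_update_engine --install.
# Function names are hypothetical; the name pattern is assumed from
# secureboot_R32_4_2_aarch64.tbz2 as quoted in the thread.

# Print the release ("32.4.2") encoded in a secureboot package file name.
# Returns non-zero when the name does not follow the assumed pattern.
secureboot_pkg_release() {
    rel=$(basename "$1" | sed -n \
        's/^secureboot_R\([0-9][0-9]*\)_\([0-9][0-9]*\)_\([0-9][0-9]*\)_aarch64\.tbz2$/\1.\2.\3/p')
    [ -n "$rel" ] && printf '%s\n' "$rel"
}

# bup_gate <secureboot package> <BSP release> <Linux_for_Tegra dir>
# 0 = both checks pass, 2 = unrecognised package name,
# 3 = package and BSP releases differ, 4 = build left no payload.
bup_gate() {
    pkg=$1 want=$2 top=$3
    have=$(secureboot_pkg_release "$pkg") || {
        echo "unrecognised secureboot package name: $pkg" >&2
        return 2
    }
    if [ "$have" != "$want" ]; then
        echo "secureboot package is R$have but the BSP is R$want" >&2
        return 3
    fi
    payload_dir="$top/bootloader/payloads_t19x"
    # The build in the thread printed no error yet created no directory,
    # so test for real files rather than trusting the exit status.
    if [ ! -d "$payload_dir" ] || [ -z "$(ls -A "$payload_dir" 2>/dev/null)" ]; then
        echo "no payload files in $payload_dir" >&2
        return 4
    fi
    echo "R$have, payloads: $(ls "$payload_dir" | tr '\n' ' ')"
}
```

Passing both checks only shows that matching packages were used and that a payload exists; it does not show that the payload was encrypted with the SBK.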