Add SecureBootKey to the module fused PKC

I’m working with Orin nano 4GB with Our Customboard.
I’m trying fuse SecureBootKey to the module fused PKC.

I have already fused PKC with fllowing commands.

Linux_for_Tegra$ sudo ./odmfuse.sh -X uefi_keys/keys/fuse.conf -i 0x23 jetson-orin-nano-devkit
[fuse.conf]
<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
    <fuse name="BootSecurityInfo" size="4" value="0x201"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

This is working fine. So, I want to add SecureBootKey.
I do following commads, but it fails.

$ sudo ./odmfuse.sh -X uefi_keys/keys/fuse.conf -i 0x23 -k uefi_keys/keys/pkc_rsa3k.pem jetson-orin-nano-devkit
<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
    <fuse name="SecureBootKey" size="32" value="xxxxxxxx"/>
    <fuse name="BootSecurityInfo" size="4" value="0x209"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>                                       

[log]
host-pc.log (93.0 KB)
uart.log (21.5 KB)

I> Task: Burn fuses (0x50003d78)
I> Index : 1    PublicKeyHash    size: 64
I> Index : 2    SecureBootKey    size: 32
I> Index : 3    BootSecurityInfo    size: 4
I> Index : 4    SecurityMode    size: 4
I> Fuse Blob found
I>
I> Burning fuses
I> 1. Start PublicKeyHash burn
I> Fuse is already burned with the same value
I> 1. PublicKeyHash burnt successfully
I>
I> 2. Start SecureBootKey burn
E> Fuse burn failed
E> error = 0x17173002 in fuse_burn
E> Error = 0x17173002 in tegrabl_fuse_write
E> 2. Failed to burn SecureBootKey
E> Failed to burn fuses as per fuse info
E> FSKP: Failed to burn fuses.
C> Task 0x0 failed (err: 0x62173002)
E> Top caller module: FSKP, error module: FUSE, reason: 0x02, aux_info: 0x30
I> Busy Spin

Is there any mistake?
Or is it not possible to add SBK after fuse PKC?

hello S.Harumoto,

please try adding --auth commands, and it’s the options for current authentication type of the board. for instance, it’s PKC as you’ve already fused PKC.
the command should be as following, please also include --test for creating the fuse blob for confirmation.
i.e. $ sudo ./odmfuse.sh -i 0x23 --test --auth PKC -k rsa_priv-3k.pem -S sbk-256.key jetson-orin-nano-devkit

I tried your command but it fails.

Linux_for_Tegra$ sudo ./odmfuse.sh -i 0x23 --test --auth PKC -k uefi_keys/keys/pkc_rsa3k.pem -S uefi_keys/keys/sbk.key jetson-orin-nano-devkit
Error: SBK key file is provided for PKC protected target board.

Is the format of sbk.key wrong?
It is written like follows.

$ cat sample.key 
0x11111111 0x11111111 0x11111111 0x11111111 0x11111111 0x11111111 0x11111111 0x11111111

hello S.Harumoto,

it looks like odmfuse function did not recognize PKC key.
may I know which Jetpack release version you’re now using?

I fused PKC with R35.3.1.
But, I’m trying fuse SBK with R35.4.1

I tried --auth option in R35.3.1. But the same error occurred.

I checked odmfuse.func.

[odmfuse.func]
check_sbk_pkc()
{
        local __auth=$1;
        local __pkc=$2;
        local __sbk=$3;

        case ${__auth} in
        PKC)    if [ "${__pkc}" = "" ]; then
                        echo -n "Error: PKC key file is not provided for PKC protected target board.";
                        exit 1;
                fi;
                if [ "${__sbk}" != "" ]; then
                        echo -n "Error: SBK key file is provided for PKC protected target board.";
                        exit 1;
                fi;
                ;;

If __auth is PKC, it dosen’t accept sbk.
So, I can’t use --auth and -S option at the same time

What can I do next?

hello S.Harumoto,

there’s no way to add SBK key for your target.
as developer guide mentioned, Fuses and Security.

After the SecurityMode (also known as odm_production_mode) fuse is burned with a value of 0x1, all additional fuse write requests will be blocked.

the best practice is to burn all the fuse values at once.
please dig into developer guide, Secure Boot.

I understood. Thank you very much.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.