Boot process Nvidia Jetson AGX Orin

Is there a detailed explanation of the Jetson Orin boot flow similar to this video, Jetson Security and Secure Boot? I am aware of the Jetson AGX Orin, Orin NX and Orin Nano Boot Flow — Jetson Linux Developer Guide documentation, but it is lacking when it comes to describing where components are loaded from. I find the video much more descriptive, but it is for TX devices. I am hoping for a similar resource for the Nvidia Jetson Orin.

hello jamestabourne,

for the Orin series, the boot flow is: MB1 → MB2 → UEFI → Kernel
you may refer to the developer guide to check the details.

Okay, thank you. I have another question regarding the secure boot process. Do we need to generate a custom QSPI tarball that will subsequently be flashed by ourselves if we want it to be signed and encrypted? Or does flash.sh do that?

hello jamestabourne,

is the platform fused already? you'll need to set up a USB cable connecting the Jetson device to the host for burning the fuse variables.
assuming you've fused a target with SBK/PKC, you may run l4t_initrd_flash to create a signed/encrypted blob to flash a target.

let me share some steps for your reference.
fuse burning: $ sudo ./odmfuse.sh -X fuses.xml -i 0x23 jetson-orin-nano-devkit

l4t_initrd_flash to create the signed/encrypted image blob:
$ sudo ADDITIONAL_DTB_OVERLAY_OPT="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_external.xml -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -u rsa_priv-3k.pem -v sbk.key --showlogs --network usb0 jetson-orin-nano-devkit internal

l4t_initrd_flash to flash a target:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only -u rsa_priv-3k.pem -v sbk.key jetson-agx-orin-devkit internal

Hi Jerry,
No, my fuse variables are not burned yet. I am also going to be flashing the internal MMC. After setting everything up I plan on running the following command to get signed and encrypted boot images:

sudo ./flash.sh -u rsa.pem -v sbk.key --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc user_encryption.key jetson-agx-orin-devkit mmcblk0p1

While looking through directories I found Linux_for_Tegra/tools/qspi_flash/README, which details building a QSPI image tarball. This seems like something that would be useful in a scenario where you have already flashed the board, but my board has not been flashed yet, so I would assume the prior command would handle signing and encrypting the QSPI image.

Does this command also sign and encrypt the QSPI image, or do I need to add the additional steps in Linux_for_Tegra/tools/qspi_flash/README of signing and encrypting the image myself?

Also, while I have you: when burning fuses for the first time while enabling secure boot with PKC/SBK, do the -S and -k options need to be specified with the odmfuse.sh command? The documentation states only -k is needed when the PKC fuse has already been burned. Furthermore, looking into the odmfuse.sh file reveals that the SBK file is regarded as a 128-bit SBK, when the documentation states the Orin SoC only uses 32-byte SBK key files. Secure Boot — NVIDIA Jetson Linux Developer Guide
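The two things this thread keeps circling back to are Jerry's fuse/flash sequence and the question of whether the SBK file for Orin is 128-bit or 256-bit (32 bytes). Because a fuse burn is one-way, the check below is the kind of host-side pre-flight a practitioner runs before odmfuse.sh or flash.sh ever sees the key material. It is an added example, not NVIDIA's tooling and not a script from this thread. Its assumptions: the SBK file holds whitespace-separated 32-bit hex words (the "0x... 0x... ..." layout that odmfuse.sh consumes), the PKC file is a PEM RSA private key readable by openssl, the expected PKC size is RSA-3072 to match the thread's rsa_priv-3k.pem (other key types the tooling may accept are not handled), and chip ID 0x23 (Orin, from the odmfuse.sh command above) takes a 256-bit SBK while the 128-bit size is mapped to 0x19 (Xavier) as an assumption about the older SoC.

```shell
#!/bin/sh
# Pre-flight check for Jetson fuse/flash key material (added example, not
# NVIDIA's tooling). Fusing is one-way, so a key file of the wrong size is
# worth catching on the host before odmfuse.sh / flash.sh runs.
#
# Assumptions (not from the thread): the SBK file is whitespace-separated
# 32-bit hex words ("0x01234567 0x89abcdef ..."); the PKC file is a PEM RSA
# private key; only RSA-3072 is treated as acceptable, matching rsa_priv-3k.pem.

# Expected SBK length in bits for a chip ID as passed to odmfuse.sh -i.
expected_sbk_bits() {
    case "$1" in
        0x23) echo 256 ;;   # Orin: 32-byte SBK, as the developer guide states
        0x19) echo 128 ;;   # Xavier: legacy 128-bit SBK (assumption)
        *) return 1 ;;      # unknown chip: refuse rather than guess
    esac
}

# Print the SBK length in bits, or 0 if any token is not a well-formed
# 32-bit hex word (a short or non-hex word is a malformed key file).
sbk_bits() {
    tokens=$(tr -s ' \t\r\n' '\n' < "$1" | grep -c . || true)
    words=$(tr -s ' \t\r\n' '\n' < "$1" | grep -c -E '^0x[0-9a-fA-F]{8}$' || true)
    if [ "$tokens" -ne "$words" ]; then
        echo 0
    else
        echo $((words * 32))
    fi
}

# Print the RSA modulus size of a PEM private key in bits (needs openssl);
# prints nothing if the file is unreadable or openssl is absent.
pkc_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Run every check for one device; returns 0 only if all key sizes match.
preflight() {
    chip=$1; pkc=$2; sbk=$3
    status=0
    want=$(expected_sbk_bits "$chip") || { echo "unknown chip id $chip"; return 1; }
    got=$(sbk_bits "$sbk")
    if [ "$got" -eq "$want" ]; then
        echo "SBK $sbk: $got bits (ok for chip $chip)"
    else
        echo "SBK $sbk: $got bits, expected $want for chip $chip"; status=1
    fi
    bits=$(pkc_bits "$pkc")
    case "$bits" in
        3072) echo "PKC $pkc: RSA-3072 (ok)" ;;
        '')   echo "PKC $pkc: not a readable RSA private key"; status=1 ;;
        *)    echo "PKC $pkc: RSA-$bits, expected RSA-3072"; status=1 ;;
    esac
    return $status
}

# Usage: sh orin_key_preflight.sh <chip-id> <pkc.pem> <sbk.key>
# e.g.   sh orin_key_preflight.sh 0x23 rsa_priv-3k.pem sbk.key
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

The script deliberately reports a malformed SBK file as 0 bits rather than rounding it, so a four-word (128-bit) file written for an older SoC and a file with a truncated word both fail against the 256-bit expectation for 0x23.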

hello jamestabourne,

may I know what's the real use-case for getting signed and encrypted boot images?
you may also see Topic 328104 for a minimal script that only signs Jetson boot components.

To burn fuses, you can use the odmfuse.sh script with a fuse configuration (*.xml) file.

Hi jerry,

I need this information for a testing environment that will go on to production; I am in the defense industry. I just want to know: if I run "flash.sh", do I need to run additional flashing through "l4t_flash.sh" to get encrypted/signed QSPI images, or does flash.sh do that itself?

hello jamestabourne,

it's flash.sh that does the signing/encrypting during the process.

BTW,
that's supported (Massflash/Massfuse): you may create a mass fuse blob and use it to fuse multiple Jetson devices simultaneously.
there's documentation for your reference, i.e. $OUT/Linux_for_Tegra/bootloader/README_Massfuse.txt