[Boot Secure on TX2]how to flash package on TX2 use RSA key?

Hi, all
I tried to fuse TX2 using ‘Secure boot’ package. But, the scprit (fusecmd.sh) run failed. There is a ubuntu14.04 system on my host PC.
the problem like: https://devtalk.nvidia.com/default/topic/1014161/jetson-tx2/tx2-fails-to-boot-rom-communications/

now, I still can’t solve this problem( fuse TX2 ). Meantime, I can’t flash TX2 newly when I used ‘NVIDIA TEGRA LINUX DRIVER PACKAGE’, the error is :
###############################################################################

L4T BSP Information:

R28 (release), REVISION: 2.1, GCID: 11272647, BOARD: t186ref, EABI: aarch64,

DATE: Thu May 17 07:29:06 UTC 2018

###############################################################################

Target Board Information:

Name: jetson-tx2, Board Family: t186ref, SoC: Tegra 186,

OpMode: production, Boot Authentication: PKC,

###############################################################################
Error: The RSA key file is not proviced for for PKC protected target board.

I have my RSA key file, but I don’t how to use my RSA key to flash TX2. Does anyone know how to handle this problem?

My english isn’t good. Hope you can understand.

hello Tolen4nv,

had you check [Jetson Platform Fuse Burning and Secure Boot Documentation and Tools] from https://developer.nvidia.com/embedded/downloads
there’s also [Jetson Security and Secure Boot] training video from https://developer.nvidia.com/embedded/learn/tutorials for your reference,
thanks

Hello JerryChang, thanks for your quick response

I followed the procedures from [Jetson Platform Fuse Burning and Secure Boot Documentation and Tools]. step by step. but it failed. I saw other people had the same problem from https://devtalk.nvidia.com/default/topic/1014161/jetson-tx2/tx2-fails-to-boot-rom-communications/ I didn’t solve this problem even follewed the suggestions in this topic.

So, I tried to flash ‘NVIDIA TEGRA LINUX DRIVER PACKAGE’ newly. It didn’t work. Asking me to provide RSA key, I think maybe I already burned my RSA key into TX2. I wanna try flash the package use RSA key. But I don’t know how to do it. Do you know?

Error:
###############################################################################

Target Board Information:

Name: jetson-tx2, Board Family: t186ref, SoC: Tegra 186,

OpMode: production, Boot Authentication: PKC,

###############################################################################
Error: The RSA key file is not proviced for for PKC protected target board.

hello Tolen4nv,

please check the [Jetson_Device_Secure_Boot_and_Fuse_Burning.pdf] from secure boot package,
you should be able to flash the board with the following command, thanks

sudo ./flash.sh -x <chipid> -y PKC -u <keyfile> <device name> mmcblk0p1

Thanks, JerryChang
That command dose work! now I can run the flash.sh with my RSA key. but…after generating the file system, and starting to flash…a new failure happened:

*** Flashing target device started. ***
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[   0.0036 ] tegrasign_v2 --key None --getmode mode.txt
[   0.0047 ] Assuming zero filled SBK key
[   0.0061 ] 
[   0.0062 ] Generating RCM messages
[   0.0082 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 --download rcm mb1_recovery_prod.bin 0 0
[   0.0091 ] RCM 0 is saved as rcm_0.rcm
[   0.0114 ] RCM 1 is saved as rcm_1.rcm
[   0.0114 ] List of rcm files are saved in rcm_list.xml
[   0.0114 ] 
[   0.0114 ] Signing RCM messages
[   0.0124 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0132 ] Assuming zero filled SBK key
[   0.0198 ] 
[   0.0199 ] Copying signature to RCM mesages
[   0.0214 ] tegrarcm_v2 --chip 0x18 --updatesig rcm_list_signed.xml
[   0.0233 ] 
[   0.0234 ] Parsing partition layout
[   0.0267 ] tegraparser_v2 --pt flash.xml.tmp
[   0.0299 ] 
[   0.0300 ] Creating list of images to be signed
[   0.0324 ] tegrahost_v2 --chip 0x18 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
[   0.1139 ] 
[   0.1140 ] Generating signatures
[   0.1154 ] tegrasign_v2 --key None --list images_list.xml --pubkeyhash pub_key.key
[   0.1165 ] Assuming zero filled SBK key
[   0.3971 ] 
[   0.3971 ] Generating br-bct
[   0.4016 ] Updating dev and MSS params in BR BCT
[   0.4017 ] tegrabct_v2 --dev_param emmc.cfg --sdram P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --brbct br_bct.cfg --chip 0x18
[   0.4316 ] 
[   0.4316 ] Updating bl info
[   0.4328 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 --updateblinfo flash.xml.bin --updatesig images_list_signed.xml
[   0.4348 ] 
[   0.4348 ] Updating smd info
[   0.4361 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 --updatesmdinfo flash.xml.bin
[   0.4378 ] 
[   0.4379 ] Updating Odmdata
[   0.4392 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 --updatefields Odmdata =0x1090000
[   0.4409 ] 
[   0.4409 ] Get Signed section bct
[   0.4423 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 --listbct bct_list.xml
[   0.4438 ] 
[   0.4439 ] Signing BCT
[   0.4469 ] tegrasign_v2 --key None --list bct_list.xml --pubkeyhash pub_key.key
[   0.4487 ] Assuming zero filled SBK key
[   0.4491 ] 
[   0.4491 ] Updating BCT with signature
[   0.4511 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 --updatesig bct_list_signed.xml
[   0.4533 ] 
[   0.4533 ] Generating coldboot mb1-bct
[   0.4553 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_cold_boot_bct.cfg --sdram P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --misc tegra186-mb1-bct-misc-si-l4t.cfg --scr mobile_scr.cfg --pinmux tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmc tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --pmic tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --brcommand tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --prod tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg
[   0.4574 ] MB1-BCT version: 0xe
[   0.4578 ] Copying Sdram info from 2 to 3 set
[   0.4822 ] Packing sdram param for instance[0]
[   0.4824 ] Packing sdram param for instance[1]
[   0.4826 ] Packing sdram param for instance[2]
[   0.4828 ] Packing sdram param for instance[3]

[   0.4830 ] Parsing config file :tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg 
[   0.4833 ] Appending platform config data of size :- 2904

[   0.4835 ] Parsing config file :mobile_scr.cfg 
[   0.4837 ] Appending platform config data of size :- 12240

[   0.4863 ] Parsing config file :tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg 
[   0.4867 ] Appending platform config data of size :- 24

[   0.4870 ] Parsing config file :tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg 
[   0.4874 ] Appending platform config data of size :- 708

[   0.4877 ] Parsing config file :tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg 
[   0.4878 ] Appending platform config data of size :- 64
[   0.4878 ] 
[   0.4878 ] Parsing config file :tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg 
[   0.4878 ] Appending platform config data of size :- 1652
[   0.4878 ] 
[   0.4879 ] Updating mb1-bct with firmware information
[   0.4894 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_cold_boot_bct_MB1.bct --updatefwinfo flash.xml.bin
[   0.4906 ] MB1-BCT version: 0xe
[   0.4912 ] 
[   0.4912 ] Updating mb1-bct with storage information
[   0.4933 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_cold_boot_bct_MB1.bct --updatestorageinfo flash.xml.bin
[   0.4955 ] MB1-BCT version: 0xe
[   0.4962 ] 
[   0.4976 ] tegrahost_v2 --align mb1_cold_boot_bct_MB1.bct
[   0.4991 ] 
[   0.5005 ] tegrahost_v2 --appendsigheader mb1_cold_boot_bct_MB1.bct zerosbk
[   0.5020 ] 
[   0.5039 ] tegrasign_v2 --key None --list mb1_cold_boot_bct_MB1_sigheader.bct_list.xml
[   0.5053 ] Assuming zero filled SBK key
[   0.5092 ] 
[   0.5117 ] tegrahost_v2 --updatesigheader mb1_cold_boot_bct_MB1_sigheader.bct.encrypt mb1_cold_boot_bct_MB1_sigheader.bct.hash zerosbk
[   0.5139 ] 
[   0.5141 ] Generating recovery mb1-bct
[   0.5159 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_bct.cfg --sdram P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --misc tegra186-mb1-bct-misc-si-l4t.cfg --scr minimal_scr.cfg --pinmux tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmc tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --pmic tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --brcommand tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --prod tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg
[   0.5177 ] MB1-BCT version: 0xe
[   0.5181 ] Copying Sdram info from 2 to 3 set
[   0.5453 ] Packing sdram param for instance[0]
[   0.5456 ] Packing sdram param for instance[1]
[   0.5459 ] Packing sdram param for instance[2]
[   0.5461 ] Packing sdram param for instance[3]

[   0.5464 ] Parsing config file :tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg 
[   0.5468 ] Appending platform config data of size :- 2904

[   0.5471 ] Parsing config file :minimal_scr.cfg 
[   0.5473 ] Appending platform config data of size :- 12240

[   0.5486 ] Parsing config file :tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg 
[   0.5489 ] Appending platform config data of size :- 24
[   0.5489 ] 
[   0.5489 ] Parsing config file :tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg 
[   0.5489 ] Appending platform config data of size :- 708
[   0.5489 ] 
[   0.5490 ] Parsing config file :tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg 
[   0.5490 ] Appending platform config data of size :- 64
[   0.5490 ] 
[   0.5490 ] Parsing config file :tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg 
[   0.5490 ] Appending platform config data of size :- 1652
[   0.5490 ] 
[   0.5491 ] Updating mb1-bct with firmware information
[   0.5501 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_bct_MB1.bct --updatefwinfo flash.xml.bin
[   0.5511 ] MB1-BCT version: 0xe
[   0.5521 ] 
[   0.5522 ] Updating mb1-bct with storage information
[   0.5543 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_bct_MB1.bct --updatestorageinfo flash.xml.bin
[   0.5557 ] MB1-BCT version: 0xe
[   0.5562 ] 
[   0.5576 ] tegrahost_v2 --align mb1_bct_MB1.bct
[   0.5589 ] 
[   0.5603 ] tegrahost_v2 --appendsigheader mb1_bct_MB1.bct zerosbk
[   0.5618 ] 
[   0.5635 ] tegrasign_v2 --key None --list mb1_bct_MB1_sigheader.bct_list.xml
[   0.5648 ] Assuming zero filled SBK key
[   0.5687 ] 
[   0.5714 ] tegrahost_v2 --updatesigheader mb1_bct_MB1_sigheader.bct.encrypt mb1_bct_MB1_sigheader.bct.hash zerosbk
[   0.5738 ] 
[   0.5739 ] Copying signatures
[   0.5759 ] tegrahost_v2 --chip 0x18 --partitionlayout flash.xml.bin --updatesig images_list_signed.xml
[   0.6554 ] 
[   0.6554 ] Boot Rom communication
[   0.6568 ] tegrarcm_v2 --chip 0x18 --rcm rcm_list_signed.xml
[   0.6580 ] BootRom is not running
[   1.6583 ] 
[   1.6611 ] tegrarcm_v2 --isapplet
[   1.6636 ] Applet version 01.00.0000
[   1.6774 ] 
[   1.6777 ] Retrieving board information
[   1.6813 ] tegrarcm_v2 --oem platformdetails chip chip_info.bin
[   1.6832 ] Applet version 01.00.0000
[   1.7089 ] Saved platform info in chip_info.bin
[   1.7103 ] Chip minor revision: 2
[   1.7109 ] 
[   1.7109 ] Sending BCTs
[   1.7130 ] tegrarcm_v2 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt
[   1.7148 ] Applet version 01.00.0000
[   1.7444 ] Sending bct_bootrom
[   1.7446 ] [................................................] 100%
[   1.7545 ] 000000002005411c: Failed to verify br bct
[   1.7604 ] 
Error: Return value 28
Command tegrarcm_v2 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt
Failed flashing t186ref.

Failed flashing t186ref!
I searched some relevant topic on the forum. I tried more a few times to change the USB port. But, it still didn’t work.
I think there are some problems when the device tries to communicate with my PC. Do you have any new suggestions?

hello Tolen4nv,

seems here’s failure in the BR BCT verification,
could you please narrow down the issue by enter “–no-flash” options as below,
thanks

sudo ./flash.sh <b>--no-flash</b> -x <chipid> -y PKC -u <keyfile> <device name> mmcblk0p1

Thanks! Jerry
I will try this command later.

I have encountered the same problem as you. Have you solved it?

Hi Jerry,

I tried to flash only the tos-trusty.img for the Jeston TX2, unfortunately, this is not working.

I built the ATF and Trusty, then I create my tos-trusty image for Jetson TX2 (t186ref) by using the python script gen_tos_part_img.py.

For your information, I have the secure boot activated.

I tried with the following commands:

  • The first one is used to sign the images.
  • The second command is to flash only the secure-os partition.
$ sudo BOARDID=3310 FAB=C04 ./flash.sh --no-flash -u /home/ilieschergui/my_privkey.pem -v /home/ilieschergui/my_sbk.key jetson-tx2 mmcblk0p1
...
*** no-flash flag enabled. Exiting now... *** 

User can run above saved command in factory environment without 
providing pkc and sbk keys to flash a device

Example:

    $ cd bootloader 
    $ sudo bash ./flashcmd.txt

$ sudo BOARDID=3310 FAB=C04 ./flash.sh -u /home/ilieschergui/my_privkey.pem -v /home/ilieschergui/my_sbk.key -k secure-os jetson-tx2 mmcblk0p1

I got this:

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0102 ] tegrasign_v2 --key /home/ilieschergui/my_privkey.pem --getmode mode.txt
[   0.0110 ] PKC key in Open SSL format
[   0.0111 ] Key size is 256 bytes
[   0.0112 ] Valid PKC key
[   0.0122 ] 
[   0.0123 ] sign_type   : 0
[   0.0123 ] header_magic: 4e56544f
[   0.0130 ] tegrahost_v2 --chip 0x18 --align 1_tos-trusty.img
[   0.0137 ] 
[   0.0144 ] tegrahost_v2 --appendsigheader 1_tos-trusty.img oem-rsa
[   0.0155 ] 
[   0.0164 ] tegrasign_v2 --key /home/ilieschergui/my_privkey.pem --list 1_tos-trusty_sigheader.img_list.xml
[   0.0170 ] PKC key in Open SSL format
[   0.0172 ] Key size is 256 bytes
[   0.0174 ] Valid PKC key
[   0.0642 ] 
[   0.0652 ] tegrahost_v2 --updatesigheader 1_tos-trusty_sigheader.img.signed 1_tos-trusty_sigheader.img.sig oem-rsa
[   0.0663 ] 
[   0.0663 ] Generating RCM messages
[   0.0670 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[   0.0677 ] RCM 0 is saved as rcm_0.rcm
[   0.0679 ] RCM 1 is saved as rcm_1.rcm
[   0.0679 ] List of rcm files are saved in rcm_list.xml
[   0.0679 ] 
[   0.0679 ] Signing RCM messages
[   0.0685 ] tegrasign_v2 --key /home/ilieschergui/my_privkey.pem --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0691 ] PKC key in Open SSL format
[   0.0695 ] Key size is 256 bytes
[   0.0696 ] Valid PKC key
[   0.0703 ] Saving pkc public key  in pub_key.key
[   0.1573 ] 
[   0.1573 ] Copying signature to RCM mesages
[   0.1580 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[   0.1589 ] 
[   0.1589 ] Boot Rom communication
[   0.1595 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[   0.1601 ] RCM version 0Xa
[   0.4884 ] Boot Rom communication failed
[   5.6463 ] 
Error: Return value 3
Command tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
Failed to flash/read t186ref.

Would you be able to confirm if this is the correct way to flash the secure-os partition only ?

Any help would be appreciated.

Best regards,
Ilies

hello ilies.chergui,

to clarify, since partial update should NEVER be used in factory environment.
please perform a clean full flashing all the time with a fused device.

due to this thread were verify RSA keys,
you may initial another new discussion thread for further supports,
thanks