Hi, everyone:
I want to build the Massfuse Blob offline for Jetson AGX Xavier with L4T R32.5.1 and secureboot, but I failed.
I built it like this:
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 -auth SBKPKC -p -k xxx/rsa_pri.pem -S xxx/SBK --KEK2 xxx/KEK2 jetson-agx-xavier-devkit
It failed at step 1; the error is:
Error: command file generation failed.
Any help would be much appreciated.
Thanks.
hello zjfsharp,
please check developer guide for the odmfuse.sh Switches.
it’s double - for the authentication options, i.e. --auth SBKPKC.
thanks
Sorry, I wrote --auth wrongly in the blog.
I checked; my command is:
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 --auth SBKPKC -p -k xxx/rsa_pri.pem -S xxx/SBK --KEK2 xxx/KEK2 jetson-agx-xavier-devkit
Error: command file generation failed.
hello zjfsharp,
it’s fuse commands generation failed. since --auth is included in r32.5, could you please have a try with below for confirmation?
for example,
$ sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 -c SBKPKC -p -k xxx/rsa_pri.pem -S xxx/SBK --KEK2 xxx/KEK2 jetson-agx-xavier-devkit
It does not work; the error is:
*** Error: --auth is missing
*** Error: fusecmd.sh generation failed
I used L4T R32.5.1 and secureboot_R32.5.0_aarch64.tbz2, which I downloaded from https://developer.nvidia.com/embedded/linux-tegra-r3251
Can this problem be reproduced at your place?
hello zjfsharp,
could you please try including the patch below in nvmassfusegen.sh, and test again?
it extracts the xml file from the fuseblob.
thanks
@@ -28,6 +28,7 @@ FUSECMD="fusecmd.sh";
MFGENCMD="mfgencmd.txt";
mfusedir="mfuse_${ext_target_board}";
mfusetmpdir="mfusetmp_${ext_target_board}";
+FUSEBLOB="${curdir}/fuseblob.tbz2";
gen_afuse_sh_v1()
{
@@ -983,11 +984,17 @@ odmfuse_args="$@";
if [ "${CHIPID}" = "0x21" ] || [ "${CHIPID}" = "0x12" ]; then
odmfuse_args=$(echo "${odmfuse_args}" | sed -e s/${ext_target_board}//);
fi;
+rm -f "${FUSEBLOB}"
BOARDID=${BOARDID} BOARDSKU=${BOARDSKU} FAB=${FAB} BOARDREV=${BOARDREV} FUSELEVEL=${FUSELEVEL} ${curdir}/odmfuse.sh --noburn ${odmfuse_args}
if [ $? -ne 0 ]; then
echo "*** Error: ${FUSECMD} generation failed.";
exit 1;
fi;
+if [ ! -f "${FUSEBLOB}" ]; then
+ echo "*** Error: fuseblob file generation failed.";
+ exit 1;
+fi;
+tar xjf "${FUSEBLOB}" "${BLDIR}/odmfuse_pkc.xml" "${BLDIR}/${FUSECMD}"
if [ ! -f "${BLDIR}/${FUSECMD}" ]; then
echo "*** Error: command file generation failed.";
exit 1;
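Review bot: the tar xjf line added in the second hunk has no exit-status check, and the existing test that follows it only looks for "${BLDIR}/${FUSECMD}", so a copy of that file left over from an earlier run passes the test even when extraction fails, and a missing "${BLDIR}/odmfuse_pkc.xml" is never reported. Suggest removing both extraction targets next to the new rm -f "${FUSEBLOB}", testing the tar return value the same way the odmfuse.sh call is tested, and checking for the xml file as well. The extraction also depends on the archive member names matching "${BLDIR}/..." exactly, which deserves a comment saying how the members are named inside fuseblob.tbz2.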
It does not work; error in step 2:
Error: Return value 4
Command tegrahost_v2 --chip 0x19 --align encrypted_signed_t19x/nvboot_recovery_t194.bin_signheader.encrypt.signed
Keep temporary directory /home/tmp/Linux_for_Tegra/bootloader/8968
Error: Signing binaries failed
hello zjfsharp,
could you please delete the temporary directory and have another trial.
please also check executing nvmassfusegen.sh with the ONLINE approach, i.e. without BOARDID=2888 BOARDSKU=0004 FAB=400 BOARDREV=H.0
thanks
I have only one device and I have burned it, so I can’t check executing nvmassfusegen.sh that way; I will get the error: Production mode is set, you can't burn any manufacturing fuses now.
So, how can I fix the problem and build the mass fuse blob offline?
hello zjfsharp,
may I know what’s the secure mode enabled, is it PKC or PKC+SBK? is it possible to share the fuse commands for reference?
Thanks for your reply.
PKC+SBK
commands:
OFFLINE:
sudo BOARDID=2888 BOARDSKU=0004 FAB=400 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -j -i 0x19 --auth SBKPKC -p -k rsa_priv.pem -S SBK --KEK0 KEK0 --KEK1 KEK1 --KEK2 KEK2 jetson-agx-xavier-devkit
I have enabled secureboot with PKC+SBK, so I got the error "Production mode is set, you can’t burn any manufacturing fuses now" when building the fuse blob ONLINE. Command:
sudo ../nvmassfusegen.sh -j -i 0x19 --auth SBKPKC -p -k rsa_priv.pem -S SBK --KEK0 KEK0 --KEK1 KEK1 --KEK2 KEK2 jetson-agx-xavier-devkit
hello zjfsharp,
it looks like you’re confused with nvmassfusegen.sh and odmfuse.sh,
please check the readme file, it’s the massflashing tool that generates the massflash blob in a trusted environment. so, you should at least exclude the -p option in your command line.
I don’t really understand what you mean.
I want to generate the massfuse blob in a trusted environment so that I can give the massflash blob to my customers, who can burn fuses without the private key and SBK. I have read bootloader/README_Massfuse.txt, which indicates how to generate the massblob ONLINE or OFFLINE, but all need the -p option. You can check it.
hello zjfsharp,
may I know which JetPack release version you’re using?
I’ve checked README_Massflash.txt from the JetPack-4.5.1 release, and the -p option isn’t shown in the sample command-line.
for example,
To generate jetson-agx-xavier-devkit (16GB) SBK encrypted + PKC signed massflash blob:
sudo BOARDID=2888 BOARDSKU=0001 FAB=400 BOARDREV=H.0 \
FUSELEVEL=fuselevel_production ./nvmassflashgen.sh -x 0x19 -y SBKPKC \
-u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-xavier-devkit mmcblk0p1
I downloaded secureboot_R32.5.0_aarch64.tbz2 from https://developer.nvidia.com/embedded/linux-tegra-r3251.
MD5 (secureboot_R32.5.0_aarch64.tbz2) = 3baf9536ae69506e65defc3ef87e145e
You can read Linux_for_Tegra/bootloader/README_Massfuse.txt.
But I don’t think the -p option is the cause of the error. Can you share your relative package of secureboot_xxxx.tbz2?
hello zjfsharp,
oh, I see that the -p option is actually there in the readme file of the secureBoot package. what I’m referring to is the file installed by NVIDIA SDK Manager | NVIDIA Developer.
nevertheless, it’s not the -p option that causes the failure.
could you please execute odmfuseread.sh to parse the fuse info of your Jetson AGX Xavier.
thanks
Hi, JerryChang
Currently I only have NX devices around, no agx devices. Let’s take the NX device as an example (both NX and agx devices have secureboot enabled), the error is reported as follows:
$ sudo ./odmfuseread.sh -i 0x19 -k rsa_priv.pem -S SBK jetson-xavier-nx-devkit
Error: return value 3
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid
Reading board information failed
As far as I know, odmfuseread.sh can’t read fuse information from a device which has secureboot enabled in production mode. And I generate the mass fuse blob **offline** without a device on, so I think getting the fuse information is no help.
Thanks.
hello zjfsharp,
what’s the actual platform you’re using now?
isn’t this topic filed for Jetson AGX Xavier? let’s keep the discussion on the same platform, and initiate a new topic if necessary.
BTW, is this Xavier NX with eMMC module? note, secureBoot is only supported with production modules.
Sorry, Sorry
Currently, I have an NX device on hand, and the AGX device is not around, but there are problems experimenting with either device. so I take the NX device as an example now.
I just want to generate the massfuse blob OFFLINE, so what I mean is that you can experiment even if you don’t have the devices.
Thanks
FYI,
here’s another thread I’ve just verified with the offline approach, by generating Massflash image on the host machine.
it’s able to generate Mass Flashing tarball for Jetson Xavier NX, i.e. mfi_jetson-xavier-nx-devkit-emmc.tbz2
please check this thread for details. Build the massflash blob tarball failed - #26 by JerryChang
thanks