Our team encountered the following issues while developing secure boot.
First, we configured PKC, PKC1, and PKC2 in the fuse_config.xml file and set bootsecurityinfo to 1. After using odmfuse and flashing, the process completed successfully, and all information was correct.
Next, we set the value of the SBK key and changed bootsecurityinfo to 9. After using odmfuse, the odmfuse message showed that bootsecurityinfo was set to 9. However, after flashing, bootsecurityinfo remained at 1.
We suspect that the final bootsecurityinfo setting might not have been applied successfully. Therefore, we commented out other settings in the fuse_config.xml file, leaving only bootsecurityinfo set to 9, and attempted to update it again. Unfortunately, we found that the system is now unable to boot.
The log attachment is as follows: log.log (15.8 KB)
May I know what your command line is to fuse additional SBK keys?
For instance, there's the --auth option to set the current authentication type; it should be --auth PKC since it's a target fused with PKC only.
As mentioned, there's the --auth option to set the current authentication type.
Please try the following to fuse additional SBK keys.
Note, you may add the --test option for checking first.
For instance, $ sudo ./odmfuse.sh -X fuse_config.xml -i 0x23 --auth PKC -k pkc_keyfile jetson-agx-orin-devkit --test
It’s not working. This is the only result: Error: Either PKC or SBK key is not provided for SBK+PKC protected target board.
BTW, we have one question to ask:
Q1: If we set the SBK value in fuse_config.xml but keep the bootsecurityinfo set to 1, will the SBK value still be fused during execution? Or will it only be fused when bootsecurityinfo is set to 9?
Our assumption is that the value of bootsecurityinfo only determines whether this feature is enabled and does not affect whether the SBK value is fused. Therefore, we believe that when it is set to 1, the SBK value will still be fused, but it will only activate the SBK functionality when set to 9.
We would like to ask if the settings already fused in fuse_config.xml need to be commented out before performing the next fuse operation?
Here’s our situation:
During the first fuse operation, we only fused the PKC key and set bootsecurityinfo to 1. For the second operation, we modified fuse_config.xml to include both the PKC and SBK settings and changed bootsecurityinfo to 9. The odmfuse command indicated success, but after flashing, running sudo nv_fuse_read.sh showed bootsecurityinfo=1.
To address this, we commented out all other settings in fuse_config.xml except for bootsecurityinfo=9 and performed odmfuse again.
It seems that we may have enabled the SBK functionality without setting an SBK value. In this situation, is there a default SBK value that can be used?
Honestly, the recommended way is to burn all fuses together instead of burning fuses step-by-step.
Are you able to run odmfuseread.sh? Please share the results for reference.
Could you please try using --read-info from flash.sh to retrieve the info?
For instance, $ sudo ./flash.sh --read-info -u <pkc> -v <sbk> <target_conf> <rootdev>
info.log (21.8 KB)
Sorry, I just noticed that some of the output is in stderr, here is the full log.
Then I noticed that the part you mentioned has the error cat:/mnt/nvme1n1p3/b110/6.1/dev_kit/Linux_for_Tegra/bootloader/fuse_t234.bin: No such file or directory.
Is there anything else I can provide or what I can do?
Please see also Topic 263458; we've checked and confirmed fuse burning and image flashing on Orin NX with success.
Anyway, could you please share the fuse XML file for checking?
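A pre-burn check for the failure described in this thread (bootsecurityinfo set to 9 while the SBK entry was commented out), as an added example that is not part of the thread and not NVIDIA's tooling. It assumes the fuse XML uses `fuse` elements with `name` and `value` attributes, that the fuses are named `BootSecurityInfo` and `SecureBootKey`, and that bit 0x8 is the SBK enable bit (inferred from the thread's values 1 and 9); the sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption inferred from the thread: 0x1 = PKC only, 0x9 = PKC + SBK.
SBK_ENABLE_BIT = 0x8

def lint_fuse_config(xml_text):
    """Return a list of problems to resolve before burning this fuse file."""
    root = ET.fromstring(xml_text)  # the parser drops commented-out entries
    fuses = {f.get("name"): (f.get("value") or "").strip()
             for f in root.iter("fuse")}
    raw = fuses.get("BootSecurityInfo")
    if raw is None:
        return ["BootSecurityInfo is not set in this file"]
    try:
        info = int(raw, 0)
    except ValueError:
        return [f"BootSecurityInfo value {raw!r} is not a number"]
    problems = []
    if info & SBK_ENABLE_BIT:
        sbk = fuses.get("SecureBootKey", "")
        digits = sbk[2:] if sbk.lower().startswith("0x") else sbk
        if not digits:
            problems.append("BootSecurityInfo enables SBK but no active "
                            "SecureBootKey entry is present")
        elif set(digits) == {"0"}:
            problems.append("BootSecurityInfo enables SBK but SecureBootKey "
                            "is all zeros")
    return problems

# Constructed sample inputs (key material is placeholder data).
PKC_ONLY = """<genericfuse>
  <fuse name="PublicKeyHash" value="0x1111"/>
  <fuse name="BootSecurityInfo" value="0x1"/>
</genericfuse>"""

PKC_AND_SBK = """<genericfuse>
  <fuse name="PublicKeyHash" value="0x1111"/>
  <fuse name="SecureBootKey" value="0x2222"/>
  <fuse name="BootSecurityInfo" value="0x9"/>
</genericfuse>"""

SBK_COMMENTED_OUT = """<genericfuse>
  <!-- <fuse name="PublicKeyHash" value="0x1111"/> -->
  <!-- <fuse name="SecureBootKey" value="0x2222"/> -->
  <fuse name="BootSecurityInfo" value="0x9"/>
</genericfuse>"""

if __name__ == "__main__":
    for label, text in [("pkc only", PKC_ONLY), ("pkc+sbk", PKC_AND_SBK),
                        ("sbk commented out", SBK_COMMENTED_OUT)]:
        print(label, "->", lint_fuse_config(text) or "ok")
```

The check only reads the XML file; it says nothing about fuses already burned on the device, which still have to be read back from the target.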