Can't boot after enabling secure boot (AGX Orin)

Hello,

Our team encountered the following issues while developing secure boot.

First, we configured PKC, PKC1, and PKC2 in the fuse_config.xml file and set bootsecurityinfo to 1. After using odmfuse and flashing, the process completed successfully, and all information was correct.

Next, we set the value of the SBK key and changed bootsecurityinfo to 9. After using odmfuse, the odmfuse message showed that bootsecurityinfo was set to 9. However, after flashing, bootsecurityinfo remained at 1.

We suspect that the final bootsecurityinfo setting might not have been applied successfully. Therefore, we commented out other settings in the fuse_config.xml file, leaving only bootsecurityinfo set to 9, and attempted to update it again. Unfortunately, we found that the system is now unable to boot.

The log attachment is as follows:
log.log (15.8 KB)

Hello Scott_LAI,

May I know what your command line is to fuse additional SBK keys?
For instance, there's an --auth option to set the current authentication type; it should be --auth PKC since the target is fused with PKC only.

We use the following command to fuse additional SBK keys.
sudo ./odmfuse.sh -X fuse_config.xml -i 0x23 -k pkc_keyfile jetson-agx-orin-devkit

Hello Scott_LAI,

As mentioned, there's an --auth option to set the current authentication type.
Please try the following to fuse additional SBK keys.
Note, you may add the --test option to check first.
For instance,
$ sudo ./odmfuse.sh -X fuse_config.xml -i 0x23 --auth PKC -k pkc_keyfile jetson-agx-orin-devkit --test

It’s not working. This is the only result:
Error: Either PKC or SBK key is not provided for SBK+PKC protected target board.

BTW, we have one question to ask:
Q1: If we set the SBK value in fuse_config.xml but keep the bootsecurityinfo set to 1, will the SBK value still be fused during execution? Or will it only be fused when bootsecurityinfo is set to 9?

Our assumption is that the value of bootsecurityinfo only determines whether this feature is enabled and does not affect whether the SBK value is fused. Therefore, we believe that when it is set to 1, the SBK value will still be fused, but it will only activate the SBK functionality when set to 9.

Hello Scott_LAI,

This means it has recognized the target as SBKPKC.

Yes, you're correct.

We would like to ask if the settings already fused in fuse_config.xml need to be commented out before performing the next fuse operation?

Here’s our situation:
During the first fuse operation, we only fused the PKC key and set bootsecurityinfo to 1. For the second operation, we modified fuse_config.xml to include both the PKC and SBK settings and changed bootsecurityinfo to 9. The odmfuse command indicated success, but after flashing, running sudo nv_fuse_read.sh showed bootsecurityinfo=1.

To address this, we commented out all other settings in fuse_config.xml except for bootsecurityinfo=9 and performed odmfuse again.

It seems that we may have enabled the SBK functionality without setting an SBK value. In this situation, is there a default SBK value that can be used?

Thank you.

Hello Scott_LAI,

Honestly, the recommended way is to burn all fuses together instead of burning fuses step-by-step.
Are you able to run odmfuseread.sh? Please share the results for reference.
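
Added example (not part of the thread and not NVIDIA tooling): a pre-burn check that refuses a fuse_config.xml whose bootsecurityinfo mode lacks the key fuses it depends on, which is the state the thread ends up in. The entry names PublicKeyHash, SecureBootKey and BootSecurityInfo and the XML layout are assumptions, the mode meanings (1 = PKC, 9 = PKC + SBK) are taken from the thread, and the sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed entry names; adjust to your BSP's fuse_config.xml.
PKC_FUSE, SBK_FUSE, MODE_FUSE = "PublicKeyHash", "SecureBootKey", "BootSecurityInfo"
# Key fuses each mode depends on, per the thread: 1 = PKC only, 9 = PKC + SBK.
MODE_REQUIRES = {0x1: [PKC_FUSE], 0x9: [PKC_FUSE, SBK_FUSE]}

# Constructed samples (placeholder key values, not real keys).
FULL = """<genericfuse>
  <fuse name="PublicKeyHash" size="64" value="0x1111"/>
  <fuse name="SecureBootKey" size="32" value="0x2222"/>
  <fuse name="BootSecurityInfo" size="4" value="0x9"/>
</genericfuse>"""
MODE_ONLY = """<genericfuse>
  <!-- <fuse name="PublicKeyHash" size="64" value="0x1111"/> -->
  <!-- <fuse name="SecureBootKey" size="32" value="0x2222"/> -->
  <fuse name="BootSecurityInfo" size="4" value="0x9"/>
</genericfuse>"""


def lint_fuse_config(xml_text, already_burned=()):
    """Return problems found; an empty list means the mode has its keys.

    already_burned: fuse names confirmed programmed on the device by a
    fuse readback, so they may legitimately be absent from the XML.
    """
    # The parser drops XML comments, so commented-out entries count as absent.
    root = ET.fromstring(xml_text)
    fuses = {f.get("name"): f.get("value", "") for f in root.iter("fuse")}
    if MODE_FUSE not in fuses:
        return []  # this file does not change the boot security mode
    try:
        mode = int(fuses[MODE_FUSE], 16)
    except ValueError:
        return [f"{MODE_FUSE}: value {fuses[MODE_FUSE]!r} is not hex"]
    if mode not in MODE_REQUIRES:
        return [f"{MODE_FUSE}: {mode:#x} is not a mode this check knows"]
    problems = []
    for name in MODE_REQUIRES[mode]:
        if name not in fuses and name not in already_burned:
            problems.append(f"{MODE_FUSE}={mode:#x} needs {name}, which is "
                            "neither in this file nor confirmed burned")
    return problems


if __name__ == "__main__":
    for label, text in (("full", FULL), ("mode only", MODE_ONLY)):
        print(label, lint_fuse_config(text) or "ok")
```

Pass `already_burned` only for fuses confirmed by a readback from the device itself, not from the output of an earlier odmfuse run.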