I’d like to generate a capsule for updating on a fused + SecureBoot enabled Jetson Orin Nano.
I tried and created a capsule, the device performs some update operation on reboot, but does not succeed. So I assume the capsule is rejected.
This page explains how to use l4t_generate_soc_capsule.sh.
The linked document says to use 3 different certificate files (signer private certificate, public certificate, and trusted public certificate), but does not explain this further.
In the source code, I see this:
# Test key/certs.
# 'test' keys/certs that are public in the edk2 source
# They are enabled in the uefi build.
def_signer_private_cert="${build_capsule_dir}/Pkcs7Sign/TestCert.pem"
def_other_public_cert="${build_capsule_dir}/Pkcs7Sign/TestSub.pub.pem"
def_trusted_public_cert="${build_capsule_dir}/Pkcs7Sign/TestRoot.pub.pem"
However, neither the documentation nor the source code tells me which certificates (i.e. from which keys) to use on a secureboot-enabled device!
My questions:
I assume UEFI checks the signed capsule data against some keys in the EKB? If so, which key(s)? db Key?
How does that map to the signer/other/trusted certificates from above?
In other words, if I know to use, e.g., the db key from the EKB, how do I provide the correct certificate parameters to the script which generates the capsule?
May I also confirm how you create the bootloader and kernel payloads?
Anyway, please share your complete steps for reference.
Here’s an example: you should include the PKC/SBK keys when running the l4t_generate_soc_bup script,
for instance, $ sudo ./l4t_generate_soc_bup.sh -u PKC.key -v SBK.key -e t23x_3767_bl_spec t23x
Your answer has nothing to do with my initial question:
How to correctly set up the keys/certificates to create signed capsules for updating a secure boot enabled Jetson Orin Nano?
I am using an X86 host and I burned PKC/SBK/KDK0, OEMK1/2 and so on as written above.
This is not about verifying whether this succeeded, it’s simply about missing documentation on how to generate correctly signed capsules that are accepted by UEFI.
After running an update, I see this message on reboot:
Jetson UEFI firmware (version v35.5.0 built on 2024-02-26T13:44:31+00:00)
ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
But, as one can see in the last line, the machine does not afterwards switch from boot slot 0 to slot 1. When I check with nvbootctrl dump-slots-info, slot 1 is marked as “non-bootable”. That’s why I assume signing the capsule with the test keys is not correct on a secure boot enabled device.