Enable Secure-Boot - Orin NX - odmfuse.sh --test errors

salomon.ramirez · November 1, 2024, 5:50pm

Hello everyone!

I am enabling secure-boot to a Orin NX, following the Secure-Boot Documentation. I was able to create the PKC key pair, the SBK key and the KEK keys. My config file looks like this:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="XXXX"/>
    <fuse name="SecureBootKey" size="32" value="XXXX"/>
    <fuse name="OemK1" size="32" value="XXXX"/>
    <fuse name="OemK2" size="32" value="XXXX"/>
    <fuse name="BootSecurityInfo" size="4" value="0x209"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

First question here, the BootSecurityInfo y set correctly? The next step would be to run the odmfuse.sh script with this command:

sudo ./odmfuse.sh --test -i 0x23 -X ~/orin_nx.xml jetson-orin-nano-devkit

For this script i got the logs seen in the odm_logs.txt.
odm_logs.txt (89.4 KB)

In the previous log, there are some errors that i want to know if they are normal, for example:

[   0.0332 ] File rcm_state open failed
[   0.0334 ] ERROR: failed to read rcm_state

Or:

[   0.1607 ] MB1-BCT version: 0.10
[   0.1609 ] ERROR: carveout /misc/carveout/aux_info@CARVEOUT_UNUSED1/ is not supported
[   0.1613 ] ERROR: carveout /misc/carveout/aux_info@CARVEOUT_UNUSED1/ is not supported
[   0.1617 ] ERROR: carveout /misc/carveout/aux_info@CARVEOUT_UNUSED1/ is not supported
[   0.1620 ] ERROR: /misc/tsc_controls/tsc_locking_config is not supported
[   0.1623 ] ERROR: /misc/tsc_controls/tsc_locking_diff_configuration is not supported
[   0.1628 ] ERROR: /misc/tsc_controls/tsc_locking_ref_frequency_configuration is not supported
[   0.1632 ] ERROR: /misc/tsc_controls/tsc_locking_control is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_locking_adjust_configuration is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_locking_fast_adjust_configuration is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_locking_adjust_delta_control is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_capture_control_ptx is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_capture_config_ptx is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_stscrsr is not supported
[   0.1634 ] ERROR: /misc/tsc_controls/tsc_locking_adjust_num_control is not supported

Is my config file set up correctly or the logs of the odmfuse script normal? I want to be sure before running the script without the --test flag. Also the configuration have all the keys that the documentation asks, but, i saw in this topic you added some others like the PscOdmStatic, EndorseKey or Kdk0, are they needed?

salomon.ramirez · November 1, 2024, 11:00pm

Hello, just for an update on this, i proceed to the flash script. I am using a CTI Hadron carrier board (with an Orin NX 16GB), so i downloaded the bsp and follow the corresponding instructions to install them to a JP 5.1.3. After i run the flash script, i got the log_flash_jp.txt logs erros:

sudo ./cti-flash.sh -u rsa3kpkc.pem -v sbk.key

log_flasheo_jp.txt (115.3 KB)

I think that the last log error might be the important one:

ERROR: might be timeout in USB write.

JerryChang · November 4, 2024, 2:18am

hello salomon.ramirez,

so, this is a customize board instead of Orin NX devkit?

please double check the board configuration,
you should also have another board configuration file which support your platform.

salomon.ramirez · November 4, 2024, 5:26pm

Hello @JerryChang

Thanks for the answer,

Yes, is a Hadron board that have an Orin NX as a platform. This is the board.
Are you suggesting that I should create a jetson-orin-hadron.conf file instead of using the existing jetson-orin-nano-devkit configuration, since I’m working with a custom board? I am using this doc.

JerryChang · November 5, 2024, 2:06am

hello salomon.ramirez,

it’s board configuration to list all the specific binary files for flashing onto the target.
so… had you flash this target before, may I know your flash command-line?

salomon.ramirez · November 5, 2024, 2:37pm

Hello @JerryChang,

Yes, i have flash it just before burning the fuses. I follow the instructions inside the BSP that CTI provide. Basically after an installation to the JP5.1.3 sources that i downloaded from sdkmanager i just have to run the ./cti-flash.sh script in order to flash the board (no flags needed).

JerryChang · November 6, 2024, 2:28am

hello salomon.ramirez,

you may dig into the script to understand which board configuration is used.
anyways, please also contact with vendor for further supports.

system · December 3, 2024, 1:55pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Burning fuses on secure board Jetson Orin NX security	8	405	July 2, 2024
Flash from command line is failing with Secure Boot Jetson Orin Nano security	18	71	April 28, 2025
Flash Orin NX custom board - stay in waitinng for target to boot-up Jetson Orin NX reflash , board-design	9	1418	October 2, 2023
Secure Boot for Orin NX Jetson Orin NX boot , security	30	3137	October 13, 2023
Can't boot after enable secure boot (AGX Orin) Jetson AGX Orin security	19	91	February 12, 2025
Enabling disk encryption on Jetson Orin NX Jetson Orin NX security	8	280	November 19, 2024
Orin NX disk encryption Jetson Orin NX board-design , security , nvbugs	13	1668	September 8, 2023
Orin nx disk encryption, the device cannot boot normally Jetson Orin NX security	12	80	August 29, 2024
Odmfuse.sh error Jetson AGX Orin security , nvbugs	15	886	October 2, 2022
Orin NX: Is It Bricked After Fusing an ECDSA P-256 Key Hash with a BootSecurityInfo Value of 0x20b? Jetson Orin NX security	12	57	December 17, 2024

Enable Secure-Boot - Orin NX - odmfuse.sh --test errors

Related topics