Enabling Secure Boot on Jetson Xavier NX Without EEPROM Access

I want to enable secure boot on my Jetson Xavier NX for mass production, but I’m receiving the following message: “Otherwise odmfuse needs to access on board EEPROM. Make sure the board is in recovery mode.” Is there a way to use secure boot without EEPROM?

My initial test command is:

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh --noburn -j -i 0x19 --auth NS -p -k vio_rsa_priv.pem -S sbk.key --KEK2 kek2.key --test jetson-xavier-nx-devkit-emmc

I am using Jetson Xavier NX eMMC 16GB with JetPack 5.1.4.

hello user34150,

those are the commands for sending board info.

may I have more details, you’re trying to fuse targets, right?
I assume you’re able to complete the above odmfuse command line without failures?

Indeed, the above command does not contain any errors; I believe it’s just testing the process to ensure everything is okay before implementing it in actual production. I’m attempting to enable secure boot for all of my company’s products, but I’m encountering many challenges. Here is my process:

  1. Test burn
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh \
--noburn -j -i 0x19 --auth NS -p -k vio_rsa_priv.pem -S sbk.key --KEK2 kek2.txt \
--KEK2 kek2.key --test jetson-xavier-nx-devkit-emmc
  2. Run
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh \
--noburn -j -i 0x19 --auth NS -p -k vio_rsa_priv.pem -S sbk.key \
--KEK2 kek2.key jetson-xavier-nx-devkit-emmc
  3. Extract and check fuses
sudo tar xpf fuseblob.tbz2
cd bootloader
cat odmfuse_pkc.xml  # check if required fuses are included
sudo ./fusecmd.sh
cd ../
  4. Flash
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u rsa_priv.pem -v sbk.key jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader
sudo bash ./flashcmd.txt
  • Key Files
cat kek2.key
5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cat sbk.key
0xfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Do you see any issues with my process? Please provide feedback to help me improve it!
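Step 3 above says to inspect odmfuse_pkc.xml by eye before running fusecmd.sh. Because fuses are one-time programmable, a placeholder or truncated value burned by mistake is permanent, so that inspection is worth automating. The script below is an added example written for this thread, not code from the thread or from NVIDIA's L4T tools. It assumes the fuse configuration file layout that odmfuse.sh -X reads (a genericfuse root with fuse elements carrying name, size in bytes and a 0x-prefixed hex value), assumes the MagicId value and the fuse-name set in REQUIRED_FUSES, and uses constructed placeholder values throughout.

```python
"""Pre-burn sanity check for a Jetson fuse configuration XML.

Added example for this thread; it is not code from the thread or from NVIDIA's
L4T tools. Assumptions: the file has the <genericfuse MagicId=... version=...>
root with <fuse name=... size=... value=.../> children that odmfuse.sh -X reads,
size is in bytes, value is 0x-prefixed hex, and the fuse names in REQUIRED_FUSES
are the ones a PKC + SBK + KEK2 configuration on T194 needs. All values in the
sample XML below are constructed placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

FUSE_MAGIC = "0x45535546"  # assumed MagicId of a genericfuse configuration file

# fuse name -> size in bytes (assumption: what --auth SBKPKC plus --KEK2 sets)
REQUIRED_FUSES = {"PublicKeyHash": 32, "SecureBootKey": 16, "Kek2": 16, "BootSecurityInfo": 4}

# Secret fuses: an all-zero or placeholder value burned here is permanent,
# because fuses are one-time programmable, so refuse it before fusecmd.sh runs.
SECRET_FUSES = {"SecureBootKey", "Kek2"}


def check_fuse_xml(xml_text):
    """Return a list of problems found; an empty list means the file looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "genericfuse":
        return [f"unexpected root element <{root.tag}>"]
    if root.get("MagicId", "").lower() != FUSE_MAGIC:
        problems.append(f"MagicId {root.get('MagicId')!r} is not {FUSE_MAGIC}")

    seen = set()
    for fuse in root.findall("fuse"):
        name = fuse.get("name", "?")
        value = fuse.get("value", "")
        if name in seen:
            problems.append(f"{name}: listed more than once")
        seen.add(name)
        try:
            size_bytes = int(fuse.get("size", ""))
        except ValueError:
            problems.append(f"{name}: size is not an integer")
            continue
        if not value.lower().startswith("0x"):
            problems.append(f"{name}: value must be 0x-prefixed hex")
            continue
        digits = value[2:]
        try:
            numeric = int(digits, 16)
        except ValueError:
            problems.append(f"{name}: value is not hex")
            continue
        if len(digits) != 2 * size_bytes:
            problems.append(f"{name}: {len(digits)} hex digits but size={size_bytes} bytes needs {2 * size_bytes}")
        if name in REQUIRED_FUSES and REQUIRED_FUSES[name] != size_bytes:
            problems.append(f"{name}: size {size_bytes} differs from expected {REQUIRED_FUSES[name]}")
        if name in SECRET_FUSES and numeric == 0:
            problems.append(f"{name}: all-zero value looks like a placeholder, not a production key")
        if name == "BootSecurityInfo" and numeric == 0:
            problems.append("BootSecurityInfo is 0, so no authentication or encryption mode is selected")

    for name in REQUIRED_FUSES:
        if name not in seen:
            problems.append(f"{name}: required fuse missing")
    return problems


# Constructed sample: what a complete configuration looks like (placeholder values).
GOOD_XML = f"""<genericfuse MagicId="{FUSE_MAGIC}" version="1.0.0">
  <fuse name="PublicKeyHash" size="32" value="0x{'11' * 32}" />
  <fuse name="SecureBootKey" size="16" value="0x{'22' * 16}" />
  <fuse name="Kek2" size="16" value="0x{'33' * 16}" />
  <fuse name="BootSecurityInfo" size="4" value="0x00000005" />
</genericfuse>"""

# Constructed sample with three defects: a truncated hash, an all-zero SBK, no Kek2.
BAD_XML = f"""<genericfuse MagicId="{FUSE_MAGIC}" version="1.0.0">
  <fuse name="PublicKeyHash" size="32" value="0x{'11' * 31}" />
  <fuse name="SecureBootKey" size="16" value="0x{'00' * 16}" />
  <fuse name="BootSecurityInfo" size="4" value="0x00000005" />
</genericfuse>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_XML
    for p in check_fuse_xml(text) or ["no problems found"]:
        print(p)
```

Run it as `python3 check_fuses.py bootloader/odmfuse_pkc.xml` after extracting fuseblob.tbz2 and before `sudo ./fusecmd.sh`; a non-empty report is the cue to stop and regenerate the blob rather than burn.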

hello user34150,

it’s suggested to use the massfuse tools to fuse multiple Jetson devices simultaneously.
you may also see $OUT/Linux_for_Tegra/bootloader/README_Massfuse.txt

Currently, I only want to test with three Jetson devices. I managed to run one, but it encountered the following error:

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC:? 0 jetson_user_key_pta_uefi_vars_auth:920 UEFI variable auth key not set !
E/TC:? 0 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008

ASSERT [FvbNorFlashStandaloneMm] /dvs/git/dirty/git-master_linux/out/nvidia/optee.t194-uefi/StandaloneMmOpt)

I tried Method link, but it didn’t work. Here is my process:

echo "5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" > kek2.key
echo "00000000000000000000000000000000" > sym2_t194.key
 ./example.sh
cp eks_t194.img ../Linux_for_Tegra/bootloader/.
cp sym2_t194.key ../Linux_for_Tegra/.
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_l4t_t194_qspi_p3668.xml" jetson-xavier-nx-devkit-emmc mmcblk0p1
sudo ./flash.sh --no-flash -k A_eks jetson-xavier-nx-devkit-emmc mmcblk0p1
sudo cp bootloader/eks_t194_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash -i ./sym2_t194.key -c ./tools/kernel_flash/flash_l4t_t194_nvme_rootfs_enc.xml jetson-xavier-nx-devkit-emmc mmcblk0p1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --flash-only
cd bootloader
sudo bash ./flashcmd.txt

However, when I ran the last command:

sudo bash ./flashcmd.txt

I received the following error:

minhvo@minhvo-MS-7D17:~/DATA2/15.Secure_boot_Jetson/5.1.4_secure/Linux_for_Tegra/bootloader$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0018 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0023 ] BR_CID: 0xe802191164649800140000000cff8280
[   0.7993 ] Bootrom returned error 19
[   1.6119 ] Boot Rom communication failed
[   1.6119 ] 
Error: Return value 19
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm

I need help troubleshooting this device error, and then I would like to proceed with testing on two more devices. Afterward, please guide me on how to perform mass production (with over 20 Jetson devices).

I’m confused; the above is a failure about a mismatched EKS image rather than fuse burning.

Is there anything you’re confused about? I can provide more information if needed. Currently, I have one Jetson device that is encountering an error. I want to troubleshoot this device and ensure secure boot for the remaining two devices without any further issues. I have a total of three devices.

hello user34150,

Secure Boot prevents execution of unauthorized boot code through the chain of trust.
Disk encryption uses a passphrase to unlock the encrypted disk; it works without Secure Boot.

let’s keep this thread for tracking the issue in your title.
you may refer to Burn Fuses with the Fuse Configuration file.

I have tried again with the option -X, but there is still no progress; it still reports an error.

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh -X /home/minhvo/DATA2/15.Secure_boot_Jetson/VIO_Keys/fuse_rsa3k.xml -j -i 0x19 --auth SBKPKC -p -k vio_rsa_priv.pem -S sbk.key jetson-xavier-nx-devkit-emmc
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC:? 0 jetson_user_key_pta_uefi_vars_auth:920 UEFI variable auth key not set !
E/TC:? 0 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008

ASSERT [FvbNorFlashStandaloneMm] /dvs/git/dirty/git-master_linux/out/nvidia/optee.t194-uefi/StandaloneMmOpt)
minhvo@minhvo-MS-7D17:~/DATA2/15.Secure_boot_Jetson/5.1.4_secure/Linux_for_Tegra/bootloader$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0018 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0023 ] BR_CID: 0xe802191164649800140000000cff8280
[   0.8168 ] Bootrom returned error 19
[   1.6252 ] Boot Rom communication failed
[   1.6252 ] 
Error: Return value 19
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm

@JerryChang
I have tried the second Jetson using this standard procedure, but it still encounters errors. I am stuck and don’t know if there are issues when using secure boot with Jetpack 5.1.4. Please provide me with a solution to handle this problem on the two Jetson devices that have failed.

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC:? 0 jetson_user_key_pta_uefi_vars_auth:920 UEFI variable auth key not set !
E/TC:? 0 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008

ASSERT [FvbNorFlashStandaloneMm] /dvs/git/dirty/git-master_linux/out/nvidia/optee.t194-uefi/StandaloneMmOpt)

Here is my process:

  1. Test burn
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh \
--noburn -j -i 0x19 --auth NS -p -k vio_rsa_priv.pem -S sbk.key --KEK2 kek2.txt \
--KEK2 kek2.key --test jetson-xavier-nx-devkit-emmc
  2. Run
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh \
--noburn -j -i 0x19 --auth NS -p -k vio_rsa_priv.pem -S sbk.key \
--KEK2 kek2.key jetson-xavier-nx-devkit-emmc
  3. Extract and check fuses
sudo tar xpf fuseblob.tbz2
cd bootloader
cat odmfuse_pkc.xml  # check if required fuses are included
sudo ./fusecmd.sh
cd ../
  4. Flash
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u vio_rsa_priv.pem -v sbk.key jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader
sudo bash ./flashcmd.txt
  • Key Files
cat kek2.key
5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cat sbk.key
0xfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

may I double check: you’re still able to boot into Linux, right?

this is the log:

[0003.552] I> Welcome to NVDisp-Init
[0003.552] I> NVDisp-Init version: t194-51f071e0
[0003.553] I> CPU-BL Params @ 0xca020000
[0003.553] I>  0) Base:0x00000000 Size:0x00000000
[0003.553] I>  1) Base:0xc8100000 Size:0x00100000
[0003.554] I>  2) Base:0xc9800000 Size:0x00200000
[0003.554] I>  3) Base:0xc8600000 Size:0x00200000
[0003.556] I>  4) Base:0xc8000000 Size:0x00100000
[0003.561] I>  5) Base:0xc7f00000 Size:0x00100000
[0003.565] I>  6) Base:0xc9400000 Size:0x00400000
[0003.570] I>  7) Base:0xc9000000 Size:0x00400000
[0003.574] I>  8) Base:0xc7e00000 Size:0x00100000
[0003.579] I>  9) Base:0xc7d00000 Size:0x00100000
[0003.583] I> 10) Base:0xca800000 Size:0x00800000
[0003.588] I> 11) Base:0x40000000 Size:0x00040000
[0003.592] I> 12) Base:0xc7c00000 Size:0x00100000
[0003.597] I> 13) Base:0x40046000 Size:0x00002000
[0003.601] I> 14) Base:0x40048000 Size:0x00002000
[0003.605] I> 15) Base:0xaf000000 Size:0x00004000
[0003.610] I> 16) Base:0x4004a000 Size:0x00002000
[0003.614] I> 17) Base:0xc7a00000 Size:0x00100000
[0003.619] I> 18) Base:0x4004c000 Size:0x00002000
[0003.623] I> 19) Base:0xc9a00000 Size:0x00600000
[0003.628] I> 20) Base:0x4004e000 Size:0x00002000
[0003.632] I> 21) Base:0xc7bc0000 Size:0x0000c000
[0003.637] I> 22) Base:0x00000000 Size:0x00000000
[0003.641] I> 23) Base:0xc7be0000 Size:0x00020000
[0003.646] I> 24) Base:0xcc000000 Size:0x02000000
[0003.650] I> 25) Base:0x40050000 Size:0x00002000
[0003.655] I> 26) Base:0x40040000 Size:0x00006000
[0003.659] I> 27) Base:0xc8c00000 Size:0x00400000
[0003.663] I> 28) Base:0xc8400000 Size:0x00200000
[0003.668] I> 29) Base:0xc8800000 Size:0x00400000
[0003.672] I> 30) Base:0xc7bd0000 Size:0x00010000
[0003.677] I> 31) Base:0x00000000 Size:0x00000000
[0003.681] I> 32) Base:0xf8000000 Size:0x08000000
[0003.686] I> 33) Base:0xce000000 Size:0x2a000000
[0003.690] I> 34) Base:0xcb000000 Size:0x01000000
[0003.695] I> 35) Base:0xae000000 Size:0x01000000
[0003.699] I> 36) Base:0xa0000000 Size:0x0e000000
[0003.704] I> 37) Base:0xca000000 Size:0x00800000
[0003.708] I> 38) Base:0x80000000 Size:0x20000000
[0003.713] I> 39) Base:0xb0000000 Size:0x08000000
[0003.717] I> 40) Base:0x00000000 Size:0x00000000
[0003.722] I> 41) Base:0x00000000 Size:0x00000000
[0003.726] I> 42) Base:0xc8200000 Size:0x00200000
[0003.730] I> 43) Base:0x00000000 Size:0x00000000
[0003.735] I> 44) Base:0x00000000 Size:0x00000000
[0003.739] I> 45) Base:0x00000000 Size:0x00000000
[0003.744] GIC-SPI Target CPU: 0
[0003.747] Interrupts Init done
[0003.750] calling constructors
[0003.753] initializing heap
[0003.755] I> Heap: [0xa0a60000 ... 0xadf00000]
[0003.759] initializing threads
[0003.762] initializing timers
[0003.765] creating bootstrap completion thread
[0003.769] top of bootstrap2()
[0003.772] CPU: MIDR: 0x4E0F0040, MPIDR: 0x80000000
[0003.777] initializing platform
[0003.780] E> DEVICE_PROD: Invalid value data = 0, size = 0.
[0003.785] W> device prod register failed
[0003.789] I> Bl_dtb @0xadf00000
[0003.792] I> gpio framework initialized
[0003.805] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio' driver
[0003.811] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio-aon' driver
[0003.816] I> fixed regulator driver initialized
[0003.833] I> register 'maxim' power off handle
[0003.836] I> virtual i2c enabled
[0003.836] I> registered 'maxim,max20024' pmic
[0003.836] I> tegrabl_gpio_driver_register: register 'max20024-gpio' driver
[0003.837] I> Boot-device: QSPI
[0003.837] I> Boot_device: QSPI_FLASH instance: 0
[0003.841] I> configure_qspi_clk: qparams clk_src = 5, clk_div = 0, clk_src_freq = 800000000, interface_fre0
[0003.851] I> configure_qspi_clk: FORCING INTERFACE_FREQ TO 133000000!!
[0003.859] I> QSPI source rate = 204000 Khz
[0003.862] I> Requested rate for QSPI clock = 34000 Khz
[0003.867] I> BPMP-set rate for QSPI clk = 34000 Khz
[0003.872] I> tx_clk_tap_delay : 0
[0003.875] I> rx_clk_tap_delay : 16
[0003.878] I> QSPI Flash Size = 32 MB
[0003.886] I> Qspi initialized successfully
[0003.886] I> qspi flash-0 params source = boot args
[0003.891] W> No board IDs available
[0003.893] E> Failed to get board id info!
[0003.899] I> sdmmc-3 params source = safe params
[0003.906] I> Found 41 partitions in QSPI_FLASH (instance 0)
[0003.907] W> Cannot find any partition table for 00000003
[0003.912] E> Failed to publish 00000003
[0003.917] I> Found 22 partitions in SDMMC_USER (instance 3)
[0003.938] I> regulator 'vdd-hdmi-5v0' already enabled
[0003.944] I> regulator 'vdd-hdmi-5v0' already enabled
[0003.945] I> hdmi cable connected
[0003.951] W> set volts not configured for 'vdd-1v0'
[0003.957] W> set volts not configured for 'vdd-1v8-hs'
[0003.957] I> retrieved tmds range from prod_list_hdmi_soc
[0003.958] E> cannot find any other nvdisp nodes
[0003.975] I> edid read success
[0003.987] I> edid read success
[0003.988] I> width = 640, height = 480, frequency = 25174825
[0003.988] I> width = 640, height = 480, frequency = 25174825
[0003.988] I> width = 1024, height = 768, frequency = 65000000
[0003.989] I> width = 1024, height = 768, frequency = 65000000
[0003.989] I> width = 1920, height = 1080, frequency = 148500000
[0003.993] I> width = 1920, height = 1080, frequency = 148500000
[0003.999] I> width = 1920, height = 1080, frequency = 148351648
[0004.005] I> width = 1280, height = 720, frequency = 74175824
[0004.010] I> width = 720, height = 480, frequency = 26973026
[0004.016] I> width = 720, height = 480, frequency = 26973026
[0004.021] I> width = 640, height = 480, frequency = 25174825
[0004.027] I> width = 1920, height = 1080, frequency = 148351648
[0004.033] I> width = 720, height = 576, frequency = 26973026
[0004.038] I> width = 1280, height = 720, frequency = 74175824
[0004.044] I> Best mode Width = 1920, Height = 1080, freq = 148351648
[0004.055] I> hdmi_enable, starting HDMI initialisation
[0004.060] I> hdmi_enable, HDMI initialisation complete
[0004.069] initializing target
[0004.070] calling apps_init()
[0004.070] starting app kernel_boot_app
[0004.071] I> Kernel type = Normal

Jetson UEFI firmware (version 6.0-37391689 built on 2024-08-28T08:47:11+00:00)
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC:? 0 jetson_user_key_pta_uefi_vars_auth:920 UEFI variable auth key not set !
E/TC:? 0 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008

ASSERT [FvbNorFlashStandaloneMm] /dvs/git/dirty/git-master_linux/out/nvidia/optee.t194-uefi/StandaloneMmOpt)

I tried again with version 5.1.3 on the devkit, and the issue didn’t occur anymore. I’m guessing my issue could be due to two possible reasons:

  1. Our custom board might be missing something - I am currently checking this.
  2. Version 5.1.4 may not be able to fix the UEFI protection feature issue like version 5.1.3.

I hope this information can be helpful to you.

hello user34150,

it’s because the UEFI variable protection feature is always enabled,
so you should provide the UEFI variable authentication key (auth_t234.key) in the EKS image.
otherwise UEFI will block booting.

anyways,
please re-generate a new EKS image by flashing JP-5.1.4 with all the security features.

@JerryChang I’ve tried multiple times with version 5.1.4, but it didn’t work. Why is it using auth_t234.key? My device is a Jetson Xavier NX, and I’m only using two files: eks_t194.img and sym2_t194.key. In version 5.1.3, the issue was resolved, but it’s not working in 5.1.4.

Additionally, I would like to know the process for creating a backup and flashing the backup onto a secure boot-enabled device. I’m currently using the following command to create a backup:

sudo ./flash.sh -u vio_rsa_priv.pem -v sbk.key -r -k APP -G backup.img jetson-xavier-nx-devkit-emmc mmcblk0p1

However, I’m unsure how to flash the backup back, as I’m concerned that if I follow the UEFI error fix procedure, my backup might be lost. Do you have any solutions? Is there a way to flash the backup without needing to fix the UEFI error?

Just to clarify, we are using Jetson Xavier NX module, P/N: 900-83668-0000-000.
The key should be auth_t194.key instead of auth_t234 as reference link: link
So could you please help double-check this?

I think I’ve solved the issue on version jetpack 5.1.4 by adding -u vio_rsa_priv.pem -v sbk.key to all commands.
But I don’t know the reason why I had to include those flags together. Could you explain it to me? @JerryChang

Here are the steps I followed to successfully flash JetPack 5.1.4:

tar -xpvf Jetson_Linux_R35.6.0_aarch64.tbz2
cd Linux_for_Tegra/rootfs/
sudo tar -xpvf ../../Tegra_Linux_Sample-Root-Filesystem_R35.6.0_aarch64.tbz2
cd .. # in Linux_for_Tegra folder
sudo ./apply_binaries.sh # Copy NVIDIA user space libraries into target file system
sudo ./tools/l4t_flash_prerequisites.sh # Install the prerequisite dependencies for flashing just one time

Edit example.sh with vim to set kek2.key as follows:
echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" > kek2.key
./example.sh
  • File example.sh:
#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# For each key, uncomment the random generate key and comment out the next line for production
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym2_t194.key
# openssl rand -rand /dev/urandom -hex 16 > auth_t194.key
echo "00000000000000000000000000000000" > auth_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -in_auth_key auth_t194.key \
        -out eks_t194.img
cp eks_t194.img ./Linux_for_Tegra/bootloader/.
cp sym2_t194.key ./Drivers/Linux_for_Tegra/.
cp kek2.key sbk.key vio_rsa_priv.pem ./Linux_for_Tegra/.
  • (1) Reattach the device to the host in RCM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u vio_rsa_priv.pem -v sbk.key --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_l4t_t194_qspi_p3668.xml" jetson-xavier-nx-devkit-emmc mmcblk0p1
  • (2) Reattach the device to the host in RCM mode
sudo ./flash.sh -u vio_rsa_priv.pem -v sbk.key --no-flash -k A_eks jetson-xavier-nx-devkit-emmc mmcblk0p1
  • (3)
sudo cp bootloader/eks_t194_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
  • (4) Reattach the device to the host in RCM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u vio_rsa_priv.pem -v sbk.key -p --no-flash -i ./sym2_t194.key -c ./tools/kernel_flash/flash_l4t_t194_nvme_rootfs_enc.xml jetson-xavier-nx-devkit-emmc mmcblk0p1

Done!
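Two things went wrong repeatedly in this thread before the final procedure above worked: the key files fed to gen_ekb.py were left at the example.sh placeholders, and some flashing commands were run without `-u vio_rsa_priv.pem -v sbk.key` after the board had been fused with PKC + SBK (the BootROM then rejects unsigned or unencrypted images, which is the "Bootrom returned error 19" seen earlier). The script below is an added example written for this thread, not code from the thread or from NVIDIA's L4T tools; it checks both conditions before you reach the flashing step. It assumes each key file holds one 16-byte key as 32 hex characters (what the `openssl rand -hex 16` lines in example.sh produce; sbk.key may carry a 0x prefix as in the thread), that `--flash-only` runs need no key flags because they reuse already signed images, and that every other flash.sh or l4t_initrd_flash.sh run on a fused board needs both -u and -v, which is the thread's own conclusion. The file contents and commands in the sample are constructed.

```python
"""Consistency checks for the EKS key files and flashing commands on a
PKC + SBK fused Jetson Xavier NX (T194).

Added example for this thread; it is not code from the thread or from NVIDIA's
L4T tools. Assumptions: each key file holds one 16-byte key as 32 hex
characters, as the `openssl rand -hex 16` lines in example.sh produce (sbk.key
may carry a 0x prefix, as in the thread); and, once the board is fused with
PKC + SBK, every flash.sh or l4t_initrd_flash.sh run that builds images needs
-u <pkc key> and -v <sbk key>, which is what the thread concluded. The sample
file contents and commands below are constructed.
"""
import shlex

KEY_FILES = ("kek2.key", "fv_ekb_t194", "sym_t194.key", "sym2_t194.key",
             "auth_t194.key", "sbk.key")
EXAMPLE_FV = "bad66eb4484983684b992fe54a648bb8"  # FV shipped in example.sh, to be replaced
FLASH_SCRIPTS = ("flash.sh", "l4t_initrd_flash.sh")


def check_key_file(name, content):
    """Problems with one key file's contents (empty list if it looks fine)."""
    text = content.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    if len(text) != 32 or any(c not in "0123456789abcdefABCDEF" for c in text):
        return [f"{name}: expected 32 hex characters (16 bytes), got {content.strip()!r}"]
    problems = []
    if int(text, 16) == 0:
        # example.sh ships all-zero keys and says to generate random ones for production
        problems.append(f"{name}: all-zero value is the example.sh placeholder, not a production key")
    if name == "fv_ekb_t194" and text.lower() == EXAMPLE_FV:
        problems.append("fv_ekb_t194: still the example FV; replace it and code the same FV into OP-TEE")
    return problems


def check_key_material(files):
    """files maps filename -> contents; returns {filename: [problems]} for files with problems."""
    report = {}
    for name in KEY_FILES:
        problems = [f"{name}: missing"] if name not in files else check_key_file(name, files[name])
        if problems:
            report[name] = problems
    return report


def commands_missing_keys(commands):
    """Commands that invoke a flash script without both -u and -v.

    --flash-only runs are skipped: they reuse images that an earlier -u/-v run
    already signed and encrypted.
    """
    missing = []
    for cmd in commands:
        argv = shlex.split(cmd)
        if not any(arg.endswith(FLASH_SCRIPTS) for arg in argv):
            continue
        if "--flash-only" in argv:
            continue
        if "-u" not in argv or "-v" not in argv:
            missing.append(cmd)
    return missing


# Constructed sample inputs (no real key material).
SAMPLE_FILES = {
    "kek2.key": "5" + "a" * 31,
    "fv_ekb_t194": EXAMPLE_FV,
    "sym_t194.key": "0" * 32,
    "sym2_t194.key": "1f" * 16,
    "auth_t194.key": "2e" * 16,
    "sbk.key": "0x" + "f" * 32,
}
SAMPLE_COMMANDS = [
    "sudo ./flash.sh --no-flash -k A_eks jetson-xavier-nx-devkit-emmc mmcblk0p1",
    "sudo ./flash.sh -u vio_rsa_priv.pem -v sbk.key --no-flash -k A_eks jetson-xavier-nx-devkit-emmc mmcblk0p1",
    "sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --flash-only",
]

if __name__ == "__main__":
    for name, problems in check_key_material(SAMPLE_FILES).items():
        print("\n".join(problems))
    for cmd in commands_missing_keys(SAMPLE_COMMANDS):
        print("missing -u/-v:", cmd)
```

In real use, read each file in KEY_FILES from the directory where example.sh ran and pass the contents as the dict; the flashing commands can be pasted straight from a runbook such as the (1) to (4) list above, and any command reported by commands_missing_keys is one the fused board will reject.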
