Error while flashing secure boot files after burning fuses

Host PC: Lenovo ThinkPad, Ubuntu 18.04
Target: Jetson nano eMMC tegra210-p3448-0002-p3449-0000-b00

  1. I flashed the OS to the Jetson Nano using the SDK Manager. Everything went fine!
  2. I followed the instructions from NVIDIA security instructions

Which means I first installed the necessary tools, then generated a key. Then I burned the fuses using the following command:

sudo ./odmfuse.sh -c PKC -k rsa_prv.pem -i 0x21 -o <mySecretKey>

No error returned. So I think this went fine.

The command sudo ./tegrafuse.sh reveals:

arm_jtag_disable : 0x00000001
odm_lock : 0x00000000
odm_production_mode : 0x00000000
pkc_disable : 0x00000000
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000

Then, I wanted to sign and flash the secure boot file using the following command:
ubuntu@ubuntu:~/Downloads/Linux_for_Tegra$ sudo ./flash.sh BOARDID=3448 BOARDSKU=0002 FAB=400 -x 0x21 -y PKC -u -r rsa_prv.pem jetson-nano-emmc mmcblk0p1

The result is the following:

###############################################################################

L4T BSP Information:

R32 , REVISION: 5.0

###############################################################################

Target Board Information:

Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210,

OpMode: production, Boot Authentication: ,

Disk encryption: disabled ,

###############################################################################
./tegraflash.py --chip 0x21 --applet "/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/nvtboot_recovery.bin" --skipuid --cmd "dump eeprom boardinfo cvm.bin"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0019 ] Generating RCM messages
[ 0.0027 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm /home/ubuntu/Downloads/Linux_for_Tegra/bootloader/nvtboot_recovery.bin 0
0
[ 0.0034 ] RCM 0 is saved as rcm_0.rcm
[ 0.0039 ] RCM 1 is saved as rcm_1.rcm
[ 0.0039 ] List of rcm files are saved in rcm_list.xml
[ 0.0039 ]
[ 0.0039 ] Signing RCM messages
[ 0.0048 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0055 ] Assuming zero filled SBK key
[ 0.0111 ]
[ 0.0111 ] Copying signature to RCM mesages
[ 0.0120 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[ 0.0134 ]
[ 0.0135 ] Boot Rom communication
[ 0.0145 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml --skipuid
[ 0.0154 ] RCM version 0X210001
[ 0.0583 ] Boot Rom communication completed
[ 1.0648 ]
[ 1.0648 ] dump EEPROM info
[ 1.0660 ] tegrarcm --oem platformdetails eeprom /home/ubuntu/Downloads/Linux_for_Tegra/bootloader/cvm.bin
[ 1.0669 ] Applet version 00.01.0000
[ 1.0834 ] Saved platform info in /home/ubuntu/Downloads/Linux_for_Tegra/bootloader/cvm.bin
[ 1.1599 ]
[ 1.1610 ] tegrarcm --reboot recovery
[ 1.1620 ] Applet version 00.01.0000
[ 1.1797 ]
Board ID(3448) version(400)
copying bctfile(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/t210ref/BCT/P3448_A00_lpddr4_204Mhz_P987.cfg)… done.
copying bootloader(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/t210ref/cboot.bin)… done.
copying initrd(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/l4t_initrd.img)… done.
populating kernel to rootfs… done.
populating initrd to rootfs… done.
populating /home/ubuntu/Downloads/Linux_for_Tegra/kernel/dtb/tegra210-p3448-0002-p3449-0000-b00.dtb to rootfs… done.
Making Boot image… done.
Existing sosfile(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/nvtboot_recovery.bin) reused.
copying tegraboot(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/t210ref/nvtboot.bin)… done.
copying cpu_bootloader(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/t210ref/cboot.bin)… done.
copying bpffile(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/t210ref/sc7entry-firmware.bin)… done.
Existing badpagefile(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/badpage.bin) reused.
copying wb0boot(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/t210ref/warmboot.bin)… done.
Existing tosfile(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/tos-mon-only.img) reused.
Existing eksfile(/home/ubuntu/Downloads/Linux_for_Tegra/bootloader/eks.img) reused.
copying dtbfile(/home/ubuntu/Downloads/Linux_for_Tegra/kernel/dtb/tegra210-p3448-0002-p3449-0000-b00.dtb)… done.
Copying nv_boot_control.conf to rootfs
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
sed: can't read /home/ubuntu/Downloads/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf: Not a directory
Making system.img…
/home/ubuntu/Downloads/Linux_for_Tegra/rootfs/boot/extlinux/extlinux.conf is not found, exiting…

So it seems that the population of the rootfs/boot didn't work. But what did I do wrong?

Additional information:
The same happens if I use the flash command without option -r

hello tinhest,

are you able to generate image blob successfully by using --no-flash options?
for example,
$ sudo ./flash.sh BOARDID=3448 BOARDSKU=0002 FAB=400 --no-flash -x 0x21 -y PKC -u rsa_prv.pem jetson-nano-emmc mmcblk0p1

Hi JerryChang,

thanks for your suggestion.
Unfortunately, it doesn't work. I get the result as shown above.

hello tinhest,

could you please check that you have nv_boot_control.conf under your root filesystem?
thanks

Hi JerryChang,

yes, the file is in principle there:

ubuntu@ubuntu:~/Downloads/Linux_for_Tegra$ find . -name nv_boot_control.conf ./bootloader/nv_boot_control.conf

Sorry, the formatting got wrong:

ubuntu@ubuntu:~/Downloads/Linux_for_Tegra$ find . -name nv_boot_control.conf

./bootloader/nv_boot_control.conf

hello tinhest,

are you using the default JetPack release, or have you generated your own root filesystem?
the default path should be ~/nvidia/nvidia_sdk/ if you install the JetPack release via NVIDIA SDK Manager.

Hi JerryChang,

thank you very much for that hint! Actually, I have two Linux_for_Tegra folders:

ubuntu@ubuntu:~$ sudo find . -name nv_boot_control.conf
./Downloads/Linux_for_Tegra/bootloader/nv_boot_control.conf
./nvidia/nvidia_sdk/JetPack_4.5.1_Linux_JETSON_NANO/Linux_for_Tegra/rootfs/etc/nv_boot_control.conf

So, I tried to execute the command in the other location, and now it seems to run :-)
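
A preflight check for the situation resolved above, as an added example that is not part of the thread or of NVIDIA's tooling: it tests a Linux_for_Tegra tree for the two rootfs files that flash.sh failed on in the log, and lists which trees under a directory are usable. The function names are hypothetical; the required paths are taken from the log and the find output in this thread.

```shell
#!/bin/sh
# Added example: verify that a Linux_for_Tegra tree has a populated rootfs
# before signing and flashing from it. Function names are hypothetical.

# check_l4t_tree DIR
# Prints one "missing:" line per absent file; returns 0 only if all are present.
check_l4t_tree() {
    dir=$1
    missing=0
    # flash.sh is run from the tree; the two rootfs paths are the ones the
    # failing run could not read ("Not a directory" / "is not found, exiting").
    for rel in flash.sh \
               rootfs/etc/nv_boot_control.conf \
               rootfs/boot/extlinux/extlinux.conf; do
        if [ ! -f "$dir/$rel" ]; then
            echo "missing: $dir/$rel"
            missing=1
        fi
    done
    return "$missing"
}

# find_flashable_trees ROOT
# Prints every directory named Linux_for_Tegra under ROOT that passes the check.
find_flashable_trees() {
    find "$1" -type d -name Linux_for_Tegra 2>/dev/null | sort |
    while IFS= read -r tree; do
        if check_l4t_tree "$tree" >/dev/null; then
            echo "$tree"
        fi
    done
}

# Usage: sh preflight.sh "$HOME"   (lists the trees that are safe to flash from)
if [ "$#" -gt 0 ]; then
    find_flashable_trees "$1"
fi
```

Running it against the home directory before invoking flash.sh shows at a glance which of several BSP copies has the sample rootfs applied.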