Flashing and SecureBoot test before burning ODM Production Mode FUSE

akudo · January 17, 2025, 11:47am

I need to restore all partitions from non-SecureBoot enabled device (no fuse burnt) to SecureBoot enabled device (fuse burnt). I am using Orin Nano devkit with Jetpack 6.0.

[ Orin Nano (No FUSE burnt) ] ==> [ Orin Nano (SecureBoot with FUSE enabled) ]

I guess it is possible to do it with backup restore tool if I use PKC file and SBK file with -u and -v option. But could you please confirm this before I actually consume another device FUSE?

# Backup
sudo ./tools/backup_restore/l4t_backup_restore.sh -e nvme0n1 -b jetson-orin-nano-devkit

# Restore
sudo ./tools/backup_restore/l4t_backup_restore.sh -e nvme0n1 -r \
    -u pkc.key -v sbk.key jetson-orin-nano-devkit

Suppose I have mfi tar ball from the non-SecureBoot enabled device, I guess it is not possible to flash the mfi image to the SecureBoot enabled device. However, will it turn possible if I don’t burn ODM Production Mode FUSE but only PKC/SBK/OEM_K1 FUSE?
```
# Will this work if ODM Production Mode FUSE is not burnt?
cd mfi_jetson-orin-nano-devkit
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only
```
Related to the above question, is it possible to test SecureBoot without burning ODM Production Mode FUSE? Actually I have verified with burning ODM Production Mode FUSE that I can enable SecureBoot with FUSE as follows. But I’d like to know whether the same can be tested without ODM Production Mode FUSE or not before consuming another device FUSE.

# Generate keys and EKS
python3 gen_ekb.py \
        -chip t234 \
        -oem_k1_key oem_k1.key \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img

# oem_k1.key contains the same value as OEM_K1 FUSE
# sym_t234.key, sym2_t234.key, and auth_t234.key includes randomly generated Hex strings
# Copy to eks_t234.img to Linux_for_Tegra/bootloader
# Copy sym_t234.key and sym2_t234.key to Linux_for_Tegts

sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
        --network usb0 -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
        -u pkc.key -v sbk.key --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc sym_t234.key \
        --erase-all --no-flash jetson-orin-nano-devkit internal

sudo cp bootloader/eks_t234_sigheader_encrypt.img.signed ./tools/kernel_flash/images/internal/

sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
        --erase-all --no-flash --external-device nvme0n1p1 \
        -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml \
        -u pkc.key -v sbk.key --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc sym_t234.key \
        --external-only --append jetson-orin-nano-devkit external

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only

JerryChang · January 20, 2025, 2:31am

hello akudo,

actually, you may using backup/restore script after secure boot has enabled.
for instance,
$ sudo ./tools/backup_restore/l4t_backup_restore.sh -u <PKC> -v <SBK> -b <Jetson-platform>

however,
there’s security concern to backup/restore an encrypted disk, (i.e. ROOTFS_ENC).
please refer to Topic 291335 to create encrypted images with a generic key,
so that you may create a massflash (i.e. mfi_*.tar.gz) package to flash multiple devices simultaneously.

akudo · January 20, 2025, 2:51am

Hello JerryChang,

Yes, I will use the generic key solution in the end for mass production.
I have verified it works as well.
For R&D phase, I sometimes create an image without --massflash option because it can save time from creating mfi.

What about my question when FUSE is burnt without ODM Production Mode flag?

I have mfi tar ball from the non-SecureBoot enabled device, I guess it is not possible to flash the mfi image to the SecureBoot enabled device. However, will it turn possible if I don’t burn ODM Production Mode FUSE but only PKC/SBK/OEM_K1 FUSE?

is it possible to test SecureBoot without burning ODM Production Mode FUSE?

Thank you.

akudo · January 20, 2025, 7:08am

I have schedule constraints and so I will try the ODM Production Mode test myself.
Thank you for all the information, anyway.

system · February 3, 2025, 7:08am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Questions about Orin Secure Boot Jetson AGX Orin security	2	270	June 24, 2024
Disk Encryption on Jetson Orin Nano Without Secure Boot or UEFI Secure Boot Jetson Orin Nano security	6	154	July 31, 2024
[L4T 35.4.1] How to verify is SecureBoot is running Jetson Orin Nano security	10	440	April 23, 2024
How to prevent efuse/no efuse flash and update problem Jetson Nano security	22	2070	October 15, 2021
Implement Jetson Secure Boot without UEFI Secure Boot on Jetson AGX Orin Jetson AGX Orin security	8	132	October 8, 2024
SecureBoot on Jetson Orin : Flash Successfull but uefi firmware error Jetson Orin NX security	5	54	February 4, 2025
[L4T 35.4.1] How to get both UEFI SecureBoot and burning software fuses Jetson Orin Nano security	7	333	May 22, 2024
Secure boot on Jetson Orin Nano 4GB-DRAM (P3767-0004) board not booting [part 2] Jetson Orin Nano security	8	28	February 20, 2025
SecureBoot validation Jetson AGX Orin security	4	256	July 3, 2024
Firmware with daisk encryption Jetson Orin NX security	8	270	April 15, 2024

Flashing and SecureBoot test before burning ODM Production Mode FUSE

Related topics