How to prevent efuse/no efuse flash and update problem

we have some cases to protect:

  1. if the efuse is not burned, but the image is encrypted by PKC, how to prevent it
  2. if the efuse is burned, but the image is encrypted by the wrong PKC, how to prevent it

for these two problems, how to prevent them when flashing or updating

hello rd1,

in theory, you may be able to flash the images since SecureBoot is not enabled.
but I am not sure whether your system will be able to boot up or not, since I’ve never tested this use-case before.
however, you may re-flash the board again to recover that.

the device may not boot up due to key mismatch.
the concept of Secureboot is to prevent execution of unauthorized code during the boot process through chain-of-trust; those authenticated boot components (such as Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using the private key.
PKC public key hash (stored in fuse) is validated by BootROM when it loads in BR-BCT (where public key is stored).

how to check whether the device has burned the efuse or not, when the device can’t boot?

hello rd1,

assuming the device is still able to enter forced-recovery mode.
you may enable, to read the fuse info from the target board.

how to enable it? we didn’t find it in our code

hello rd1,

please access download center, it’s included in the SecureBoot Tools,

I downloaded the newest tools, but didn’t find the file

are you sure it is included in the SecureBoot Tools for Jetson Nano emmc?

hello rd1,

sorry, it only supports Jetson TX2 series and Jetson Xavier series platforms so far.

Hi Jerry:
I used “sudo ./ --noburn -i 0x21 -c PKC -p -k rsa_priv.pem” to generate the efuse blob,
and then used “sudo ./” to burn the efuse blob. it was successful, but when I tried to flash an unsigned image, it unexpectedly flashed ok.
after boot, I checked with “sudo ./”
It returned:
arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
I see odm_production_mode has changed to 1, but pkc_disable is not 0. I think it should be 0.
what is the problem?

hello rd1,

may I know which JetPack release and which secureBoot package you’re working with?

we used jetson nano emmcsecureboot.rar (303.2 KB)

L4T BSP Information:

R32 , REVISION: 4.2

Hi Jerry:
I have updated our secureboot package, please help to check the problem.

hello rd1,

could you please share your TNSPEC of your board, i.e. $ cat /etc/nv_boot_control.conf

there’s a known issue that pkc_disable fuse is programmed to 0x1 with -p option enabled.
please also check Topic 144888 to download nvtboot binaries to correct the issue for fuse burn.

hello rd1,

is this a duplicate issue with Topic 173794 Flash failed after burnned efuse?
please check post #3 for the suggestions to handle your efuse/no efuse scenarios.
let’s keep Topic 173794 for tracking device disconnected issue for further supports.

Hi Jerry:
$ cat /etc/nv_boot_control.conf
TNSPEC 3448-400-0002--1-0-jetson-nano-emmc-smpsq-mmcblk0p1
TEGRA_OTA_BOOT_DEVICE /dev/mmcblk0boot0
TEGRA_OTA_GPT_DEVICE /dev/mmcblk0boot1

I see Topic 14888, you mean we should:

  1. download (211.1 KB) for nvtboot binaries.
    where should these files be downloaded to? the secureboot dir? to generate the fuse blob?
    also use “sudo ./ --noburn -i 0x21 -c PKC -p -k rsa_priv.pem”?

hello rd1,

you should have flashing environment for JetPack release image,
please update those nvtboot*.bin binaries with the attachment.
for example,


if you’re installing the latest JetPack release, (i.e. JetPack-4.5) it will already include those nvtboot fixes.

thank you Jerry,
I downloaded these files, and if we generate the fuse blob, should we use -p or not use -p?
you mean our JetPack is old, and the old JetPack had the bug of pkc_disable fuse not programmed to 0x1 when using the same method “-p”?

hello rd1,

there’s an issue with the fusing utility, which burns PKC Disable accidentally. you should apply the nvtboot fixes to address it.
this is a bug for the early JetPack releases on the Nano platform, (i.e. before JetPack-4.5).

it’s up to your decision after you’ve included the fix.
note, programming fuses is non-reversible. Once odm_production_mode (-p option) is fused with a value of 0x1, all further fuse write requests are blocked.

thank you, is the correct PKC Disable efuse value 0 or 1 for T210?
For T210,
| bitsize | name | default value set by |
| 1 | odm_production_mode | 0x1 |
| 256 | public_key_hash | RSA Public Key Hash |
| 1 | pkc_disable | PKC - 0x0, NS - 0x1 |
| 128 | secure_boot_key | Secure Boot Key (SBK) AES encryption key for other security applications. If no other security application is used, leave it untouched. |
| 32 | device_key | Device key for other security applications. If no other security applications are used, leave it untouched. |

I mean if we used “sudo ./ -i 0x21 -c PKC -p -k rsa_priv.pem” to burn the efuse,
then after boot, used “sudo ./” to check.
should pkc_disable be 0x00000001 or 0x00000000? I am puzzled by this.
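
Added example (not part of the original thread and not NVIDIA tooling): a small Python check that parses a fuse readback in the `name : 0xVALUE` form posted above and classifies it using only the two rules stated in this thread (the table's `pkc_disable` meaning, and that `odm_production_mode` = 0x1 blocks further fuse writes). The function names and status labels are assumptions made for this example; the readback does not include `public_key_hash`, so that fuse is not checked.

```python
import re

# Fuse readback exactly as posted in this thread; only its text is parsed here.
THREAD_READBACK = """\
arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
"""

_LINE = re.compile(r"^\s*([a-z0-9_]+)\s*:\s*(0x[0-9a-fA-F]+)\s*$")


def parse_fuses(text):
    """Return {fuse_name: int} from 'name : 0xVALUE' lines; skip anything else."""
    fuses = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fuses[m.group(1)] = int(m.group(2), 16)
    return fuses


def assess(fuses):
    """Classify a readback as (status, reason); labels are this example's own."""
    missing = [k for k in ("odm_production_mode", "pkc_disable") if k not in fuses]
    if missing:
        return "UNKNOWN", "readback lacks: " + ", ".join(missing)
    if fuses["odm_production_mode"] != 1:
        # Thread: fuse writes are only blocked once odm_production_mode is 0x1.
        return "NOT_PRODUCTION", "odm_production_mode is 0x0; fuses still writable"
    if fuses["pkc_disable"] == 0:
        # Table in the thread: pkc_disable is 0x0 for PKC, 0x1 for NS.
        return "PKC_LOCKED", "pkc_disable is 0x0 (PKC); fuse writes are blocked"
    return "NS_LOCKED", "pkc_disable is 0x1 (NS); fuse writes are blocked"


if __name__ == "__main__":
    status, reason = assess(parse_fuses(THREAD_READBACK))
    print(status + ": " + reason)
```

Run against a unit's readback before it leaves the fusing station, an `NS_LOCKED` result matches the state reported in this thread, where an unsigned image still flashed after the fuse burn.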