How to use rsa_key to sign the boot files

How do I use rsa_key to sign the boot files? We used "sudo ./flash.sh --no-flash -x 0x21 -y PKC -u jetson-nano-emmc-smpsd mmcblk0p1" to sign the boot files. After this, I compared boot.img.encrypt with the unsigned one, and they are the same. Where is my mistake?
Please help check whether the command ran OK:

sudo ./flash.sh --no-flash -x 0x21 -y PKC -u scala_rsa.pem jetson-nano-emmc-smpsd mmcblk0p1
###############################################################################

L4T BSP Information:

R32 , REVISION: 4.2

###############################################################################
Board ID() version() sku() product_id(smpsd)
copying bctfile(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/BCT/P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.cfg)… done.
copying bootloader(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/cboot.bin)… done.
copying initrd(/home/scala/work/NVT210_03_11/bsp/bootloader/l4t_initrd.img)… done.
populating kernel to rootfs… done.
populating initrd to rootfs… done.
populating /home/scala/work/NVT210_03_11/bsp/kernel/dtb/smpsd-tegra210-p3448-0002-p3449-0000-b00.dtb to rootfs… done.
Making Boot image… done.
Existing sosfile(/home/scala/work/NVT210_03_11/bsp/bootloader/nvtboot_recovery.bin) reused.
copying tegraboot(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/nvtboot.bin)… done.
copying cpu_bootloader(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/cboot.bin)… done.
copying bpffile(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/sc7entry-firmware.bin)… done.
Existing badpagefile(/home/scala/work/NVT210_03_11/bsp/bootloader/badpage.bin) reused.
copying wb0boot(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/warmboot.bin)… done.
Existing tosfile(/home/scala/work/NVT210_03_11/bsp/bootloader/tos-mon-only.img) reused.
Existing eksfile(/home/scala/work/NVT210_03_11/bsp/bootloader/eks.img) reused.
copying dtbfile(/home/scala/work/NVT210_03_11/bsp/kernel/dtb/smpsd-tegra210-p3448-0002-p3449-0000-b00.dtb)… done.
Copying nv_boot_control.conf to rootfs
Making system.img…
populating rootfs from /home/scala/work/NVT210_03_11/bsp/rootfs … done.
Sync’ing system.img … done.
Converting RAW image to Sparse image… done.
system.img built successfully.
Existing tbcfile(/home/scala/work/NVT210_03_11/bsp/bootloader/nvtboot_cpu.bin) reused.
copying tbcdtbfile(/home/scala/work/NVT210_03_11/bsp/kernel/dtb/smpsd-tegra210-p3448-0002-p3449-0000-b00.dtb)… done.
copying cfgfile(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/cfg/flash_l4t_t210_emmc_p3448.xml) to flash.xml… done.
copying flasher(/home/scala/work/NVT210_03_11/bsp/bootloader/t210ref/cboot.bin)… done.
Existing flashapp(/home/scala/work/NVT210_03_11/bsp/bootloader/tegraflash.py) reused.
./tegraflash.py --bl cboot.bin --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.cfg --odmdata 0x94000 --bldtb smpsd-tegra210-p3448-0002-p3449-0000-b00.dtb.signed --applet nvtboot_recovery.bin --cmd "flash; reboot" --cfg flash.xml --chip 0x21 --bins "EBT cboot.bin; DTB smpsd-tegra210-p3448-0002-p3449-0000-b00.dtb" --key "/home/scala/work/NVT210_03_11/bsp/scala_rsa.pem"
saving flash command in /home/scala/work/NVT210_03_11/bsp/bootloader/flashcmd.txt
saving Windows flash command to /home/scala/work/NVT210_03_11/bsp/bootloader/flash_win.bat

hello rd1,

Have you already fused the board to enable Secure Boot? Please also check the Secure Boot chapter on how to program the fuse.
After that, the secure boot process signs the boot image files with PKC.

You may enable the --noburn option of the odmfuse.sh script to prepare the fuse blob; it will generate fuseblob.tbz2 for testing and verification.
thanks

I am trying to sign the boot files with the PKC offline; after this I will burn the fuse, and then flash all the images. So is my option to sign the boot files right?

hello rd1,

Secure Boot prevents the execution of unauthorized code during the boot process through a chain of trust. It uses Public Key Cryptography (PKC) key pairs stored in the fused device.
Please also check the Jetson Nano Fuse Specification Application Note for more details.
thanks

JerryChang:
Thank you,
1. I mean, after burning the PKC fuse, how do I sign the boot image files with PKC offline? I used "sudo ./flash.sh --no-flash -x 0x21 -y PKC -u jetson-nano-emmc-smpsd mmcblk0p1", but it seems they are not signed.
2. If I just burn the PKC fuse but do not use the PKC to sign the boot image files,
and flash the unsigned boot image files, does the target boot normally?

hello rd1,

(1) I've tried locally by adding the --no-flash option, and it seems it did not generate boot.img.encrypt or the other signed binaries. You may run the flash script to flash the board directly in order to generate those signed/encrypted binaries for flashing the board. Please also check Topic 170411 as a see-also.

(2) You may not be able to complete the flashing process since no key was assigned.
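
A quick way to tell the two symptoms in this thread apart (a boot.img.encrypt that equals its input, and a --no-flash run that produced no signed output at all) is to inspect the saved flash command and the generated artefacts. This is an added example, not code from the thread or from NVIDIA's L4T tools; it assumes the r32.4.2 layout seen in the log above (bootloader/flashcmd.txt, boot.img next to boot.img.encrypt, and the board DTB next to its .signed copy) and takes the board-specific DTB name as an argument.

```shell
#!/bin/sh
# Added example, not part of this thread or of NVIDIA's L4T tools. It checks
# a finished flash.sh run for the two symptoms discussed above: a saved
# tegraflash.py command with no usable --key, and "signed" outputs that are
# byte-identical to their inputs. Assumes the r32.4.2 layout from the log:
# <bsp>/bootloader/flashcmd.txt plus boot.img / boot.img.encrypt and the
# .dtb / .dtb.signed pair in the same directory.

# Pull the --key argument out of the saved flash command and confirm it
# points at a readable PEM private key. 0 = present, 1 = missing/unusable.
flashcmd_has_key() {
    cmd_file=$1
    [ -r "$cmd_file" ] || { echo "no flash command at $cmd_file"; return 1; }
    key=$(sed -n 's/.*--key *"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p' "$cmd_file" | head -n 1)
    [ -n "$key" ] || { echo "flash command carries no --key: PKC signing was not requested"; return 1; }
    [ -r "$key" ] || { echo "key file $key is not readable"; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "$key is not a PEM private key"; return 1; }
    echo "flash command signs with $key"
}

# A genuinely signed/encrypted artefact can never equal its input. 0 = the
# pair looks signed, 1 = the signed copy is missing or identical to the input.
signed_differs() {
    plain=$1 signed=$2
    [ -f "$signed" ] || { echo "$signed was not generated"; return 1; }
    if cmp -s "$plain" "$signed"; then
        echo "$signed is byte-identical to $plain: not signed"
        return 1
    fi
    echo "$signed differs from $plain (ok)"
}

# Run both checks over a bootloader directory; the DTB name is passed in
# because it is board specific (smpsd-... in the log above).
check_signed_build() {
    dir=$1 dtb=$2 rc=0
    flashcmd_has_key "$dir/flashcmd.txt" || rc=1
    signed_differs "$dir/boot.img" "$dir/boot.img.encrypt" || rc=1
    signed_differs "$dir/$dtb" "$dir/$dtb.signed" || rc=1
    return $rc
}

# Usage: sh check_signed_build.sh <bsp>/bootloader <board>.dtb
[ $# -lt 2 ] || check_signed_build "$1" "$2"
```

A non-zero exit from check_signed_build means the run in question should not be used for fusing or mass flashing until the cause (no key passed, or signing skipped) is fixed.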

Hi JerryChang:
To protect the ODM production fuse, I used the command "sudo ./odmfuse.sh -i <chip_id> -c NS -p <device_name>". Does it mean it just burns the odm_production_mode fuse and does not burn
public_key_hash? Did I get that right?

hello rd1,

Yes, please check more details as follows,
thanks

Assigning the -p option to the odmfuse script will burn odm_production_mode = 0x1. Once odm_production_mode is fused with the value 0x1, all further fuse write requests are blocked and the fused values are available through the provided Tegra API;

By using the -c NS switch, it will configure the bit pkc_disable = 0x1. This locks the fuses without PKC encryption.

OK, thank you JerryChang!
We had a problem: we flashed the signed image to a non-fused board; after this the target board can't boot and we can't flash it again. What should we do?

hello rd1,

Have you saved those flash messages? Could you please attach them for reference?

Regarding this,
could you please set up a serial console to check the bootloader messages.
thanks

We didn't save the messages. We will create a new topic when we resolve this problem.
And we used "./nvmassflashgen.sh -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc-smpsq mmcblk0p1" to generate the image, then used "sudo ./nvmflash.sh --showlogs" to flash, but it didn't work; we can't flash.
20210323-160551_24964_flash_1-2.log (1.9 KB)

hello rd1,

These flash logs did not show errors.
May I know what happens if you perform it again with the flash script, flash.sh?
thanks

Using flash.sh to flash, it is OK.
So I think nvmflash.sh does not work for secure images; could you use nvmflash.sh to test on your side?

Dear Jerry:
We can flash with flash.sh, but not with nvmflash.sh; there is no response at all.
Please help confirm whether nvmflash.sh can flash the secure version.

hello rd1,

Could you please also try the offline method for the nvmassflashgen script.
For example,

 BOARDID={} BOARDSKU={} FAB={} FUSELEVEL=fuselevel_production ./nvmassflashgen.sh -u rsa_priv.pem -v sbk.key jetson-nano-emmc mmcblk0p1

We used "./nvmassflashgen.sh -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc-smpsq mmcblk0p1" to generate the image; this is offline.

hello rd1,

The offline approach means you can generate the massflash command without a Jetson device connected, by assigning the board info on the command line.

Yes, we always use nvmassflashgen.sh offline.