How do I use rsa_key to sign the boot files? We used “sudo ./flash.sh --no-flash -x 0x21 -y PKC -u jetson-nano-emmc-smpsd mmcblk0p1” to sign the boot files. After this, I checked the boot.img.encrypt with no, they are the same. Where did I go wrong?
Please help check whether the cmd ran OK:
Have you already fused the board to enable Secure Boot? Please also check the Secureboot chapter to program the fuse.
After that, it’s the secure boot process to sign boot image files with PKC.
You may enable the --noburn option for the odmfuse.sh script to prepare the fuse blob; it’ll generate fuseblob.tbz2 for testing and verification.
thanks
Secureboot is to prevent execution of unauthorized code during the boot process through a chain of trust. It uses key pairs of Public Key Cryptography (PKC) stored in the fused device.
Please also check the Jetson Nano Fuse Specification Application Note for more details.
thanks
JerryChang:
Thank you,
1. I mean, after burning the PKC fuse, how do I sign the boot image files with PKC offline? I used “sudo ./flash.sh --no-flash -x 0x21 -y PKC -u jetson-nano-emmc-smpsd mmcblk0p1”, but it seems not signed.
2. If I just burn the PKC fuse, but do not use the PKC to sign the boot image files, and flash the unsigned boot image files, does the target boot normally?
(1) I’ve tried locally by adding the --no-flash option, and it seems it did not generate boot.img.encrypt or other signed binaries. You may run the flash script to flash the board directly in order to generate those signed/encrypted binaries for flashing the board. Please also check Topic 170411 as a see-also.
(2) You may not be able to complete the flashing process since a key is not assigned.
Hi JerryChang:
To protect the ODM production fuse, we used the cmd “sudo ./odmfuse.sh -i <chip_id> -c NS -p <device_name>”. Does it mean just burning the odm_production_mode fuse, not burning public_key_hash? Did I get that right?
Yes, please check more details as follows:
thanks
Assigning the -p option to the odmfuse script will burn odm_production_mode = 0x1; once odm_production_mode is fused with a value of 0x1, all further fuse write requests are blocked and the fused values are available through the provided Tegra API.
By using the -c NS switch, it will configure the bit pkc_disable = 0x1. This locks the fuse without PKC encryption.
ok, thank you JerryChang!
We had a problem: we flashed a signed image to a no-fuse board; after this, the target board can’t boot and we can’t flash again. What should we do?
We didn’t save the messages. We will create a new topic when we resolve this problem.
And we used “./nvmassflashgen.sh -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc-smpsq mmcblk0p1” to generate the image, then used “sudo ./nvmflash.sh --showlogs” to flash, but it didn’t work; we can’t flash. 20210323-160551_24964_flash_1-2.log (1.9 KB)