How to verify that flashing of secure boot worked?

Dear NVIDIA Team!

I followed all the steps in your security guide for securing my Jetson Nano.

Details are also given in another entry in this forum here

In short:
Host PC: Lenovo ThinkPad, Ubuntu 18.04
Target: Jetson Nano eMMC tegra210-p3448-0002-p3449-0000-b00

I burned the eFuses according to my needs using a PKC key. Afterwards, I could see the correctly burned odm key. So this step looks fine.

Afterwards I flashed the signed OS using the following command:
sudo ./flash.sh BOARDID=3448 BOARDSKU=0002 FAB=400 -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc mmcblk0p1

The Jetson Nano boots afterwards. So it seems to be fine.

Now, I wanted to see if the secure boot really works and tried to repeat the flash step without the PKC key using the following command:

sudo ./flash.sh jetson-nano-emmc mmcblk0p1

And this also worked, and the Jetson Nano booted fine.

Is this the expected behaviour? My understanding was that I should not be able to flash something to the Jetson Nano without using the PKC key. Or am I wrong?
If my understanding is wrong, then how can I test if the secure boot step really worked?

hello tinhest,

since the fuse programming is non-reversible, you could just check the fuse values as follows,
for example, $ ls -al /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/

secureboot is to ensure trusted code runs on the Jetson device, and it prevents execution of unauthorized boot code through a chain of trust. please check the logs from the bootloader side, it should report related errors.
thanks

hello JerryChang!

Thank you for your reply!
I checked the fuses, they look fine.

Can you tell me what I should look for to see if the secureboot did work? I checked the bootloader log with the command journalctl -b. The log is quite long and there are not many errors from when I flashed without the PKC key before.

Is it alright that I can flash without the PKC key and it's booting afterwards? I thought the idea is that the PKC key is required to flash bootable files!

hello tinhest,

actually, you should set up a serial console to gather bootloader logs while the system boots up.