How to verify that flashing of secure boot worked?

Dear NVIDIA Team!

I followed all the steps in your security guide for securing my jetson nano.

Details are also given in another entry in this forum here

In short:
Host PC: Lenovo Think pad, Ubuntu 18.04
Target: Jetson nano eMMC tegra210-p3448-0002-p3449-0000-b00

I burned the E Fuses according to my needs using a PKC key. Afterwards, I could see the correctly burned odm key. So this steps looks fine.

Afterwards I flashed the signed OS using the following command:
sudo ./ BOARDID=3448 BOARDSKU=0002 FAB=400 -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc mmcblk0p1

The jetson nano boots afterwards. So it seems to be fine.

Now, I wanted to see if the secure boot really works and tried to repeat the flash step without PKC key using the following command:

sudo ./ jetson-nano-emmc mmcblk0p1

And, also this worked and the jetson nano booted fine.

Is this the expected behaviour? My understanding was, that I should not be able to flash something to the jetson nano without using the PKC key. Or am I wrong?
If my understanding is wrong, then how can I test if the secure boot step really worked?

hello tinhest,

since the fuse programming is non-reversible, you could just check the fuse values as following,
for example, $ ls -al /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/

secureboot is to ensure trusted code running at Jetson device and prevents execution of unauthorized boot codes through chain of trust. please check the logs from bootloader side, it should report related errors.

hello JerryChang!

Thank you for your reply!
I checked the fuses, they look fine.

Can you tell me for what I shall look to see if the secureboot did work? I checked the bootloader log with the command journalctl -b. The log is quite long and there not many errors when I flashed without PKC key before.

Is it alright that I can flash without the PKC key and its bootign afterwards? I thought the idea is that the PKC key is required to flash bootable files!

hello tinhest,

actually, you should setup serial console to gather bootloader logs while system boot-up.