Invalid boot.img header magic after enabling secureboot on TX2 Jetpack 4.5.1

Hello,

I’m using Jetpack 4.5.1 on custom carrier board.

I have burnt fuses with the following command:

sudo ./odmfuse.sh -i 0x18 -k ../macq_rsa_priv.pem -S ../macq.sbk --KEK2 ../macq.kek2 jetson-tx2

tx2-burn-fuse.log (43.9 KB)

I then issued the following command:

sudo BOARDID=3310 FAB=C04 ./flash.sh -y SBKPKC -u ../macq_rsa_priv.pem -v ../macq_sbk_sign.key --user_key ../macq_kek2_sign.key jetson-tx2 mmcblk0p1

flash-tx2-secureboot-ok.log (74.5 KB)

cat bootloader/odmfuse_pkc.xml
<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="SecureBootKey" size="16" value="0x866384514bedcef843aedbab49507086" />
<fuse name="Kek2" size="16" value="0x51647dc851aebe684fac1d5dafdf84d9" />
<fuse name="PublicKeyHash" size="32" value="0x9b4cde0060381f59676c73760f6b64cf59b1a028de8dd6dbaea90fae362a6afc" />
<fuse name="BootSecurityInfo" size="4" value="0x6" />
</genericfuse>

After that, boot process just loops, here is serial line logs:

secureboot-serial.log (13.5 KB)

Can you please tell me what is wrong?

Kind regards,

Tanguy

hello TANGUY.MEZZANO,

you must also program the odm_production_mode, -p, once you program the fuse with PKC+SBK, otherwise, you’ll be stuck at the booting stage.
note, once odm_production_mode is fused with value of 0x1, all further fuse write requests are blocked and the fused values are available through the provided Tegra API.
thanks

Hello Jerry,

user@TaMLap:~/flash-cam5/Linux_for_Tegra$ sudo ./odmfuse.sh -i 0x18 -p -k ../macq_rsa_priv.pem -S ../macq_sbk_burn.key --KEK2 ../macq_kek2_burn.key jetson-tx2
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.
user@TaMLap:~/flash-cam5/Linux_for_Tegra$ sudo BOARDID=3310 FAB=C04 ./odmfuse.sh -i 0x18 -p --force -k ../macq_rsa_priv.pem -S ../macq_sbk_burn.key jetson-tx2
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

Any idea?

Thanks

hello TANGUY.MEZZANO,

is this a device fused with PKC only?

may I know which authentication type, (for example, NS/ PKC/ SBKPKC) you’d enable for your Jetson platform?
you MUST determine the fuse types, (i.e. NS, PKC, PKCSBK) and burn those keys to the target for the 1st time.
due to safety concerns, you cannot burn fuses a 2nd time to program SBK into a PKC fused device.

Hello Jerry,

You can find the command used to fuse and the logs in my first comment.
I did provide an SBK key so I assume it is SBKPKC.

I followed the example given in the odmfuse.sh script:

# Examples for Jetson TX2:
#   1. Secure fuse with PKC, SBK and KEK2:
#      ./odmfuse.sh -i 0x18 -k <Key file> -S <SBK file> --KEK2 <KEK2 file> jetson-tx2

Kind regards,

Tanguy

hello TANGUY.MEZZANO,

ya, that’s fuse commands to enable SBKPKC, please enable odmfuseread.sh to read the fuse info from the target board.
for example, ./odmfuseread.sh -i <chip_id> [options] target_board

Hello Jerry,

user@TaMLap:~/flash-cam5/Linux_for_Tegra$ lsusb
Bus 002 Device 004: ID 05e3:0612 Genesys Logic, Inc. 
Bus 002 Device 003: ID 05e3:0612 Genesys Logic, Inc. 
Bus 002 Device 002: ID 05e3:0617 Genesys Logic, Inc. 
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 138a:003f Validity Sensors, Inc. VFS495 Fingerprint Reader
Bus 001 Device 003: ID 05c8:0383 Cheng Uei Precision Industry Co., Ltd (Foxlink) 
Bus 001 Device 045: ID 0955:7c18 NVidia Corp. 
Bus 001 Device 123: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC
Bus 001 Device 007: ID 8087:0a2b Intel Corp. 
Bus 001 Device 009: ID 046d:c24d Logitech, Inc. G710 Gaming Keyboard
Bus 001 Device 008: ID 1b1c:1b05 Corsair 
Bus 001 Device 006: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 004: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 002: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
user@TaMLap:~/flash-cam5/Linux_for_Tegra$ ./odmfuseread.sh -i 0x18 -k ../macq_rsa_priv.pem -S ../macq_sbk_sign.key jetson-tx2
Error: ECID read failed.
The target board must be attached in RCM mode.

I’ve then tried:

user@TaMLap:~/flash-cam5/Linux_for_Tegra$ lsusb
Bus 002 Device 004: ID 05e3:0612 Genesys Logic, Inc. 
Bus 002 Device 003: ID 05e3:0612 Genesys Logic, Inc. 
Bus 002 Device 002: ID 05e3:0617 Genesys Logic, Inc. 
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 138a:003f Validity Sensors, Inc. VFS495 Fingerprint Reader
Bus 001 Device 003: ID 05c8:0383 Cheng Uei Precision Industry Co., Ltd (Foxlink) 
Bus 001 Device 048: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC
Bus 001 Device 049: ID 0955:7c18 NVidia Corp. 
Bus 001 Device 007: ID 8087:0a2b Intel Corp. 
Bus 001 Device 009: ID 046d:c24d Logitech, Inc. G710 Gaming Keyboard
Bus 001 Device 008: ID 1b1c:1b05 Corsair 
Bus 001 Device 006: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 004: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 002: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
user@TaMLap:~/flash-cam5/Linux_for_Tegra$ cd bootloader/
user@TaMLap:~/flash-cam5/Linux_for_Tegra/bootloader$ ./tegrarcm_v2 --uid
USB communication failed.Check if device is in recovery

Same cable used to set in RCM and to flash with other devices, when in RCM, serial line doesn’t output anything as expected.

hello TANGUY.MEZZANO,

could you please try again by using --auth options, it’s following the authentication status of your board.
for example,
$ sudo BOARDID=3310 BOARDSKU=1000 FAB=C04 ./odmfuse.sh --noburn -i 0x18 --auth SBKPKC -p -k <pkc> --KEK2 <kek2> -S <sbk> jetson-tx2-devkit
this is one offline approach to create fuseblob without boards connected,
please check whether you’re able to run this command-line correctly.
thanks

Hello Jerry,

sudo BOARDID=3310 BOARDSKU=1000 FAB=C04 ./odmfuse.sh --noburn -i 0x18 --auth SBKPKC -p -k ../macq_rsa_priv.pem --KEK2 ../macq_kek2_burn.key -S ../macq_sbk_sign.key jetson-tx2

tx2-burn-fuse-auth.log (52.0 KB)

It seems to have succeeded.

What should I do now?

hello TANGUY.MEZZANO,

it should generate one tbz2 file of a fuseblob. please extract that file and use the command to burn the board,
thanks

Hello Jerry

It seems it did work, here are the logs of fuseblob command:
tx2-burn-fuse-p.log (3.8 KB)

But after reboot, I still get the same cboot error:

[0003.381] I> Validate kernel ...
[0003.384] I> T18x: Authenticate kernel (bin_type 24), max size 0x4000000
[0003.390] I> cboot: Info: Handle RSA_SBK as RSA.
[0003.396] I> Checking boot.img header magic ...
[0003.400] E> Invalid header magic
[0003.404] E> Storage boot failed, err: 724238360
[0003.408] E> A/B loader failure
[0003.411] E> tegrabl_display_shutdown: display is not initialized

And I still have:

user@TaMLap:~/flash-cam5/Linux_for_Tegra$ sudo ./odmfuseread.sh -i 0x18 jetson-tx2
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

What is going on?

Thanks for your help.

There is no update from you for a period, assuming this is not an issue any more.
Hence we are closing this topic. If you need further support, please open a new one.
Thanks

hello TANGUY.MEZZANO,

actually, here’s failure for fuse burning.

[   4.5574 ] 0000000000000001: Oem commands are not supported
[   4.5585 ] Fuse burning failed

may I know which TX2 platform you’re using, please share the part#,
also, could you please share the xml file for reference.

[   3.3670 ] Parsing fuse info as per xml file
[   3.3698 ] tegraparser_v2 --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
...
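
The failure pointed out in the last reply ("Fuse burning failed") was already present in the host log of a run that had looked successful. The following check is an added example, not part of any post and not NVIDIA tooling: it flags such records in odmfuse.sh/flash.sh output and in cboot serial captures, including records fused onto one line. The marker strings are the ones quoted in this thread; the function names and sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag failure records in L4T host logs (odmfuse.sh / flash.sh)
# and in cboot serial captures. Markers are taken from lines quoted in the thread.

# Prints "<line>: <record>" per failure; returns 1 if any was found.
scan_boot_log() {
    awk '
    {
        # Serial captures often carry CRLF line endings.
        sub(/\r$/, "")
        # Records can be fused onto one line: cut at every timestamp.
        gsub(/\[ *[0-9]+\.[0-9]+ *\] */, "\n")
        n = split($0, rec, "\n")
        # "E> " is the cboot error level; "Error: " comes from the host scripts.
        for (i = 1; i <= n; i++)
            if (rec[i] ~ /^E> / || rec[i] ~ /^Error: / ||
                rec[i] ~ /Fuse burning failed/ ||
                rec[i] ~ /Oem commands are not supported/) {
                print NR ": " rec[i]
                found = 1
            }
    }
    END { exit (found ? 1 : 0) }' "$@"
}

# Constructed samples, assembled from lines quoted in this thread.
sample_fuse_log() { cat <<'EOF'
[   3.3670 ] Parsing fuse info as per xml file
[   3.3698 ] tegraparser_v2 --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   4.5574 ] 0000000000000001: Oem commands are not supported
[   4.5585 ] Fuse burning failed
EOF
}
sample_serial_log() { cat <<'EOF'
[0003.381] I> Validate kernel ...
[0003.384] I> T18x: Authenticate kernel (bin_type 24), max size 0x4000000
[0003.390] I> cboot: Info: Handle RSA_SBK as RSA.[0003.396] I> Checking boot.img header magic ... [0003.400] E> Invalid header magic
[0003.404] E> Storage boot failed, err: 724238360
[0003.408] E> A/B loader failure
EOF
}

# Stand-alone use: scan the files given, or the fuse sample if none.
if [ "$#" -gt 0 ]; then
    scan_boot_log "$@"
else
    sample_fuse_log | scan_boot_log || echo "sample fuse log: burn did not succeed"
fi
```

Run it against the saved log before rebooting or reflashing, for example `sh scan.sh tx2-burn-fuse-p.log` (the script name is arbitrary); a non-zero exit status means at least one failure record was found.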
