Issue with ReservedOdm[3-7] and BootSecurityInfo values after fuse

We are facing issue with fusing Jetson AGX Orin SOM.

after fusing the device , when we read back the fuses after booting system , we see reserve_odm3 to reserve_odm7 and BootSecurityInfo values are different than what we fused.

We have seen this behaviour on all units we fused.
Behaviour is consistent with Jetpack 5.1/L4T 35.2.1 + overlay patch and Jetpack 5.1.1/L4T 35.3.1

sample fuse configuration file used to fuse:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="ReservedOdm3" size="4" value="0xb81cf8ce"/>
    <fuse name="OdmLock" size="4" value="0xF"/>
    <fuse name="ReservedOdm4" size="4" value="0x1f72062c"/>
    <fuse name="BootSecurityInfo" size="4" value="0x209"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
fuse command :
./ -X config.xml -i 0x23 jetson-agx-orin-devkit
--- host log confirms it is using the intended fuse values from config.xml
Existing cpubl(/home/dsteam/devel/ocb/jetpack-5.1.1/Linux_for_Tegra/bootloader/uefi_jetson.bin) reused.
MagicId=0x45535546 version=0x1
node: name=ReservedOdm3 size=4
node: name=OdmLock size=4
node: name=ReservedOdm4 size=4
node: name=BootSecurityInfo size=4
node: name=SecurityMode size=4
size of FSKP binary 381760
size of Fuse Blob 556
File saved as fskp_t234_updated.bin

root@skye-sb-cot:~# cat /sys/devices/platform/tegra-fuse/reserved_odm3
root@skye-sb-cot:~# cat /sys/devices/platform/tegra-fuse/reserved_odm4
root@skye-sb-cot:~# cat /sys/devices/platform/tegra-fuse/boot_security_info

Could you please help us understand and fix this issue.

hello vijayaca,

could you please add --test to an command for verification.
you may also attach the complete fuse burning logs for reference, thanks

Hi Jerry,

Attached host and target logs for fusing, removed few entries for security reason.
fuses-burning-host.log (90.5 KB)
fuses-burning-serial-uart.log (28.8 KB)

Hi Jerry,
I get below error when I run with --test on fused system .

sudo ./ --test -X ../tmp_data/SKY_TEST_01-skye-fuse.xml -k ../keys/public_key0.pem -S ../keys/sbk.key -i 0x23 jetson-agx-orin-devkit
./ --chip 0x23 --applet "/opt/skye-installer/Linux_for_Tegra_r35.3.1/bootloader/mb1_t234_prod.bin" --skipuid --cfg readinfo_t234_min_prod.xml --dev_params tegra234-br-bct-diag-boot.dts --device_config tegra234-mb1-bct-device-p3701-0000.dts --misc_config tegra234-mb1-bct-misc-p3701-0000.dts --bins "mb2_applet applet_t234.bin" --cmd "dump eeprom cvm cvm.bin; dump custinfo custinfo_out.bin; reboot recovery" --encrypt_key "/opt/skye-installer/keys/sbk.key" --key "/opt/skye-installer/keys/public_key0.pem" 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[   0.0181 ] tegrarcm_v2 --chip 0x23 0 --ismb2applet
[   0.0183 ] File rcm_state open failed
[   0.0185 ] ERROR: failed to read rcm_state
[   0.0185 ] 
[   0.0214 ] --key /opt/skye-installer/keys/public_key0.pem --getmode mode.txt
[   0.0220 ] Key size is 384 bytes
[   0.0268 ] Pre-processing config: tegra234-mb1-bct-device-p3701-0000.dts
[   0.0723 ] Pre-processing config: tegra234-mb1-bct-misc-p3701-0000.dts
[   0.0862 ] Parsing partition layout
[   0.0867 ] tegraparser_v2 --pt readinfo_t234_min_prod.xml.tmp
[   0.0885 ] Kernel DTB used: None
[   0.0885 ] WARNING: dce base dtb is not provided

[   0.0885 ] Parsing partition layout
[   0.0889 ] tegraparser_v2 --pt readinfo_t234_min_prod.xml.tmp
[   0.0895 ] Creating list of images to be encrypted and signed
[   0.0900 ] tegrahost_v2 --chip 0x23 0 --partitionlayout readinfo_t234_min_prod.xml.bin --list images_list.xml oem-rsa
[   0.0903 ] MB1: Nvheader already present is mb1_t234_prod_aligned.bin
[   0.0928 ] Header already present for mb1_t234_prod_aligned_sigheader.bin
[   0.0931 ] MB1: Nvheader already present is mb1_t234_prod_aligned.bin
[   0.0986 ] Header already present for mb1_t234_prod_aligned_sigheader.bin
[   0.0988 ] MB1: Nvheader already present is psc_bl1_t234_prod_aligned.bin
[   0.1034 ] Header already present for psc_bl1_t234_prod_aligned_sigheader.bin
[   0.1037 ] adding BCH for mb2_t234_aligned.bin
[   0.1066 ] MB1: Nvheader already present is psc_bl1_t234_prod_aligned.bin
[   0.1188 ] Header already present for psc_bl1_t234_prod_aligned_sigheader.bin
[   0.1190 ] adding BCH for mb2_t234_aligned.bin
Traceback (most recent call last):
  File "/opt/skye-installer/Linux_for_Tegra_r35.3.1/bootloader/./", line 1383, in <module>
  File "/opt/skye-installer/Linux_for_Tegra_r35.3.1/bootloader/./", line 1217, in tegraflash_run_commands
  File "/usr/lib/python3.10/", line 217, in onecmd
    return func(arg)
  File "/opt/skye-installer/Linux_for_Tegra_r35.3.1/bootloader/./", line 855, in do_dump
    self.chip_inst.tegraflash_dump(exports, args)
  File "/opt/skye-installer/Linux_for_Tegra_r35.3.1/bootloader/", line 2390, in tegraflash_dump
  File "/opt/skye-installer/Linux_for_Tegra_r35.3.1/bootloader/", line 1856, in tegraflash_enc_and_sign_images
    for file_nodes in xml_tree.getiterator('file'):
AttributeError: 'ElementTree' object has no attribute 'getiterator'
Reading board information failed.

hello vijayaca,

reading fuses through /sys is not supported now.
for checking, you may using dd utility to export the fuse values.
for example, boot_security_info:
$ sudo dd if=/sys/bus/nvmem/devices/fuse/nvmem of=boot_security_info bs=4 count=1 skip=$((0x5a))
and… using hexdump to examine the values. $ hexdump -c boot_security_info

please expect next public release will have a new tool to read fuses.

hi Jerry,

Is it new tool? which release will have the tool?
Do you know the reason for exception we getting when we run with --test on fused device?

where can I find the mapping of nvmem to read ReservedOdm fuse values?

it’s just a sample, please wait for next public Jetpack release with tool update to read fuses.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.