At the moment I have issues with booting my Jetson Nano Developer Kit. Somehow I may have burned the fuses for SB with PKC in production mode. I keep the RSA key in a safe location. This action should not have been supported, but I understood this later - so I cannot flash the rest of the partitions signed with the PKC key nor boot it without SB PKC in normal non-secure NS mode.
I guess with the right fuse_bypass configuration I could be able to boot it without SB/PKC, right? Is there such a sample fuse_bypass config available to bypass the SB with the PKC?
On the other hand, I’d like to test the SB with PKC for production module: can this be done on devkit device with fuse_bypass?
I cannot boot the devkit device. tegrafuse.sh should be run from the Jetson Nano Linux OS.
I have only access to “recovery mode” commands over the USB cable from host PC. ( I guess I should be able to flash fusebypass partition from there )
Here is the output; it was successful, but it still cannot boot because the referred Topic guide is for SB PKC boot, which I’m not allowed to flash on the devkit version. I’d like to disable the SB PKC.
/Linux_for_Tegra# ./odmfuse.sh -i 0x21 -p -c PKC -k rsa_priv.pem --test
*** Calculating HASH from keyfile //Linux_for_Tegra/rsa_priv.pem ... done
PKC HASH: 0x8ec2677683cd8bf4d0f19df8edcc199de9c9e5c422f2b7b4f070789506d37676
*** Generating fuse configuration ... done.
Test mode: removing all lines with '<fuse name=' so no fuses will be burned.
*** Start fusing ...
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0036 ] Parsing fuse info as per xml file
[ 0.0043 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[ 0.0051 ]
[ 0.0051 ] Generating RCM messages
[ 0.0057 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0062 ] RCM 0 is saved as rcm_0.rcm
[ 0.0066 ] RCM 1 is saved as rcm_1.rcm
[ 0.0067 ] List of rcm files are saved in rcm_list.xml
[ 0.0067 ]
[ 0.0067 ] Signing RCM messages
[ 0.0073 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0079 ] Assuming zero filled SBK key
[ 0.0117 ]
[ 0.0117 ] Copying signature to RCM mesages
[ 0.0123 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.0132 ]
[ 0.0132 ] Boot Rom communication
[ 0.0139 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[ 0.0145 ] BR_CID: 0x4210100164441643080000000f008340
[ 0.0150 ] RCM version 0X210001
[ 0.0313 ] Boot Rom communication completed
[ 1.0405 ]
[ 1.0406 ] Blowing fuses
[ 1.0445 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[ 1.0479 ] Applet version 00.01.0000
[ 1.0656 ] Successfully burnt fuses as per fuse info blob
[ 1.0830 ]
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been burned successfully.
*** done.
Linux_for_Tegra# cat bootloader/odmfuse_pkc.xml.sav
<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="PublicKeyHash" size="32" value="0x7676d306957870f0b4b7f222c4e5c9e99d19ccedf89df1d0f48bcd837667c28e" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>
Linux_for_Tegra# ./odmfuse.sh -i 0x21 -p -c PKC -k rsa_priv.pem
*** Calculating HASH from keyfile /Linux_for_Tegra/rsa_priv.pem ... done
PKC HASH: 0x8ec2677683cd8bf4d0f19df8edcc199de9c9e5c422f2b7b4f070789506d37676
*** Generating fuse configuration ... done.
*** Start fusing ...
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0037 ] Parsing fuse info as per xml file
[ 0.0046 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[ 0.0053 ]
[ 0.0053 ] Generating RCM messages
[ 0.0059 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0064 ] RCM 0 is saved as rcm_0.rcm
[ 0.0069 ] RCM 1 is saved as rcm_1.rcm
[ 0.0070 ] List of rcm files are saved in rcm_list.xml
[ 0.0070 ]
[ 0.0070 ] Signing RCM messages
[ 0.0076 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0083 ] Assuming zero filled SBK key
[ 0.0128 ]
[ 0.0129 ] Copying signature to RCM mesages
[ 0.0146 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.0156 ]
[ 0.0156 ] Boot Rom communication
[ 0.0162 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[ 0.0168 ] BR_CID: 0x4210100164441643080000000f008340
[ 0.0173 ] RCM version 0X210001
[ 0.0338 ] Boot Rom communication completed
[ 1.0437 ]
[ 1.0439 ] Blowing fuses
[ 1.0478 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[ 1.0513 ] Applet version 00.01.0000
[ 1.0691 ] Successfully burnt fuses as per fuse info blob
[ 1.0817 ]
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been burned successfully.
*** done.
# md5sum bootloader/nvtboot*
65b95bd63ceebf8974b0903de5265c88 bootloader/nvtboot.bin
3a97283d250f00b6f1ba7776f5dc57f4 bootloader/nvtboot.bin.signed
a6d10bc8760041ba0e03ec3959f971ce bootloader/nvtboot_cpu.bin
ff17e52b1096ff930115bcff0b947d0b bootloader/nvtboot_cpu.bin.signed
13f9c5212dc5fac8685ba028dcc3c457 bootloader/nvtboot_recovery.bin
4fed21347f336748827489eb9f860fe5 bootloader/nvtboot_recovery_cpu.bin
/zipfile/Linux_for_Tegra# md5sum ../t/nvtboot*
65b95bd63ceebf8974b0903de5265c88 ../t/nvtboot.bin
a6d10bc8760041ba0e03ec3959f971ce ../t/nvtboot_cpu.bin
13f9c5212dc5fac8685ba028dcc3c457 ../t/nvtboot_recovery.bin
4fed21347f336748827489eb9f860fe5 ../t/nvtboot_recovery_cpu.bin
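A review step for the fuse XML before a real burn, as an added example (not part of the original posts and not NVIDIA's tooling). The function names are hypothetical, the sample data is constructed from the values shown in the post above, and the byte-reversed relationship between the printed PKC HASH and the PublicKeyHash fuse value is taken from that log only.

```python
import xml.etree.ElementTree as ET

# Sample input constructed from the values shown in the post above.
PRINTED_PKC_HASH = "0x8ec2677683cd8bf4d0f19df8edcc199de9c9e5c422f2b7b4f070789506d37676"
FUSE_XML = """<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="PublicKeyHash" size="32" value="0x7676d306957870f0b4b7f222c4e5c9e99d19ccedf89df1d0f48bcd837667c28e" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>"""


def hex_to_bytes(value):
    """Decode a 0x-prefixed hex string into bytes."""
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def review_fuse_config(xml_text, printed_hash):
    """Summarise what a fuse XML would program, for review before any burn."""
    root = ET.fromstring(xml_text)
    fuses = {f.get("name"): f for f in root.iter("fuse")}
    report = {"fuses": sorted(fuses), "hash_matches": None,
              "sets_security_mode": False, "problems": []}
    pkh = fuses.get("PublicKeyHash")
    if pkh is not None:
        raw = hex_to_bytes(pkh.get("value"))
        if len(raw) != int(pkh.get("size")):
            report["problems"].append("PublicKeyHash length differs from size attribute")
        # Assumption from the log on this page: fuse value = printed hash, byte-reversed.
        report["hash_matches"] = raw == hex_to_bytes(printed_hash)[::-1]
        if not report["hash_matches"]:
            report["problems"].append("PublicKeyHash does not match the expected key hash")
    mode = fuses.get("SecurityMode")
    if mode is not None and int(mode.get("value"), 16) != 0:
        report["sets_security_mode"] = True  # this entry is present and non-zero
    return report


def strip_fuse_lines(xml_text):
    """Mimic the --test message in the log: drop lines containing '<fuse name='."""
    return "\n".join(l for l in xml_text.splitlines() if "<fuse name=" not in l)


if __name__ == "__main__":
    print(review_fuse_config(FUSE_XML, PRINTED_PKC_HASH))
    print(review_fuse_config(strip_fuse_lines(FUSE_XML), PRINTED_PKC_HASH))
```

Run against the saved XML, it shows that the non-test invocation carries both a PublicKeyHash and a non-zero SecurityMode entry, while the stripped test-mode XML carries no fuse entries at all.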
If the image has been created successfully, there should be a flashcmd.txt generated;
please flash the image with that, for example, $ sudo bash ./flashcmd.txt
thanks
Flash is not working.
jetson-nano-emmc has a different partition layout ( internal emmc ) compared to jetson-nano-devkit ( qspi + sd )
Is there a command similar to tegrafuse.sh which can be run from ‘recovery mode’ on the Host PC via the USB cable?
Shall we test with fusebypass partition to disable SB PKC?
It is somehow misleading for newcomers into the community:
“Production module” is quite close as a naming convention to “production mode” of the “fuses” and I initially got a devkit device ( having no detailed idea what a production module is )
Devkit is for development needs, I thought it has all options to test all capabilities. I still do not understand why it has limited PKC SB capabilities. It makes no sense to me to remove the option to test SB because of the different flash layout.
Jetson Nano CPU looks the same in the devkit module and the production module, so I did not question that its fuse capabilities are the same.
odmfuse.sh command should have rejected the “fuse” burning, if it was not supported, right?
Please provide answers to my developer questions:
Is there any command similar to tegrafuse.sh that can be run from “recovery mode” via the USB cable from the host PC? I’d like to see the status of the fuses.
Is there a way to use the fusebypass partition to disable the PKC with SB? I need sample commands/configurations for the fusebypass partition, please elaborate more on this.
If there is no way to bring my devkit back to life:
can I get a replacement devkit board because the faulty software “odmfuse.sh” did not reject the fuse burning for the unsupported devkit board? :( :( :(
or for Jetson security to release updates to L4T secboot to include the devkit in the SB-supported devices, so that all developers can test SB boot. ( preferred option )
please check Topic 165151, and Topic 165661 for reference,
production module means the platform based on eMMC; please check the secureboot readme file, it shows the following,
- Jetson Nano Production Module: jetson-nano-emmc
BTW,
please initiate the RMA process if you believe that your Jetson product is defective.
thanks