I am using a Jetson Nano in my product. Once I flash it, I don't want anybody to remove it from my product and flash it again. Can this be achieved using secure boot, or is there some other provision? The Nano doesn't wire the JTAG out, so if I keep JTAG enabled while doing secure boot, will there be some security threat?
hello Shine.d,
you may enable Secure Boot; Secure Boot prevents execution of unauthorized boot code through a chain of trust.
So does that mean somebody else cannot flash it again? And can you suggest something about JTAG? Will it be okay if I don't disable it, as it is not wired out on the Jetson Nano?
hello Shine.d,
here are replies for a couple of your questions.
- assuming you have a Jetson Nano fused with a PKC key, only the owner who holds the same PKC key file is able to re-flash the target.
- it depends on your use case. JTAG is enabled by default; it is for debug purposes, and it needs HW rework on a test point.
Thank you for the reply.
Let's say I flashed the Jetson Nano with secure boot enabled. Only I have the keys used in the fuse-burning process, and somebody is trying to flash it without my knowledge. So where will the issue arise?
- Will they not be able to put the Jetson Nano into force recovery mode?
- Will the flashing process give an error in sdkmanager / the command line?
And if they are not able to flash it, will it still get booted, as the second-time flashing has failed?
Thank you.
hello Shine.d,
>> Q1
since it's a hardware key combination, they'll be able to put the Nano into forced-recovery mode.
>> Q2
the flashing process will abort since a correct key has not been assigned.
IIRC, the device should stay in forced-recovery mode; the user may press the hardware reset button to reboot the target.
I fused the PKC key on the Jetson Nano and flashed it. It booted properly. Secure boot was enabled; I checked the public_key value. Everything went well. But to check whether secure boot is working properly, I created a new OS image using sdkmanager. When I try to flash it again without using the PKC key, it gets flashed. What can I do now to prohibit somebody else from reflashing my Jetson Nano?
hello Shine.d,
please share the complete flash messages and booting logs for reference.
Here are the files for your reference.
boot_log.txt (64.3 KB)
flashing.txt (18.1 KB)
key-fusing.txt (2.1 KB)
hello Shine.d,
you've given the keys in the flash script:
$ sudo ./flash.sh ... -u ../emi_pkc.pem
BTW, binaries/images will be stored on your local host machine once you execute the flash script,
so you may use another host, or a clean JetPack installation folder, to test re-flashing without the PKC key.
Actually, I tried using another device, but it still gets flashed and boots properly. I am sharing the complete procedure I did for secure boot.
secure_boot_jetson_nano.txt (1.2 KB)
Please check it once and point out any mistake I have made. If this is the correct procedure, then what can I do to prohibit somebody else from reflashing the Jetson without my knowledge?
hello Shine.d,
I don't have a fused Jetson Nano for checking at the moment.
did you program the fuse correctly? please check my steps as follows to examine the fuse variables,
I've checked with a Jetson AGX Xavier; note, I've omitted some key values.
for instance,
$ cat /etc/nv_tegra_release
# R32 (release), REVISION: 7.5, GCID: 36557527, BOARD: t186ref, EABI: aarch64, DATE: Tue Jun 11 23:18:04 UTC 2024
# cat /sys/devices/platform/tegra-fuse/public_key
0xc21b............................cdb
# cat /sys/devices/platform/tegra-fuse/odm_production_mode
0x00000001
hence, based on this SBK and PKC protected target board,
it is not allowed to re-flash if I do not assign the PKC/SBK keys; it's confirmed it cannot re-flash without assigning the keys.
for instance,
$ sudo ./flash.sh jetson-agx-xavier-devkit mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 7.5
###############################################################################
# Target Board Information:
# Name: jetson-agx-xavier-devkit, Board Family: t186ref, SoC: Tegra 194,
# OpMode: production, Boot Authentication: SBKPKC,
# Disk encryption: disabled ,
###############################################################################
Error: Either RSA key file and/or SBK key file is not provided for SBK and PKC protected target board.
Sorry, my bad.
odm_production_mode was set to 0x00000000,
so I fused the key again by adding -p:
sudo ./odmfuse.sh -c PKC -i 0x21 -p -k …/emi_pkc.pem
but when I try to flash it again with the PKC key using,
$ sudo ./flash.sh BOARDID=3448 FAB=200 BOARDSKU=0002 -x 0x21 -y PKC -u …/emi_pkc.pem jetson-nano-emmc mmcblk0p1
it gives the error:
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.
Even though I am adding the PKC key file, it does not get flashed. So, how can I flash it now?
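The two posts above come down to reading two fuse values by hand: public_key (is a PKC hash burned?) and odm_production_mode (has the board been locked into production mode?). The following script is an added example, written for this thread and not code from the forum or from NVIDIA, that turns that manual check into a single classification. The sysfs path is the one quoted in the thread; the three state names, the helper names, and the sample values are my own assumptions, and the sample directories are constructed so the script runs offline without a Jetson.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or NVIDIA): classify a
# Jetson's fuse state from the two sysfs files the thread reads by hand.
# The sysfs path is the one quoted in the thread; the state names, helpers
# and sample values are assumptions, constructed so this runs offline.

# Print one of NOT_FUSED, KEY_BURNED_NOT_LOCKED, PKC_PROTECTED.
# $1: fuse directory (defaults to the real tegra-fuse sysfs node).
fuse_state() {
    dir="${1:-/sys/devices/platform/tegra-fuse}"
    pk=$(cat "$dir/public_key" 2>/dev/null || true)
    odm=$(cat "$dir/odm_production_mode" 2>/dev/null || true)

    # public_key is a hex string; a device with no PKC hash burned reads back
    # as all zeros, so look for any non-zero hex digit after the 0x prefix.
    pk_set=0
    case "$pk" in
        0x*[1-9a-fA-F]*) pk_set=1 ;;
    esac

    if [ "$pk_set" -eq 0 ]; then
        echo NOT_FUSED                 # nothing burned: anyone can flash
    elif [ "$odm" = "0x00000001" ]; then
        echo PKC_PROTECTED             # locked: flash.sh needs -u <pkc.pem>
    else
        echo KEY_BURNED_NOT_LOCKED     # hash burned, production mode not set
    fi
}

# Build a constructed fuse directory for offline testing.
# $1: directory, $2: public_key value, $3: odm_production_mode value
make_sample() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/public_key"
    printf '%s\n' "$3" > "$1/odm_production_mode"
}

# Demo over three constructed states. The key hashes are made up; the
# 0x00000001 reading is the one the thread shows on a protected board.
demo() {
    base=$(mktemp -d)
    make_sample "$base/blank"  "0x0000000000000000" "0x00000000"
    make_sample "$base/half"   "0xc21b0000deadbeef" "0x00000000"
    make_sample "$base/locked" "0xc21b0000deadbeef" "0x00000001"
    for d in blank half locked; do
        printf '%-7s %s\n' "$d" "$(fuse_state "$base/$d")"
    done
    rm -rf "$base"
}

demo
```

On a real target, run fuse_state with no argument (as root, since the thread's own transcript uses a root prompt for those files). The middle state is the one that bit the original poster: a non-zero public_key alone shows that a hash was burned, but until odm_production_mode reads 0x00000001 the board still accepts an unsigned flash, so a deployment checklist should gate on the production-mode value rather than on the key alone.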
hello Shine.d,
please try re-flashing without -y PKC,
for instance, $ sudo ./flash.sh -u …/emi_pkc.pem jetson-nano-emmc mmcblk0p1
Yes, it worked.
Thanks a lot.
okay, please refer to comment #15; based on your fused target, it should not allow re-flashing without the PKC/SBK keys.
Yes, couldn't re-flash.
Thanks.