Jetson Nano Secure Boot

ridwanriley · May 24, 2023, 5:52pm

Greetings,

I managed to enable secure boot on a Jetson Nano using Jetpack and it works and boots fine.

However, I used the same key to build the images in Yocto by setting the following variable in my local.conf

TEGRA_SIGNING_ARGS = “-u conf/machine/rsa_priv.pem”

The build was successful, but I can’t even flash the image to the board. I get the following error when I attempt to flash.

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0040 ] Parsing partition layout
[ 0.0064 ] tegraparser --pt flash.xml.tmp
[ 0.0073 ]
[ 0.0074 ] Updating BFS information on RCM BCT
[ 0.0091 ] tegrabct --bct jetson-nano-sig.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[ 0.0095 ] File jetson-nano-sig.bct open failed
[ 0.0096 ]
Error: Return value 19
Command tegrabct --bct jetson-nano-sig.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin

Thanks in advance.

@llewellyn.fernandes @linuxdev @JerryChang

llewellyn.fernandes · May 24, 2023, 6:10pm

According to the wiki page on secureboot

you also need to provide the -v <encryption_key>

ridwanriley · May 24, 2023, 7:17pm

@llewellyn.fernandes

Thanks for your response.

from here the -v flag is for secure boot key file which only applies to Jetson Xavier NX series, Jetson AGX Xavier series, and Jetson TX2 series. But I am using Jetson Nano in this case.

Moreover, I didn’t use the -v flag when I flashed with Jetpack but I would try it anyways and give feedback.

Thanks again.

linuxdev · May 24, 2023, 7:34pm

I don’t have experience flashing for secure boot, but if this is a Jetson Nano SD card version, then secure boot is not supported. If this is an eMMC model, then it should be supported. I couldn’t say why the flash fails if this is an eMMC model.

ridwanriley · May 24, 2023, 7:37pm

@linuxdev

It’s an eMMC version. works with Jetpack but can’t flash yocto built image, despite using the same keyfile.

JerryChang · May 25, 2023, 2:37am

hello ridwanriley,

this should be an issue on Yocto side.
may I know what’s your commands for running image flash; could you please gather the complete flashing messages as single text file for reference.

ridwanriley · May 25, 2023, 6:30am

@JerryChang ,

Thanks for your response.

Surprisingly, that’s the short log I got, it fails immediately after I start the flash process. See attached.
failed_yocto_log (526 Bytes)

Thanks in advance.

ridwanriley · May 25, 2023, 6:55am

@llewellyn.fernandes,

As promised, I tried recompiling Yocto with the flag and I got an invalid argument error. I guess the -v flag does not work with Jetson Nano.

I used it this way:

TEGRA_SIGNING_ARGS = “-u conf/machine/rsa_priv.pem -v conf/machine/secure_boot_key”

in my local.conf

See attached log
yocto_flash_with _v_flag (10.8 KB)

JerryChang · May 29, 2023, 6:18am

may I know what’s the secure types you’ve enabled? for example, is there only PKC key, or, you’re adding some other keys to fuse the target?
could you please share the complete flash messages, and also the bootloader logs to indicate you could boot-up the target.
furthermore, may I also know which JetPack release you’re using? thanks

ridwanriley · May 29, 2023, 10:51am

@JerryChang ,

I used PKC when fusing the device.

See attached successful bootlogs.

I used Jetpack 4.6.2.

Looking forward to your response.

Thanks.
boot_log_3 (12.9 KB)

JerryChang · May 29, 2023, 2:39pm

that’s right, it seems you’ve Nano fused with PKC. for example, Verifying boot image in SecurePKC mode
since the fuse burning and image flashing works, this should be an issue on Yocto side.
sorry that I don’t have much experience with Yocto. may other expertise for checking this.

system · June 21, 2023, 5:08am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.