Jetson Nano Secure Boot


I managed to enable secure boot on a Jetson Nano using Jetpack and it works and boots fine.

However, I used the same key to build the images in Yocto by setting the following variable in my local.conf

TEGRA_SIGNING_ARGS = “-u conf/machine/rsa_priv.pem”

The build was successful, but I can’t even flash the image to the board. I get the following error when I attempt to flash.

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0040 ] Parsing partition layout
[ 0.0064 ] tegraparser --pt flash.xml.tmp
[ 0.0073 ]
[ 0.0074 ] Updating BFS information on RCM BCT
[ 0.0091 ] tegrabct --bct jetson-nano-sig.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[ 0.0095 ] File jetson-nano-sig.bct open failed
[ 0.0096 ]
Error: Return value 19
Command tegrabct --bct jetson-nano-sig.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin

Thanks in advance.

@llewellyn.fernandes @linuxdev @JerryChang

According to the wiki page on secureboot

you also need to provide the -v <encryption_key>


Thanks for your response.

from here the -v flag is for secure boot key file which only applies to Jetson Xavier NX series, Jetson AGX Xavier series, and Jetson TX2 series. But I am using Jetson Nano in this case.

Moreover, I didn’t use the -v flag when I flashed with Jetpack but I would try it anyways and give feedback.

Thanks again.

I don’t have experience flashing for secure boot, but if this is a Jetson Nano SD card version, then secure boot is not supported. If this is an eMMC model, then it should be supported. I couldn’t say why the flash fails if this is an eMMC model.


It’s an eMMC version. works with Jetpack but can’t flash yocto built image, despite using the same keyfile.

hello ridwanriley,

this should be an issue on Yocto side.
may I know what’s your commands for running image flash; could you please gather the complete flashing messages as single text file for reference.

@JerryChang ,

Thanks for your response.

Surprisingly, that’s the short log I got, it fails immediately after I start the flash process. See attached.
failed_yocto_log (526 Bytes)

Thanks in advance.


As promised, I tried recompiling Yocto with the flag and I got an invalid argument error. I guess the -v flag does not work with Jetson Nano.

I used it this way:

TEGRA_SIGNING_ARGS = “-u conf/machine/rsa_priv.pem -v conf/machine/secure_boot_key”

in my local.conf

See attached log
yocto_flash_with _v_flag (10.8 KB)

may I know what’s the secure types you’ve enabled? for example, is there only PKC key, or, you’re adding some other keys to fuse the target?
could you please share the complete flash messages, and also the bootloader logs to indicate you could boot-up the target.
furthermore, may I also know which JetPack release you’re using? thanks

@JerryChang ,

I used PKC when fusing the device.

See attached successful bootlogs.

I used Jetpack 4.6.2.

Looking forward to your response.

boot_log_3 (12.9 KB)

that’s right, it seems you’ve Nano fused with PKC. for example, Verifying boot image in SecurePKC mode
since the fuse burning and image flashing works, this should be an issue on Yocto side.
sorry that I don’t have much experience with Yocto. may other expertise for checking this.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.