Jetson Nano secureboot

Hi,

I would like to use secureboot on Jetson Nano L4T 32.3.1.

I generated the RSA key pair with
$ openssl genrsa -out nano_priv.pem 2048

Then I tried to burn the fuses:
sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem

When I restarted the device I checked the fuses with sudo ./tegrafuse.sh (on the device):

arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000000
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000

As I see PKC is still disabled. What did I do wrong?

If I skip the device restart and try to flash the device right after burning the fuses I get the following error message:
sudo ./flash.sh -x 0x21 -y PKC -u ../nano_priv.pem jetson-nano-qspi-sd mmcblk0p1

#########
# L4T BSP Information:# R32 , REVISION: 3.1
#########
Error: probing the target board failed.
Make sure the target board is connected through
USB port and is in recovery mode.

If I reset the device in recovery mode between burning the fuses and flashing the device I get the following error message:

#########
# L4T BSP Information:# R32 , REVISION: 3.1
#########
# Target Board Information:
# Name: jetson-nano-qspi-sd, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: , 
#########
Error: The RSA key file is provided for non-PKC protected target board.

Could you help please what should I try?

Kind regards,
Adam

Hi,
Without -p option, pkc_disable fuse is programmed to 0x1 and the module is in NS mode. Please check


In production line, please program all fuses in single command.

Dear @DaneLLL,

I put the -p switch so my single command was (I did not deal with odm_reserved because it remains programmable after the production bit is set):

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -p

It ran without error, the output was:

*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.

Then I restarted the device to check if it was going to refuse to boot (because I haven’t uploaded a signed image at that time so it contained an unsigned one), but it started without error. Then I ran sudo ./tegrafuse.sh (on the device) and I got the followings:

arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000

It is really sad because (as far as I know) I can not change the pkc_disable fuse anymore. Could you help me what happened? I explicitly told odmfuse to use PKC (-c PKC) and provided the key (-k …/nano_priv.pem), pkc_disable should be 0x0. What did I do wrong?

Hi,
The fuse bit is irreversible. The following is from README_secureboot.txt:

Tegra devices contain multiple fuses that control different items for
security and boot. Programming a fuse, such as changing a value of a
fuse bit from 0 to 1, is non-reversible. Once a fuse bit is programmed
by setting to 1, you cannot change the fuse value from 1 to 0.
For example, a value of 1(0x01) can be changed to 3(0x03) or 5(0x5),
but not to 4(0x4) because the bit 0 is already programmed to 1.

You have to use another Nano production module.

Dear @DaneLLL

Yes, I know that it is irreversible, but could you tell me what was my mistake? If I try the same command on a different board the outcome will be the same.

Before I ran the command odm_production_mode was 0x0 (the dev board was right out of the box).
Then I ran the command (with the production flag):

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -p

Could you help please if this is the right command to put the module in production mode, enable PKC and specify the PKC key?

Hi,
The command looks fine but I would need to confirm with teams. Please attach bootloader/odmfuse_pkc.xml for reference.

Dear @DaneLLL,

Thank you for your answer, the content of bootloader/odmfuse_pkc.xml:

<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0xd64e......." />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>

Thank you: Adam

Hi,
Would like to confirm the status.
So you have two clean Nanos(not fused yet), One is fused with

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem

The other is fused with

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -p

By executing sudo ./tegrafuse.sh, you can see pkc_disable =0x1 on the two Nanos.

Please confirm above description is correct. Thanks.

I had two clean Nanos (Dev kit A02 version). One the first I tried lots of odmfuse commands but did not set the production flag.

On the second board my first command was (right out of the box)

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem

then after a reboot my second command was:

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -p

Executing sudo ./tegrafuse.sh shows that pkc_disable : 0x00000001 on both devices, odm_production_mode : 0x00000001 on the second device.

Hi,
So you execute the two commands on the second board:

sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem
sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -p

In the first command, pkc_disable is programmed to 0x1 already. It cannot be reverted by the second command.

And we only support the process on production module(jetson-nano-emmc). If you have production module, please programm all fuses in single step like:

sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../nano_priv.pem