Jetson Orin Nano SBKPKC Fused USB_TIMEOUT Cannot Flash

Hi forum,

I generated keys and fused my Jetson Orin 64GB Devkit using L4T Version 35.6.0 with PKC, SBK and BootSecurityInfo using the documented process from here - Secure Boot — NVIDIA Jetson Linux Developer Guide 1 documentation

I fused the board successfully with the fuse.xml below. I followed this doc/section to burn the fuses - Secure Boot — NVIDIA Jetson Linux Developer Guide 1 documentation, i.e.:

Linux_for_Tegra$ sudo ./odmfuse.sh -X fuse.xml -i 0x23 jetson-agx-orin-devkit

fuse.xml:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x<REDACTED>"/>
    <fuse name="SecureBootKey" size="32" value="0x<REDACTED>"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1E9"/>
</genericfuse>

Host Setup:
Native Ubuntu 20.04
USB Autosuspend -1 set
Many different cables tried - 3.0 and 2.0

  • I’m certain the keys are correct (pkc is rsa3072)
  • I’m certain the SBK keys are correct

Fusing Log Snippet:


odm_lock: 0x00000000
revoke_pk_h0: 0x00000000
revoke_pk_h1: 0x00000000
optin_enable: 0x00000000
public_key_hash: 0xfa3a8707da5fc9e5e3b8f63f6d6cf1027c5b3f15c1a947d2e3f2eeb003cecb98e55ff0348a6cd739acdddbfef7e8838188e81a88191f81907c589428d0880764
boot_security_info: 0x000001e9
odmid: 0x0000000000000000
pk_h1: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
pk_h2: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
security_mode: 0x00000000
reserved_odm2: 0x00000000
reserved_odm3: 0x00000000
reserved_odm0: 0x00000000
reserved_odm1: 0x00000000
reserved_odm6: 0x00000000
reserved_odm7: 0x00000000
reserved_odm4: 0x00000000
reserved_odm5: 0x00000000
odminfo: 0x00000000
system_fw_field_ratchet1: 0x00000000
system_fw_field_ratchet0: 0x00000000
system_fw_field_ratchet3: 0x00000000
system_fw_field_ratchet2: 0x00000000

Flash Log:

Linux_for_Tegra$ sudo ./flash.sh -u pkc.pem -v sbk.key jetson-agx-orin-devkit internal
<LOG_CUT_TO_END>
[   0.6360 ] tegrarcm_v2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
[   0.6369 ] BR_CID: 0x89012344705E02216C0000000F008240
[   1.0415 ] Sending bct_br
[   1.4380 ] Sending mb1
[   1.5415 ] ERROR: might be timeout in USB write.
[   1.5415 ] 
Error: Return value 3
Command tegrarcm_v2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
Reading board information failed.

When I pass only the PKC key to flash.sh with --noflash to sign, and then flash using the command sudo bash ./flashcmd.txt, the flashing is successful and the board boots with the warning
“WARNING: Test key is used”.

Please suggest how I can flash and boot the image with the PKC and SBK keys. Also, please suggest in which format the SBK key should be passed to the ./flash.sh command:

$ cat sbk.key
0x11223344 0x55667788 0x99aabbcc 0xddeeff00 0xffeeddcc 0xbbaa9988 0x77665544 0x33221100

(OR)

$ cat sbk.key
0x112233445566778899aabbccddeeff00ffeeddccbbaa99887766554433221100

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, it appears that you have successfully fused your Jetson Orin 64GB Devkit using L4T Version 3560 with PKC, SBK, and BootSecurityInfo. However, you are experiencing issues when trying to flash and boot the image with both PKC and SBK keys.

To flash and boot the image with PKC and SBK keys, you need to use the flash.sh command with the -u and -v options. The -u option specifies the PKC key file, and the -v option specifies the SBK key file.

Here is an example of the correct command:

$ sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-orin-devkit internal

Make sure to replace <pkc_keyfile> and <sbk_keyfile> with the actual file names and paths of your PKC and SBK key files, respectively.

Regarding the format of the SBK key, it should be in the same format as the PKC key, which is an RSA private key file. The SBK key file should be in the ${ToT_BSP}/bootloader directory, or you should specify its absolute pathname.

It’s also important to note that the -v option must be used with the -u option. If you omit the -v option, the images flashed to the Jetson device will not be encrypted.

In your case, since you have already fused the board successfully with the PKC and SBK keys, you can try flashing and booting the image using the above command. If you still encounter issues, please provide more details about the error messages or warnings you receive.

Additionally, you can try checking the following:

  • Make sure that the PKC and SBK key files are in the correct format and are not corrupted.
  • Verify that the key files are in the correct location, as specified in the ${ToT_BSP}/bootloader directory or by specifying their absolute pathname.
  • Check that the flash.sh command is being executed with the correct options and arguments.
  • Ensure that the Jetson device is in Recovery mode before executing the flash.sh command.

If none of these suggestions resolve the issue, please provide more information about the error messages or warnings you receive, and I’ll be happy to help you further.


hello grajendran,

please also share the BR_CID during image flash stage, it’ll report right after boot from communication.

Linux_for_Tegra$ sudo ./flash.sh -u pkc.pem -v sbk.key jetson-agx-orin-devkit internal
###############################################################################
# L4T BSP Information:
# R35 , REVISION: 6.0
# User release: 0.0
###############################################################################
ECID is 0x89012344705E02216C0000000F008240
# Target Board Information:
# Name: jetson-agx-orin-devkit, Board Family: t186ref, SoC: Tegra 234, 
# OpMode: production, Boot Authentication: SBKPKC, 
# Disk encryption: disabled ,
###############################################################################
<...LOG_CUT_TO_END...>
[   2.2447 ] Boot Rom communication
[   2.2461 ] tegrarcm_v2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
[   2.2472 ] BR_CID: 0x89012344705E02216C0000000F008240
[   2.6584 ] Sending bct_br
[   3.0585 ] Sending mb1
[   3.0591 ] ERROR: might be timeout in USB write.
Error: Return value 3
Command tegrarcm_v2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
Reading board information failed.

hello grajendran,

you should use this key format for running flash script to assign SBK key.

$ cat sbk.key
0x11223344 0x55667788 0x99aabbcc 0xddeeff00 0xffeeddcc 0xbbaa9988 0x77665544 0x33221100

there’s an OemKeyValid bit in the BootSecurityInfo fuse (not SecurityMode); it controls whether the boot images need to be encrypted or not. since you have an SBK key, you should also have this bit enabled.
please refer to the Jetson Orin Fuse Specification for bit-9 of FUSE_BOOT_SECURITY_INFO_0.
you may also see a similar forum thread, Topic 363914.

Are you referring to the Bit [9] ODM Key Valid in the FUSE_BOOT_SECURITY_INFO_0?

Currently my fuse config for the BootSecurityInfo is 0x1E9, so after enabling the Bit [9] ODM Key Valid the BootSecurityInfo will become 0x3E9. Did I understand correctly?

If I set the Bit [9] ODM Key Valid in the BootSecurityInfo, do I then need to burn the OemK1 and OemK2 keys also?

    <!-- <fuse name="OemK1" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->
    <!-- <fuse name="OemK2" size="32" value="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"/> -->

hello grajendran,

yes, that’s correct.

that’s right, it’s suggested to have OEM keys as well.
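A pre-burn check for the two points settled above, as an added example that is not part of the thread or of NVIDIA's tooling: it flags a fuse config that burns SecureBootKey while bit 9 of BootSecurityInfo is clear, and rewrites an sbk.key body into the eight-word form given for flash.sh. The names check_fuse_xml and sbk_as_words and the sample XML are constructed here, and the conversion assumes the two sbk.key spellings shown in the thread list the same key in the same order.

```python
import re
import xml.etree.ElementTree as ET

OEM_KEY_VALID = 1 << 9  # bit 9 of FUSE_BOOT_SECURITY_INFO_0, as named in the thread

# Constructed sample shaped like the fuse.xml in the thread; key values are placeholders.
SAMPLE_FUSE_XML = """<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0xPLACEHOLDER"/>
    <fuse name="SecureBootKey" size="32" value="0xPLACEHOLDER"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1E9"/>
</genericfuse>"""


def check_fuse_xml(xml_text):
    """Return findings for a fuse config; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    fuses = {f.get("name"): f.get("value") for f in root.iter("fuse")}
    findings = []
    if "SecureBootKey" not in fuses:
        return findings  # no SBK being burned, nothing to cross-check
    if "BootSecurityInfo" not in fuses:
        return ["SecureBootKey present but BootSecurityInfo is not set"]
    bsi = int(fuses["BootSecurityInfo"], 16)
    if not bsi & OEM_KEY_VALID:
        fixed = bsi | OEM_KEY_VALID
        findings.append(f"BootSecurityInfo {bsi:#x} has bit 9 clear; with it set: {fixed:#x}")
    for name in ("OemK1", "OemK2"):
        if name not in fuses:
            findings.append(f"{name} not in config (thread suggests burning OEM keys too)")
    return findings


def sbk_as_words(text):
    """Normalise an sbk.key body to eight space-separated 0x-prefixed 32-bit words."""
    tokens = text.split()
    if len(tokens) == 1:  # single 256-bit hex string, with or without 0x
        digits = tokens[0][2:] if tokens[0].lower().startswith("0x") else tokens[0]
        tokens = ["0x" + digits[i:i + 8] for i in range(0, len(digits), 8)]
    if len(tokens) != 8 or not all(re.fullmatch(r"0x[0-9a-fA-F]{8}", t) for t in tokens):
        raise ValueError("expected 256 bits: eight 32-bit hex words or 64 hex digits")
    return " ".join(tokens)


if __name__ == "__main__":
    for finding in check_fuse_xml(SAMPLE_FUSE_XML):
        print("FINDING:", finding)
    print(sbk_as_words("112233445566778899aabbccddeeff00ffeeddccbbaa99887766554433221100"))
```

Fuses cannot be unburned, so a check like this belongs before the odmfuse.sh run rather than after a failed flash.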

Hi Jerry,

I have a few questions and would appreciate your clarification.

Is it possible to first burn the BootSecurityInfo (0x3E9) and perform a boot test using the signed and encrypted image with SBKPKC keys, and then burn the OEMK1 and OEMK2 fuses later? Or is it mandatory to burn all of these fuses in a single step?

Additionally, which format of the sbk.key is recommended when passing it to the odmfuse.sh command? i.e.:

$ sudo ./odmfuse.sh -X fuse.xml -i 0x23 -k pkc.pem -S sbk.key --test jetson-agx-orin-devkit

$ cat sbk.key 
0x11223344 0x55667788 0x99aabbcc 0xddeeff00 0xffeeddcc 0xbbaa9988 0x77665544 0x33221100

or

$ cat sbk.key
112233445566778899aabbccddeeff00ffeeddccbbaa99887766554433221100

hello grajendran,

here are a couple of things for clarification:
(1) it’s recommended to burn all the fuses you need in a single operation.
(2) when you call the odmfuse script with the -X option, it’ll burn fuses with the fuse_config.xml file. however, if you add the options -k pkc.pem -S sbk.key, it means the target was previously burned with a PKC/SBK key and you have additional fuses to burn.