Jetson Orin NX - board can't flash after partial fuse burn

I need to setup jeton orin nano devkit to do the test… it may take me some time.
I don’t want this post to automatically close, so how should we proceed:
Should I open a new post when I setup the nano devkit and reference this one ?

Thanks.

Hi JerryChang,

I set up orin nano devkit and put my fused orin nx som in it.
it boots and get into recovery correctly.
Tried to run flash/odmfuseread in secure on it and it fails the same in mb1 send.
So orin nano devkit carrier exhibit the same behavior as the forecr.

Can you assert on your side that fuses can be burnt without securitymode ?

Thanks.

why don’t you perform image flash directly on devkit?
FYI, we’ve fused Orin NX with PKC+SBK+KDK+OEM_K1+OEM_K2 and SecurityMode has enabled.

  1. I tried to image flash directly on devkit - it failed on mb1 as in the forecr case
  2. Can you as nvidia assert that there is no option to burn an orin nx board in separate steps ? And so, it must be fused in a single step with security mode enabled ? Such a detail should be clearly conveyed in your docs.

Thanks.

hello ncs1,

the recommended way is to burn all fuses together instead of burning fuses step-by-step.

please confirm you’re using p3768 (Orin Nano Devkit) to reproduce this issue.
you should let tegraflash to communicate with the board via EEPROM, if that’s an issue with board communication, please try adding SKIP_EEPROM options to test again.
you may also check image flashing with different JP release version (such as JP-5.1.2/ JP-6.0 GA) as well.

Hi,

I tried other jetpack versions, and tried with SKIP_EEPROM - same issue.

I continued to burn another board, this time it seems successful, and I have communication without any issue.

I burnt it using the following xml:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="REDACTED"/>
    <fuse name="SecureBootKey" size="32" value="REDACTED"/>
    <fuse name="PscOdmStatic" size="4" value="0x60"/>
    <fuse name="OemK1" size="32" value="REDACTED"/>
    <fuse name="OemK2" size="32" value="REDACTED"/>
    <fuse name="BootSecurityInfo" size="4" value="0x209"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

In contrast to my previous attempt:

  1. SecurityMode is enabled
  2. Added the ODM valid bit for bootsecinfo
  3. defined oemk2 as KDK for uefi sb in PscOdmStatic.
  4. Burnt a single PK instead of 3.

In my opinion, there’s no option to burn nvidia orin in separate steps and only in single step with SecurityMode MUST be enabled. (sadly, nvidia didn’t confirm / deny it / documented it)

Thanks.

you may try burning SecurityMode fuse to your previous fused module for confirmation.

Hi JerryChang,

In your comment, you’re ignoring 40+ message discussion on why I couldn’t burn any other fuse after my partial burn.

Please review the matter on your end (nvidia) and document this in your guidance.

All the best.

hello ncs1,

ya, I’ve arranged resources to improve the documentation, we’ll remove those partial fuse burn steps, and suggest user to burn all fuses (including SecurityMode) in one shot.

anyways,
per [Burn Fuses with the Fuse Configuration file] section. did you tired to have additional fuses burn by following odmfuse.sh command with -k option?

Hi,

  • odmfuse.sh - doesn’t work (again, see earlier comments) and I provide the key and sbk.
  • this shouldn’t be a ‘suggestion’ it should be a clear-cut warning to burn in a single step the ORIN with security mode.
  • as said before, NVIDIA should assert this behavior on their side - go burn PKC+SBK without security mode.

All the best.

hello ncs1,

thank you for your patience. I would like to dig into this issue for the root cause.


let’s back to your partial fuse-burn target, Orin NX.
as long as your Orin NX able to enter forced-recovery mode, we can flash it, or burn fuses to it.
firstly, let’s check you’re able to put your partial fuse-burn target enter forced-recovery mode.

according to your comment,

let me double check, you’re NOT flashing image onto this target after partial fuse-burn, right?
even though you’ve enable PKC+SBK, but you’re not burning OemKeyValid fuse variable.
if that’s true.
that should be the reason why you’re booting-up with pre-flash image (non-encrypted/unsigned boot image)

let’s give it one more try,
please refer to Jetson Orin Fuse Specification to enable bit-9 of FUSE_BOOT_SECURITY_INFO_0.
in your use-case (for RSA3K+SBK),
please try again with your partial fuse-burn target with below fuse variable.
<fuse name="BootSecurityInfo" size="4" value="0x209"/>

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.