Jetson Thor secure flash fails when it tries to parse a pem file as an XML file

I’m trying to flash a Thor with disk encryption and secure boot. The fuses haven’t been burned yet. I’m saving that for later when the flashing scripts even get that far to where it matters.

Here’s how I call l4t_initrd_flash.sh:

sudo ADDITIONAL_DTB_OVERLAY_OPT="BootOrderNvme.dtbo" \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    -i "${HOME}/jetson_security_keys/20250623_152506/disk_encryption.key" \
    -u "${HOME}/jetson_security_keys/20250623_152506/ecp521-0.pem" \
    -v "${HOME}/jetson_security_keys/20250623_152506/sbk.key" \
    --uefi-keys "${HOME}/jetson_security_keys/20250623_152506/uefi_keys.conf" \
    --uefi-enc "${HOME}/jetson_security_keys/20250623_152506/uefi_payload_encryption.key" \
    --showlogs \
    --network usb0 \
    jetson-agx-thor-devkit \
    internal

This fails:

Please install the Secureboot package to use initrd flash for fused board
/home/chris/nvidia/nvidia_sdk/JetPack_7.0_Linux_JETSON_AGX_THOR_DEVKIT/Linux_for_Tegra/tools/kernel_flash/l4t_initrd_flash_internal.sh --no-flash -i /home/chris/jetson_security_keys/20250623_152506/disk_encryption.key -u /home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem -v /home/chris/jetson_security_keys/20250623_152506/sbk.key --uefi-keys /home/chris/jetson_security_keys/20250623_152506/uefi_keys.conf --uefi-enc /home/chris/jetson_security_keys/20250623_152506/uefi_payload_encryption.key --showlogs --network usb0 jetson-agx-thor-devkit internal
************************************
*                                  *
*  Step 1: Generate flash packages *
*                                  *
************************************
Run image gen script: /home/chris/nvidia/nvidia_sdk/JetPack_7.0_Linux_JETSON_AGX_THOR_DEVKIT/Linux_for_Tegra/tools/kernel_flash/l4t_create_images_for_kernel_flash.sh --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_t264_nvme.xml -u /home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem -v /home/chris/jetson_security_keys/20250623_152506/sbk.key -i /home/chris/jetson_security_keys/20250623_152506/disk_encryption.key --uefi-keys /home/chris/jetson_security_keys/20250623_152506/uefi_keys.conf --uefi-enc /home/chris/jetson_security_keys/20250623_152506/uefi_payload_encryption.key jetson-agx-thor-devkit internal
Create folder to store images to flash
Generate image for internal storage devices
Generate images to be flashed
ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo"  /home/chris/nvidia/nvidia_sdk/JetPack_7.0_Linux_JETSON_AGX_THOR_DEVKIT/Linux_for_Tegra/flash.sh --no-flash --sign -u "/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem" -v "/home/chris/jetson_security_keys/20250623_152506/sbk.key"  jetson-agx-thor-devkit internal

###############################################################################
# L4T BSP Information:
# R38 , REVISION: 2.1
# User release: 0.0
###############################################################################
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
Error: keylist is only support on t264
Error: failed to generate images
Cleaning up...

Apparently, l4t_initrd_flash.sh calls flash.sh which unconditionally treats -u as some kind of XML file:

flash.sh

# get key file if -u option provided
pkc_keylistfile=""
if [ "${keyfile}" != "" ]; then
	if [[ ! ${keyfile} =~ ^/ ]]; then
		keyfile=$(readlink -f "${keyfile}");
	fi;

	if [ "${CHIPID}" = "0x26" ]; then
		pkc_keylistfile="${keyfile}"
		get_active_key_from_keylist "${pkc_keylistfile}" keyfile
	fi

	if [ ! -f "${keyfile}" ]; then
		echo "Error: keyfile ${keyfile} not found";
		exit 1;
	fi;
fi;

This does not seem to be documented anywhere. The l4t_initrd_flash.sh options say that -u is a key file:

Usage: ./tools/kernel_flash/l4t_initrd_flash.sh <options> <board-name> <rootdev>
Where,
    -u <PKC key file>            PKC key used for ODM fused board.

flash.sh says it can be a key file or an XML file:

Usage: sudo ./flash.sh [options] <target_board> <rootdev>
  Where,
        target board: Valid target board name or 'autodetect'
        rootdev: Proper root device.
    options:
       [...]
        -u <PKC key file>------ PKC key or PKC keylist used for odm fused board.
                                This option is also used for cpu-bootloader signing in PV key feature.

What’s the play here? Reverse-engineer flash.sh and come up with an XML file?

hello chris649,

actually, you should not give PKC/SBK keys to the flash command-line if you've not fused a target yet.

I know, I wanted to defer a risky fuse burn until l4t_initrd_flash.sh had actually gotten that far. Which it can’t, because it fails trying to parse the pem file.

hello chris649,

please share the actual use-case for running flash commands with PKC/SBK keys onto unfused modules.

if that's related to the Massfuse/Massflash process, please refer to the readme file, $OUT/r38.4/Linux_for_Tegra/bootloader/README_Massfuse.txt
let's give it a try by running l4t_initrd_flash.sh with --no-flash and also --massflash for creating a signed/encrypted image blob.
for instance,
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u PKC.key -v SBK.key --no-flash --massflash 1 --network usb0 --showlogs jetson-agx-thor-devkit internal

please share the actual use-case for running flash commands with PKC/SBK keys onto unfused modules.

It’s a smoke test to make sure the flashing scripts aren’t broken before I do a risky fuse burn. I guess adding --no-flash would make more sense in this case.

That command produces the same error:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u ~/jetson_security_keys/20250623_152506/ecp521-0.pem -v ~/jetson_security_keys/20250623_152506/sbk.key --no-flash --massflash 1 --network usb0 --showlogs jetson-agx-thor-devkit internal  
[sudo] password for chris: 
/home/chris/nvidia/nvidia_sdk/JetPack_7.1_Linux_JETSON_AGX_THOR_TARGETS/Linux_for_Tegra/tools/kernel_flash/l4t_initrd_flash_internal.sh --no-flash -u /home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem -v /home/chris/jetson_security_keys/20250623_152506/sbk.key --no-flash --massflash 1 --network usb0 --showlogs jetson-agx-thor-devkit internal
************************************
*                                  *
*  Step 1: Generate flash packages *
*                                  *
************************************
Run image gen script: /home/chris/nvidia/nvidia_sdk/JetPack_7.1_Linux_JETSON_AGX_THOR_TARGETS/Linux_for_Tegra/tools/kernel_flash/l4t_create_images_for_kernel_flash.sh --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_t264_nvme.xml -u /home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem -v /home/chris/jetson_security_keys/20250623_152506/sbk.key --boot-chain-flash ALL --boot-chain-select A jetson-agx-thor-devkit internal
Create folder to store images to flash
Generate image for internal storage devices
Generate images to be flashed
ADDITIONAL_DTB_OVERLAY=""  /home/chris/nvidia/nvidia_sdk/JetPack_7.1_Linux_JETSON_AGX_THOR_TARGETS/Linux_for_Tegra/flash.sh --no-flash --sign -u "/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem" -v "/home/chris/jetson_security_keys/20250623_152506/sbk.key" --boot-chain-flash ALL --boot-chain-select A  jetson-agx-thor-devkit internal

###############################################################################
# L4T BSP Information:
# R38 , REVISION: 4.0
# User release: 0.0
###############################################################################
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
/home/chris/jetson_security_keys/20250623_152506/ecp521-0.pem:1: parser error : Start tag expected, '<' not found
-----BEGIN EC PRIVATE KEY-----
^
Error: keylist is only support on t264
Error: failed to generate images
Cleaning up...

The issue seems pretty clear from the source code of flash.sh. The Thor (chip ID 0x26) requires a keylist XML file, not a key, but the documentation for the -u argument doesn’t seem to have gotten the memo.

The Thor documentation mentions generating a keylist XML file so I’ll try that. But it’s very confusing from the documentation whether the tools expect a key or a keylist.
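A pre-flight check for the mismatch described in this thread, added here as an example and not taken from flash.sh, l4t_initrd_flash.sh or any post above. It assumes only what the quoted flash.sh excerpt shows (CHIPID 0x26 selects the keylist path); the chip id 0x23 used for the non-Thor case, the dummy key body and the placeholder XML are constructed for the demo and do not reflect the real keylist schema.

```sh
#!/bin/sh
# Pre-flight check for the -u argument (added example, not part of the L4T
# scripts): classify the file before flash.sh hands it to the XML parser, so a
# PEM given on a Thor build fails with a clear message instead of libxml2's
# "Start tag expected, '<' not found".

# Classify a file by its first non-blank line: "pem", "xml" or "unknown".
classify_key_arg() {
    first=$(awk 'NF { print; exit }' "$1" 2>/dev/null)
    case "$first" in
        -----BEGIN*) echo pem ;;
        "<"*)        echo xml ;;
        *)           echo unknown ;;
    esac
}

# Mirror the branch in flash.sh: CHIPID 0x26 (Thor, t264) takes a PKC keylist
# XML via -u; every other chip takes a single PKC key file.
# Exit status: 0 = consistent, 1 = mismatch, 2 = file missing.
check_pkc_arg() {
    chipid=$1; keyfile=$2
    [ -f "$keyfile" ] || { echo "Error: keyfile $keyfile not found" >&2; return 2; }
    kind=$(classify_key_arg "$keyfile")
    if [ "$chipid" = "0x26" ]; then
        [ "$kind" = "xml" ] && return 0
        echo "Error: CHIPID 0x26 expects a PKC keylist XML for -u, got $kind file $keyfile" >&2
        return 1
    fi
    [ "$kind" = "pem" ] && return 0
    echo "Error: CHIPID $chipid expects a single PKC key file for -u, got $kind file $keyfile" >&2
    return 1
}

# Demo on constructed sample files: the PEM body is dummy text and the XML is a
# placeholder element, not the real keylist format. Prints three status words:
# Thor+PEM (the case from this thread), Thor+XML, non-Thor (0x23 assumed)+PEM.
demo_check() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN EC PRIVATE KEY-----\nDUMMYKEYBODY\n-----END EC PRIVATE KEY-----\n' > "$dir/ecp521-0.pem"
    printf '<?xml version="1.0"?>\n<placeholder_keylist/>\n' > "$dir/pkc_keylist.xml"
    r1=ok; check_pkc_arg 0x26 "$dir/ecp521-0.pem"    2>/dev/null || r1=mismatch
    r2=ok; check_pkc_arg 0x26 "$dir/pkc_keylist.xml" 2>/dev/null || r2=mismatch
    r3=ok; check_pkc_arg 0x23 "$dir/ecp521-0.pem"    2>/dev/null || r3=mismatch
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}
```

Run `check_pkc_arg 0x26 "$keyfile"` in a wrapper before calling l4t_initrd_flash.sh to catch the mistake before image generation starts.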

hello chris649,

that's correct, for Thor (t264) series, the -u option takes in an xml file with PKC keys instead of a single-key file now. the xml file will be passed to tegraflash.py as the --key_list option; the active key indicated in the xml file will be extracted and passed to tegraflash.py as well.

hello chris649,

the parameter of the -u option is explained a little earlier in the same section, which Thor series support with a PKC key list.

  • <pkc_keyfile>:
    • For Orin series, it is a RSA 3K, ECDSA P-256, or ECDSA P-521 key file.
    • For Thor series, it is a PKC key list with active key ID. For more information, refer to Generate a PKC Key List for Jetson Thor.

FYI,
we've a doc update to revise the l4t_initrd_flash sample command-line with some improvements to make it clearer.
for example,

  • To flash an SBKPKC-fused Jetson AGX Thor target using l4t_initrd_flash.sh:
    Sign the images:
    $ sudo ./l4t_initrd_flash.sh --no-flash -u pkc_keylist.xml -v sbk.key jetson-agx-thor-devkit internal
    Flash the signed images:
    $ sudo ./l4t_initrd_flash.sh --flash-only jetson-agx-thor-devkit internal
    For more information about PKC key lists, refer to [Generate a PKC Key List for Jetson Thor].
    For more information about SBK keys, refer to [Prepare an SBK key].