Jetson TK1 u-boot "secure monitor" option (r21.8.0-sources.tbz2)

I am working on TK1 (Toradex aplalis-tk1 module), I am wondering if this “secure monitor” is the same thing with “secure boot” for TK1? I see that “secure monitor” includes the “warmboot” code, but it is the same thing, can I have the document about the signing and programming process for it on jetson TK1?


We don’t have secure boot support on TK1.

If you want, you could try to buy jetson nano. We don’t support any new feature on TK1 anymore.

You might want to see what the “help” description says…two right arrows should show that. Toradex still supports this so they could probably answer.

Toradex doesn’t give any support on secureboot, I just want to know if the L4T “secure monitor” is the same thing with secureboot

I could not say for sure on that. Someone from NVIDIA would have to answer that, but 32-bit was never well developed in terms of securing boot. Most of the development for this started in 64-bit. About the best I could suggest (other than NVIDIA answering) is to check the TK1’s documentation. In general:$product,jetson_tk1

In particular, look there for the “Jetson Platform Fuse Burning and Secure Boot Documentation and Tools” document:$product,jetson_tk1

(you might need to go to the URL, log in, and click the link a second time)

Thank you so much, linuxdev

I believe L4T R21.7 was the last support for secureboot on jetson-tk1, the document your pointed out as “Jetson Platform Fuse Burning and Secure Boot Documentation and Tools” are very clear and good, I experiment and exercised, it looks like working OK.

L4T R21.8 was the last release for jetson-tk1, there is no official document about secureboot on it, just dig into the u-boot source, it newly introduced “secure monito” module, it appears to be the same thing with secure boot on R21,7, but Nvidia never explicitly documented it, or if I missed something

hello sxiang,

there’s Tegra K1 Fuse Specification to provides an overview for TK1,
you should also moving your BSP to rel-28, please access Jetson Platform Fuse Burning and Secure Boot Documentation and Tools package for Tk1 supports.

Hello, Jerry
Let me put it in a simple way, I am using jetson-tk1 development board (model: TR375)

  1. u-boot in R21.7.0-source, without “secure monitor”, it could boot on the board very well
  2. u-boot in R21.7.0-source, with “secure monitor”, it could NOT boot on the board at all
  3. I believe “secure monitor” in R21.8-source is the same thing with “secure boot” in R21.7-source, please help confirm, if so, then do we have any document about how to setup secure boot on TK1 with “secure monitor”?
  4. When I used “” to sign u-boot-dtb-tegra.bin being built from #2, the image became around 2.0 GB, I guess the SECURE_MONITOR_BASE configuration might be wrong, please read the italic lines in below result
  5. I found that CONFIG_ARMV7_SECURE_BASE=0xffe00000, could this be the reason the wb_header is way too big?

Can you help give document about the u-boot signing process with rel-28?

Please see my result

…/ u-boot.bin …/…/…/jetson_tk1_rsa_priv.pem u-boot u-boot-spl
IMAGE_FILE: /home/myname/Desktop/jetson-tk1/Linux_for_Tegra/bootloader/ardbeg/u-boot.bin
KEY_FILE: /home/myname/Desktop/jetson-tk1/jetson_tk1_rsa_priv.pem
U_BOOT_ELF: /home/myname/Desktop/jetson-tk1/Linux_for_Tegra/bootloader/ardbeg/u-boot
U_BOOT_SPL_ELF: /home/myname/Desktop/jetson-tk1/Linux_for_Tegra/bootloader/ardbeg/u-boot-spl

  1. Extract WB_header from U-Boot
    wb_header: 0xffe08568
    uboot_base: 0x83d90000
    uboot_spl_base: 0x83d88000
    wb_header_offset: 2080900456
    wb_header: wb_header.tmp
  2. Extract WB_code from U-Boot
    wb_start: 0xffe02df0
    uboot_base: 0x83d90000
    uboot_spl_base: 0x83d88000
    wb_start_offset: 2080878064
    wb_end: 0xffe03280
    uboot_base: 0x83d90000
    uboot_spl_base: 0x83d88000
    wb_end_offset: 2080879232
    wb_len: 1168
    wb_code: wb_code.tmp
  3. Construct complete WB0
    len_insecure = 1744
    len_secure = 1744
    code_length = 1168
  4. Call WB0 signing function
    to sign length: 1200
    Extract the part of the binary that needs to be signed
    Calculate rsa-pss signature and save to wb.tmp.rsa.sig
    Reverse rsa signature byte order
    Inject rsa-pss signature wb.tmp.rsa.sig.rev into wb_header
    Generate public key modulus and save to ./key.tmp.mod
    Inject public key modulus ./key.tmp.mod.rev into wb_header
    Image signed to file wb.tmp
  5. Inject WB_header back to U-Boot image
    WarmBoot code reside in /home/myname/Desktop/jetson-tk1/Linux_for_Tegra/bootloader/ardbeg/u-boot.bin has been signed