Jetson Xavier NX DEVKIT secureboot enabled

Hi everyone,
I’m using JetPack 4.4 - L4T R32.4.3, I enabled the secure boot by using the PKC and SBK.
When Trying to flash the device, I got the following issue.

Here is the command I used to sign the images/binaries.

$ sudo BOARDID=3668 FAB=200 BOARDSKU=0000 BOARDREV=H.0 ./flash.sh --no-flash -u my_privkey.pem -v my_sbk.key jetson-xavier-nx-devkit mmcblk0p1

Here is the issue logs:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0115 ] Parsing partition layout
[   0.0123 ] tegraparser_v2 --pt secureflash.xml.tmp
[   0.0134 ] 
[   0.0134 ] Boot Rom communication
[   0.0141 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
[   0.0148 ] BR_CID: 0x88021911647147031000000013ff8140
[   0.0995 ] Bootrom returned error 22
[   0.2841 ] Boot Rom communication failed
[   0.2841 ] 
Error: Return value 22
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm

Any help would be much appreciated.

Thanks,

Hi,
Please share odmfuse.sh command for reference. Do you enable product bit(-p) in the command?

Hi @DaneLLL

Here is the command line when preparing the fuse blob.

sudo BOARDID=3668 FAB=200 ./odmfuse.sh --noburn -j -i 0x19 -c PKC -k my_privkey.pem --KEK0 my_kek0.key --KEK1 my_kek1.key --KEK2 my_kek2.key -S my_sbk.key --odm_reserved0 0x9d3404b6 --odm_reserved1 0x1c5c51b4 --odm_reserved2 0xadc5a7eb --odm_reserved3 0xb5f59b4f --odm_reserved4 0xe36e8ab5 --odm_reserved5 0x818c1131 --odm_reserved6 0x05b6e566 --odm_reserved7 0x7258373e --odm_reserved8 0xe9608420 --odm_reserved9 0x0bb995ef --odm_reserved10 0xd944f075 --odm_reserved11 0x00000000 jetson-xavier-nx-devkit

Here is the result, I mean the xml file odmfuse_pkc.xml

$ cat odmfuse_pkc.xml 
<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="ReservedOdm0" size="4" value="0x9d3404b6" />
<fuse name="ReservedOdm1" size="4" value="0x1c5c51b4" />
<fuse name="ReservedOdm2" size="4" value="0xadc5a7eb" />
<fuse name="ReservedOdm3" size="4" value="0xb5f59b4f" />
<fuse name="ReservedOdm4" size="4" value="0xe36e8ab5" />
<fuse name="ReservedOdm5" size="4" value="0x818c1131" />
<fuse name="ReservedOdm6" size="4" value="0x05b6e566" />
<fuse name="ReservedOdm7" size="4" value="0x7258373e" />
<fuse name="ReservedOdm8" size="4" value="0xe9608420" />
<fuse name="ReservedOdm9" size="4" value="0x0bb995ef" />
<fuse name="ReservedOdm10" size="4" value="0xd944f075" />
<fuse name="ReservedOdm11" size="4" value="0x00000000" />
<fuse name="SecureBootKey" size="16" value="0x6e564f1e184c4e4cb32060ee9fca278f" />
<fuse name="Kek0" size="16" value="0x2c5ec0a9c8c63f03ccb1bb048539e2fd" />
<fuse name="Kek1" size="16" value="0x0b3083d04cecea4a94fd082d349a3f45" />
<fuse name="Kek2" size="16" value="0x84e5aae92febc8220afcc05ef6ab2e6d" />
<fuse name="PublicKeyHash" size="32" value="0x0be4d85d2dd6e1acab3add77a5d6fb70c065d33d28943cc6c267664dde77594b" />
<fuse name="BootSecurityInfo" size="4" value="0x5" />
</genericfuse>
$

I didn’t enable ODM Production mode

Best regards
Ilies

Hi everyone,

When I power up my device, I have the following traces, Any idea about this ?

[0000.024] W> RATCHET: MB1 binary ratchet value 4 is too large than ratchet level 2 from HW fuses.
[0000.033] I> MB1 (prd-version: 1.5.1.3-t194-41334769-d2a21c57)
[0000.038] I> Boot-mode: Coldboot
[0000.041] I> Chip revision : A02P
[0000.044] I> Bootrom patch version : 15 (correctly patched)
[0000.049] I> ATE fuse revision : 0x200
[0000.053] I> Ram repair fuse : 0x0
[0000.056] I> Ram Code : 0x0
[0000.058] I> rst_source : 0xb
[0000.061] I> rst_level : 0x1
[0000.065] I> Boot-device: QSPI
[0000.067] I> Qspi flash params source = brbct
[0000.071] I> Qspi using bpmp-dma
[0000.074] I> Qspi clock source : pllp
[0000.078] I> QSPI Flash Size = 32 MB
[0000.081] I> Qspi initialized successfully
[0000.085] W> No valid slot number is found in scratch register
[0000.091] W> Return default slot: _a
[0000.094] I> Active Boot chain : 0
[0000.097] I> Boot-device: QSPI
[0000.100] I> Qspi flash params source = brbct
[0000.104] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0000.113] C> LOADER: Could not read mb1bct.
[0000.116] C> Fail to load mb1-bct bin
[0000.120] E> Task 24 failed (err: 0x1d1d0b08)
[0000.124] E> Top caller module: LOADER, error module: LOADER, reason: 0x08, aux_info: 0x0b
[0000.132] I> MB1(1.5.1.3-t194-41334769-d2a21c57) BIT boot status dump :
000000000001111111111011100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000

Any help would be much appreciated.

Thanks,

hello ilies.chergui,

we had confirmed fuse and flashing works on Xavier NX, we’re based-on JetPack-4.4 for testing.
please also check the steps for reference,
thanks

$ sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh --noburn -j -i 0x19 -c PKC -p -k rsa_priv.pem -S sbk.key --KEK2 kek2.key jetson-xavier-nx-devkit-emmc
$ tar xpvf fuseblob.tbz2
$ cd bootloader/
$ sudo ./fusecmd.sh
$ cd ../
$ sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u rsa_priv.pem -v sbk.key jetson-xavier-nx-devkit-emmc mmcblk0p1
$ cd bootloader/
$ sudo bash ./flashcmd.txt

Hi @JerryChang

Thanks for your response.

For your information, I don’t have the Xavier NX devkit with EMMC but I have the one with SDcard.

I tried with a command similar as yours but for my xavier nx devkit.

$ sudo BOARDID=3668 BOARDSKU=0000 FAB=200 BOARDREV=H.0 ./odmfuse.sh --noburn -j -i 0x19 -c PKC -p -k my_privkey.pem -S my_sbk.key --KEK2 my_kek2.key jetson-xavier-nx-devkit

I got an issue, please see the logs below.

• On the terminal

[   3.2537 ] tegrahost_v2 --chip 0x19 0 --updatesigheader mem_rcm_sigheader.bct.encrypt mem_rcm_sigheader.bct.hash zerosbk
[   3.2550 ] 
[   3.2551 ] Copying signatures
[   3.2558 ] tegrahost_v2 --chip 0x19 0 --partitionlayout flash.xml.bin --updatesig images_list_signed.xml
[   3.3809 ] 
[   3.3809 ] Sending BCTs
[   3.3817 ] tegrarcm_v2 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
[   3.3823 ] Applet version 01.00.0000
[   3.6385 ] Sending bct_bootrom
[   3.6390 ] [................................................] 100%
[   3.6402 ] Sending bct_mb1
[   3.6444 ] [................................................] 100%
[   3.6486 ] 00000Traceback (most recent call last):
  File "./tegraflash.py", line 1280, in <module>
    tegraflash_run_commands()
  File "./tegraflash.py", line 1149, in tegraflash_run_commands
    interpreter.onecmd(command)
  File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
    return func(arg)
  File "./tegraflash.py", line 817, in do_burnfuses
    tegraflash_burnfuses(exports, args)
  File "/home/ichergui/projects/platforms/xavier_nx_devkit/jetpack_4.4/nvidia/nvidia_sdk/JetPack_4.4_Linux_JETSON_XAVIER_NX_DEVKIT/nvidia_tests/bootloader/tegraflash_internal.py", line 1539, in tegraflash_burnfuses
    tegraflash_send_bct()
  File "/home/ichergui/projects/platforms/xavier_nx_devkit/jetpack_4.4/nvidia/nvidia_sdk/JetPack_4.4_Linux_JETSON_XAVIER_NX_DEVKIT/nvidia_tests/bootloader/tegraflash_internal.py", line 2288, in tegraflash_send_bct
    run_command(command)
  File "/home/ichergui/projects/platforms/xavier_nx_devkit/jetpack_4.4/nvidia/nvidia_sdk/JetPack_4.4_Linux_JETSON_XAVIER_NX_DEVKIT/nvidia_tests/bootloader/tegraflash_internal.py", line 198, in run_command
    log = print_process(process, enable_print)
  File "/home/ichergui/projects/platforms/xavier_nx_devkit/jetpack_4.4/nvidia/nvidia_sdk/JetPack_4.4_Linux_JETSON_XAVIER_NX_DEVKIT/nvidia_tests/bootloader/tegraflash_internal.py", line 181, in print_process
    log += str(string)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u01e7' in position 17: ordinal not in range(128)

• On the Serial UART, I got the following logs

[0002.337] W> RATCHET: MB1 binary ratchet value 4 is too large than ratchet level 2 from HW fuses.
[0002.345] I> MB1 (prd-version: 1.5.1.3-t194-41334769-d2a21c57)
[0002.351] I> Boot-mode: RCM
[0002.353] I> Chip revision : A02P
[0002.356] I> Bootrom patch version : 15 (correctly patched)
[0002.362] I> ATE fuse revision : 0x200
[0002.365] I> Ram repair fuse : 0x0
[0002.368] I> Ram Code : 0x0
[0002.371] I> rst_source : 0xb
[0002.373] I> rst_level : 0x1
[0002.377] I> USB configuration success
[0004.798] I> Handling oem command 6
[0004.801] E> NV3P_SERVER: Fuse burn is not supported.
[0005.665] I> bct_bootrom image downloaded
[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0005.682] C> LOADER: Could not read mb1bct.
[0005.686] C> Fail to load mb1-bct bin
[0005.689] C> OEM authentication of MB1-BCT failed!!!
[0005.694] E> NV3P_SERVER: Failed to verify image bct_mb1.

Please see the attached files for a complete logs.
xavier_nx_devkit_fuseblob.log (8.5 KB)
xavier_nx_devkit_burn_tegrafuses.log (24.9 KB)
xavier_nx_devkit_burn_tegrafuses_serial_uart.log (2.8 KB)

hello ilies.chergui,

according to the secureboot readme file, this applies to Jetson Xavier NX production modules.
I need to check internally whether secureboot support Jetson Xavier NX devkits,
thanks

Hello @JerryChang

What do you mean by Jetson Xavier NX production modules ? Is it the jetson-xavier-nx-devkit-emmc ?

Because I double checked the documentation even in the web site or the README_secureboot.txt, there is no mention of production module only for Jetson Nano

• From the README_secureboot.txt (secureboot_R32.4.3_aarch64.tbz2)

========================================================================
Burning PKC[DK(KEK),SBK] fuses
========================================================================
The steps for burning fuses using a private key file
PEM format are as follows:

1. Navigate to the directory where you installed L4T.
2. Put the Tegra device into Forced Recovery Mode.
3. Burn the fuse using odmfuse.sh script.

For example:
- To fuse PKC HASH from .pem file with JTAG enabled:
  sudo ./odmfuse.sh -j -i <chip_id> -c PKC -p -k <key.pem> \
  [-D <DK file> | --KEK{0-2} <KEK file>] [-S <SBK file>] <device_name>

- To fuse PKC HASH from .pem file with JTAG disabled:
  sudo ./odmfuse.sh -i <chip_id> -c PKC -p -k <key.pem> \
  [-D <DK file> | --KEK{0-2} <KEK file>] [-S <SBK file>] <device_name>

- To protect odm production fuse with JTAG enabled (for T210):
  sudo ./odmfuse.sh -j -i <chip_id> -c NS -p <device_name>

- To protect odm production fuse with JTAG disabled (for T210):
  sudo ./odmfuse.sh -i <chip_id> -c NS -p <device_name>

  Where <chip_id> is:
            - Jetson TX1: 0x21
            - Jetson Nano Production Module: 0x21
            - Jetson TX2: 0x18
            - Jetson AGX Xavier: 0x19
            - Jetson Xavier NX: 0x19
        <device_name> is:
            - Jetson TX1: jetson-tx1
            - Jetson Nano Production Module: jetson-nano-emmc
            - Jetson TX2: jetson-tx2
            - Jetson AGX Xavier: jetson-xavier
            - Jetson Xavier NX: jetson-xavier-nx-devkit-emmc

Please take a look in the Web site here

Regards,
Ilies

Hi @JerryChang

Could you please explain what happen here ?

[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0005.682] C> LOADER: Could not read mb1bct.
[0005.686] C> Fail to load mb1-bct bin
[0005.689] C> OEM authentication of MB1-BCT failed!!!
[0005.694] E> NV3P_SERVER: Failed to verify image bct_mb1.

I saw in the documentation that Nvidia introduce improvements in security MB1 Platform Configuration → OEM-FW Ratchet Configuration .

Pease take a look here

I can’t find the folder t19x/<platform>/bct/ratchet in the BSP tarball or in the Jetpack 4.4 L4T R32.4.3

Could you please confirm that ?

Best regards,
Ilies

hello ilies.chergui,

correct, production modules means emmc version.

FYI,
secureboot features are only supported for production modules. (i.e. eMMC version)

Hello @JerryChang

Is this means that my device is broken, I can not use it anymore ? Is there any solution for my issue ?

Secureboot features are only supported for production modules, this is not mentioned in the Nvidia documentation except Jetson Nano (production module). At this moment I consider all jetson platform without exception support secureboot (eMMC or SDcard versions).

hello ilies.chergui,

sorry for misunderstanding, there’s only single paragraph to mention Jetson Xavier NX production module.
please refer to README_secureboot.txt in the secureboot_R32.4.3_aarch64.tbz2 package.
for example,

For details on hardware fuses and fuse names, consult the following documents:
- NVIDIA Jetson TX1 Fuse Specification Application Note DA-08191-001_v04
- NVIDIA Jetson TX2 Fuse Specification Application Note DA-08415-001_v1.1
- NVIDIA Jetson AGX Xavier Fuse Specification Application Note DA-09342-001_v1.0

NOTE: For Jetson Nano Production Module, consult Jetson TX1 documents.
      For Jetson Xavier NX production module, consult Jetson AGX Xavier documents.

Hi @JerryChang

You did response to my question.
Could you please give an answer to the questions Q1 and Q2?

Best regards
Ilies

hello ilies.chergui,

I’m sorry to say you had broken your Xavier NX devkit since fuse programming is non-reversible.

hello ilies.chergui,

this should be an issue that ODM_Reserved8 - ODM_Reserved11 have being burned.

[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0005.682] C> LOADER: Could not read mb1bct.
[0005.686] C> Fail to load mb1-bct bin
[0005.689] C> OEM authentication of MB1-BCT failed!!!
[0005.694] E> NV3P_SERVER: Failed to verify image bct_mb1.

hello ilies.chergui,

according to below, it’s failed at mb1 stage, it stops booting the board.

[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.

we may save this board by defining the mb1bct version number as 60.
however, in the current release (l4t-r32.5), only Jetson AGX Xavier supports that, (i.e. by defining mb1bct version).
thanks

Hello @JerryChang

Thanks for the feedback, why it is an issue when ODM_Reserved8 - ODM_Reserved11 are burned ?

I don’t understand.

Hello @JerryChang

That’s really good news, could you please let me know when it will be available for Jetson Xavier NX (defining mb1bct version) ?

Thanks a lot.

hello ilies.chergui,

those fuses: ODM_Reserved8 - ODM_Reserved11 are used for rollback protection,
as I mentioned in post# 21, if they’re burned, mb1 stops booting the board. this is failed at mb1 stage due to mb1bct binary ratchet level.

I don’t have information yet, let me check internally for this item.
thanks

Hello @JerryChang
Have you an updates about defining the mb1bct version for the Jetson Xavier NX (SDcard version) ?
Thanks