Hi everyone,
I’m using JetPack 4.4 (L4T R32.4.3), and I enabled secure boot by using the PKC and SBK.
When trying to flash the device, I got the following issue.
Here is the command I used to sign the images/binaries.
$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0115 ] Parsing partition layout
[ 0.0123 ] tegraparser_v2 --pt secureflash.xml.tmp
[ 0.0134 ]
[ 0.0134 ] Boot Rom communication
[ 0.0141 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
[ 0.0148 ] BR_CID: 0x88021911647147031000000013ff8140
[ 0.0995 ] Bootrom returned error 22
[ 0.2841 ] Boot Rom communication failed
[ 0.2841 ]
Error: Return value 22
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
According to the secureboot readme file, this applies to Jetson Xavier NX production modules.
I need to check internally whether secureboot supports Jetson Xavier NX devkits.
thanks
What do you mean by Jetson Xavier NX production modules? Is it the jetson-xavier-nx-devkit-emmc?
I double-checked the documentation, both on the website and in README_secureboot.txt, and there is no mention of a production module, only for Jetson Nano.
From the README_secureboot.txt (secureboot_R32.4.3_aarch64.tbz2)
========================================================================
Burning PKC[DK(KEK),SBK] fuses
========================================================================
The steps for burning fuses using a private key file in
PEM format are as follows:
1. Navigate to the directory where you installed L4T.
2. Put the Tegra device into Forced Recovery Mode.
3. Burn the fuse using odmfuse.sh script.
For example:
- To fuse PKC HASH from .pem file with JTAG enabled:
sudo ./odmfuse.sh -j -i <chip_id> -c PKC -p -k <key.pem> \
[-D <DK file> | --KEK{0-2} <KEK file>] [-S <SBK file>] <device_name>
- To fuse PKC HASH from .pem file with JTAG disabled:
sudo ./odmfuse.sh -i <chip_id> -c PKC -p -k <key.pem> \
[-D <DK file> | --KEK{0-2} <KEK file>] [-S <SBK file>] <device_name>
- To protect odm production fuse with JTAG enabled (for T210):
sudo ./odmfuse.sh -j -i <chip_id> -c NS -p <device_name>
- To protect odm production fuse with JTAG disabled (for T210):
sudo ./odmfuse.sh -i <chip_id> -c NS -p <device_name>
Where <chip_id> is:
- Jetson TX1: 0x21
- Jetson Nano Production Module: 0x21
- Jetson TX2: 0x18
- Jetson AGX Xavier: 0x19
- Jetson Xavier NX: 0x19
<device_name> is:
- Jetson TX1: jetson-tx1
- Jetson Nano Production Module: jetson-nano-emmc
- Jetson TX2: jetson-tx2
- Jetson AGX Xavier: jetson-xavier
- Jetson Xavier NX: jetson-xavier-nx-devkit-emmc
[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0005.682] C> LOADER: Could not read mb1bct.
[0005.686] C> Fail to load mb1-bct bin
[0005.689] C> OEM authentication of MB1-BCT failed!!!
[0005.694] E> NV3P_SERVER: Failed to verify image bct_mb1.
I saw in the documentation that Nvidia introduced security improvements in MB1 Platform Configuration → OEM-FW Ratchet Configuration.
Does this mean that my device is broken and I cannot use it anymore? Is there any solution for my issue?
Secureboot features are only supported for production modules; this is not mentioned in the Nvidia documentation except for Jetson Nano (production module). At this moment I consider that all Jetson platforms without exception support secureboot (eMMC or SD card versions).
Sorry for the misunderstanding; there’s only a single paragraph that mentions the Jetson Xavier NX production module.
Please refer to README_secureboot.txt in the secureboot_R32.4.3_aarch64.tbz2 package.
For example,
For details on hardware fuses and fuse names, consult the following documents:
- NVIDIA Jetson TX1 Fuse Specification Application Note DA-08191-001_v04
- NVIDIA Jetson TX2 Fuse Specification Application Note DA-08415-001_v1.1
- NVIDIA Jetson AGX Xavier Fuse Specification Application Note DA-09342-001_v1.0
NOTE: For Jetson Nano Production Module, consult Jetson TX1 documents.
For Jetson Xavier NX production module, consult Jetson AGX Xavier documents.
This should be an issue where ODM_Reserved8 - ODM_Reserved11 have been burned.
[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0005.682] C> LOADER: Could not read mb1bct.
[0005.686] C> Fail to load mb1-bct bin
[0005.689] C> OEM authentication of MB1-BCT failed!!!
[0005.694] E> NV3P_SERVER: Failed to verify image bct_mb1.
According to the line below, it failed at the mb1 stage, so it stops booting the board.
[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
We may save this board by defining the mb1bct version number as 60.
However, in the current release (l4t-r32.5), only Jetson AGX Xavier supports that (i.e., defining the mb1bct version).
thanks
Those fuses, ODM_Reserved8 - ODM_Reserved11, are used for rollback protection.
As I mentioned in post #21, if they’re burned, mb1 stops booting the board. This fails at the mb1 stage due to the mb1bct binary ratchet level.
I don’t have information yet, let me check internally for this item.
thanks
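As an added example (not from this thread and not an NVIDIA tool), here is a small Python checker that scans an MB1 serial log for the ratchet-level line quoted above and reports the fused level that the mb1bct version would have to reach. The sample log is constructed from the lines posted in this thread, and the exact message formats are assumed only from those lines.

```python
import re
from typing import Dict, Optional

# Constructed sample of the MB1 serial-console lines quoted in the thread;
# typed in here as test input, not captured from the poster's board.
SAMPLE_LOG = """\
[0005.673] C> LOADER: mb1bct binary ratchet level 0 is less than ratchet level 60 from HW fuses.
[0005.682] C> LOADER: Could not read mb1bct.
[0005.686] C> Fail to load mb1-bct bin
[0005.689] C> OEM authentication of MB1-BCT failed!!!
[0005.694] E> NV3P_SERVER: Failed to verify image bct_mb1.
"""

# The LOADER line that reports the rollback-protection comparison: the ratchet
# level embedded in the mb1bct binary versus the level recorded in the HW fuses.
RATCHET_RE = re.compile(
    r"mb1bct binary ratchet level (?P<binary>\d+) is less than "
    r"ratchet level (?P<fuse>\d+) from HW fuses"
)
AUTH_FAIL_MARK = "OEM authentication of MB1-BCT failed"


def parse_ratchet_mismatch(log_text: str) -> Optional[Dict[str, int]]:
    """Return the two ratchet levels from an MB1 log, or None if no mismatch is logged."""
    for line in log_text.splitlines():
        m = RATCHET_RE.search(line)
        if m:
            return {"binary_level": int(m.group("binary")),
                    "fuse_level": int(m.group("fuse"))}
    return None


def diagnose(log_text: str) -> str:
    """Classify the log: ratchet mismatch, other MB1-BCT auth failure, or no failure."""
    levels = parse_ratchet_mismatch(log_text)
    if levels is not None:
        # MB1 rejects any mb1bct whose ratchet level is below the fused level, so
        # the binary's version would need to be raised to at least the fused value.
        return ("ratchet-mismatch: mb1bct level %d < fused level %d; "
                "mb1bct version must be at least %d"
                % (levels["binary_level"], levels["fuse_level"], levels["fuse_level"]))
    if AUTH_FAIL_MARK in log_text:
        return "mb1bct-auth-failed: no ratchet line, check signing/PKC instead"
    return "no-mb1bct-failure"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Feed it the text of a captured UART log to tell a rollback-protection (fuse ratchet) failure apart from a plain signature/PKC failure at the MB1-BCT stage.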