[L4T 35.4.1] How to get both UEFI SecureBoot and burning software fuses


I am trying to set up software fuses and UEFI SecureBoot on my Orin Nano Dev Kit + NVME drive.

I followed the instructions given on the L4T 35.4.1 Developer Guide but the instructions seem to be incorrect: Secure Boot — Jetson Linux Developer Guide documentation

Here are my steps:

# Step 1 - Setup L4T Environment
sudo tar –xvf Jetson_Linux_R35.4.1_aarch64.tbz2
sudo tar -xvf Tegra_Linux_Sample-Root-Filesystem_R35.4.1_aarch64.tbz2 –C Linux_for_Tegra/rootfs 
sudo tar –xvf public_sources.tbz2 
cd Linux_for_tegra/source/public 
sudo tar –xvf nvidia-jetson-optee-source.tbz2 
cd ../.. 
sudo tools/l4t_flash_prerequisites.sh 
sudo ./apply_binaries.sh

# Step 2 - Get PKC 
openssl genrsa -out rsa.pem 3072 PKCS_KEY_XML_HASH=$(./bootloader/tegrasign_v3.py --pubkeyhash rsa.pubkey rsa.hash --key rsa.pem | grep "tegra-fuse format" | awk '{print $NF}')

# Step 3 - Get SBK 
SBK_0=$(openssl rand -hex 4) 
SBK_1=$(openssl rand -hex 4) 
SBK_2=$(openssl rand -hex 4) 
SBK_3=$(openssl rand -hex 4) 
SBK_4=$(openssl rand -hex 4) 
SBK_5=$(openssl rand -hex 4) 
SBK_6=$(openssl rand -hex 4) 
SBK_7=$(openssl rand -hex 4) 
SBK_KEY=$(echo "0x${SBK_0} 0x${SBK_1} 0x${SBK_2} 0x${SBK_3} 0x${SBK_4} 0x${SBK_5} 0x${SBK_6} 0x${SBK_7}") echo "${SBK_KEY}" > sbk.key SBK_KEY_XML="0x${SBK_0}${SBK_1}${SBK_2}${SBK_3}${SBK_4}${SBK_5}${SBK_6}${SBK_7}" 
echo "${SBK_KEY_XML}" > sbk_xml.key

# Step 4 - Get KEK 
KEK_2_0=$(openssl rand -hex 4) 
KEK_2_1=$(openssl rand -hex 4) 
KEK_2_2=$(openssl rand -hex 4) 
KEK_2_3=$(openssl rand -hex 4) 
KEK_2_4=$(openssl rand -hex 4) 
KEK_2_5=$(openssl rand -hex 4) 
KEK_2_6=$(openssl rand -hex 4) 
KEK_2_7=$(openssl rand -hex 4) 
KEK_2_KEY=$(echo "0x${KEK_2_0} 0x${KEK_2_1} 0x${KEK_2_2} 0x${KEK_2_3} 0x${KEK_2_4} 0x${KEK_2_5} 0x${KEK_2_6} 0x${KEK_2_7}") 
echo "${KEK_2_KEY}" > kek.key KEK_2_KEY_XML="0x${KEK_2_0}${KEK_2_1}${KEK_2_2}${KEK_2_3}${KEK_2_4}${KEK_2_5}${KEK_2_6}${KEK_2_7}" echo "${KEK_2_KEY_XML}" > kek_xml.key KEK_2_KEY_OPTEE="${KEK_2_0}${KEK_2_1}${KEK_2_2}${KEK_2_3}${KEK_2_4}${KEK_2_5}${KEK_2_6}${KEK_2_7}" echo "${KEK_2_KEY_OPTEE}" > kek_optee.key

# Step 5 - Generate OP-TEE image 
echo $PLACEHOLDER_KEY_1 > fv_ekb_t234 
echo $PLACEHOLDER_KEY_2 > sym_t234.key 
echo $PLACEHOLDER_KEY_3 > sym2_t234.key
python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py -chip t234 -oem_k2_key kek_optee.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img

# Step 6 - Create “fuse.xml” 
echo "<genericfuse MagicId=\"0x45535546\" version=\"1.0.0\">" > fuse.xml 
echo " <fuse name=\"PublicKeyHash\" size=\"64\" value=\"${PKCS_KEY_XML_HASH}\"/>" >> fuse.xml 
echo " <fuse name=\"SecureBootKey\" size=\"32\" value=\"${SBK_KEY_XML}\"/>" >> fuse.xml 
echo " <fuse name=\"OemK2\" size=\"32\" value=\"${KEK_2_KEY_XML}\"/>" >> fuse.xml echo " <fuse name=\"BootSecurityInfo\" size=\"4\" value=\"0x209\"/>" >> fuse.xml 
echo " <fuse name=\"SecurityMode\" size=\"4\" value=\"0x1\"/>" >> fuse.xml 
echo "</genericfuse>" >> fuse.xml

# Step 7 - Burn Fuses
sudo ./odmfuse.sh -i 0x23 -k rsa.pem -S sbk.key -X fuse.xml jetson-orin-nano-devkit

# Step 8 - Create "uefi_keys" folder
mkdir uefi_keys
cd uefi_keys

# Step 9 - Create PK, KEK, db_1, db_2 keypair and certificate 
openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt
openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
openssl req -newkey rsa:2048 -nodes -keyout db_1.key -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db_1.crt
openssl req -newkey rsa:2048 -nodes -keyout db_2.key -new -x509 -sha256 -days 3650 -subj "/CN=my another Signature Database key/" -out db_2.crt

# Step 10 - Create "uefi_keys.conf" 
echo 'UEFI_PK_KEY_FILE="PK.key";' > uefi_keys.conf 
echo 'UEFI_PK_CERT_FILE="PK.crt";' >> uefi_keys.conf 
echo 'UEFI_KEK_KEY_FILE="KEK.key";' >> uefi_keys.conf
 echo 'UEFI_KEK_CERT_FILE="KEK.crt";' >> uefi_keys.conf 
echo 'UEFI_DB_1_KEY_FILE="db_1.key";' >> uefi_keys.conf 
echo 'UEFI_DB_1_CERT_FILE="db_1.crt";' >> uefi_keys.conf 
echo 'UEFI_DB_2_KEY_FILE="db_2.key";' >> uefi_keys.conf 
echo 'UEFI_DB_2_CERT_FILE="db_2.crt";' >> uefi_keys.conf

# Step 11 - Generate Auth Files 
cd .. 
sudo tools/gen_uefi_default_keys_dts.sh uefi_keys/uefi_keys.conf 
sudo chmod 644 uefi_keys/_out/*.auth

# Step 12 - Flash SOM with UEFI, software fuses
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \ 
  -u rsa.pem –v sbk.key \ 
  --uefi-keys uefi_keys/uefi_keys.conf \ 
  -p “-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml” \ 
  --showlogs –network usb0 jetson-orin-nano-devkit internal

"rsa.pem" was created in Step 2.
"sbk.key" was created in Step 3.
"uefi_keys.conf" was created in Step 10.

If I were to do these steps, I get a Flash failure / Cleaning up... from the terminal after a few minutes. Additionally, the SOM will NOT boot (I do not get any MB1, MB2 logs at all) unless I attempt a reflash.

What changes to the process do I have to make to get the system to work?

hello kevin.choi,

let’s narrow down the issue by separate SecureBoot and UEFI SecureBoot.
for instance, are you able to boot-up successfully with only SecureBoot enabled?

Yes, I can boot up successfully with only SecureBoot enabled, by adding --uefi-keys to the l4t_initrd_flash.sh script.

UEFI Secureboot it uses additional keys. please refer to Prepare the PK, KEK, db Keys.

Yes I understand that.
If you look at the top of my post, I added that in Step 9.
I create “uefi_keys.conf” using those keys.
But if I add both -u rsa.pem -v sbk.key AND --uefi-keys uefi_keys.conf, then the SOM will lock up.
Do you understand my problem?

hello kevin.choi,

please gather the complete UART logs for checking.

There is no update from you for a period, assuming this is not an issue any more.
Hence we are closing this topic. If need further support, please open a new one.

Is this still an issue to support? Any result can be shared?