Odmefuse.sh not burning SBK key


We are trying burn secure boot keys fuses on Jetson TX2 NX module. We are using the following command to burn the keys:

sudo bash -x ./odmfuse.sh  -c SBKPKC --disable-jtag -i 0x18 -p -k <...>/rsa_priv.pem  -S <...>/sbk.txt  2-5-nx-devkit-tx2-nx

Everything works fine, when using test or noburn options, however, when we try to burn the keys to the device, the SBK key is not burned.
Instead, the device is burned in PKC mode, and the SBK key is all zeros.

We are using the following versions:

  • Jetpack 4.6.4
  • L4T 32.7.4

Following log lines are look suspicious (full logs below):

[   0.0110 ] tegrasign_v3.py --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0111 ] Assuming zero filled SBK key


[   3.8175 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[   3.8200 ] Applet version 01.00.0000
[   4.6980 ] 0000000000000001: Oem commands are not supported
[   4.6983 ] Fuse burning failed

lastfuse.log (167.6 KB)

hello shai.segev,

it looks you’re using an incorrect commands.
FYI, -c options to specify board authentication types, it should be NS (No authentication) since you’re performing fuse burning to non-fuse target.
if you have target already fused with PKC. you cannot perform odmfuse.sh again to add SBK keys by setting authentication type as SBKPKC.

may I know what’s the actual fuse status of your target?

Hi @JerryChang,
I an attempting to burn to a non-fuse target. I’ve also tried without the -c or --auth which should default to ns as far as I understood but then I see the same behavior where the sbk is omitted and a zero key is assumed.
I am fully aware, that the SBK cannot be added, I already have 3 devices that are in PKC mode the testify to that :).

hello shai.segev,

please see-also Topic 208426 for referenece.
and… you may also examine those fuse variables by odmfuseread.sh.

Hi I am still stuck and will appreciate any help.
We have looked into the odmfuse.sh script to try to figure out what is going on.
We are down to our last devices and need to be sure we are doing the right thing before we can move to test on physical device.

  • The -c option is obsolete and has no affect.
  • Tried the --auth PKCSBK and does not seem to have affect when in online or hybrid mode.
  • I followed the code as much as I could, I see the SBK key being written to bootloader/odmfuse_pkc.xml in the “SecureBootKey” tag but then I see that it is not used and the key is not passed to the tegrasign_v3.py
  • This command sudo BOARDID="3636" FAB="100" ./odmfuse.sh --test --noburn --auth SBKPKC --disable-jtag -i 0x18 -p -k /home/shai/rsa_priv.pem -S /home/shai/sbk.txkit-tx2-nx-5-nx-devk seems to work and I see many references to the sbk and that tegrasign_v3.py is call with the --key

hello shai.segev,

may I know what’s the current device’s fuse state?

this “–auth” option is only needed in offline mode.
it’s indicating the current fuse status of the board. there’re three options need to enabled all together for the offline approach,
such as… (a) board info, (b) --noburn, (c) --auth.

this offline approach will generate a fuse blob (i.e. fuseblob.tbz2),
after process complete, developers could share this file to the factory floor for actual burning the boards.

Hi Jerry,
The devices I worked with are devices with nothing burned on them. Basically, those devices were not used before.
I’d be glad to understand why online mode is not working. I run in offline mode to compare the results. I does look different but still I hesitant to use the blob generated given the problems we have with online mode.

this looks like incorrect commands, or… it’s sending incorrect commands to fuse script.
may I know what’s your host machine’s environment? for instance, is it a desktop with native ubuntu OS?

uname -a result.

 uname -a
Linux jig8 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

The board we are using is a propriatary board. We are able to flash the device and burn the fuses to PKC mode. So the hardware should be ok.
Also tried with Gunstix board with same results

hello shai.segev,

here’s an explanation to ignore these two messages.
Assuming zero filled SBK key
Warning: pub_key.key is not found
as you can see, it’s calling tegrasign_v3.py, for example, tegrasign_v3.py --key None .. --pubkeyhash pub_key.key
because it’s command with a None key, --key None and, pub_key.key were passed in as zero by default.

had you try running odmfuseread for checking fuse variables?

Hi Again,
Yes, I ran odmfuseread and as expected the sbk is zeroed out.
My question is, why the code is assuming zero filled SBK in the first place? I am providing an SBK file which is not all zeros, it should use it instead.

The sbk file I’m providing looks like this:

0x12345678 0x9abcdef0 0xfedcba98 0x76543210

As far as I understood from the documentation, the SBK should be 4 32 bit random numbers (words), is that the case?
What am I missing? why we are not able to burn the SBK we configure?

hello shai.segev,

as mentioned above, please simply ignore that messages reported by flash script.

let me double confirm what’s your previous commands to enable SecureBoot.
for instance, had you add -p options to program device as production mode?

Yes, I am using the -p option

hello shai.segev,

the ODM production fuse is a global lock of all the manufacturing fuses.
please refer to Jetson TX2 NX Fuse Specification for checking [ODM Production Fuse].

Hi JerryChang,
I am not sure how this reference should help. Odmfuseread of a burned device clearly states that the device security is set to PKB and the SBK contains all zeros.

./odmfuseread.sh -i 0x18 -k /home/xxx-jig/shai/rsa_priv.pem  -S /home/xxx-jig/shai/sbk.txt  nt-su-2-5-nx-devkit-tx2-nx
++ dirname ./odmfuseread.sh
+ cd .
+ source ./odmfuse.func
++ FUSE_READ_OUTPUT=fuse_info.txt
++ FUSES_KEYS=("PublicKeyHash" "SecureBootKey" "Kek0" "Kek1" "Kek2" "Kek256")
++ FUSES_MANUFACTURING=("BootSecurityInfo" "JtagDisable" "SecurityMode" "SwReserved" "DebugAuthentication" "OdmId")
++ FUSES_ODM_RESERVED=("OdmLock" "ReservedOdm0" "ReservedOdm1" "ReservedOdm2" "ReservedOdm3" "ReservedOdm4" "ReservedOdm5" "ReservedOdm6" "ReservedOdm7")
++ FUSES_T19X_EXTRA_ODM=("ReservedOdm8" "ReservedOdm9" "ReservedOdm10" "ReservedOdm11")
++ tid=
++ usb_instance=
++ BL_DIR=
+ getopts i:k:S: OPTION
+ case $OPTION in
+ tid=0x18
+ getopts i:k:S: OPTION
+ case $OPTION in
+ KEYFILE=/home/xxx-jig/shai/rsa_priv.pem
+ getopts i:k:S: OPTION
+ case $OPTION in
+ SBKFILE=/home/xxx-jig/shai/sbk.txt
+ getopts i:k:S: OPTION
+ '[' /home/xxx-jig/shai/sbk.txt '!=' '' ']'
+ '[' /home/xxx-jig/shai/rsa_priv.pem = '' ']'
+ '[' 0x18 = '' ']'
+ '[' 0x18 '!=' 0x18 ']'
+ shift 6
+ '[' 1 -ne 1 ']'
+ cmd_target_board=nt-su-2-5-nx-devkit-tx2-nx
+ '[' '!' -r nt-su-2-5-nx-devkit-tx2-nx.conf ']'
++ pwd
+ LDK_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra
++ readlink -f /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra
+ LDK_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra
+ source nt-su-2-5-nx-devkit-tx2-nx.conf
++ source /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/p3636.conf.common
+++ ODMDATA=0x2090000
+++ CHIPID=0x18
+++ EMMC_CFG=flash_l4t_t186.xml
+++ BOOTPARTSIZE=8388608
+++ EMMCSIZE=15766388736
+++ BPFDTB_FILE=tegra186-bpmp-p3636-0001-a00-00.dtb
+++ EMMC_BCT=tegra186-mb1-bct-memcfg-p3636-0001-a01.cfg
+++ DTB_FILE=tegra186-p3636-0001-p3509-0000-a01.dtb
+++ TBCDTB_FILE=tegra186-p3636-0001-p3509-0000-a01.dtb
+++ '[' -z '' ']'
+++ CMDLINE_ADD='console=ttyS0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 isolcpus=1-2'
+++ target_board=t186ref
+++ ROOT_DEV='mmcblk0p12 ------------ internal eMMC.
        sda1 ----------------- external USB devices. (USB memory stick, HDD)
        eth0 ----------------- nfsroot via RJ45 Ethernet port.
        eth1 ----------------- nfsroot via USB Ethernet interface.'
+++ TEGRABOOT=bootloader/t186ref/nvtboot.bin
+++ WB0BOOT=bootloader/t186ref/warmboot.bin
+++ FLASHER=bootloader/nvtboot_recovery_cpu.bin
+++ BOOTLOADER=bootloader/nvtboot_cpu.bin
+++ INITRD=bootloader/l4t_initrd.img
+++ TBCFILE=bootloader/cboot.bin
+++ BPFFILE=bootloader/bpmp.bin
+++ TOSFILE=bootloader/tos.img
+++ EKSFILE=bootloader/eks.img
+++ MTSPREBOOT=bootloader/preboot_d15_prod_cr.bin
+++ MTS=bootloader/mce_mts_d15_prod_cr.bin
+++ MB1FILE=bootloader/mb1_prod.bin
+++ SOSFILE=bootloader/mb1_recovery_prod.bin
+++ MB2BLFILE=bootloader/nvtboot_recovery.bin
+++ BCT=--sdram_config
+++ BINSARGS='--bins "'
+++ DEV_PARAMS=emmc.cfg
+++ SCR_CONFIG=minimal_scr.cfg
+++ SCR_COLD_BOOT_CONFIG=mobile_scr.cfg
+++ MISC_CONFIG=tegra186-mb1-bct-misc-si-l4t.cfg
+++ PINMUX_CONFIG=tegra186-mb1-bct-pinmux-p3636-0001-a00.cfg
+++ PMC_CONFIG=tegra186-mb1-bct-pad-p3636-0001-a00.cfg
+++ PMIC_CONFIG=tegra186-mb1-bct-pmic-p3636-0001-a00.cfg
+++ PROD_CONFIG=tegra186-mb1-bct-prod-p3636-0001-a00.cfg
+++ BOOTROM_CONFIG=tegra186-mb1-bct-bootrom-p3636-0001-a00.cfg
+++ VERFILENAME=emmc_bootblob_ver.txt
+++ SMDFILE=slot_metadata.bin
+++ rootfs_ab=0
+++ disk_enc_enable=0
+++ [[ '' == 1 ]]
+++ [[ '' == '' ]]
+++ [[ '' == 1 ]]
+++ [[ '' == 1 ]]
+ BL_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader
+ TARGET_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/t186ref
+ KERNEL_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/kernel
+ DTB_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/kernel/dtb
+ odmfuse_init 0x18 '' '' /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/t186ref /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra /home/xxx-jig/shai/sbk.txt /home/xxx-jig/shai/rsa_priv.pem
+ tid=0x18
+ usb_instance=
+ BL_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader
+ TARGET_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/t186ref
+ LDK_DIR=/home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra
+ SBKFILE=/home/xxx-jig/shai/sbk.txt
+ KEYFILE=/home/xxx-jig/shai/rsa_priv.pem
+ read_fuse_values
+ local READ_CMD=
+ local out_bootauth=
+ local out_fuseargs=
+ get_fuse_level __fuselevel __hwchipid __hwchiprev __bootauth skipuid
+ local ECID
+ local rcmcmd
+ local inst_args=
+ local idval_1=
+ local idval_2=
+ local flval=
+ local baval=None
+ local hwchiprev=
+ local flvar=__fuselevel
+ local hivar=__hwchipid
+ local hrvar=__hwchiprev
+ local bavar=__bootauth
+ local skuid=skipuid
+ '[' -f /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/tegrarcm_v2 ']'
+ rcmcmd=tegrarcm_v2
+ '[' -n '' ']'
+ pushd /home/xxx-jig/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader
++ ./tegrarcm_v2 --uid
++ grep BR_CID
++ cut '-d ' -f2
+ ECID=0xe18010016411d1800000000010018300
+ popd
+ '[' 0xe18010016411d1800000000010018300 '!=' '' ']'
+ idval_1=0x18
+ eval '__hwchipid="0x18"'
++ __hwchipid=0x18
+ idval_2=0x10
+ flval=e
+ baval=NS
+ '[' 0x18 = 0x21 -o 0x18 = 0x12 -o 0x18 = 0x00 -a 0x10 = 0x21 ']'
+ '[' 0x18 = 0x80 ']'
+ case ${flval} in
+ flval=fuselevel_production
+ baval=PKC
+ eval '__fuselevel="fuselevel_production"'
++ __fuselevel=fuselevel_production
+ eval '__bootauth="PKC"'
++ __bootauth=PKC
+ eval '__hwchiprev=""'
++ __hwchiprev=
+ eval 'skipuid="--skipuid"'
++ skipuid=--skipuid
+ check_sbk_pkc PKC /home/xxx-jig/shai/rsa_priv.pem /home/xxx-jig/shai/sbk.txt
+ local __auth=PKC
+ local __pkc=/home/xxx-jig/shai/rsa_priv.pem
+ local __sbk=/home/xxx-jig/shai/sbk.txt
+ case ${__auth} in
+ '[' /home/xxx-jig/shai/rsa_priv.pem = '' ']'
+ '[' /home/xxx-jig/shai/sbk.txt '!=' '' ']'
+ echo -n 'Error: Either RSA key file is not provided or SBK key '
Error: Either RSA key file is not provided or SBK key + echo 'file is provided for PKC protected target board.'
file is provided for PKC protected target board.
+ exit 1

Our understanding from the documents is that the following command.

./odmfuse.sh  --disable-jtag -i 0x18 -p -k <...>/rsa_priv.pem  -S <...>/sbk.txt  2-5-nx-devkit-tx2-nx

Should burn the fuses to SBKPKC mode. However, we clearly see that its not.
My questions are:

  1. Is that the correct syntax and parameters to burn TX2 NX in SBKPKC mode?
  2. Apart from creating the keys, are there any additional steps that are missing?
  3. If we are doing all the required steps correctly, what can we do to troubleshoot?


hello shai.segev,

don’t it be your 2nd trial for burning fuse to the same target?
am I understand correctly that it’s your 1st approach to burn PKC with -p option enabled,
after that, you’ve 2nd approach to burn the target with SBKPKC without success.

Hi JerryChang,
NO, I am attempting to do in one command.
This is the command I am using.

./odmfuse.sh  --disable-jtag -i 0x18 -p -k <...>/rsa_priv.pem  -S <...>/sbk.txt  2-5-nx-devkit-tx2-nx

My understanding is that since I provide both -k, -S and -p, it should burn everything in one go.
Is that the correct command? Am I missing any steps?

Please refer to this command with --auth NS:
TX2NX fuse noburn doesn't generate public key in odmfuse_pck.xml

Your command has 2-5-nx-devkit-tx2-nx but it should be jetson-xavier-nx-devkit-tx2-nx

And please use the two-step method(the example is AGX Xavier):
Unable to burn fuses (dev kit) / no more output (serial/hdmi) / bricked? - #89 by DaneLLL

to generate a odmfuse_pkc.xml to make sure it is correct, and to fuse one device for validation. And then you can use it for all devices.

Thanks for the response.
Can you help locate bootloader/fusecmd.sh I don’t have it on my disk where do I get it from?

I am running the command:

BOARDID=3636 FAB=100 ./odmfuse.sh --noburn -c SBKPKC --disable-jtag -i 0x18 -p -k /.../rsa_priv.pem  -S /.../sbk.txt  jetson-xavier-nx-devkit-tx2-nx
I get the following:

The option -c is obsolete now.
If you’re running this script with boards connected, “-c” is not needed.
If you’re running this script without boards connected(offline mode),
use “–auth” to indicate the authentication type of the board instead.

*** Error: --auth is missing.

Tried executing with --auth and got the following odmfuse_pkc.xml

<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="SecurityMode" size="4" value="0x1" />