Odmfuse.sh always burns pkc_disable

Hi, lately I’ve been trying to enable secure boot on Jetson Nano production modules, and I’ve already messed up 2 for the same reason:
First I tried:

sudo ./odmfuse.sh -c PKC -i 0x21 -k rsa_priv.pem

To burn the public_key_hash expecting to burn odm_production_mode in another round (just to be sure the fuses were burnt correctly).
But when I checked the fuses on the device with tegraflash.sh, pkc_disable had value 1, which means secure boot was disabled. So, the unsigned image that was already flashed booted normally.

For the second I tried:

sudo ./odmfuse.sh -c PKC -i 0x21 -p -k rsa_priv.pem

To burn both odm_production_mode and public_key_hash at the same time. And as a result I got the same: both fuses burnt correctly, plus pkc_disable also at 1 again.
So, basically my issue is what the title said: odmfuse.sh is always burning pkc_disable to 1 even when not instructed to.

I’m using the latest of everything:
Tegra210_Linux_R32.4.2_aarch64.tbz2 L4T release (not latest stable)
secureboot_R32.2.0_aarch64.tbz2 (while writing this I just noticed 32.3.1 is also available)

So, my question is:
Is it a known issue?
Maybe it is a version incompatibility issue?
Is there any working sequence of steps to enable secure boot on Jetson Nano? (Documentation and latest version of the script disagree in several points)

hello cr1,

there are default values for PKC crypto types, you may enable security without boot authentication by NS for checking.

Sorry, I didn’t really understand your answer.
To enable security I should run odmfuse.sh with -c NS? And will it keep PKC_DISABLE at 0?
thanks in advance

hello cr1,

pkc_disable=0x1 means NS mode.
if you did not specify it as production mode (-p), pkc_disable would be burned to 0x1;
for the steps to enable secureboot, you will need to specify all commands at once, so that pkc_disable is burned as 0x0.
for example,
$ sudo ./odmfuse.sh -i 0x21 -c PKC -p -k pkc.pem -o 0x0000000000000000000000000000000000000000000000000000000100000000

please download the latest release package for verification.
you may also check similar discussion thread for reference, Topic 118476, and Topic 118354.

I had already read both Topic 118476 and Topic 118354. I did try to burn all at once, as I said in my original comment. Almost exactly the same line that you just sent me, except for the -o value (that I don’t really need for now).
Would that make any difference? Conceptually it doesn’t seem like it should.

I’ll try to upgrade to the latest version and try again, but I don’t have that many devices to try and fail 😅. So I want to be as informed as I can to be as sure as I can that it WILL work the next time I do it.
This can’t be tested in the devkits, right?

hello cr1,

the major difference would be burning with production mode (-p) to make pkc_disable 0x0.
please download all the latest release packages for verification.