Hi, lately I’ve been trying to enable secure boot on production-module Jetson Nanos, and I’ve already messed up 2 for the same reason:
First I tried:
sudo ./odmfuse.sh -c PKC -i 0x21 -k rsa_priv.pem
To burn the public_key_hash, expecting to burn odm_production_mode in another round (just to be sure the fuses were burnt correctly).
But when I checked the fuses on the device with
pkc_disable had value 1, which means secure boot was disabled. So, the unsigned image that was already flashed booted normally.
For the second I tried:
sudo ./odmfuse.sh -c PKC -i 0x21 -p -k rsa_priv.pem
To burn both public_key_hash at the same time. And as a result I got the same: both fuses burnt correctly, plus pkc_disable also at 1 again.
So, basically my issue is what the title said: odmfuse.sh is always burning pkc_disable into 1 even when not instructed to.
I’m using the latest of everything:
Tegra210_Linux_R32.4.2_aarch64.tbz2 L4T release (not latest stable)
secureboot_R32.2.0_aarch64.tbz2 (while writing this I just noticed 32.3.1 is also available)
So, my question is:
Is it a known issue?
Maybe it is a version incompatibility issue?
Is there any working sequence of steps to enable secure boot on Jetson Nano? (Documentation and latest version of the script disagree in several points)
There are default values for PKC crypto types; you may enable security without boot authentication by NS for checking.
Sorry, I didn’t really understand your answer.
To enable security I should run odmfuse.sh with -c NS? And will it keep PKC_DISABLE at 0?
Thanks in advance.
pkc_disable=0x1 means NS mode.
If you did not specify it as production mode (-p), pkc_disable would be burned to 0x1.
For the steps to enable secure boot, you will need to specify all commands at once, so that pkc_disable is burned as 0x0.
$ sudo ./odmfuse.sh -i 0x21 -c PKC -p -k pkc.pem -o 0x0000000000000000000000000000000000000000000000000000000100000000
Please download the latest release package for verification.
You may also check similar discussion threads for reference, Topic 118476 and Topic 118354.
I had already read both Topic 118476 and Topic 118354. I did try to burn all at once, as I said in my original comment. Almost exactly the same line that you just sent me, except for the -o value (that I don’t really need for now).
Would that make any difference? Conceptually it doesn’t seem like it should.
I’ll try to upgrade to the latest version and try again, but I don’t have that many devices to try and fail 😅. So I want to be as informed as I can to be as sure as I can that it WILL work the next time I do it.
This can’t be tested on the devkits, right?
The major difference would be burning with production mode (-p) to make pkc_disable 0x0.
Please download all the latest release packages for verification.
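
Added example, not part of the original thread and not NVIDIA code: a pre-flight lint for an odmfuse.sh command line, based on the reply above that pkc_disable is burned to 0x1 unless -p is given together with -c PKC in a single invocation. The helper name check_odmfuse_args is hypothetical, and only the flags that appear in this thread (-c, -i, -p, -k) are interpreted; it checks the command line only and does not read or burn fuses.

```shell
#!/bin/sh
# Added example, not NVIDIA code. check_odmfuse_args is a hypothetical helper.
# It interprets only flags that appear in this thread: -c, -i, -p, -k.
# Pass it the exact arguments you intend to give odmfuse.sh.
check_odmfuse_args() {
    mode="" chip="" key="" prod=0 prev="" rc=0
    for arg in "$@"; do
        # A flag that takes a value is followed by that value.
        case "$prev" in
            -c) mode=$arg ;;
            -i) chip=$arg ;;
            -k) key=$arg ;;
        esac
        if [ "$arg" = "-p" ]; then prod=1; fi
        prev=$arg
    done

    if [ "$mode" != "PKC" ]; then
        echo "FAIL: -c is '$mode'; boot authentication needs -c PKC" >&2
        rc=1
    fi
    if [ "$prod" -ne 1 ]; then
        # Per the thread: without -p, pkc_disable is burned to 0x1 (NS mode).
        echo "FAIL: -p missing; pkc_disable would be burned to 0x1" >&2
        rc=1
    fi
    if [ -z "$chip" ]; then
        echo "FAIL: -i <chip id> missing" >&2
        rc=1
    fi
    if [ -z "$key" ] || [ ! -r "$key" ]; then
        echo "FAIL: -k key file missing or unreadable: '$key'" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed demo: the first command from the thread (no -p) is rejected.
check_odmfuse_args -c PKC -i 0x21 -k rsa_priv.pem || echo "not safe to burn"
```

Run the check with the same arguments on the host before invoking odmfuse.sh, and proceed only when it returns 0.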