Hi,
I would like to use secure boot features on Jetson Nano. If I use odmfuse with PKC only it runs without error:
sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem
*** Calculating HASH from keyfile /home/balazad/nano/nano_priv.pem ... done
PKC HASH: 0x791c44563ad7ef6de799843b2a7166d97b13411edbebcb40241529fde0b14ed6
*** Generating fuse configuration ... done.
done.
*** Start fusing ...
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0013 ] Parsing fuse info as per xml file
[ 0.0022 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[ 0.0031 ]
[ 0.0031 ] Generating RCM messages
[ 0.0038 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0046 ] RCM 0 is saved as rcm_0.rcm
[ 0.0049 ] RCM 1 is saved as rcm_1.rcm
[ 0.0049 ] List of rcm files are saved in rcm_list.xml
[ 0.0049 ]
[ 0.0049 ] Signing RCM messages
[ 0.0056 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0062 ] Assuming zero filled SBK key
[ 0.0101 ]
[ 0.0101 ] Copying signature to RCM mesages
[ 0.0108 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[ 0.0117 ]
[ 0.0118 ] Boot Rom communication
[ 0.0124 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[ 0.0130 ] BR_CID: 0x321010016441f807000000000c060440
[ 0.1064 ] RCM version 0X210001
[ 0.2022 ] Boot Rom communication completed
[ 1.2114 ]
[ 1.2115 ] Blowing fuses
[ 1.2136 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[ 1.2154 ] Applet version 00.01.0000
[ 1.4001 ] Successfully burnt fuses as per fuse info blob
[ 1.4129 ]
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.
When I try to specify Device Key I get the following error:
sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -D ../nano_dk.key
*** Error: SBK is missing.
I thought SBK is not supported on Jetson Nano, the documentation says the followings:
Secureboot Key (SBK): AES encryption key for encrypting bootloader (T186 and T194).
If I try to call odmfuse with DK and SBK I always get the following error:
sudo ./odmfuse.sh -i 0x21 -c PKC -k ../nano_priv.pem -D ../nano_dk.key -S ../nano_sbk.key
*** Calculating HASH from keyfile /home/balazad/nano/nano_priv.pem ... done
PKC HASH: 0x791c44563ad7ef6de799843b2a7166d97b13411edbebcb40241529fde0b14ed6
*** Generating fuse configuration ... done.
done.
*** Start fusing ...
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0013 ] Parsing fuse info as per xml file
[ 0.0023 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[ 0.0036 ]
[ 0.0037 ] Generating RCM messages
[ 0.0044 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0051 ] RCM 0 is saved as rcm_0.rcm
[ 0.0054 ] RCM 1 is saved as rcm_1.rcm
[ 0.0054 ] List of rcm files are saved in rcm_list.xml
[ 0.0054 ]
[ 0.0055 ] Signing RCM messages
[ 0.0062 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0070 ] Assuming zero filled SBK key
[ 0.0116 ]
[ 0.0116 ] Copying signature to RCM mesages
[ 0.0127 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[ 0.0139 ]
[ 0.0140 ] Boot Rom communication
[ 0.0148 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[ 0.0156 ] BootRom is not running
[ 0.1514 ]
[ 0.1515 ] Blowing fuses
[ 0.1546 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[ 0.1574 ] Applet version 00.01.0000
[ 0.3422 ] Failed to burn fuses as per fuse info blob, Error:1179996997
[ 0.3617 ] 0000005c: Failed to process oem command
[ 0.3619 ]
Error: Return value 92
Command tegrarcm --oem blowfuses blow_fuse_data.bin
failed.
How should I use odmfuse.sh if I want to use PKC and DK together?
Kind regards,
Adam