Orin nano devkit tegrasign_v3.py isn't found

We flashed our Orin Nano dev kit with the NVIDIA SDK according to the guide here:

Log files from the SDK are attached. We are using an NVMe SSD.

After doing so we connected the devkit to Ethernet and a screen (through the DisplayPort), and the system seems to boot fine. We wanted to try the security features of generating keys, creating a hash, and fusing them to encrypt the disk, use secure boot, etc.
The openssl lib also seems to work fine and the key files are generated, but we can’t seem to find the tegrasign_v3.py script that is needed afterwards. We are not sure whether we had an error during the flashing process and therefore the files weren’t installed properly, or whether we are simply not using these features correctly, and we would like some help since we couldn’t figure it out from the guide here:
https://docs.nvidia.com/jetson/archives/r36.2/DeveloperGuide/SD/Security/SecureBoot.html

Thank you in advance.

SDKM_logs_2024-03-07_12-02-41.zip (358.6 KB)
SDKM_logs_JetPack_6.0_DP_Linux_for_Jetson_Orin_Nano_modules_2024-03-07_11-45-01.zip (188.9 KB)

Hello yuvalda,

Did you mean you’re trying to create a fuse blob on the target (i.e. Jetson Orin Nano)?

Actually, SDK Manager should also install the JP-6 release image to your local host machine.
You should have tegrasign_v3.py within the release image,
for instance, ~/nvidia/nvidia_sdk/JetPack_6.0_DP_Linux_DP_JETSON_AGX_ORIN_TARGETS/Linux_for_Tegra/bootloader/tegrasign_v3.py

Thank you,
This is what I was trying to accomplish.
I will try to find those files on my host PC.
I thought that after flashing and installing the JetPack SDK components on the Orin Nano I wouldn’t need the host PC any more. Did I misunderstand the working topology of the devkit?

Hello yuvalda,

Yes, you still need a host machine for deployment.
You may further check $OUT/Linux_for_Tegra/bootloader/README_Massfuse.txt for creating a fuse blob. It’s possible to fuse multiple Jetson devices simultaneously.

Thank you jerry,
I looked at it, and indeed I have all the files and scripts on the host PC, and I saw the readme you mentioned.
We are currently far from deployment and still in the “figuring out” stage, and I thought, for some reason, that after flashing the target (Orin Nano devkit), using a host PC would be optional and not a requirement.
I see now that this isn’t the case even if we have only one devkit at the moment. In that regard, do other security features like disk encryption and OP-TEE also require a host PC for setup and testing?

You’ll need to apply a custom key to regenerate the EKS image.
Please also see the developer guide, Tool for EKB Generation section.
Or you may also see Topic 270934 for the steps to enable disk encryption with a custom key.

Thank you,
for now we are trying to focus on the secure boot feature.
We are trying to follow the guide here:
https://docs.nvidia.com/jetson/archives/r36.2/DeveloperGuide/SD/Security/SecureBoot.html
Is there a way we can verify the correctness of the signing for the image without burning the fuses? Meaning, testing that secure boot will work, to avoid bricking the devkit due to wrong fusing?
Also, is there a standard procedure for creating the “sbk-32.key”, like with the “pkc.pubkey”?

There’s a --test option; please also see Burn Fuses with the Fuse Configuration file.
Recap as follows:

NVIDIA strongly recommends that you use the --test option to verify fuse burning operations before you perform them.

Please refer to Prepare an SBK key; you may use an HSM to generate a truly random number for the SBK key.

BTW, r36.2 is still a DP (Developer Preview) version.
You may use it for testing and evaluation; it’s not suggested to enable SecureBoot with this version.

Thank you for the help,
I think we can carry on with our tests for now; I will open another question if needed.
About r36.2, is there a date for its release as a production version?

FYI, the JP-6 production version is scheduled for Q2/2024.