Partition flashing and mass flashing for secure boot

Hello
Related to my previous question, I have following questions.

  1. Can I flash only EKS and RootFS partitions with -u and -v option for secure boot? (Please assume relevant fuse is burnt.)

  2. When I have mfi (mass flash image) environment which includes not signed, not encrypted system.img, can I flash a image with -u and -v option with the mfi to enable secure boot? Or do I have to recreate a different mfi for secure boot?

hello akudo,

>>Q1

partition flash (i.e. -k A_eks) has forbidden once you enable secureboot.

>>Q2

I’ve never tested it before, it should not works in theory.
please re-create mfi package by checking $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt for [Workflow 8: Secure initrd Massflash].

Hi JerryChang

Thank you for your answer.

Hi JerryChang,

Regarding the Q1 answer, how about RootFS partition? Can it be reflashed with the same key file of secure boot?

hello akudo,

although the root-of-trust that uses the NVIDIA SoCs fuses to authenticate boot codes ends at the Bootloader.
flash process will interrupted if you’re not given PKC/SBK keys to a fused target.

Hi JerryChang,
Sorry, my question was bad.
Let me try again as follows.

step 1) We obtain a customized flash image for a customized board from the OEM vendor. At this step, FUSE is not burnt, but internal (qspi) is customized by the OEM and we (ODM) must not change it except EKS partition.

step 2) We (ODM) burn FUSE for secure boot and disk encryption (e.g. PKC, SBK, and K1)

  • Flash EKS partition with the PKC/SBK key files
  • Flash modified RootFS partition with the same key files.

step 3) On top of the above device state, is it possible to flash a different RootFS partition with the same PKC/SBK files in future?

hello akudo,

it’s doable as long as you’ve all the key files fused to the target.

Thank you, JerryChang, for your confirmation.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.