Postmortem: Jetson Xavier AGX will not get past Boot ROM after burning PKC+SBK+KEK256

JerryChang · March 21, 2022, 2:33am

hello ticotimo,

Q1>
ya, that should be using pyhton3, it should be comment messages did not up to date.

Q2>

command-line with --noburn.
- sudo FAB=400 BOARDID=2888 BOARDSKU=0001 BOARDREV=L.0 ./odmfuse.sh -i 0x19 -p --noburn --auth SBKPKC -k ../rsa_priv.pem --KEK2 ../kek2_hex_file --KEK256 ../kek256_hex_file -S ../sbk_hex_file jetson-agx-xavier-devkit
- this command-line is running at offline mode, in the offline mode, the --auth options is used to indicate the board fuse status, because there is no boards connected, so odmfuse.sh doesn’t have a chance to know the board’s fuse status.
- in this scenario… since the target has burned with PKC+SBK, -k is used to sign the encrypted images; -S is the command to encrypt the images. in the end, there only --KEK2 and KEK256 will be burned to the board, then it appears in the odmfuse_pkc.xml.
command-line with --test.
- sudo ./odmfuse.sh --test -i 0x19 -c SBKPKC -p -k ../rsa_priv.pem -S ../sbk_hex_file --KEK2 ../kek2_hex_file --KEK256 ../kek256_hex_file jetson-agx-xavier-devkit
- since there is neither board info nor --noburn in the command, odmfuse.sh will run in the online mode, which means a board must be connected; -c options is no needed in the online mode since odmfuse.sh is now able to get the board’s fuse status from the target. besides, the option -c is obsolete now. it’s replace by --auth options.
- I assume you’re test this pipeline with unfused target, right? you should assign --auth NS options to the command-line due to neither PKC nor SBK is burned.
- following above, for these options in the command-line, all fuse info will be burn to the target, such as… -p, -k, -S, -KEK2, -KEK256. so, that’s why odmfuse_pkc.xml include all those fuse information.

Q3>
the 3072-bit RSA key option is supported only on Jetson Xavier series.

Q4>
please use the multi-steps approaches to burn the fuse and flash the target.
for example, (1) using odmfuse.sh to create the fuse blob, (2) review all the fuse info and messages, running fusecmd.sh to burn the fuse to the device actually, (3) it’s flash.sh script to create the image blob, and (4) run flashcmd.txt to flash the target. please see-also this thread for reference, Jetson Xavier NX DEVKIT secureboot enabled - #7 by JerryChang

Topic		Replies	Views
KEK Fuse burn failed on Jetson Xavier R32.3.1 Jetson AGX Xavier security , nvbugs	10	1775	October 18, 2021
Unable to burn fuses (dev kit) / no more output (serial/hdmi) / bricked? Jetson AGX Xavier security , nvbugs	93	6985	October 18, 2021
Secure Boot on Jetson Xavier AGX Jetson AGX Xavier security , nvbugs	44	5574	October 18, 2021
Xavier NX (eMMC) Secureboot Fusing renders devices unbootable Jetson Xavier NX boot , security	27	1529	May 10, 2023
Secure Boot odmfuse programming step fail on 32.2.1 Jetson TX2	20	2770	October 18, 2021
Jetson Xavier NX DEVKIT secureboot enabled Jetson Xavier NX security , nvbugs	21	6145	October 18, 2021
Will not boot after enabling Security Boot (Jetson AGX Xavier) Jetson AGX Xavier reflash , security	68	5673	October 18, 2021
Concerns about fuse burning on TX2 Jetson TX2 security , nvbugs	32	3743	October 18, 2021
Xavier doesn't boot after Secure Boot (PKC + SBK + KEK2) flash (JetPack 5.1.5 / L4T R35.6.1) Jetson AGX Xavier security	15	258	April 23, 2025
Secure Boot TX2i Jetson TX2 security	4	1365	October 18, 2021

Postmortem: Jetson Xavier AGX will not get past Boot ROM after burning PKC+SBK+KEK256

Related topics