Postmortem: Jetson Xavier AGX will not get past Boot ROM after burning PKC+SBK+KEK256

hello ticotimo,

Q1>
yeah, that should be using python3; it should be that the comment messages were not up to date.

Q2>

  • command-line with --noburn.
    • sudo FAB=400 BOARDID=2888 BOARDSKU=0001 BOARDREV=L.0 ./odmfuse.sh -i 0x19 -p --noburn --auth SBKPKC -k ../rsa_priv.pem --KEK2 ../kek2_hex_file --KEK256 ../kek256_hex_file -S ../sbk_hex_file jetson-agx-xavier-devkit
    • this command-line runs in offline mode. In offline mode, the --auth option is used to indicate the board's fuse status, because there are no boards connected, so odmfuse.sh doesn't have a chance to know the board's fuse status.
    • in this scenario, since the target has been burned with PKC+SBK, -k is used to sign the encrypted images; -S is the command to encrypt the images. In the end, only --KEK2 and --KEK256 will be burned to the board, and then those appear in odmfuse_pkc.xml.
  • command-line with --test.
    • sudo ./odmfuse.sh --test -i 0x19 -c SBKPKC -p -k ../rsa_priv.pem -S ../sbk_hex_file --KEK2 ../kek2_hex_file --KEK256 ../kek256_hex_file jetson-agx-xavier-devkit
    • since there is neither board info nor --noburn in the command, odmfuse.sh will run in online mode, which means a board must be connected; the -c option is not needed in online mode since odmfuse.sh is now able to get the board's fuse status from the target. Besides, the -c option is obsolete now; it's replaced by the --auth option.
    • I assume you're testing this pipeline with an unfused target, right? You should add the --auth NS option to the command-line, since neither PKC nor SBK is burned.
    • following the above, for these options in the command-line, all fuse info will be burned to the target, such as -p, -k, -S, --KEK2, --KEK256. So that's why odmfuse_pkc.xml includes all that fuse information.

Q3>
the 3072-bit RSA key option is supported only on Jetson Xavier series.

Q4>
please use the multi-step approach to burn the fuses and flash the target.
for example, (1) use odmfuse.sh to create the fuse blob, (2) review all the fuse info and messages, then run fusecmd.sh to actually burn the fuses to the device, (3) use the flash.sh script to create the image blob, and (4) run flashcmd.txt to flash the target. please also see this thread for reference, Jetson Xavier NX DEVKIT secureboot enabled - #7 by JerryChang

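As an added example (not code from the post, and not NVIDIA's own tooling), here is a small shell wrapper around the multi-step approach from Q4 that inserts the "review" step as an actual check: it lists the fuses contained in the generated odmfuse_pkc.xml and refuses to run fusecmd.sh unless that set matches what the operator intended (for the offline --noburn command in Q2, only KEK2 and KEK256). The script names odmfuse.sh, fusecmd.sh, flash.sh, flashcmd.txt and odmfuse_pkc.xml and the odmfuse.sh command line are taken from the post; the XML layout, the fuse names Kek2/Kek256, the flash.sh arguments and the working directory are assumptions, and the sample blob is constructed with placeholder values.

```shell
#!/bin/sh
# Added example, not code from the forum post or from NVIDIA's L4T tools.
# Script names (odmfuse.sh, fusecmd.sh, flash.sh, flashcmd.txt, odmfuse_pkc.xml) come
# from the post; the XML layout and the fuse names below are constructed assumptions,
# so compare them against the blob your own L4T release actually emits.

# Print the fuse names found in an odmfuse-style XML blob, one per line.
list_fuses() {
    sed -n 's/.*<fuse name="\([^"]*\)".*/\1/p' "$1"
}

# Succeed only when the set of fuse names in the blob equals the expected set
# (order-independent). Any extra or missing fuse means "do not burn".
fuses_match() {
    blob="$1"
    expected="$2"
    got=$(list_fuses "$blob" | sort | tr '\n' ' ')
    want=$(printf '%s\n' $expected | sort | tr '\n' ' ')
    [ "$got" = "$want" ]
}

# Write a constructed sample blob (placeholder values, not real key material) so the
# helpers above can be exercised without a Jetson attached.
make_sample_blob() {
    cat > "$1" <<'EOF'
<genericfuse version="1.0.0">
  <fuse name="Kek2" size="16" value="0x00000000000000000000000000000000" />
  <fuse name="Kek256" size="32" value="0x0000000000000000000000000000000000000000000000000000000000000000" />
</genericfuse>
EOF
}

# The multi-step flow from the post, with the review gate before the irreversible
# fusecmd.sh step. Assumes it is run from Linux_for_Tegra/ with the post's offline
# command, i.e. a board already fused with PKC+SBK to which only KEK2 and KEK256 are
# being added.
#   usage: review_then_burn_and_flash bootloader/odmfuse_pkc.xml   (path assumed)
review_then_burn_and_flash() {
    blob="$1"
    expected="Kek2 Kek256"   # assumed names; adjust to what your odmfuse.sh emits

    # (1) create the fuse blob without touching the board
    sudo FAB=400 BOARDID=2888 BOARDSKU=0001 BOARDREV=L.0 ./odmfuse.sh -i 0x19 -p --noburn \
        --auth SBKPKC -k ../rsa_priv.pem --KEK2 ../kek2_hex_file --KEK256 ../kek256_hex_file \
        -S ../sbk_hex_file jetson-agx-xavier-devkit

    # (2) review: stop if the blob would burn more (or less) than intended
    echo "fuses in $blob:"
    list_fuses "$blob"
    if ! fuses_match "$blob" "$expected"; then
        echo "blob does not match expected fuse set ($expected); not burning" >&2
        return 1
    fi
    sudo ./bootloader/fusecmd.sh        # burns the reviewed blob (irreversible); path assumed

    # (3) build the signed/encrypted image blob without flashing (--no-flash is
    #     flash.sh's option for that); board config and root device assumed
    sudo ./flash.sh --no-flash jetson-agx-xavier-devkit mmcblk0p1

    # (4) flash the target with the generated command line; path assumed
    sudo bash ./bootloader/flashcmd.txt
}
```

The point of fuses_match is that the fuse set is compared as a whole, so a stray PublicKeyHash or SecureBootKey entry (which, per the online-mode discussion above, shows up when -p/-k/-S are given without --noburn) blocks the burn instead of being noticed after the fact.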