Problems with burning Jetson TX2 keys

Hello,

I have similar issues like in this post with burning fuses of TX2. I tried all variants to burn fusses described in README_secureboot.txt, but I constantly get “Oem commands are not supported. Fuse burning failed” error.

sudo ./odmfuse.sh -j -i 0x18 -c PKC \
 -k keys/rsa_priv.pem -S keys/SBK.key \
 --KEK0 keys/KEK0.key --KEK1 keys/KEK1.key --KEK2 keys/KEK2.key \
 jetson-tx2

[   6.1100 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[   6.1110 ] Applet version 01.00.0000
[   6.1133 ] 0000000000000001: Oem commands are not supported
[   6.1143 ] Fuse burning failed
[   6.1143 ] 
[   6.1144 ] trying fusing with CPU binary
[   6.1172 ] tegrasign_v2 --key None --getmode mode.txt
[   6.1184 ] Assuming zero filled SBK key
[   6.1186 ] 
[   6.1186 ] Parsing partition layout
[   6.1199 ] tegraparser_v2 --pt flash.xml.tmp
[   6.1219 ] 
[   6.1220 ] Creating list of images to be signed
[   6.1232 ] tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
[   6.1244 ] Stat for RECFILE failed
[   6.1538 ] 
Error: Return value 4
Command tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
failed.

Hi,
Please share your release version( $ head -1 /etc/nv_tegra_release ). r28 releases or r32 releases.

$ head -1 /etc/nv_tegra_release
# R32 (release), REVISION: 3.1, GCID: 18186506, BOARD: t186ref, EABI: aarch64, DATE: Tue Dec 10 07:03:07 UTC 2019

Just in case:
$ ./tegrafuse.sh
odm_lock : 0x00000000
arm_jtag_disable : 0x00000000
odm_production_mode : 0x00000000
boot_security_info : 0x00000000
odm_info : 0x00000000

I applied fix-uid-check-in-odmfuse.patch in accordance with this post.
I use the Jetson TX2 module provided with Developer Kit. Can such module be fused?

Hi,
The TX2 module with devkit is fuse-able. Please check if this patch helps:

And you may also try a simple command:

$ sudo ./odmfuse.sh -j -i 0x18 -c PKC -k rsa_priv.pem jetson-tx2

This command
sudo ./odmfuse.sh -j -i 0x18 -c PKC -k rsa_priv.pem jetson-tx2
produces the same result:
[ 6.1925 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[ 6.2000 ] Applet version 01.00.0000
[ 6.2130 ] 0000000000000001: Oem commands are not supported
[ 6.2145 ] Fuse burning failed
[ 6.2145 ]
[ 6.2146 ] trying fusing with CPU binary
[ 6.2441 ] tegrasign_v2 --key None --getmode mode.txt
[ 6.2517 ] Assuming zero filled SBK key
[ 6.2678 ]
[ 6.2698 ] Parsing partition layout
[ 6.2752 ] tegraparser_v2 --pt flash.xml.tmp
[ 6.2881 ]
[ 6.2882 ] Creating list of images to be signed
[ 6.2922 ] tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
[ 6.2991 ] Stat for RECFILE failed
[ 6.3673 ]
Error: Return value 4
Command tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
failed.

Regarding patch: in accordance with documentation KEK256 = KEK0 + KEK1 (T186 and T194).

Is this command correct?
sudo BOARDID=3310 FAB=C04 ./odmfuse.sh -j -i 0x18 -c PKC -k my_privkey.pem --KEK0 my_kek0.key --KEK1 my_kek1.key --KEK2 my_kek2.key –KEK256 my_kek256.key -S my_sbk.key jetson-tx2

Should I anyway apply the patch and use --KEK256 ?

Hi,

Please confirm you get the package for r32.3.1. The error should be present on r28 releases only. A bit strange you see it on r32.
[ 6.2130 ] 0000000000000001: Oem commands are not supported

Command shows that I have R32.3.1 release:

$ head -1 /etc/nv_tegra_release

R32 (release), REVISION: 3.1, GCID: 18186506, BOARD: t186ref, EABI: aarch64, DATE: Tue Dec 10 07:03:07 UTC 2019

Ok, I will do all steps from scratch and come back.

My steps:

  • downloaded and installed Tegra186_Linux_R32.3.1_aarch64.tbz2
  • downloaded and installed Tegra_Linux_Sample-Root-Filesystem_R32.3.1_aarch64.tbz2
  • downloaded and installed secureboot_R32.3.1_aarch64.tbz2
  • flashed TX2 : sudo ./flash.sh jetson-tx2 mmcblk0p1
  • applied fix-uid-check-in-odmfuse.patch
  • tried to burn:
    sudo ./odmfuse.sh -j -i 0x18 -c PKC
    -k keys/rsa_priv.pem -S keys/SBK.key
    –KEK0 keys/KEK0.key --KEK1 keys/KEK1.key --KEK2 keys/KEK2.key
    jetson-tx2

Got:
[ 6.0400 ] 0000000000000001: Oem commands are not supported

Hi,
Does it work if you with with –no-burn?

Please also try to flash through SDKManager and extract secureboot_R32.3.1_aarch64.tbz2 to

$HOME\nvidia\nvidia_sdk\JetPack_4.3_Linux_P3310\Linux_for_Tegra

A user has done cross verfication on TX2 and Nano. It looks fine on TX2:

Hi,

I installed JetPack_4.3, but it did not help.
The same error Oem commands are not supported with and without --noburn.

The user tried L4T 32.2.1 with TX2:

When I had tried before on L4T 32.2.1 with TX2, it didn’t work as described in the document, either. The odmfuse.sh has not worked without a patch.

I will try to downgrade L4T to 32.2.1.

Hi,

Success with JetPack_4.2.3 [L4T 32.2.1] !!!

JetPack_4.3 [L4T 32.3.1] does not work for TX2.

Hi,

Do you have any updates regarding burning fuses by using JetPack_4.3 [L4T 32.3.1] ?

Using multiple Jetpack releases is quite inconvenient.

Hi,
The error looks specfiic to the board since we have other users work on r32.3.1/TX2 and don’t report the error. For more information, please execute tegrafuse.sh and share status of the board.

I have the exact same behavior

TX2 in dev board
Standard unmodified R32.3.1 install created from the BSP and sample rootfs

Only 32.2.1 will write the fuses
I can then use 32.3.1 to flash the device

Fortunately this suffices and I am not concerned about having two releases of JetPack.