Programming security fuses using software (from a system running Ubuntu)

I was able to successfully program the security fuses by putting the Tegra device into force recovery mode. We wanted to explore whether there is a way to program these fuses from software (from a system running Ubuntu) without going into force recovery mode.

In the README_secureboot.txt (32.1.0), there is mention of using tegrafuse.sh to set/amend fuse values. I found that this script was just reading/writing values from/to different files in /sys/devices/platform/tegra-fuse. I am not sure if writing the file would achieve the writing of the fuses.

  1. Is this a viable way to program fuses, or is using the force recovery mode the only option available?

  2. Also, when I was reading the fuses using tegrafuse.sh, the SBK (also KEK0, KEK1 and KEK2 while looking at the files) showed 0xffffffffffffffffffffffffffffffff. This is good in the sense that the AES key is not exposed. How would this work if I were to set the values using tegrafuse.sh?

Thanks
Rayees

hello rayees.shamsuddin,

were you asking about generating a fuse blob locally?
you may enable the option below,

--noburn ------------- Prepare fuse blob without actual burning.

Jerry,

I wasn’t asking about the fuse blob generation. In fact, I used the --noburn option and already did burn the fuses. But this required that I put the Tegra device into force recovery mode.

Is it possible for me to use tegrafuse.sh to set these fuse values? If this is possible, then we do not have to put the device into the force recovery mode during the fuse burning. We can run the Ubuntu OS and can run a script on top of the tegrafuse.sh to set the key and other values. This is what I am asking.

  • Rayees

hello rayees.shamsuddin,

you must put the Jetson device into forced-recovery mode for the fuse burning process.
thanks

Hi Jerry,
Nvidia documents indicate that the software running on a target board can set or amend fuses, and there is no mention of recovery mode in the section “Accessing the Fuse from the Target” of the “Jetson Platform Fuse Burning and Secure Boot Documentation and Tools” document, nor in the README_secureboot.txt file that is included in the secure boot packages.

For our reference, this is the content of that section:
"
Accessing the Fuse from the Target
The L4T secureboot package provides a means to access fuses from the target board after it boots up.
To access the fuse from the target board

  1. Copy the …/Linux_for_Tegra/pkc/tegrafuse.sh script to the ubuntu@.
  2. To access the target’s fuses from the target board, login to the target board.
    • To display all fuses:
      sudo ./tegrafuse.sh
    • To set or amend a specific fuse:
      sudo ./tegrafuse.sh
"

Sorry, this may sound like a redundant question, but could you please clarify whether we always need to use recovery mode whenever we need to burn eFuses? It will be especially helpful if we can update some of the fuses by software means for products in the field without user interaction (e.g., for version control, rollback prevention, key rolling, etc.). Is there any method to set/change the eFuse settings (e.g., ODM Reserved, ODM Lock, SBK/KEK, etc.) without using recovery mode?

Also, related to that, tegrafuse.sh seems to read/write local files and these files do not seem to be device files. Does this script read/write the actual eFuses? Could you please clarify how tegrafuse.sh accesses the fuse values?

Thanks!