Questions for secureboot and trusty

I tried to enable the secureboot and trusty on Jetson Xavier NX develop kit carrier board. The document I’m referencing is:
https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Fbootloader_secure_boot.html%23

I have some questions about step of burning fuses.

Q1: According to the documentation I used the following command line: “sudo ./odmfuse.sh -j -i 0x19 -c PKC -p -k rsa_pri.pem --KEK2 KEK2.txt -S SBK.txt jetson-xavier-nx-devkit”. You can see I used the “-p” parameter, which means set production mode, and as a result I can’t reflash; I must use the RSA key or SBK key (“Either RSA key file is not proviced or SBK key file is provided for PKC protected target board”). I have the RSA key and SBK key, but I don’t want to use them. How can I reset the carrier board to factory settings without PKC?

Q2: if I just want to enable trusty with KEK2 key. What are the correct steps?

Hi,
We would suggest programming all fuses in a single step. Please refer to

Trusty should work only with PKC+SBK enabled. Is it OK for you to run with PKC+SBK enabled?

I want to enable secureboot and trusty. I did program all fuses in a single step with:
“sudo ./odmfuse.sh -j -i 0x19 -c PKC -p -k rsa_pri.pem --KEK2 KEK2.txt -S SBK.txt jetson-xavier-nx-devkit” according to the reference: “https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Fbootloader_secure_boot.html%23wwpID0E0CD0HA”,
but I failed.
So I changed the command line parameters, maybe to “sudo ./odmfuse.sh -j -i 0x19 -c PKC -p -k rsa_pri.pem --KEK2 KEK2.txt -S SBK.txt jetson-xavier-nx-devkit”, maybe to “sudo ./odmfuse.sh -j -i 0x19 -c PKC -p -k rsa_pri.pem --KEK2 KEK2.txt jetson-xavier-nx-devkit”, and one of them worked.

This causes odm_production_mode to be set to 1, so I can’t burn other fuses now. Is there any way to set odm_product_mode to zero?

I’m a beginner. I don’t understand a lot of it. Can you read it?

I tried your solution at “Unable to burn fuses (dev kit) / no more output (serial/hdmi) / bricked?”, but when I run “sudo ./fusecmd.sh”, I get “Error: Return value 3”.

Hi,
Fuse programming is irreversible. Once the odm production bit is set to 1, it cannot be set back to 0, and most fuses are locked except the odm reserved bits.

So, there’s no way to change it?
There’s nothing the manufacturer can do?

You have a default parameter p in your documentation, which is misleading.

hello zjfsharp,

according to documentation,

Once odm_production_mode is fused with value of 0x1, all further fuse write requests are blocked.

please add the --no-flash option to generate fuse blobs if you’re doing experiments,
thanks

Thanks.

I have another question:
Can I flash new trusty little kernel to the carrier board when odm_production_code equals 1?

hello zjfsharp,

yes, you may update it.

due to security process and factory flow, we don’t support partial updates once your device has fused.

Thank you for your reply.

I got an error of “Error: Return value 3…Reading board information failed.” when I flash the trusty little kernel after odm_product_mode was set to 1.

I would like to know if this error is related to the odm_product_mode value of 1, or if something else is causing the problem!

Can you give me some help?

hello zjfsharp,

had you assigned the keys to update the partition?
could you please share your flashing commands and also complete flash messages,
thanks

sudo ./flash -s rsa_pri.pem -k secure-os jetson-xavier-nx-devkit mmcblk0p1
(I used the -s parameter; if I don’t use it, I get an error of “Either RSA key file is not proviced or SBK key file is provided for PKC protected target board”)

hello zjfsharp,

sorry, I need to revise my previous comments.
due to security process and factory flow, we don’t support partial updates once your device has fused.
please perform flash script to assign keys and flash your board completely.
thanks

The status of the board as viewed via the Tegrafuse.sh script is that the odm_product_mode value is already 1.

odm_lock: 0x00000000
arm_jtag_disable: 0x00000000
odm_production_mode: 0x00000001
boot_security_info: 0x00000001
odm_info: 0x0000000

Carrier board model is Jetson Xavier NX Develop Kit.

Then:
I used “sudo ./flash -s rsa_pri.pem -k secure-os jetson-xavier-nx-devkit mmcblk0p1” to update trusty, and it succeeded. Does that fit with what you’re saying above?

Also I was wondering if the KEK2 and SBK key have been burned to the board. What tools can I use to check?
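A small checker that reads a fuse dump in the format quoted above and reports what the state means for further flashing, plus a preflight for an odmfuse.sh command line. This is an added example written for this thread, not code from NVIDIA's tools or from any poster; it assumes the "name: 0xVALUE" layout shown in the post, and only interprets the fuse names and options the thread itself discusses (odm_production_mode, arm_jtag_disable, -p, --no-flash).

```python
import re
import shlex

# Constructed sample input, in the "name: 0xVALUE" layout quoted in the
# thread. The layout is an assumption, not a documented tool contract.
SAMPLE_DUMP = """\
odm_lock: 0x00000000
arm_jtag_disable: 0x00000000
odm_production_mode: 0x00000001
boot_security_info: 0x00000001
odm_info: 0x0000000
"""

FUSE_LINE = re.compile(r"^\s*(\w+)\s*:\s*(0x[0-9A-Fa-f]+)\s*$")


def parse_fuse_dump(text):
    """Parse 'name: 0xVALUE' lines into {name: int}; reject anything else."""
    fuses = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = FUSE_LINE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised fuse line: {raw!r}")
        fuses[m.group(1)] = int(m.group(2), 16)
    return fuses


def production_mode_locked(fuses):
    """True once odm_production_mode is fused to 1; this is irreversible."""
    return fuses.get("odm_production_mode", 0) == 1


def assess_fuses(fuses):
    """Return human-readable findings about the secure-boot fuse state."""
    findings = []
    if production_mode_locked(fuses):
        findings.append("odm_production_mode=1: all further fuse writes are blocked; "
                        "only a full flash signed with the fused keys is possible")
    else:
        findings.append("odm_production_mode=0: fuses can still be programmed; "
                        "odmfuse.sh -p will set it to 1 permanently")
    if fuses.get("arm_jtag_disable", 0) == 0:
        findings.append("arm_jtag_disable=0: JTAG is not disabled by fuse")
    return findings


def check_odmfuse_command(command):
    """Warn about irreversible options in an odmfuse.sh command line."""
    args = shlex.split(command)
    warnings = []
    if "-p" in args:
        warnings.append("-p sets odm_production_mode=1; this cannot be undone")
    if "--no-flash" not in args:
        warnings.append("no --no-flash: fuses are burned immediately; "
                        "add --no-flash to only generate the fuse blob")
    return warnings


if __name__ == "__main__":
    state = parse_fuse_dump(SAMPLE_DUMP)
    for line in assess_fuses(state):
        print(line)
    cmd = ("sudo ./odmfuse.sh -j -i 0x19 -c PKC -p -k rsa_pri.pem "
           "--KEK2 KEK2.txt -S SBK.txt jetson-xavier-nx-devkit")
    for line in check_odmfuse_command(cmd):
        print("WARNING:", line)
```

Run it against the dump saved from the fuse-reading script instead of SAMPLE_DUMP to get the same assessment for a real board; the command preflight is meant to be run before odmfuse.sh, since after -p has been applied there is nothing left to check.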

hello zjfsharp,

we don’t recommend partial updates (i.e. the -k option) once your device has been fused, due to the security process.

you may access the latest Secure Boot packages, i.e. l4t-r32.4.3.
there’s a script file, odmfuseread.sh, that you may use to read the fuse information for checking.
thanks

In recovery mode, I failed to read the information using the script:

sudo ./odmfuseread.sh -c PKC -i 0x19 -k pub.pem jetson-xavier-nx-devkit

where the public key used here is generated from the private key, but I got an error of

return value 8.
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid.
Reading board information failed

hello zjfsharp,

FYI,
I’ve checked internally and there’s a bug in odmfuseread.sh when reading fuses on a PKC-fused board.

:(, so how can I solve this problem? Thx