Rollback Protection on Jetson AGX Orin

Hello,

I want to enable rollback protection on my Jetson AGX Orin Devkit. I am using this guide: Rollback Protection — NVIDIA Jetson Linux Developer Guide 1 documentation

I am using L4T version R36.4.

When creating the ratchet configuration file for the Jetson AGX Orin, I used the basic example given on the website:

/dts-v1/;

/ {
    ratchet {
        /* name = <index value> */
        mb1bct = <1 0>;
        membct = <2 0>;
        bpmp_fw_dtb = <3 0>;
        mb2rf = <4 0>;
        mb2 = <5 0>;
        /* index 6 and 7 are reserved */
        mb2_applet = <8 0>;
        fskp_fw = <9 0>;

        /* index 15 is reserved */
        spe = <16 0>;
        /* index 17 and 18 are reserved */
        sce = <19 0>;
        rce = <20 0>;
        ape = <21 0>;
        dce = <22 0>;
        eks = <23 0>;
        tos = <24 0>;
        /* index 25 is reserved */
        cpubl = <26 0>;
        cpubl_dtb = <27 0>;
    };
};

However, I have some questions left:

  1. Are there components such as the kernel, which would be beneficial to give rollback protection too? I can’t find documentation on what values are possible to set in the ratchet config file beyond this example. Is there a complete list of supported components and their corresponding index values?
  2. Is it correct that once the ratchet configuration file is completely set up, I just need to:
  • Set the OptInEnable fuse to 1 in the fuse config file: <fuse name="OptInEnable" size="4" value="0x1"/>
  • Burn the fuses and flash the device

Is this sufficient for complete rollback protection across all components?

I really appreciate any help.

Hi,
Here are some suggestions for the common issues:

1. Performance

Please run the commands below before benchmarking a deep learning use case:

$ sudo nvpmodel -m 0
$ sudo jetson_clocks

2. Installation

Installation guide of deep learning frameworks on Jetson:

3. Tutorial

Startup deep learning tutorial:

4. Report issue

If these suggestions don’t help and you want to report an issue to us, please attach the model, command/step, and the customized app (if any) with us to reproduce locally.

Thanks!

Thank you carolyuu for your response, but the linked information didn’t lead to my solution. Could you please give me further assistance?

hello andib,

please refer to $OUT/Linux_for_Tegra/bootloader/generic/BCT/tegra234-mb1-bct-ratchet-p3701-0000.dts for all supported components.
you may also see other discussion threads, such as Topic 277417, for reference.

Thank you JerrryChang for your answer. The file you pointed out is the same as the description that I mentioned in my post. Can I then assume that other parts, such as the kernel, cannot be rollback protected?

In that case, I will just keep the file as it is and burn the OptInEnable fuse.
Furthermore, in the linked Topic the developer used an older version of L4T. In the description that he used, the following is written:

MB2 ratchet takes effect only when one of the two conditions is met:

    SECURITY_MODE fuse is burned, or

    OEM_KEY_VALID bit is set in SECURITY_INFO fuse.

In my description for L4T 36.4, it says that MB2 ratchet is enabled by default. Does that mean that in my case I just have to burn the OptInEnable fuse with value 0x1, as I wrote, and then the rollback protection is enabled, or are there further steps required?

Another question regarding the fuses:
I have read in the secure boot chapter that it is recommended to do the whole fusing process in one go. I want to burn the fuses for secure boot too, which means I will update the fuse config file, add the OptInEnable fuse, and then fuse everything in one go. Should it be done like that?

hello andib,

yes, OptInEnable must be 0x1 to enable rollback protection.
this also enables rollback protection to prevent earlier boot images from running on this system.
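
A pre-flash sanity check for the ratchet file discussed in this thread, as an added example that is not from any poster or from NVIDIA. It parses the `name = <index value>` entries, flags the indices that the comments in the example above mark as reserved, and compares a new file against the last shipped one. The function names and sample configs are constructed, and treating a dropped entry, a moved index or a lowered value as an error is an assumption of this sketch.

```python
import re

# Indices the comments in the thread's example mark as reserved.
RESERVED = {6, 7, 15, 17, 18, 25}
ENTRY = re.compile(r"(\w+)\s*=\s*<\s*(\d+)\s+(\d+)\s*>\s*;")

def parse_ratchet(dts):
    """Return {name: (index, value)} for every `name = <index value>;` entry."""
    body = re.sub(r"/\*.*?\*/", "", dts, flags=re.S)  # drop /* ... */ comments
    return {n: (int(i), int(v)) for n, i, v in ENTRY.findall(body)}

def check(new_dts, shipped_dts=None):
    """List problems in new_dts, optionally against the last shipped config."""
    new, shipped = parse_ratchet(new_dts), parse_ratchet(shipped_dts or "")
    problems, owner = [], {}
    for name, (idx, _) in new.items():
        if idx in RESERVED:
            problems.append(f"{name}: index {idx} is reserved")
        if idx in owner:
            problems.append(f"{name}: index {idx} already used by {owner[idx]}")
        owner.setdefault(idx, name)
    # Assumption: a release must not drop an entry, move its index,
    # or lower a value that has already shipped.
    for name, (idx, val) in shipped.items():
        if name not in new:
            problems.append(f"{name}: missing from new config")
        elif new[name][0] != idx:
            problems.append(f"{name}: index changed {idx} -> {new[name][0]}")
        elif new[name][1] < val:
            problems.append(f"{name}: value lowered {val} -> {new[name][1]}")
    return problems

# Constructed sample configs (not real release data).
SHIPPED = """/dts-v1/;
/ { ratchet {
    mb1bct = <1 0>;
    mb2 = <5 1>;
    cpubl = <26 0>;
}; };"""
NEW = """/dts-v1/;
/ { ratchet {
    mb1bct = <1 0>;
    mb2 = <5 0>;        /* lower than shipped */
    example_fw = <6 0>; /* hypothetical name on a reserved index */
}; };"""

if __name__ == "__main__":
    for line in check(NEW, SHIPPED):
        print(line)
```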
