Secure Boot confirmation

Hello,

i’m new to the secure boot procedures in the nvidia jetson nano.

i sucessefuly flashed the image with:

sudo ./flash.sh BOARDID=3448 FAB=200 BOARDSKU=0002 -x 0x21 -y PKC -u …/emi_pkc.pem jetson-nano-emmc mmcblk0p1

now at runtime how can i check that the i’m using the secure boot?

i saw that the fuse: pkc_disable is 0x00000001, shouldn’t be 0x00000000?

how can i set FUSE_PKC_DISABLE to 0 with odmfuse?

other question is if i burn with pkc key the filesystem gets encrypted?

Best regards,
Rui

Hi,

No, rootfs is not encrypted.

We are checking why pkc_disable being set to 1 after PKC is burned. Will update.

1 Like

Hi,
Please check

So to keep the pkc_disable at 0x0 i have to put the board in production mode? In the docs stats that should be the last thing to do.

Hi,
We would like developers can practice fuse porcess and check the result in NS mode. Once the process is confirmed, you can apply it to production line with -p

Ok, i understand, but to practice the fuse process without the -p flag, the pkc_disable will be fused and then the secure boot (with pkc) cannot be used any more. I think there must be an option to use odmfuse.sh without -p and keep the pkc_disable fuse at 0x0

Hi,
The current implmentaion looks fine for production. Please execute -c PKC -p together in production line.