Hi Folks,
I’m trying to follow the steps in the secureboot documentation to get signed bootloader boot working.
I haven’t been successful in burning the PKC hash using odmfuse.sh.
I get one of two possible outcomes when I attempt to use this command:
sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
Where ../rsa_priv.pem is a key generated using these steps.
The first thing I see is that the odmfuse script hangs:
sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
./tegraflash.py --chip 0x18 --applet "/home/dan/secureboot/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin" --cmd "dump eeprom boardinfo cvm.bin"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0032 ] Generating RCM messages
[ 0.0042 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/dan/secureboot/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[ 0.0051 ] RCM 0 is saved as rcm_0.rcm
[ 0.0065 ] RCM 1 is saved as rcm_1.rcm
[ 0.0065 ] List of rcm files are saved in rcm_list.xml
[ 0.0065 ]
[ 0.0065 ] Signing RCM messages
[ 0.0079 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0088 ] Assuming zero filled SBK key
[ 0.0127 ]
[ 0.0127 ] Copying signature to RCM mesages
[ 0.0137 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[ 0.0150 ]
[ 0.0151 ] Boot Rom communication
[ 0.0163 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[ 0.0176 ] BootRom is not running
[ 5.1688 ]
[ 6.1716 ] tegrarcm_v2 --isapplet
The “BootRom is not running” message makes it look like I’m not in recovery mode, but I am, or at least I was when I started the script.
I’ve let it sit for minutes at this screen with no update.
The second outcome I see is this:
sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
Error: Cannot fuse non-production board.
I don’t completely understand this error message; I thought I needed to set the fuse bits before burning the OEM production fuse, based on the order listed here.
Here’s a bash -x trace of the “Cannot fuse non-production board” message:
sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
[sudo] password for dan:
+ noburn=0
+ jtag_disable=yes
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ jtag_disable=no
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ tid=0x18
+ pkcopt+='-i 0x18 '
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ Ctype=PKC
+ pkcopt+='-f PKC '
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ set_productionmode=yes
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ KEYFILE=../rsa_priv.pem
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ '[' 0x18 = '' ']'
+ '[' 0x18 '!=' 0x40 -a 0x18 '!=' 0x21 -a 0x18 '!=' 0x18 -a 0x18 '!=' 0x19 ']'
+ shift 8
+ '[' -f /home/dan/secureboot-tegra/Linux_for_Tegra/pkc/keyviadb ']'
+ '[' 0x18 = 0x18 -o 0x18 = 0x19 ']'
+ '[' 1 -ne 1 ']'
+ '[' 1 -eq 1 ']'
+ nargs=1
+ ext_target_board=jetson-tx2
+ '[' '!' -r jetson-tx2.conf ']'
+++ dirname ./odmfuse.sh
++ cd .
++ pwd
+ LDK_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra
++ readlink -f /home/dan/secureboot-tegra/Linux_for_Tegra
+ LDK_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra
+ source jetson-tx2.conf
++ BPFDTB_FILE=tegra186-a02-bpmp-quill-p3310-1000-a00-00-te770d-ucm2.dtb
++ source /home/dan/secureboot-tegra/Linux_for_Tegra/p2771-0000.conf.common
+++ CHIPID=0x18
+++ EMMC_CFG=flash_l4t_t186.xml
+++ BOOTPARTSIZE=8388608
+++ EMMCSIZE=31276924928
+++ ITS_FILE=
+++ EMMC_BCT=P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg
+++ DTB_FILE=tegra186-quill-p3310-1000-a00-00-base.dtb
+++ TBCDTB_FILE=tegra186-quill-p3310-1000-a00-00-base.dtb
+++ '[' -z '' ']'
+++ USE_UBOOT=1
+++ ROOTFSSIZE=28GiB
+++ CMDLINE_ADD='console=ttyS0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0'
+++ target_board=t186ref
+++ ROOT_DEV='mmcblk0p12 ------------ internal eMMC.
sda1 ----------------- external USB devices. (USB memory stick, HDD)
eth0 ----------------- nfsroot via RJ45 Ethernet port.
eth1 ----------------- nfsroot via USB Ethernet interface.'
+++ TEGRABOOT=bootloader/t186ref/nvtboot.bin
+++ WB0BOOT=bootloader/t186ref/warmboot.bin
+++ FLASHER=bootloader/nvtboot_recovery_cpu.bin
+++ BOOTLOADER=bootloader/nvtboot_cpu.bin
+++ INITRD=bootloader/l4t_initrd.img
+++ TBCFILE=bootloader/cboot.bin
+++ BPFFILE=bootloader/bpmp.bin
+++ TOSFILE=bootloader/tos.img
+++ EKSFILE=bootloader/eks.img
+++ MTSPREBOOT=bootloader/preboot_d15_prod_cr.bin
+++ MTS=bootloader/mce_mts_d15_prod_cr.bin
+++ MB1FILE=bootloader/mb1_prod.bin
+++ SOSFILE=bootloader/mb1_recovery_prod.bin
+++ MB2BLFILE=bootloader/nvtboot_recovery.bin
+++ BCT=--sdram_config
+++ BINSARGS='--bins "'
+++ DEV_PARAMS=emmc.cfg
+++ SCR_CONFIG=minimal_scr.cfg
+++ SCR_COLD_BOOT_CONFIG=mobile_scr.cfg
+++ MISC_CONFIG=tegra186-mb1-bct-misc-si-l4t.cfg
+++ PINMUX_CONFIG=tegra186-mb1-bct-pinmux-quill-p3310-1000-a00.cfg
+++ PMIC_CONFIG=tegra186-mb1-bct-pmic-quill-p3310-1000-a00.cfg
+++ PMC_CONFIG=tegra186-mb1-bct-pad-quill-p3310-1000-a00.cfg
+++ PROD_CONFIG=tegra186-mb1-bct-prod-quill-p3310-1000-a00.cfg
+++ BOOTROM_CONFIG=tegra186-mb1-bct-bootrom-quill-p3310-1000-a00.cfg
+++ DEFAULT_FAB=B01
+ BL_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
+ TARGET_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/t186ref
+ KERNEL_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/kernel
+ DTB_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/kernel/dtb
+ '[' 0 -ne 1 ']'
+ get_fuse_level fuselevel hwchipid bootauth
+ local ECID
+ local rcmcmd
+ local inst_args=
+ local idval_1=
+ local idval_2=
+ local flval=
+ local baval=None
+ local flvar=fuselevel
+ local hivar=hwchipid
+ local bavar=bootauth
+ '[' -f /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/tegrarcm_v2 ']'
+ rcmcmd=tegrarcm_v2
+ '[' -n '' ']'
+ pushd /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
++ ./tegrarcm_v2 --uid
++ grep BR_CID
++ cut '-d ' -f2
+ ECID=
+ popd
+ '[' '' '!=' '' ']'
+ '[' '' '!=' fuselevel_production ']'
+ echo 'Error: Cannot fuse non-production board.'
Error: Cannot fuse non-production board.
+ exit 1
I think this might only happen after the first attempt to run odmflash.sh fails.
When I boot the system, this is what I see from tegrafuse:
jetson@jetson-desktop:~$ sudo ./tegrafuse.sh
[sudo] password for jetson:
Unsupported fuse: device_key
Unsupported fuse: jtag_disable
odm_lock : 0x00000000
odm_production_mode : 0x00000000
Unsupported fuse: odm_reserved
Unsupported fuse: pkc_disable
public_key : 0x0000000000000000000000000000000000000000000000000000000000000000
Unsupported fuse: sec_boot_dev_cfg
secure_boot_key : 0x00000000000000000000000000000000
Unsupported fuse: sw_reserved
Here’s a repository which includes scripts to automate each part of the secure boot setup process.
Creating an rsa_priv.pem file in this repo base folder, then running
./download-and-prepare-files.sh
./installing-secureboot.sh
./burn-pkc.sh
should give you exactly the same setup I’m using currently.
Has anyone been successful getting this deployed on 32.2.1 and if so could you please clue me in as to what I’m doing wrong?
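
Added example, not part of the original post and not NVIDIA's code: in the trace above, `ECID=` is empty right after the `tegrarcm_v2 --uid` pipeline, and the error follows a test that compares an empty string with `fuselevel_production`. The helper below (hypothetical name `classify_fuse_trace`) checks a `bash -x` trace for that pattern; the sample input is an excerpt of the lines shown in the post.

```shell
#!/bin/sh
# Added example: classify a `bash -x odmfuse.sh` trace like the one in the post.
# classify_fuse_trace and sample_trace are hypothetical names, not part of odmfuse.sh.

classify_fuse_trace() {
    # Reads a trace on stdin and prints one verdict word:
    #   empty-ecid    error seen and the ECID assignment was empty
    #   ecid-present  error seen but ECID held a value
    #   no-error      the "non-production board" error is not in the trace
    awk '
        /^[+]+ ECID=/ {
            seen = 1
            val = $0
            sub(/^[+]+ ECID=/, "", val)   # keep only what follows "ECID="
            empty = (val == "")
        }
        /Error: Cannot fuse non-production board/ { err = 1 }
        END {
            if (err && seen && empty) print "empty-ecid"
            else if (err)             print "ecid-present"
            else                      print "no-error"
        }
    '
}

sample_trace() {
    # Excerpt of the trace in the post (get_fuse_level section).
    cat <<'EOF'
++ ./tegrarcm_v2 --uid
++ grep BR_CID
++ cut '-d ' -f2
+ ECID=
+ popd
+ '[' '' '!=' '' ']'
+ '[' '' '!=' fuselevel_production ']'
+ echo 'Error: Cannot fuse non-production board.'
Error: Cannot fuse non-production board.
+ exit 1
EOF
}

# Stand-alone run: prints the verdict for the excerpt above.
sample_trace | classify_fuse_trace
```

A verdict of `empty-ecid` means the script never obtained a `BR_CID` value from the board, so the "non-production" wording reflects a failed read rather than a fuse level reported by the device.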