Secure Boot odmfuse programming step fail on 32.2.1

Hi Folks,
I’m trying to follow the steps in the secureboot documentation to get signed bootloader boot working.

I haven’t been successful in burning the PKC hash using odmfuse.sh

I get one of two possible outcomes when I attempt to use this command:

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2

Where ../rsa_priv.pem is a key generated using these steps

The first thing I see is that the odmfuse script hangs:

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
./tegraflash.py --chip 0x18 --applet "/home/dan/secureboot/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[   0.0032 ] Generating RCM messages
[   0.0042 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/dan/secureboot/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0051 ] RCM 0 is saved as rcm_0.rcm
[   0.0065 ] RCM 1 is saved as rcm_1.rcm
[   0.0065 ] List of rcm files are saved in rcm_list.xml
[   0.0065 ]
[   0.0065 ] Signing RCM messages
[   0.0079 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0088 ] Assuming zero filled SBK key
[   0.0127 ]
[   0.0127 ] Copying signature to RCM mesages
[   0.0137 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0150 ]
[   0.0151 ] Boot Rom communication
[   0.0163 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0176 ] BootRom is not running
[   5.1688 ]
[   6.1716 ] tegrarcm_v2 --isapplet

The “BootRom is not running” message makes it look like I’m not in recovery mode, but I am, or at least I was when I started the script.

I’ve let it sit for minutes at this screen with no update.

The second outcome I see is this:

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
Error: Cannot fuse non-production board.

I don’t completely understand this error message. I thought I needed to set the fuse bits before burning the OEM production fuse, based on the order listed here

Here’s a bash -x trace of the “Cannot fuse non-production board” message

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
[sudo] password for dan:
+ noburn=0
+ jtag_disable=yes
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ jtag_disable=no
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ tid=0x18
+ pkcopt+='-i 0x18 '
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ Ctype=PKC
+ pkcopt+='-f PKC '
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ set_productionmode=yes
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ case $OPTION in
+ KEYFILE=../rsa_priv.pem
+ getopts c:d:i:jk:l:o:pr:s:D:H:S:X:-: OPTION
+ '[' 0x18 = '' ']'
+ '[' 0x18 '!=' 0x40 -a 0x18 '!=' 0x21 -a 0x18 '!=' 0x18 -a 0x18 '!=' 0x19 ']'
+ shift 8
+ '[' -f /home/dan/secureboot-tegra/Linux_for_Tegra/pkc/keyviadb ']'
+ '[' 0x18 = 0x18 -o 0x18 = 0x19 ']'
+ '[' 1 -ne 1 ']'
+ '[' 1 -eq 1 ']'
+ nargs=1
+ ext_target_board=jetson-tx2
+ '[' '!' -r jetson-tx2.conf ']'
+++ dirname ./odmfuse.sh
++ cd .
++ pwd
+ LDK_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra
++ readlink -f /home/dan/secureboot-tegra/Linux_for_Tegra
+ LDK_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra
+ source jetson-tx2.conf
++ BPFDTB_FILE=tegra186-a02-bpmp-quill-p3310-1000-a00-00-te770d-ucm2.dtb
++ source /home/dan/secureboot-tegra/Linux_for_Tegra/p2771-0000.conf.common
+++ CHIPID=0x18
+++ EMMC_CFG=flash_l4t_t186.xml
+++ BOOTPARTSIZE=8388608
+++ EMMCSIZE=31276924928
+++ ITS_FILE=
+++ EMMC_BCT=P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg
+++ DTB_FILE=tegra186-quill-p3310-1000-a00-00-base.dtb
+++ TBCDTB_FILE=tegra186-quill-p3310-1000-a00-00-base.dtb
+++ '[' -z '' ']'
+++ USE_UBOOT=1
+++ ROOTFSSIZE=28GiB
+++ CMDLINE_ADD='console=ttyS0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0'
+++ target_board=t186ref
+++ ROOT_DEV='mmcblk0p12 ------------ internal eMMC.
        sda1 ----------------- external USB devices. (USB memory stick, HDD)
        eth0 ----------------- nfsroot via RJ45 Ethernet port.
        eth1 ----------------- nfsroot via USB Ethernet interface.'
+++ TEGRABOOT=bootloader/t186ref/nvtboot.bin
+++ WB0BOOT=bootloader/t186ref/warmboot.bin
+++ FLASHER=bootloader/nvtboot_recovery_cpu.bin
+++ BOOTLOADER=bootloader/nvtboot_cpu.bin
+++ INITRD=bootloader/l4t_initrd.img
+++ TBCFILE=bootloader/cboot.bin
+++ BPFFILE=bootloader/bpmp.bin
+++ TOSFILE=bootloader/tos.img
+++ EKSFILE=bootloader/eks.img
+++ MTSPREBOOT=bootloader/preboot_d15_prod_cr.bin
+++ MTS=bootloader/mce_mts_d15_prod_cr.bin
+++ MB1FILE=bootloader/mb1_prod.bin
+++ SOSFILE=bootloader/mb1_recovery_prod.bin
+++ MB2BLFILE=bootloader/nvtboot_recovery.bin
+++ BCT=--sdram_config
+++ BINSARGS='--bins "'
+++ DEV_PARAMS=emmc.cfg
+++ SCR_CONFIG=minimal_scr.cfg
+++ SCR_COLD_BOOT_CONFIG=mobile_scr.cfg
+++ MISC_CONFIG=tegra186-mb1-bct-misc-si-l4t.cfg
+++ PINMUX_CONFIG=tegra186-mb1-bct-pinmux-quill-p3310-1000-a00.cfg
+++ PMIC_CONFIG=tegra186-mb1-bct-pmic-quill-p3310-1000-a00.cfg
+++ PMC_CONFIG=tegra186-mb1-bct-pad-quill-p3310-1000-a00.cfg
+++ PROD_CONFIG=tegra186-mb1-bct-prod-quill-p3310-1000-a00.cfg
+++ BOOTROM_CONFIG=tegra186-mb1-bct-bootrom-quill-p3310-1000-a00.cfg
+++ DEFAULT_FAB=B01
+ BL_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
+ TARGET_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/t186ref
+ KERNEL_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/kernel
+ DTB_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/kernel/dtb
+ '[' 0 -ne 1 ']'
+ get_fuse_level fuselevel hwchipid bootauth
+ local ECID
+ local rcmcmd
+ local inst_args=
+ local idval_1=
+ local idval_2=
+ local flval=
+ local baval=None
+ local flvar=fuselevel
+ local hivar=hwchipid
+ local bavar=bootauth
+ '[' -f /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/tegrarcm_v2 ']'
+ rcmcmd=tegrarcm_v2
+ '[' -n '' ']'
+ pushd /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
++ ./tegrarcm_v2 --uid
++ grep BR_CID
++ cut '-d ' -f2
+ ECID=
+ popd
+ '[' '' '!=' '' ']'
+ '[' '' '!=' fuselevel_production ']'
+ echo 'Error: Cannot fuse non-production board.'
Error: Cannot fuse non-production board.
+ exit 1

I think this might only happen after the first attempt to run odmflash.sh fails.

When I boot the system this is what I see from tegrafuse

jetson@jetson-desktop:~$ sudo ./tegrafuse.sh
[sudo] password for jetson:
Unsupported fuse: device_key
Unsupported fuse: jtag_disable
odm_lock : 0x00000000
odm_production_mode : 0x00000000
Unsupported fuse: odm_reserved
Unsupported fuse: pkc_disable
public_key : 0x0000000000000000000000000000000000000000000000000000000000000000
Unsupported fuse: sec_boot_dev_cfg
secure_boot_key : 0x00000000000000000000000000000000
Unsupported fuse: sw_reserved

Here’s a repository which includes scripts to automate each part of the secure boot setup process.

https://github.com/Trellis-Logic/secureboot-tegra

Creating a rsa_priv.pem file in this repo base folder, then running

./download-and-prepare-files.sh
./installing-secureboot.sh
./burn-pkc.sh

should give you exactly the same setup I’m using currently.

Has anyone been successful getting this deployed on 32.2.1 and if so could you please clue me in as to what I’m doing wrong?

danwalkes,
To check if the board is in recovery mode, you should see the NVIDIA USB device using lsusb (use it before and after entering recovery mode to tell the difference).

A bit more info,

“BootRom is not running”
This message tells us the device is not in recovery mode, so yes, please check that first.
Run the lsusb command before entering recovery mode and then manually put the device in recovery mode
$ lsusb

Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 002: ID 045e:00cb Microsoft Corp. Basic Optical Mouse v2.0
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:800a Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 119: ID 0955:7c18 NVidia Corp

You should see an additional NVidia USB device as above; then you know the device is in recovery mode.

Thanks for the suggestions chijen,
I have verified the part is in recovery mode before and after.
Power off the device:

dan@dan-ubuntu:~/secureboot$ lsusb | grep NVida
dan@dan-ubuntu:~/secureboot$

Power on the device and put in recovery mode

dan@dan-ubuntu:~/secureboot$ lsusb | grep NVidia
Bus 003 Device 021: ID 0955:7c18 NVidia Corp.

Run

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2
+ args+='--chip 0x18 '
+ args+='--applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin" '
+ args+=' '
+ SKIPUID=
+ '[' 0x18 = 0x19 ']'
+ args+='--cmd "dump eeprom boardinfo cvm.bin" '
+ local 'cmd=./tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" '
+ pushd /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
+ '[' '' '!=' '' ']'
+ echo './tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" '
./tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin"
+ eval './tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" '
++ ./tegraflash.py --chip 0x18 --applet /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin --cmd 'dump eeprom boardinfo cvm.bin'
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[   0.0044 ] Generating RCM messages
[   0.0059 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0067 ] RCM 0 is saved as rcm_0.rcm
[   0.0080 ] RCM 1 is saved as rcm_1.rcm
[   0.0080 ] List of rcm files are saved in rcm_list.xml
[   0.0080 ]
[   0.0080 ] Signing RCM messages
[   0.0098 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0106 ] Assuming zero filled SBK key
[   0.0187 ]
[   0.0187 ] Copying signature to RCM mesages
[   0.0196 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0208 ]
[   0.0209 ] Boot Rom communication
[   0.0217 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0149 ] BootRom is not running
[   5.2551 ]
[   6.2586 ] tegrarcm_v2 --isapplet

See full bash -x log at https://github.com/Trellis-Logic/secureboot-tegra/blob/master/burn_pkc_first_attempt.log

Open a new terminal prompt, verify device is still in recovery mode

dan@dan-ubuntu:~$ lsusb | grep NVidia
Bus 003 Device 021: ID 0955:7c18 NVidia Corp.

After waiting 5 minutes, kill the stalled process, verify device is still in recovery mode

dan@dan-ubuntu:~$ lsusb | grep NVidia
Bus 003 Device 021: ID 0955:7c18 NVidia Corp.

Retry command:

+++ PROD_CONFIG=tegra186-mb1-bct-prod-quill-p3310-1000-a00.cfg
+++ BOOTROM_CONFIG=tegra186-mb1-bct-bootrom-quill-p3310-1000-a00.cfg
+++ DEFAULT_FAB=B01
+ BL_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
+ TARGET_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/t186ref
+ KERNEL_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/kernel
+ DTB_DIR=/home/dan/secureboot-tegra/Linux_for_Tegra/kernel/dtb
+ '[' 0 -ne 1 ']'
+ get_fuse_level fuselevel hwchipid bootauth
+ local ECID
+ local rcmcmd
+ local inst_args=
+ local idval_1=
+ local idval_2=
+ local flval=
+ local baval=None
+ local flvar=fuselevel
+ local hivar=hwchipid
+ local bavar=bootauth
+ '[' -f /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/tegrarcm_v2 ']'
+ rcmcmd=tegrarcm_v2
+ '[' -n '' ']'
+ pushd /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
++ ./tegrarcm_v2 --uid
++ grep BR_CID
++ cut '-d ' -f2
+ ECID=
+ popd
+ '[' '' '!=' '' ']'
+ '[' '' '!=' fuselevel_production ']'
+ echo 'Error: Cannot fuse non-production board.'
Error: Cannot fuse non-production board.
+ exit 1

See https://github.com/Trellis-Logic/secureboot-tegra/blob/master/burn_pkc_reattempt.log

Attempting to run tegraflash in this state also fails, despite the fact that the device is still listed with lsusb. So it seems the bootloader is in some type of non functional state after the first failed attempt.

If I power cycle, put in recovery mode and retry, board process repeats. The first attempt after power cycle is always a hang and message https://github.com/Trellis-Logic/secureboot-tegra/blob/master/burn_pkc_first_attempt.log. The second attempt is always “Cannot fuse non-production board” and https://github.com/Trellis-Logic/secureboot-tegra/blob/master/burn_pkc_reattempt.log

However, if I power cycle, put in recovery mode and tegraflash there’s no issue with the bootloader.

BTW I’ve left it sit overnight to make sure it doesn’t eventually succeed in the first attempt case. This ultimately fails with

[ 60951.2515 ]
Error: None of the bootloaders are running on device. Check the UART log.
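The retry trace in the post above reaches "Cannot fuse non-production board" with `ECID=` empty, while lsusb still lists the device. The following is an added example, not part of the original post or of NVIDIA's scripts: a preflight check that separates those conditions before any fuse command is run. The state names and function names are hypothetical, and the sample inputs are constructed from output quoted in this thread.

```shell
#!/bin/sh
# Added example: preflight check to run before odmfuse.sh (not NVIDIA code).
# Function names and state names are hypothetical.

RCM_USB_ID="0955:7c18"   # USB ID lsusb shows in this thread for the TX2 in recovery mode

# Constructed samples, taken from output quoted in the thread.
SAMPLE_LSUSB_RECOVERY='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 021: ID 0955:7c18 NVidia Corp.'
SAMPLE_LSUSB_OFF='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'
SAMPLE_UID_OK='BR_CID: 0x81801001645118400c000000010203c0'
SAMPLE_UID_EMPTY=''      # what the failing trace shows: ECID= (nothing read back)

# True when the lsusb text contains the recovery-mode device.
usb_in_recovery() {
    case "$1" in
        *"ID ${RCM_USB_ID}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the value after "BR_CID:" out of `tegrarcm_v2 --uid` output.
# (The trace does the same job with: grep BR_CID | cut -d' ' -f2)
extract_br_cid() {
    printf '%s\n' "$1" \
        | sed -n 's/^BR_CID:[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | sed -n '1p'
}

# True when the argument is 0x followed by hex digits only.
is_hex_id() {
    case "$1" in
        0x*) ;;
        *) return 1 ;;
    esac
    case "${1#0x}" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# $1 = lsusb output, $2 = `tegrarcm_v2 --uid` output. Prints one state name.
classify_state() {
    if ! usb_in_recovery "$1"; then
        echo "not-in-recovery"        # no 0955:7c18 device on the bus
        return 0
    fi
    cs_cid=$(extract_br_cid "$2")
    if [ -z "$cs_cid" ]; then
        echo "bootrom-unresponsive"   # enumerated on USB but no UID came back
        return 0
    fi
    if ! is_hex_id "$cs_cid"; then
        echo "bad-br-cid"             # something came back but it is not a hex ID
        return 0
    fi
    echo "ready"
}

if [ "${1:-}" = "--live" ]; then
    # Run from Linux_for_Tegra; the --uid command is the one used in this thread.
    state=$(classify_state "$(lsusb)" "$(sudo ./bootloader/tegrarcm_v2 --uid 2>/dev/null)")
    echo "state: $state"
    [ "$state" = "ready" ] || exit 1
else
    echo "recovery, UID readable: $(classify_state "$SAMPLE_LSUSB_RECOVERY" "$SAMPLE_UID_OK")"
    echo "recovery, UID empty:    $(classify_state "$SAMPLE_LSUSB_RECOVERY" "$SAMPLE_UID_EMPTY")"
    echo "powered off:            $(classify_state "$SAMPLE_LSUSB_OFF" "$SAMPLE_UID_EMPTY")"
fi
```

With `--live`, a non-zero exit means the UID could not be read, which is the condition the trace reports as a non-production board.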

hello danwalkes,

I just tried again with the secureboot_R32.2.1_aarch64.tbz2 package without failures.
please also check my console logs for reference,

$ sudo ./odmfuse.sh --noburn -i 0x18 -c PKC -p -k ~/Desktop/rsa_priv.pem jetson-tx2

Board ID() version() sku() revision()
copying sdram_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg)... done.
copying misc_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-misc-si-l4t.cfg)... done.
copying pinmux_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg)... done.
copying scr_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/minimal_scr.cfg)... done.
copying scr_cold_boot_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/mobile_scr.cfg)... done.
copying pmc_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg)... done.
copying pmic_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg)... done.
copying br_cmd_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg)... done.
copying prod_config(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg)... done.
copying dev_params(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/BCT/emmc.cfg)... done.
Existing mb2_bootloader(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/nvtboot_recovery.bin) reused.
Existing mts_preboot(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/preboot_d15_prod_cr.bin) reused.
Existing mts_bootpack(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/mce_mts_d15_prod_cr.bin) reused.
copying bootloader_dtb(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/kernel/dtb/tegra186-quill-p3310-1000-c03-00-base.dtb)... done.
Existing bpmp_fw(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/bpmp.bin) reused.
copying bpmp_fw_dtb(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2.dtb)... done.
Existing tlk(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/tos-trusty.img) reused.
Existing eks(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/eks.img) reused.
Existing mb1file(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/mb1_prod.bin) reused.
Existing spefile(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/spe.bin) reused.
copying tegraboot(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/nvtboot.bin)... done.
Existing tbcfile(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/cboot.bin) reused.
Existing scefile(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/camera-rtcpu-sce.img) reused.
copying wb0boot(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/t186ref/warmboot.bin)... done.
done.
Existing cfg(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/flash.xml) reused.
Existing bl(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/nvtboot_recovery_cpu.bin) reused.
Existing applet(/media/jerry/Hitachi/L4T/T186/r32.x/out/l4t-t186ref-release-aarch64/full_linux_for_tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin) reused.
*** Calculating HASH from keyfile /home/jerry/Desktop/rsa_priv.pem ... done
PKC HASH: 0xeef3f38223c699d8c7202d60a15b47b3ed1ec5ebdbacfff40f4c6a733b56d804
*** Generating fuse configuration ... done.
done.
*** Start preparing fuse configuration ... 
*** done.

could you please share your board revision for us to check,
you could execute the flash script and it’ll parse the board info at the beginning.
for example,

$ sudo ./flash.sh --no-flash -r jetson-tx2 mmcblk0p1
...
Board ID(3310) version(B00) sku(1000) revision(E.0)

Thank you for the response Jerry
Here’s the output of the flash.sh script on this board

Board ID(3310) version(D01) sku(1000) revision(B.0)

I also see no failures running the command you referenced

sudo ./odmfuse.sh --noburn -i 0x18 -c PKC -p -k ~/Desktop/rsa_priv.pem jetson-tx2
*** Calculating HASH from keyfile /home/dan/secureboot-tegra/rsa_priv.pem ... done
PKC HASH: 0x6ec08947720942ec8a0a4f5c8cbb555e600757c17f178d883b1656628c2bd3fd
*** Generating fuse configuration ... done.
done.
*** Start preparing fuse configuration ...
*** done.

It looks like the --noburn option means it doesn’t attempt to access the bootloader, which probably explains why it’s not failing in my case.

Can you please copy the output of the command I’m using (or tell me the command I should be using) to burn the fuse?

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2

FYI I tried a second part today as well, same observations with that one attempting to fuse with odmfuse.sh. The output of the flash script is the same on this board:

sudo ./flash.sh --no-flash -r jetson-tx2 mmcblk0p1
Board ID(3310) version(D01) sku(1000) revision(B.0)

hello danwalkes,

the noburn option prepares a fuse blob without actual burning. you’ll need to exclude that option with the odmfuse script file to fuse the board.
may I also know if you’re able to flash the board with the latest JetPack release?
thanks

Thanks for the response Jerry

you’ll need to exclude that option with odmfuse script file to fuse the board.

Yes, like this command I’m using now, correct?

sudo ./odmfuse.sh -j -i 0x18 -c PKC -p -k ../rsa_priv.pem jetson-tx2

Do you have an example execution of this command on TX2 showing what to expect in the success case?

may I also know if you’re able to flash the board with the latest JetPack release.

Yes, flashing the board and booting is successful. I can boot both boards successfully using the L4T 32.2.1 release files. In fact that’s what I used to capture the tegrafuse.sh output in the first post.

Jerry or chijen,

Thank you for your previous responses.

I’m curious if you have suggestions about the next steps I should take to resolve or if you can provide an example showing successful odmfuse.sh execution which I could compare to the results above.

Dan

hello danwalkes,

could you please check whether you’re able to get the BR_CID or not. this data will then be used by the script to determine the fused state of the board.
for example,

$ sudo ./bootloader/tegrarcm_v2 --uid
BR_CID: 0xe1801001641a00471c00000001038440

Hi Jerry,
Thanks for the response.
Yes I can read this value. Here it is:

dan@dan-ubuntu:~/secureboot-tegra/Linux_for_Tegra$ sudo ./bootloader/tegrarcm_v2 --uid
BR_CID: 0x81801001645118400c000000010203c0

hello danwalkes,

may I know what your host machine’s ubuntu version is,
could you please try excluding the -p option to burn the fuse.
$ sudo ./odmfuse.sh -j -i 0x18 -c PKC -k ../rsa_priv.pem jetson-tx2

BTW, what’s the message shown if you exclude the board naming.
$ sudo ./odmfuse.sh -j -i 0x18 -c PKC -k ../rsa_priv.pem

Hi Jerry,

may I know what’s your host machine ubuntu version,

dan@dan-ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:        18.04
Codename:       bionic
dan@dan-ubuntu:~$

could you please have a try to exclude -p option to burn fuse.

Fails the same way

0.0038 ] Generating RCM messages
[   0.0049 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0058 ] RCM 0 is saved as rcm_0.rcm
[   0.0072 ] RCM 1 is saved as rcm_1.rcm
[   0.0072 ] List of rcm files are saved in rcm_list.xml
[   0.0072 ]
[   0.0072 ] Signing RCM messages
[   0.0091 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0100 ] Assuming zero filled SBK key
[   0.0179 ]
[   0.0179 ] Copying signature to RCM mesages
[   0.0188 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0201 ]
[   0.0201 ] Boot Rom communication
[   0.0209 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0218 ] BootRom is not running
[   5.1810 ]
[   6.1831 ] tegrarcm_v2 --isapplet

last lines of bash -x

+ SKIPUID=
+ '[' 0x18 = 0x19 ']'
+ args+='--cmd "dump eeprom boardinfo cvm.bin" '
+ local 'cmd=./tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" '
+ pushd /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader
+ '[' '' '!=' '' ']'
+ echo './tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" '
./tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin"
+ eval './tegraflash.py --chip 0x18 --applet "/home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" '
++ ./tegraflash.py --chip 0x18 --applet /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin --cmd 'dump eeprom boardinfo cvm.bin'
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[   0.0035 ] Generating RCM messages
[   0.0044 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/dan/secureboot-tegra/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0053 ] RCM 0 is saved as rcm_0.rcm
[   0.0058 ] RCM 1 is saved as rcm_1.rcm
[   0.0058 ] List of rcm files are saved in rcm_list.xml
[   0.0058 ]
[   0.0058 ] Signing RCM messages
[   0.0066 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0074 ] Assuming zero filled SBK key
[   0.0111 ]
[   0.0112 ] Copying signature to RCM mesages
[   0.0121 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0135 ]
[   0.0135 ] Boot Rom communication
[   0.0144 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0152 ] BootRom is not running
[   5.2106 ]

what’s the message shown if you exclude the board naming.
sudo ./odmfuse.sh -j -i 0x18 -c PKC -k ../rsa_priv.pem

This fails with a usage argument

dan@dan-ubuntu:~/secureboot-tegra/Linux_for_Tegra$ sudo ./odmfuse.sh -j -i 0x18 -c PKC -k ../rsa_priv.pem
Usage:
  ./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options] TargetBoard

  Where options are,
    -c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
    -d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
    -i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1, 0x18-TX2, 0x19-Xavier
    -j ------------------- Keep jtag enabled.
    -k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
    -l <0xX> ------------- sets odm_lock=0xX.
    -o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
                           8 32bit values MUST be quoted.
    -p ------------------- sets production mode.
    -r <0xXX> ------------ sets sw_reserved=0xXX.
    -S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
    --noburn ------------- Prepare fuse blob without actual burning.
    --KEK0 <Key file> ---- 128bit Key Encryption Key file in HEX format.
    --KEK1 <Key file> ---- 128bit Key Encryption Key file in HEX format.
    --KEK2 <Key file> ---- 128bit Key Encryption Key file in HEX format.
    --KEK256 <Key file> -- 256bit Key Encryption Key file in HEX format.
dan@dan-ubuntu:~/secureboot-tegra/Linux_for_Tegra$

Matt Madison was able to solve this issue with a patch to odmfuse.sh. Based on his comments this fix might be TX2 specific.

Hello JerryChang,

Why can’t I get the board version from the script?

garret:~/tx2/l4t32.2$ sudo ./flash.sh --no-flash -r jetson-tx2 mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 2.1
###############################################################################
Board ID() version() sku() revision()
copying bctfile(/home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/t186ref/BCT/P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg)... done.
copying misc_config(/home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-misc-si-l4t.cfg)... done.
copying pinmux_config(/home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg)... done.
...
Existing flasher(/home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/nvtboot_recovery_cpu.bin) reused.
Existing flashapp(/home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/tegraflash.py) reused.
./tegraflash.py --bl nvtboot_recovery_cpu.bin --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --odmdata 0x1090000 --applet mb1_recovery_prod.bin --cmd "flash; reboot"  --cfg flash.xml --chip 0x18 --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmic_config tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --pmc_config tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --prod_config tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --br_cmd_config tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --dev_params emmc.cfg  --bins "mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_prod_cr.bin; mts_bootpack mce_mts_d15_prod_cr.bin; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2.dtb; tlk tos-trusty.img; eks eks.img; bootloader_dtb tegra186-quill-p3310-1000-c03-00-base.dtb" --skipuid  
saving flash command in /home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/flashcmd.txt
saving Windows flash command to /home/garret/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/flash_win.bat
*** no-flash flag enabled. Exiting now... ***

hello garretzou,

could you please create a new discussion thread for tracking, since your reply in comment #15 is not related to odmfuse failures.
thanks

Hi Jerry,

I’m using odmfuse to burn new keys on the Jetson TX2, and I found a bug in the script when using KEK256.
Please see the patch below.
Could you please confirm that this is the right patch?

Also, can we burn multiple keys at one time? (See below)

sudo BOARDID=3310 FAB=C04 ./odmfuse.sh -j -i 0x18 -c PKC -k my_privkey.pem --KEK0 my_kek0.key --KEK1 my_kek1.key --KEK2 my_kek2.key --KEK256 my_kek256.key -S my_sbk.key jetson-tx2

Here is the Patch:

--- odmfuse.sh	2020-01-28 18:10:07.000000000 +0000
+++ odmfuse.sh.patch	2020-01-28 16:57:51.000000000 +0000
@@ -1056,7 +1056,7 @@ if [ "${KEK256FILE}" != "" ]; then
 		echo "*** Error: ${KEK256FILE} doesn't exits.";
 		exit 1;
 	fi;
-	KEK0FILE=`readlink -f "${KEK256FILE}"`;
+	KEK256FILE=`readlink -f "${KEK256FILE}"`;
 fi;
 
 if [ "${KEYFILE}" != "" ]; then
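Review bot: the description should state what the removed line in the KEK256FILE block (line 1056) did. It stored the resolved KEK256 path in KEK0FILE, so KEK0FILE was overwritten and KEK256FILE kept its unresolved path whenever --KEK256 was given, which matters for the multi-key command quoted just above the patch. The corrected assignment looks right. While touching this block, the error message in the context lines still reads "doesn't exits" and should read "doesn't exist".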
@@ -1234,7 +1234,7 @@ fi;
 
 if [ "${KEK256FILE}" != "" ]; then
 	kek256=`cat ${KEK256FILE}`;
-	chkhash "kek256" 64;
+	chkhash "kek256" 32;
 fi;
 
 if [ "${DKFILE}" != "" ]; then
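Review bot: the unit of the second chkhash argument is not visible in this hunk, and the change from 64 to 32 at line 1234 only makes sense if it is a byte count rather than a count of hex characters. The usage text describes the --KEK256 file as a 256bit key in HEX format, which is 64 hex characters or 32 bytes, so please confirm the unit against chkhash itself and add a one-line comment saying which it is. Separately, the context line reads the file with an unquoted ${KEK256FILE}, while the first hunk quotes it; quoting it here too would keep paths with spaces working.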

Best regards,
Ilies

hello ilies.chergui,

thanks for sharing the patch, we’ll have a code-review process for that.
BTW, you’re able to burn multiple keys at one time, please also check the example for burning the Fuse in a factory environment.
thanks

Hi Jerry,

Are there any updates?

Regards,
Ilies

hello ilies.chergui,

we’re now merging the change into the release code-line,
if we can catch the release date, then it’ll be included in the next public release, i.e. JetPack-4.4
thanks