Secure boot on Jetson Orin Nano 4GB-DRAM (P3767-0004) board not booting [part 2]

Following post: Secure boot on Jetson Orin Nano 4GB-DRAM (P3767-0004) board not booting

I have a custom board based on Jetson Orin Nano 4GB-DRAM (P3767-0004) using Jetpack 36.3 (6.0).
Exactly this model: ACCEL-JS800

Everything is working as expected ✅
I can flash the system and customize it and it boots up correctly ✅

I wanted to go to the next step and fuse the board with PKC (3 RSA keys) and SBC to secure it.
This is the used xml file for fusing (same as this one in the documentation)

<genericfuse MagicId="0x45535546" version="1.0.0">
   <fuse name="PublicKeyHash" size="64" value="0xXXX"/>
   <fuse name="PkcPubkeyHash1" size="64" value="0xXXX"/>
   <fuse name="PkcPubkeyHash2" size="64" value="0xXXX"/>
   <fuse name="SecureBootKey" size="32" value="0xXXX"/>
   <fuse name="OptInEnable" size="4" value="0x1"/>
   <fuse name="BootSecurityInfo" size="4" value="0x9"/>
   <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

I used RSA keys so bit 0 is set and fused an SBK key so bit 3 also is set.
The final result is 1001 (0x9) the same as the documentation:
https://docs.nvidia.com/jetson/archives/r36.3/DeveloperGuide/SD/Security/SecureBoot.html#an-example-fusing-the-three-pkc-keys

The fusing happened correctly ✅
I can read the fuses using ./odmfuseread.sh -i 0x23 -k <PATHTOPKC> -S <PATHTOSBK> jetson-orin-nano-devkit

Fuse reading is done. The fuse values have been saved in: /home/user/Downloads/Jetson_Linux_R36.3.0_aarch64/Linux_for_Tegra/bootloader/fuse_info.txt
PublicKeyHash: 0xXXX
BootSecurityInfo: 00000009
ArmJtagDisable: 00000000
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000

I can flash the board using:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u <PATHTOPKC> -v <PATHTOSBK> --uefi-keys uefi_keys.conf --external-device nvme0n1p1 -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit nvme0n1p1

The flash is successful ✅

However upon reboot, nothing on the black screen, not even UEFI or any step ❌

I got UART access now and from the logs I had an issue on UEFI variable authentication key:

E/TC:?? 00 jetson_user_key_pta_uefi_vars_auth:904 UEFI variable auth key not set !

I followed this “fix” and re-generated an EKS image with all 0s in the keys (which should be the default but not sure why I re-generate the EKS image and it’s getting further now).

I have a memory issue now:

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC: Failed to allocate buffer for decrypted image
Failed to boot recovery:0 partition

One thing that I noticed, if I remove the --uefi-keys uefi_keys.conf arguments, the board boots correctly ✅ however I need to enable UEFI secure boot.

Thanks

One question: Is the module one which has eMMC memory? Or does this use an SD card to boot to? If it has eMMC, then secure boot is possible, but if this module uses an SD card (plus QSPI on the module, but no eMMC), then secure boot is not supported.

It uses NVME memory, so I suppose secure boot is supported.

hello sidalit,

BTW, is it a must to stay-on JP-6.0/r36.3?
are you able moving to JetPack 6.2/L4T 36.4.3 to enable UEFI secureboot?

Just to emphasize, if the module has eMMC, even if it is not used (it really is used though for boot content despite moving the o/s to the NVMe), then it can use secure boot. Secure boot is about the boot content, not the o/s partition. The o/s and boot are separate. Regardless of using an NVMe or not, does the module have the option to use eMMC? If so, you can use secure boot; if not, then secure boot won’t be possible.

BTW, is it a must to stay-on JP-6.0/r36.3?
are you able moving to JetPack 6.2/L4T 36.4.3 to enable UEFI secureboot?

It’s not a requirement to stay in this version but I want to avoid updating my whole system since it’s working well and it’s not needed to update.

Just to emphasize, if the module has eMMC, even if it is not used (it really is used though for boot content despite moving the o/s to the NVMe), then it can use secure boot. Secure boot is about the boot content, not the o/s partition. The o/s and boot are separate. Regardless of using an NVMe or not, does the module have the option to use eMMC? If so, you can use secure boot; if not, then secure boot won’t be possible.

Understood, thanks for clarification. It does not have eMMC, so secure boot should be possible

Without eMMC secure boot cannot exist. Even if you were to boot to an external device, the content used for secure boot lives in the eMMC, and thus you cannot use secure boot without an eMMC model (even if you use an external device for storage).

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.