I have a custom board based on Jetson Orin Nano 4GB-DRAM (P3767-0004) using Jetpack 36.3 (6.0).
Exactly this model: ACCEL-JS800
Everything is working as expected ✅
I can flash the system and customize it and it boots up correctly ✅
I wanted to go to the next step and fuse the board with PKC (3 RSA keys) and SBC to secure it.
This is the XML file used for fusing (same as this one in the documentation):
<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="PublicKeyHash" size="64" value="0xXXX"/>
<fuse name="PkcPubkeyHash1" size="64" value="0xXXX"/>
<fuse name="PkcPubkeyHash2" size="64" value="0xXXX"/>
<fuse name="SecureBootKey" size="32" value="0xXXX"/>
<fuse name="OptInEnable" size="4" value="0x1"/>
<fuse name="BootSecurityInfo" size="4" value="0x9"/>
<fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>
The fusing happened correctly ✅
I can read the fuses using ./odmfuseread.sh -i 0x23 -k <PATHTOPKC> -S <PATHTOSBK> jetson-orin-nano-devkit
Fuse reading is done. The fuse values have been saved in: /home/user/Downloads/Jetson_Linux_R36.3.0_aarch64/Linux_for_Tegra/bootloader/fuse_info.txt
PublicKeyHash: 0xXXX
BootSecurityInfo: 00000009
ArmJtagDisable: 00000000
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000
I can flash the board using:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u <PATHTOPKC> -v <PATHTOSBK> --external-device nvme0n1p1 -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit nvme0n1p1
The flash is successful ✅
However upon reboot, nothing on the black screen, not even UEFI or any step.
I was wondering if I did something wrong or how can I debug this.
UART access is limited and I want to avoid opening the board.
Thanks
Hello @sidalit
What do you mean by UART access is limited?
Could you get the UART log messages? Or is it not possible?
Regards!
Eduardo Salazar
Embedded SW Engineer at RidgeRun
Contact us: support@ridgerun.com
Developers wiki: https://developer.ridgerun.com/
Website: www.ridgerun.com
What do you mean by UART access is limited?
I mean that the ACCEL-JS800 is a closed box and it needs to be disassembled before accessing the UART.
Could you get the UART log messages? Or is it not possible?
I can access it, but I would prefer not to if there is any other method.
Thanks
hello sidalit,
please refer to Jetson Orin Fuse Specification to double check FUSE_BOOT_SECURITY_INFO_0.
for instance,
Bits [2:0] mapped to Secure Boot Authentication Scheme,
where:
000b: SHA2-512 Hash (not recommended)
001b: 3072-bit RSA
010b: ECDSA P-256 Curve
011b: ECDSA P-521-Curve
since Jetson Orin series targets support the PKC of RSA 3K, ECDSA P-256, and ECDSA P-521.
please check you’ve assigned the correct BootSecurityInfo.
please refer to Jetson Orin Fuse Specification to double check FUSE_BOOT_SECURITY_INFO_0.
Yes, this is the document I referred to for the fusing.
I used RSA keys so bit 0 is set and fused an SBK key so bit 3 also is set.
The final result is 1001 (0x9), the same as the documentation:
https://docs.nvidia.com/jetson/archives/r36.3/DeveloperGuide/SD/Security/SecureBoot.html#an-example-fusing-the-three-pkc-keys
I double checked and it’s correct.
This is my fuse_info.txt
PublicKeyHash: XXX
BootSecurityInfo: 00000009
ArmJtagDisable: 00000000
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000
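The BootSecurityInfo check worked through in the two posts above, as an added example that is not part of the original thread or of NVIDIA's tooling: it decodes only the bits the thread describes (bits [2:0] and the SBK bit 3) and compares the fuse XML against the fuse_info.txt read-back. The function names and the sample input are assumptions, constructed from the values posted above.

```python
import xml.etree.ElementTree as ET

# Bits [2:0] of FUSE_BOOT_SECURITY_INFO_0, as listed in the thread.
AUTH_SCHEMES = {0b000: "SHA2-512 Hash (not recommended)", 0b001: "3072-bit RSA",
                0b010: "ECDSA P-256 Curve", 0b011: "ECDSA P-521 Curve"}
SBK_BIT = 1 << 3  # per the thread: bit 3 is set when an SBK is fused

# Constructed sample input using the values posted in the thread (key hashes omitted).
SAMPLE_XML = """<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="OptInEnable" size="4" value="0x1"/>
<fuse name="BootSecurityInfo" size="4" value="0x9"/>
<fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>"""
SAMPLE_FUSE_INFO = "BootSecurityInfo: 00000009\nArmJtagDisable: 00000000\nSecurityMode: 00000001\n"

def decode_boot_security_info(value):
    """Decode only the fields the thread describes; higher bits are returned raw."""
    return {
        "auth_scheme": AUTH_SCHEMES.get(value & 0b111, "not listed in the thread"),
        "sbk_enabled": bool(value & SBK_BIT),
        "other_bits": value & ~0xF,
    }

def parse_fuse_info(text):
    """Parse the 'Name: hexvalue' lines of a fuse_info.txt read-back."""
    fuses = {}
    for line in text.splitlines():
        name, sep, raw = line.partition(":")
        if sep and raw.strip():
            fuses[name.strip()] = raw.strip()
    return fuses

def compare_with_fuse_xml(xml_text, fuse_info_text,
                          names=("BootSecurityInfo", "SecurityMode")):
    """Return {name: (intended, burned)} for fuses whose read-back differs from the XML."""
    root = ET.fromstring(xml_text)
    intended = {f.get("name"): f.get("value") for f in root.iter("fuse")}
    burned = parse_fuse_info(fuse_info_text)
    mismatches = {}
    for name in names:
        want, got = intended.get(name), burned.get(name)
        if want is None or got is None or int(want, 16) != int(got, 16):
            mismatches[name] = (want, got)
    return mismatches

if __name__ == "__main__":
    burned = parse_fuse_info(SAMPLE_FUSE_INFO)
    print(decode_boot_security_info(int(burned["BootSecurityInfo"], 16)))
    print("mismatches:", compare_with_fuse_xml(SAMPLE_XML, SAMPLE_FUSE_INFO))
```

An empty result only shows that the burned BootSecurityInfo and SecurityMode match what the XML requested; the key hashes are not compared.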
hello sidalit,
is it related to boot order config?
please refer to Overriding the Default Boot Order During Flashing to set the default boot order.
for example,
please try step-by-step approach for creating internal/external image, and then image flashing.
$ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u PKC -v SBK -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
$ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_external.xml --no-flash -u PKC -v SBK --showlogs --network usb0 jetson-orin-nano-devkit external
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u PKC -v SBK --showlogs --network usb0 --flash-only
sidalit (January 14, 2025, 10:53am, post 8)
Hello JerryChang
$ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u PKC -v SBK -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
This step worked well.
$ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_external.xml -u PKC -v SBK --showlogs --network usb0 jetson-orin-nano-devkit external
This step failed and this is the log file.
message_complete.txt (488.1 KB)
Let me know if you need anything else
it has reported a timeout while waiting for the device to boot to the initrd flash kernel.
by checking the command-line again, you should add --no-flash to the 2nd pipeline as well for creating the external image.
sidalit (January 16, 2025, 12:15pm, post 10)
Thanks for the help
The first 2 commands succeed; however, the reported timeout is now in the 3rd command, which consists of flashing only.
Here are the logs:
message.txt (10.7 KB)