Secure boot on Jetson Orin Nano 4GB-DRAM (P3767-0004) board not booting

I have a custom board based on Jetson Orin Nano 4GB-DRAM (P3767-0004) using Jetpack 36.3 (6.0).
Exactly this model: ACCEL-JS800

Everything is working as expected ✅
I can flash the system and customize it and it boots up correctly ✅

I wanted to go to the next step and fuse the board with PKC (3 RSA keys) and SBC to secure it.
This is the XML file used for fusing (the same as the one in the documentation):

<genericfuse MagicId="0x45535546" version="1.0.0">
   <fuse name="PublicKeyHash" size="64" value="0xXXX"/>
   <fuse name="PkcPubkeyHash1" size="64" value="0xXXX"/>
   <fuse name="PkcPubkeyHash2" size="64" value="0xXXX"/>
   <fuse name="SecureBootKey" size="32" value="0xXXX"/>
   <fuse name="OptInEnable" size="4" value="0x1"/>
   <fuse name="BootSecurityInfo" size="4" value="0x9"/>
   <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

The fusing happened correctly ✅
I can read the fuses using ./odmfuseread.sh -i 0x23 -k <PATHTOPKC> -S <PATHTOSBK> jetson-orin-nano-devkit

Fuse reading is done. The fuse values have been saved in: /home/user/Downloads/Jetson_Linux_R36.3.0_aarch64/Linux_for_Tegra/bootloader/fuse_info.txt
PublicKeyHash: 0xXXX
BootSecurityInfo: 00000009
ArmJtagDisable: 00000000
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000

I can flash the board using:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u <PATHTOPKC> -v <PATHTOSBK> --external-device nvme0n1p1 -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit nvme0n1p1

The flash is successful ✅

However, upon reboot there is nothing on the black screen, not even UEFI or any boot step.

I was wondering if I did something wrong, or how I can debug this.
UART access is limited and I want to avoid opening the board.

Thanks

Hello @sidalit

What do you mean by UART access is limited?

Could you get the UART log messages? Or is it not possible?

Regards!
Eduardo Salazar
Embedded SW Engineer at RidgeRun

Contact us: support@ridgerun.com
Developers wiki: https://developer.ridgerun.com/
Website: www.ridgerun.com

What do you mean by UART access is limited?

I mean that the ACCEL-JS800 is a closed box and it needs to be disassembled before accessing the UART

Could you get the UART log messages? Or is it not possible?

I can access it but I would prefer not if there is any other method

Thanks

hello sidalit,

please refer to Jetson Orin Fuse Specification to double check FUSE_BOOT_SECURITY_INFO_0.
for instance,

Bits [2:0] mapped to Secure Boot Authentication Scheme,
where:
000b: SHA2-512 Hash (not recommended)
001b: 3072-bit RSA
010b: ECDSA P-256 Curve
011b: ECDSA P-521-Curve

since Jetson Orin series targets support the PKC of RSA 3K, ECDSA P-256, and ECDSA P-521.
please check you've assigned the correct BootSecurityInfo
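As an added example (not from this thread or from NVIDIA's tools), the check suggested above can be done against the fuse_info.txt dump itself: decode the BootSecurityInfo value using the bits [2:0] mapping quoted in this reply, and compare it with what was intended to be fused. The bit 3 = SBK interpretation is an assumption taken from the thread, and the sample dump is constructed from the output shown earlier.

```python
import re

# Bits [2:0] of FUSE_BOOT_SECURITY_INFO_0, as quoted in the reply above.
AUTH_SCHEMES = {
    0b000: "SHA2-512 Hash (not recommended)",
    0b001: "3072-bit RSA",
    0b010: "ECDSA P-256",
    0b011: "ECDSA P-521",
}
# Assumption taken from the thread: bit 3 is set when an SBK is fused.
SBK_BIT = 1 << 3

# Constructed sample, modelled on the fuse_info.txt dump shown in the thread.
SAMPLE_FUSE_INFO = """\
PublicKeyHash: XXX
BootSecurityInfo: 00000009
ArmJtagDisable: 00000000
SecurityMode: 00000001
"""


def parse_fuse_info(text):
    """Return {fuse_name: raw_hex_string} from odmfuseread.sh output lines."""
    fuses = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+):\s*(\S+)\s*$", line)
        if m:
            fuses[m.group(1)] = m.group(2)
    return fuses


def decode_boot_security_info(raw):
    """Split the BootSecurityInfo hex value into auth scheme and SBK flag."""
    value = int(raw, 16)
    scheme = value & 0b111
    return {
        "auth_scheme": AUTH_SCHEMES.get(scheme, f"reserved ({scheme:03b})"),
        "sbk_enabled": bool(value & SBK_BIT),
    }


def check_expected(fuses, expect_scheme, expect_sbk):
    """List mismatches between the dump and the intended fusing (empty = OK)."""
    info = decode_boot_security_info(fuses["BootSecurityInfo"])
    problems = []
    if info["auth_scheme"] != expect_scheme:
        problems.append(f"auth scheme {info['auth_scheme']} != {expect_scheme}")
    if info["sbk_enabled"] != expect_sbk:
        problems.append(f"SBK flag {info['sbk_enabled']} != {expect_sbk}")
    if int(fuses.get("SecurityMode", "0"), 16) != 1:
        problems.append("SecurityMode is not 1 (not fused as in the XML above)")
    return problems
```

For the dump in this thread, `check_expected(parse_fuse_info(SAMPLE_FUSE_INFO), "3072-bit RSA", True)` returns an empty list, i.e. 0x9 does match three RSA keys plus an SBK.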

please refer to Jetson Orin Fuse Specification to double check FUSE_BOOT_SECURITY_INFO_0.

Yes, this is the document I referred to for the fusing.


I used RSA keys, so bit 0 is set, and fused an SBK key, so bit 3 is also set.
The final result is 1001 (0x9), the same as in the documentation:
https://docs.nvidia.com/jetson/archives/r36.3/DeveloperGuide/SD/Security/SecureBoot.html#an-example-fusing-the-three-pkc-keys

I double checked and it’s correct.
This is my fuse_info.txt

fuse_info.txt
PublicKeyHash: XXX
BootSecurityInfo: 00000009
ArmJtagDisable: 00000000
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000

hello sidalit,

is it related to boot order config?
please refer to Overriding the Default Boot Order During Flashing to set the default boot order.

for example,
please try step-by-step approach for creating internal/external image, and then image flashing.

  1. $ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u PKC -v SBK -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

  2. $ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_external.xml --no-flash -u PKC -v SBK --showlogs --network usb0 jetson-orin-nano-devkit external

  3. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u PKC -v SBK --showlogs --network usb0 --flash-only

Hello JerryChang

$ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u PKC -v SBK -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

This step worked well.

$ sudo ADDITIONAL_DTB_OVERLAY="BootOrderNvme.dtbo" ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_external.xml -u PKC -v SBK --showlogs --network usb0 jetson-orin-nano-devkit external

This step failed and this is the log file.
message_complete.txt (488.1 KB)

Let me know if you need anything else

it has reported timeout for waiting device boot to the initrd flash kernel.
by checking the command-line again, you should add --no-flash to the 2nd pipeline as well for creating the external image.

Thanks for the help

The first 2 commands succeed; however, the reported timeout is now in the 3rd command, which consists of flashing only.

Here are the logs:
message.txt (10.7 KB)