We are working with the Jetson Orin Nano platform and building our system image using Yocto with the meta-tegra layer. We want to enable Secure Boot on our devices.
We have a few questions regarding the current recommended approach:
It is stated in the recent documentation that odmfuse.sh has been deprecated in favor of the Factory Secure Key Provisioning (FSKP) tool. Does this mean odmfuse.sh is no longer supported and should not be used at all for fusing on Orin Nano?
Can we still safely use odmfuse.sh to burn secure boot fuses, or is it mandatory to switch to the FSKP process?
Since we are using Yocto/meta-tegra, is the following the correct way to ensure that our bootloader and images are signed during the build?
>> Q1 odmfuse.sh is still available with the JetPack 6.2 public release version. You may use it to enable Jetson security.
>> Q2
Unfortunately, I don’t have experience with Yocto/meta-tegra, but it looks correct for sending keys to sign/encrypt the binary for image creation.
We are currently working on enabling Secure Boot for our Jetson using the official odmfuse.sh script, and we followed the steps described in the documentation section "Burn Fuses with the Fuse Configuration File".
We used both PKC and SBK keys, and we are running the process with the --test flag first, to validate the operation.
The command runs through all key generation, signature creation, and BCT processing stages successfully, but fails at the final step with the following message:
...
Existing camerafw(/home/floukil/Linux_for_Tegra/bootloader/camera-rtcpu-t234-rce.img) reused.
Existing wb0boot(/home/floukil/Linux_for_Tegra/bootloader/sc7_t234_prod.bin) reused.
sed: -e expression n°34, caractère 12: option inconnue pour « s »
failed.