Hi there, I am implementing secure boot on Xavier AGX. I have flashed Xavier AGX with JetPack 4.5 using SDK Manager. I have a few questions regarding secure boot.
To implement secure boot, the guide says: Extract the file “secureboot.tbz2” onto the directory that is one level up
from the Linux_for_Tegra/ directory on your Linux host. So everything I have to do is on the host, as I couldn’t find this directory in the Xavier file system.
While running $ sudo ./odmfuse.sh -i 0x19 -c NS -p jetson-agx-xavier-devkit I am getting: Error: Invalid target board - jetson-agx-xavier-devkit. Kindly guide me on what I am doing wrong.
Since fuse programming is non-reversible, please carefully examine your process step by step when enabling SecureBoot.
For example,
please enable the --noburn option in odmfuse, check whether the fuseblob is generated, and please also look into the XML file to review the fuse programming values.
After that, once everything is confirmed, execute fusecmd to actually perform the fuse programming.
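As an added illustration of the "review the XML before burning" step above (this is not NVIDIA code and not part of the original thread), the script below parses a fuse XML of the kind odmfuse.sh --noburn writes and reports anything an operator should stop and confirm before running fusecmd. The XML layout (a genericfuse root with fuse elements carrying name, size and value attributes), the fuse names used in the checks, and the sample file are all assumptions modelled on the T194 odmfuse output; verify them against your real odmfuse_pkc.xml before relying on the result.

```python
"""Pre-burn review of an odmfuse-style fuse XML (added example, not NVIDIA's tool).

ASSUMPTIONS (not taken from the thread): the <genericfuse>/<fuse name= size= value=>
layout and the fuse names below mirror what odmfuse.sh emits for T194, but the
script treats them as a model; adjust the tables if your XML differs.
"""
import xml.etree.ElementTree as ET

# Key material fuses and their sizes in bytes (assumed names/sizes).
KEY_FUSES = {"PublicKeyHash": 32, "SecureBootKey": 16,
             "Kek0": 16, "Kek1": 16, "Kek2": 16, "Kek256": 32}
# Fuses whose effect is a one-way lockout; always worth an explicit confirmation.
LOCKOUT_FUSES = {"JtagDisable", "OdmLock", "SecurityMode", "DebugAuthentication"}
# Other fuses odmfuse may legitimately write (assumed names).
OTHER_FUSES = {"BootSecurityInfo", "OdmId", "OdmInfo"} | {f"ReservedOdm{i}" for i in range(8)}

# Constructed sample, not a real fuse file: the SBK was left as a zero placeholder
# and JTAG disable is set, so the review must flag both.
SAMPLE_FUSE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<genericfuse MagicId="0x45535546" version="1.0.0">
  <fuse name="PublicKeyHash" size="32" value="0x{bytes(range(32)).hex()}" />
  <fuse name="SecureBootKey" size="16" value="0x{"00" * 16}" />
  <fuse name="Kek2" size="16" value="0x{bytes(range(16, 32)).hex()}" />
  <fuse name="BootSecurityInfo" size="4" value="0x1" />
  <fuse name="JtagDisable" size="4" value="0x1" />
</genericfuse>
"""


def parse_hex(value, size_bytes):
    """Return the fuse value as exactly size_bytes bytes (left-padded), or raise ValueError."""
    if not value.lower().startswith("0x"):
        raise ValueError(f"value {value!r} is not 0x-prefixed")
    digits = value[2:]
    if not digits:
        raise ValueError("empty value")
    if len(digits) > 2 * size_bytes:
        raise ValueError(f"value {value!r} exceeds declared size {size_bytes} bytes")
    return bytes.fromhex(digits.zfill(2 * size_bytes))


def key_is_weak(raw):
    """Heuristic for placeholder key material: every byte identical (all-zero, all-0xFF, ...).
    This is not an entropy test; it only catches values that were obviously never generated."""
    return len(set(raw)) == 1


def review_fuse_xml(xml_text, require_pkc=True):
    """Parse the fuse XML and return the decoded fuses plus (severity, message) findings.
    ok is True only when no 'error' finding was raised; 'warn' findings still need a human."""
    root = ET.fromstring(xml_text)
    findings, fuses = [], {}
    if root.tag != "genericfuse":
        findings.append(("error", f"unexpected root element <{root.tag}>"))
    for el in root.findall("fuse"):
        name = el.get("name", "?")
        size = int(el.get("size", "0"), 0)
        value = el.get("value", "")
        try:
            raw = parse_hex(value, size)
        except ValueError as exc:
            findings.append(("error", f"{name}: {exc}"))
            continue
        fuses[name] = raw.hex()
        if name in KEY_FUSES:
            if size != KEY_FUSES[name]:
                findings.append(("error", f"{name}: size {size} != expected {KEY_FUSES[name]}"))
            if key_is_weak(raw):
                findings.append(("error", f"{name}: looks like placeholder key material ({value})"))
        elif name in LOCKOUT_FUSES:
            if any(raw):
                findings.append(("warn", f"{name}={value} is irreversible; confirm this is intended"))
        elif name not in OTHER_FUSES:
            findings.append(("warn", f"{name}: not in the expected fuse list; verify before burning"))
    if require_pkc and "PublicKeyHash" not in fuses:
        findings.append(("error", "PublicKeyHash missing: PKC mode would burn no key hash"))
    ok = not any(sev == "error" for sev, _ in findings)
    return {"fuses": fuses, "findings": findings, "ok": ok}


if __name__ == "__main__":
    result = review_fuse_xml(SAMPLE_FUSE_XML)
    for sev, msg in result["findings"]:
        print(f"[{sev}] {msg}")
    print("safe to hand to fusecmd" if result["ok"] else "DO NOT BURN: fix the errors above")
```

Run it against the generated XML (for example, replace SAMPLE_FUSE_XML with the contents of bootloader/odmfuse_pkc.xml) and only proceed to fusecmd.sh when it reports no errors and you have read every warning.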
From where can I download fuseblob.tbz2? I couldn’t find fusecmd.sh in Linux_for_Tegra/bootloader, but there is odmfuse_pkc.xml in Linux_for_Tegra/bootloader.
Hi there, I am using this: ~/xavier/Tegra186_Linux_R32.5.1_aarch64/Linux_for_Tegra$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -k ../pri.pem --KEK0 ../KEK.txt -S ../SBK.txt jetson-agx-xavier-devkit
So, you’ll see the fuseblob generated after odmfuse returns success.
Yes, please add the -p fuse option to write all fuses at once.
It’s still suggested to keep the --noburn option, and then perform the generated command to program the fuses.
Thanks
Yes, I can see fuseblob.tbz2 generated, so what will be the next step?
Will I untar this and run flash?
Kindly guide me about the flash command; which command should I use for Xavier AGX?
Thanks
fuseblob.tbz2 has a bootloader directory, so should I untar fuseblob.tbz2 in Linux_for_Tegra/bootloader
or like this: Linux_for_Tegra/fuseblob/bootloader? And after
You’ll see the fuse commands, fusecmd.sh, after un-tarring the fuse blob.
For your reference, here’s a thread where we confirmed that fusing and flashing works on Xavier NX.
Thanks
To clarify, it’s odmfuse that enables SecureBoot, which fuses the keys into the target.
Once you enable Jetson security, you’ll need to pass the keys to the flash script to flash the board.
Yes, you’ll need to pass the keys for your target once the board is fused.
Note:
partially flashing a partition is not supported on a fused platform (i.e. the -k option);
please perform a whole flash if you need to re-flash the target.
Thanks
Hi @JerryChang
I want to implement disk encryption as well.
I have gone through that but haven’t fused the board yet. I was wondering what comes next if I want to encrypt the Xavier as well.
My commands are as follows.
To generate fuseblob.tbz2:
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh --noburn -j -i 0x19 -c PKC -p -k <pkc_file> -S <sbk_file> --KEK2 <kek2_file> jetson-agx-xavier-devkit
To sign the boot files:
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u <pkc_file> -v <sbk_file> jetson-agx-xavier-devkit
Kindly guide me on what I should add to implement disk encryption of the Xavier at this stage.
Thanks
KEKs are Key Encryption Keys; they’re used as a key seed to encode keys.
For example, KEK2 can be used as a key seed to encrypt and decrypt the Encrypted Key Blob (EKB) when TOS is enabled.
There’s a user key stored in the Encrypted Key Blob (EKB); the Security Engine (SE) retrieves the user key from the EKB and uses it to decrypt the kernel image files.
Please also refer to the two topics below; they’re supported by default on r32.5.
Assuming you’ve downloaded the r32.5.1 L4T Driver Package (BSP) Sources,
please un-tar the trusty_src.tbz2 package, and you’ll see gen_ekb.py as follows,
for example: $L4T_Sources/r32.5.1/Linux_for_Tegra/source/public/trusty/app/nvidia-sample/hwkey-agent/CA_sample/tool/gen_ekb/gen_ekb.py