Secure Boot TX2i

Hi NVIDIA,

I have a customer who is trying to run a secure boot command with the 32.4.3 fuse tools. These fuse tools and commands worked for me on my machine, but it’s stalling on theirs. Do you know what’s going on?

jdurkop@ubuntu:~/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra$ sudo ./odmfuse.sh -c PKC -i 0x18 -p -k /home/jdurkop/toptal_source/test/security/SecureBoot/keys/rsa_priv.pem -S /home/jdurkop/toptal_source/test/security/SecureBoot/keys/securebootkey.txt --KEK0 /home/jdurkop/toptal_source/test/security/SecureBoot/keys/kek0.txt --KEK1 /home/jdurkop/toptal_source/test/security/SecureBoot/keys/kek1.txt --KEK2 /home/jdurkop/toptal_source/test/security/SecureBoot/keys/kek2.txt orbitty
./tegraflash.py --chip 0x18 --applet “/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin” --skipuid --cmd “dump eeprom boardinfo cvm.bin”
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0170 ] Generating RCM messages
[ 0.0220 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[ 0.0265 ] RCM 0 is saved as rcm_0.rcm
[ 0.0287 ] RCM 1 is saved as rcm_1.rcm
[ 0.0287 ] List of rcm files are saved in rcm_list.xml
[ 0.0287 ]
[ 0.0288 ] Signing RCM messages
[ 0.0354 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0422 ] Assuming zero filled SBK key
[ 0.0703 ]
[ 0.0755 ] Copying signature to RCM mesages
[ 0.0797 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[ 0.0903 ]
[ 0.0904 ] Boot Rom communication
[ 0.0947 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[ 0.0989 ] RCM version 0X180001
[ 0.1047 ] Boot Rom communication completed
[ 1.1291 ]
[ 2.1349 ] tegrarcm_v2 --isapplet
[ 2.1400 ] Applet version 01.00.0000
[ 2.2053 ]
[ 2.2096 ] Retrieving EEPROM data
[ 2.2103 ] tegrarcm_v2 --oem platformdetails eeprom cvm /home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/cvm.bin
[ 2.2146 ] Applet version 01.00.0000
[ 2.2800 ] Saved platform info in /home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/cvm.bin
[ 2.4314 ]

copying sdram_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/P3489_A00_8GB_Samsung_8GB_lpddr4_204Mhz_P134_A02_ECC_en_l4t.cfg)… done.
copying misc_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-misc-si-l4t.cfg)… done.
copying pinmux_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pinmux-quill-p3489-1000-a00.cfg)… done.
copying scr_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/minimal_scr.cfg)… done.
copying scr_cold_boot_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/mobile_scr.cfg)… done.
copying pmc_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pad-quill-p3489-1000-a00.cfg)… done.
copying pmic_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pmic-quill-p3489-1000-a00.cfg)… done.
copying br_cmd_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-bootrom-quill-p3489-1000-a00.cfg)… done.
copying prod_config(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-prod-storm-p3489-1000-a00.cfg)… done.
copying dev_params(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/BCT/emmc.cfg)… done.
Existing mb2_bootloader(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/nvtboot_recovery.bin) reused.
Existing mts_preboot(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/preboot_d15_prod_cr.bin) reused.
Existing mts_bootpack(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/mce_mts_d15_prod_cr.bin) reused.
copying bootloader_dtb(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/kernel/dtb/tegra186-tx2i-cti-ASG003.dtb)… done.
Existing bpmp_fw(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/bpmp.bin) reused.
copying bpmp_fw_dtb(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/tegra186-a02-bpmp-storm-p3489-a00-00-ta795sa-ucm1.dtb)… done.
Existing tlk(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/tos-trusty.img) reused.
Existing eks(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/eks.img) reused.
Existing mb1file(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/mb1_prod.bin) reused.
Existing spefile(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/spe.bin) reused.
copying tegraboot(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/nvtboot.bin)… done.
Existing tbcfile(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/cboot.bin) reused.
Existing scefile(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/camera-rtcpu-sce.img) reused.
copying wb0boot(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/t186ref/warmboot.bin)… done.
done.
Existing cfg(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/flash.xml) reused.
Existing bl(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/nvtboot_recovery_cpu.bin) reused.
Existing applet(/home/jdurkop/nvidia/nvidia_sdk/JetPack_4.4.1_Linux_JETSON_TX2I/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin) reused.
*** Calculating HASH from keyfile /home/jdurkop/toptal_source/test/security/SecureBoot/keys/rsa_priv.pem … done
PKC HASH: removed from log, but appears okay
*** Generating fuse configuration … done.
done.
*** Start fusing …
./tegraflash.py --sdram_config P3489_A00_8GB_Samsung_8GB_lpddr4_204Mhz_P134_A02_ECC_en_l4t.cfg --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-quill-p3489-1000-a00.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --pmc_config tegra186-mb1-bct-pad-quill-p3489-1000-a00.cfg --pmic_config tegra186-mb1-bct-pmic-quill-p3489-1000-a00.cfg --br_cmd_config tegra186-mb1-bct-bootrom-quill-p3489-1000-a00.cfg --prod_config tegra186-mb1-bct-prod-storm-p3489-1000-a00.cfg --dev_params emmc.cfg --bins “mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_prod_cr.bin; mts_bootpack mce_mts_d15_prod_cr.bin; bootloader_dtb tegra186-tx2i-cti-ASG003.dtb; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-a02-bpmp-storm-p3489-a00-00-ta795sa-ucm1.dtb; tlk tos-trusty.img; eks eks.img” --cfg flash.xml --bl nvtboot_recovery_cpu.bin --odmdata 0x1090000 --chip 0x18 --applet mb1_recovery_prod.bin --cmd “burnfuses odmfuse_pkc.xml” --skipuid
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0629 ] Burning fuses
[ 0.0629 ] Generating RCM messages
[ 0.0682 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[ 0.0745 ] RCM 0 is saved as rcm_0.rcm
[ 0.0780 ] RCM 1 is saved as rcm_1.rcm
[ 0.0868 ] List of rcm files are saved in rcm_list.xml
[ 0.1090 ]
[ 0.1092 ] Signing RCM messages
[ 0.1183 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.1256 ] Assuming zero filled SBK key
[ 0.1464 ]
[ 0.1469 ] Copying signature to RCM mesages
[ 0.1553 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[ 0.1751 ]
[ 0.1753 ] Boot Rom communication
[ 0.1802 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[ 0.1877 ] Boot Rom communication failed
[ 5.3255 ]
[ 5.3259 ] Send tboot failed. Bootrom is likely not running, try to detect whether mb1/mb2/cpubl is running.
[ 6.3369 ] tegrarcm_v2 --isapplet

At this point it is locked up and never returns. No fuses appear to be burned after this (if we halt and boot the system)

Fuse dump:

test@jetson-dev:/sys/devices/platform/tegra-fuse$ ls
arm_jtag_disable kek1 of_node reserved_odm4
boot_security_info kek2 power reserved_odm5
calc_h2 modalias public_key reserved_odm6
debug_authentication odm_h2 reserved_odm0 reserved_odm7
driver odm_info reserved_odm1 secure_boot_key
driver_override odm_lock reserved_odm2 subsystem
kek0 odm_production_mode reserved_odm3 uevent
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat arm_jtag_disable
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat calc_h2
0x00003000
0x00000000n-dev:/sys/devices/platform/tegra-fuse$ sudo cat debug_authentication
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat driver
cat: driver: Is a directory
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat driver_override
(null)
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat kek0
0x00000000000000000000000000000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat kek1
0x00000000000000000000000000000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat kek2
0x00000000000000000000000000000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat modalias
of:Nefuse-burnTCnvidia,tegra186-efuse-burntest@jetson-dev:/sys/devices/platform
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat odm_h2
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat odm_info
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat odm_lock
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ ls
arm_jtag_disable kek1 of_node reserved_odm4
boot_security_info kek2 power reserved_odm5
calc_h2 modalias public_key reserved_odm6
debug_authentication odm_h2 reserved_odm0 reserved_odm7
driver odm_info reserved_odm1 secure_boot_key
driver_override odm_lock reserved_odm2 subsystem
kek0 odm_production_mode reserved_odm3 uevent
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat odm_production_mode
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat of_node
cat: of_node: Is a directory
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat power
cat: power: Is a directory
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat public_key
0x0000000000000000000000000000000000000000000000000000000000000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm0
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm1
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm2
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm3
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm4
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm5
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm6
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat reserved_odm7
0x00000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ ls
arm_jtag_disable kek1 of_node reserved_odm4
boot_security_info kek2 power reserved_odm5
calc_h2 modalias public_key reserved_odm6
debug_authentication odm_h2 reserved_odm0 reserved_odm7
driver odm_info reserved_odm1 secure_boot_key
driver_override odm_lock reserved_odm2 subsystem
kek0 odm_production_mode reserved_odm3 uevent
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat secure_boot_key
0x00000000000000000000000000000000
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat subsystem
cat: subsystem: Is a directory
test@jetson-dev:/sys/devices/platform/tegra-fuse$ sudo cat uevent
DRIVER=tegra-fuse-burn
OF_NAME=efuse-burn
OF_FULLNAME=/efuse@3820000/efuse-burn
OF_COMPATIBLE_0=nvidia,tegra186-efuse-burn
OF_COMPATIBLE_N=1
MODALIAS=of:Nefuse-burnTCnvidia,tegra186-efuse-burn
test@jetson-dev:/sys/devices/platform/tegra-fuse$

This may be partially resolved now with a workaround:

Had him run the fuseblob directly and it appears it may have worked through that path.

$ tar -xf fuseblob.tbz2 -C fuseblob

$ cd fuseblob/bootloader

$ ./fusecmd.sh

hello nathan546,

since you’re working with r32.4, we’re having some bug fixes for similar issues, and those changes has check-in to r32.5,
may I know is there any chances for moving to the latest JetPack SDK release version, (i.e. JetPack-4.5).
thanks