Secureboot on Nano

Hi,

I have tried to enable the secureboot on our Nano box with a carrier board.
The L4T version is 32.3.1.

Here’re my steps.

$ ls -l
total 19037316
drwxrwxrwx 8 root  root         4096 12月 10 16:04 Linux_for_Tegra
-rw-rw-r-- 1 tsato tsato 19493855566  2月 24 08:11 Linux_for_Tegra_Nano_JP4.3_20200214.tar.gz
-rw-rw-r-- 1 tsato tsato         150  2月 24 08:17 Linux_for_Tegra_Nano_JP4.3_20200214.tar.gz.MD5.txt
-rw-rw-r-- 1 tsato tsato      339353  2月 24 08:23 secureboot_R32.3.1_aarch64.tbz2
$ sudo tar xvjf secureboot_R32.3.1_aarch64.tbz2 
Linux_for_Tegra/
Linux_for_Tegra/odmfuse.sh
Linux_for_Tegra/pkc/
Linux_for_Tegra/pkc/tegrafuse.sh
Linux_for_Tegra/pkc/mkpkc
Linux_for_Tegra/pkc/LICENSE.mkpkc
Linux_for_Tegra/bootloader/
Linux_for_Tegra/bootloader/odmsign.func
Linux_for_Tegra/bootloader/README_secureboot.txt
$ openssl genrsa -out emi_pkc.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................+++++
.......................................................................+++++
e is 65537 (0x010001)
$ echo "0xabcd0001" > dk.txt
$ cd Linux_for_Tegra
$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem jetson-nano-emmc
Usage:
  ./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options]

  Where options are,
    -c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
    -d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
    -i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1
    -j ------------------- Keep jtag enabled.
    -k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
    -l <0xX> ------------- sets odm_lock=0xX.
    -o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
                           8 32bit values MUST be quoted.
    -p ------------------- sets production mode.
    -r <0xXX> ------------ sets sw_reserved=0xXX.
    -D <DK file> --------- 32bit Device Key file in HEX format (TK1 & TX1 only).
    -S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
    --noburn ------------- Prepare fuse blob without actual burning.
$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0030 ] Parsing fuse info as per xml file
[   0.0046 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0067 ] 
[   0.0067 ] Generating RCM messages
[   0.0084 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0102 ] RCM 0 is saved as rcm_0.rcm
[   0.0113 ] RCM 1 is saved as rcm_1.rcm
[   0.0113 ] List of rcm files are saved in rcm_list.xml
[   0.0113 ] 
[   0.0114 ] Signing RCM messages
[   0.0135 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0150 ] Assuming zero filled SBK key
[   0.0231 ] 
[   0.0231 ] Copying signature to RCM mesages
[   0.0252 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0282 ] 
[   0.0282 ] Boot Rom communication
[   0.0301 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0318 ] BR_CID: 0x00000028000000060000000100000002

Then, the process got stuck. The document has some discrepancies and lacks decent info for Nano, although it would the same as TX1, but is not mentioned anywhere so.

What is the right procedure to burn fuses on a carrier board of Nano?

Also, I have tried to use a device key, but which is not allowed by odmfuse.sh without specifiying SBK that is not available on Nano. So, please clarify how DK is supposed to be burned.

$ sudo ./odmfuse.sh -j -i "0x21" -c PKC -k ../emi_pkc.pem -D ../dk.txt
*** Error: SBK is missing.
$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem -D ../dk.txt -S ../kek0.txt 
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0030 ] Parsing fuse info as per xml file
[   0.0046 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0068 ] 
[   0.0069 ] Generating RCM messages
[   0.0084 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0101 ] RCM 0 is saved as rcm_0.rcm
[   0.0110 ] RCM 1 is saved as rcm_1.rcm
[   0.0111 ] List of rcm files are saved in rcm_list.xml
[   0.0112 ] 
[   0.0112 ] Signing RCM messages
[   0.0128 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0144 ] Assuming zero filled SBK key
[   0.0258 ] 
[   0.0259 ] Copying signature to RCM mesages
[   0.0277 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0304 ] 
[   0.0305 ] Boot Rom communication
[   0.0322 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0339 ] BR_CID: 0x321010016445b5071000000018058200
[   0.1945 ] RCM version 0X210001
[   0.3703 ] Boot Rom communication completed
[   1.3772 ] 
[   1.3772 ] Blowing fuses
[   1.3788 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.3808 ] Applet version 00.01.0000
[   1.4764 ] Failed to burn fuses as per fuse info blob, Error:1179996997
[   1.4993 ] 0000005c: Failed to process oem command
[   1.4993 ] 
Error: Return value 92
Command tegrarcm --oem blowfuses blow_fuse_data.bin
failed.

Hi,
Please take a look at training video
It shall give more information to help you out.

1 Like

Thanks for the training video. I have seen the video long time ago, and now have decent knowledge about it.

When I had tried before on L4T 32.2.1 with TX2, it didn’t work as described in the document, either. The odmfuse.sh has not worked without a patch.

Regarding Nano, there had been no mention about Nano in the document. But I had confirmed from a NVIDIA guy that it should work in the same way as TX1. But only with a carrier board, not with a devkit.

So, I had waited for our products became ready. Then, after I received our products, I have just tried by following the documentand failed as described above. This post is about it.

Let me clarify my questions again.

  1. what is the correct procedure to burn fuses on Nano? (the document has some discrepancies)
  2. how to burn DK on Nano? (the program complains about SBK is missing, but which is not supported on Nano[TX1])

I am simply trying to burn a public key hash for secureboot and a device key for our service on Nano.

Hi TakenoriSato,

A few notes,
. For DK, what’s the main purpose of using it in your product? Keep in mind, once ODM Production Bit is burned, all the fuses are not readable, including DK. Reserved ODM fuse is another option to consider.
. The reason why the error message from script is due to SSK calculation will be from DK and SBK.
. The document you referred to is correct. So is the secure boot package. Sorry for the confusion. Nano is using TX1 so the fuses are mostly the same. We will make the document clear on Nano product.
. Other than that, could you point out what discrepancies you were referring to? We will make sure it’s clear and accurate. Thanks

Hi chijen,

Thanks for your notes.

Interesting. I have not been aware of the fact.

Where can I find such critical specifications?

I tried to burn our product_id to identify the box.
So, ok, I will consider using an odm reserved fuse.

As I have just realized it can not be read, I am not going to use a DK. But let me clarify.

Device key (DK) for T210. Device key for other security applications. If no other security applications are used, leave it untouched.

DK is only for TK1 and Nano.

Secureboot Key (SBK): AES encryption key for encrypting bootloader (T186 and T194).

SBK is only for TX2 and Xavier.

So, how are these two can be combined?

Also, my example above does not involve a DK as below.
Are you saying I have to provide both of DK and SBK anyway?

$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem

Sounds good. Thanks for the confirmation.

Sure.

1. The step 2 of “To Install Secureboot” in Installing the Secureboot Package says the tarball includes those two files, but which does not.

It is extracted as follows.

Nano/TX1

$ sudo tar xvjf secureboot_R32.3.1_aarch64.tbz2 
Linux_for_Tegra/
Linux_for_Tegra/odmfuse.sh
Linux_for_Tegra/pkc/
Linux_for_Tegra/pkc/tegrafuse.sh
Linux_for_Tegra/pkc/mkpkc
Linux_for_Tegra/pkc/LICENSE.mkpkc
Linux_for_Tegra/bootloader/
Linux_for_Tegra/bootloader/odmsign.func
Linux_for_Tegra/bootloader/README_secureboot.txt

TX2/Xavier

$ sudo tar xvjf secureboot_R32.3.1_aarch64.tbz2 
Linux_for_Tegra/
Linux_for_Tegra/odmfuse.sh
Linux_for_Tegra/bootloader/
Linux_for_Tegra/bootloader/LICENSE.tegrakeyhash
Linux_for_Tegra/bootloader/wb_sign.sh
Linux_for_Tegra/bootloader/README_secureboot.txt
Linux_for_Tegra/bootloader/tegrakeyhash
Linux_for_Tegra/bootloader/odmsign.func
Linux_for_Tegra/pkc/
Linux_for_Tegra/pkc/LICENSE.mkpkc
Linux_for_Tegra/pkc/LICENSE.nvsecuretool
Linux_for_Tegra/pkc/0001-warmboot-change-wb-prepare-code-for-t1x4.patch
Linux_for_Tegra/pkc/tegrafuse.sh
Linux_for_Tegra/pkc/mkpkc
Linux_for_Tegra/pkc/nvsecuretool

I simply moved to the step3.

2. The step 3 of “To burn PKC fuses” in Burning PKC [DK(KEK), SBK] Fuses shows an example of the script, but whose <device_name> does not exist anymore.

I think this is from L4T 32.3.1, but the script has changed as follows.

Nano/TX1

$ ./odmfuse.sh --help
Usage:
  ./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options]

  Where options are,
    -c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
    -d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
    -i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1
    -j ------------------- Keep jtag enabled.
    -k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
    -l <0xX> ------------- sets odm_lock=0xX.
    -o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
                           8 32bit values MUST be quoted.
    -p ------------------- sets production mode.
    -r <0xXX> ------------ sets sw_reserved=0xXX.
    -D <DK file> --------- 32bit Device Key file in HEX format (TK1 & TX1 only).
    -S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
    --noburn ------------- Prepare fuse blob without actual burning.

TX2/Xavier

$ sudo ./odmfuse.sh --help
Usage:
  ./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options]

  Where options are,
    -c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
    -d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
    -i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1
    -j ------------------- Keep jtag enabled.
    -k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
    -l <0xX> ------------- sets odm_lock=0xX.
    -o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
                           8 32bit values MUST be quoted.
    -p ------------------- sets production mode.
    -r <0xXX> ------------ sets sw_reserved=0xXX.
    -D <DK file> --------- 32bit Device Key file in HEX format (TK1 & TX1 only).
    -S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
    --noburn ------------- Prepare fuse blob without actual burning.

If you add the device_id as indicated, then the script shows nothing but the usage.

Linux_for_Tegra$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem jetson-nano-emmc
Usage:
  ./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options]

  Where options are,
    -c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
    -d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
    -i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1
    -j ------------------- Keep jtag enabled.
    -k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
    -l <0xX> ------------- sets odm_lock=0xX.
    -o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
                           8 32bit values MUST be quoted.
    -p ------------------- sets production mode.
    -r <0xXX> ------------ sets sw_reserved=0xXX.
    -D <DK file> --------- 32bit Device Key file in HEX format (TK1 & TX1 only).
    -S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
    --noburn ------------- Prepare fuse blob without actual burning.

3. The step 3 of “To burn PKC fuses” in Burning PKC [DK(KEK), SBK] Fuses will get stuck and makes no progress on a carrier board.

I have already burned my fuses on a TX2 dev board, so can not make more tests anymore.

Nano (L4T 32.3.1)

I asked about this issue here.

$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0030 ] Parsing fuse info as per xml file
[   0.0046 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0067 ] 
[   0.0067 ] Generating RCM messages
[   0.0084 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0102 ] RCM 0 is saved as rcm_0.rcm
[   0.0113 ] RCM 1 is saved as rcm_1.rcm
[   0.0113 ] List of rcm files are saved in rcm_list.xml
[   0.0113 ] 
[   0.0114 ] Signing RCM messages
[   0.0135 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0150 ] Assuming zero filled SBK key
[   0.0231 ] 
[   0.0231 ] Copying signature to RCM mesages
[   0.0252 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0282 ] 
[   0.0282 ] Boot Rom communication
[   0.0301 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0318 ] BR_CID: 0x00000028000000060000000100000002

TX2 (L4T 32.2.1~3)

This can be fixed by the patch that adds --skipuid to the internal script.

$ sudo ./odmfuse.sh -j -i 0x18 -c PKC -k ../abcd0008.pem --KEK0 ../abcd0008_kek0.txt jetson-tx2
./tegraflash.py --chip 0x18 --applet "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin"  --cmd "dump eeprom boardinfo cvm.bin" 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0057 ] Generating RCM messages
[   0.0074 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0091 ] RCM 0 is saved as rcm_0.rcm
[   0.0099 ] RCM 1 is saved as rcm_1.rcm
[   0.0099 ] List of rcm files are saved in rcm_list.xml
[   0.0099 ] 
[   0.0099 ] Signing RCM messages
[   0.0117 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0134 ] Assuming zero filled SBK key
[   0.0203 ] 
[   0.0203 ] Copying signature to RCM mesages
[   0.0221 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0247 ] 
[   0.0248 ] Boot Rom communication
[   0.0265 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0282 ] BootRom is not running
[   5.3548 ] 
[   6.3580 ] tegrarcm_v2 --isapplet
^CTraceback (most recent call last):
  File "./tegraflash.py", line 1280, in <module>
    tegraflash_run_commands()
  File "./tegraflash.py", line 1149, in tegraflash_run_commands
    interpreter.onecmd(command)
  File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
    return func(arg)
  File "./tegraflash.py", line 779, in do_dump
    tegraflash_dump(exports, args)
  File "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 1147, in tegraflash_dump
    tegraflash_send_tboot(tegrarcm_values['--signed_list'])
  File "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 2119, in tegraflash_send_tboot
    tegraflash_poll_applet_bl()
  File "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 2223, in tegraflash_poll_applet_bl
    if check_ismb1() or check_ismb2() or check_iscpubl():
  File "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 2162, in check_ismb1
    run_command(command)
  File "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 195, in run_command
    log = print_process(process, enable_print)
  File "/home/tsato/Desktop/l4timages/TX2G1.0/L4T32.2.3/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 155, in print_process
    output = process.stdout.read(1)
KeyboardInterrupt
Reading board information failed.

TakenoriSato,

"Where can I find such critical specifications?
=> For the time being, please go ahead to refer to TX1 fuse spec app note, version 6.0 dated 2018/05/25
Reserved ODM - 256 bits

"I am not going to use a DK
"Are you saying I have to provide both of DK and SBK anyway?
=> In that case, you should simpy leave SBK alone as you are using Nano and won’t use DK anyway. For Xavier and TX2, SBK can be used to encrypt bootloader when enabled besides signing using private key.

"
The tarball includes:
•secureboot.tbz2
•README_secureboot.txt that is also provided as a PDF on the Jetson Download Center.
=> You are right. Thanks for that. It should be secureboot_<release_version>.tbz2. We will also review readme file location to avoid confusion as its content is also included in the ‘Developer Guide’.

"…shows an example of the script, but whose <device_name> does not exist anymore.
=> Indeed the case. We will clean it up.

"will get stuck and makes no progress on a carrier board.

I have already burned my fuses on a TX2 dev board, so can not make more tests anymore.
=> We will double check the process and test it from our side again. So give us some time.
But want to make sure you are developing for Nano product or TX2? Which one we should focus your fusing issue on?

Thanks again for your detailed problem description.

TakenoriSato,
To exercise fusing, one good tips is to Not program Fuse_Security_Mode bit before your experiment programming, i.e. only program the bit very last when you are fully comfortable with fuse/key contents you’d like to get into production. Or else you won’t be able to reuse the board for fusing any more - but you need the bit on to truly exercise secure boot :)

Hi chijen,

I didn’t expect I would get any new information, but took a look at the note, and found the followings.

  • In the ODM Production Mode, it says "This fuse write- protects all manufacturing device fuses against any further fuse programming and also hides the SBK and DK values".
  • SBK is available on TX1 as well. Indeed, "Secureboot Key (SBK): AES encryption key for encrypting bootloader (T186 and T194)." can be read that SBK is available for all, but the encryption feature is only available on T186 and T194.
  • In the "PKC Disable" section, it says "This fuse selects between using PKC or the SBK for secure booting method. However, SBK boot is obsolete and not used anymore". Now I have a crystal clear understanding of not using DK and SBK.

For Nano, I don’t use both of DK and SBK since it is obsolete and does not support an encryption of bootloaders.

For TX2/Xavier, I will use SBK together with PKC to enable a secureboot and bootloader encryptions.

Is my understanding correct?

Thanks for taking time. Both. But Nano has more urgent since fuses are only available on a carrier board and we have never succeeded yet.

That is odm_production_mode, which is enabled when -p is added to the odmfuse.sh program, right?

I haven’t succeeded with Nano, so have no experiences about it. But with a TX2 carrier board, definitely no, I won’t set -p.

Does this, the output below, mean the odm_production_mode is still zero, so fuses can be rewritten again?

$ sudo ./tegrafuse.sh 
[sudo] password for nvidia: 
Unsupported fuse: device_key
Unsupported fuse: jtag_disable
odm_lock : 0x00000000
odm_production_mode : 0x00000000
Unsupported fuse: odm_reserved
Unsupported fuse: pkc_disable
public_key : 0x744ba4449ef444c0324b61126348f69cf4858819542041cbefd1c779b31f40d4
Unsupported fuse: sec_boot_dev_cfg
secure_boot_key : 0x00000000000000000000000000000000
Unsupported fuse: sw_reserved

But even in this state, the following rule is applied, correct?

“NVIDIA SoCs contain multiple fuses that control different items for security and boot. Once a fuse bit is set to 1, you cannot change its value back to 0. For example, a fuse value of 1 (0x01) can be changed to 3 (0x03) or 5 (0x05), but not to 4 (0x4) because bit 0 is already programmed to 1.”

Hi TakenoriSato,

"Is my understanding correct?
"when -p is added to
"so fuses can be rewritten again?
"the following rule is applied, correct?
=> all yes :)

Hi,
For more information, please confirm if you use production module of Jetson Nano(with eMMC). The developer kit(with micro SD) does not support the function.

For more information, please confirm if you use production module of Jetson Nano(with eMMC). The developer kit(with micro SD) does not support the function.

Yes. I have already broken one devkit when I have tried this, back when nothing was mentioned in the document.

So as I said, I had waited for our products with a carrier board became ready, and made the test.

Any updates? Did you successfully burn fuses on a Nano carrier board with the script?

Hi,
We have verified the command working:

$ sudo ./odmfuse.sh --noburn -i 0x21 -c PKC -p -k /media/mohits/disk1/rsa_priv.pem -S /media/mohits/disk1/sbk.key -D /media/mohits/disk1/dk.key

Please give it a try. The document is not clear for Jetson Nano. We are checking to update the document.

I have tried your command and confirmed it works although it is with --no-burn option.

But for some reasons, I was successfully run the odm_fuse.sh command as follows.

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0031 ] Parsing fuse info as per xml file
[   0.0047 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0068 ] 
[   0.0068 ] Generating RCM messages
[   0.0085 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0102 ] RCM 0 is saved as rcm_0.rcm
[   0.0110 ] RCM 1 is saved as rcm_1.rcm
[   0.0112 ] List of rcm files are saved in rcm_list.xml
[   0.0112 ] 
[   0.0112 ] Signing RCM messages
[   0.0128 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0144 ] Assuming zero filled SBK key
[   0.0255 ] 
[   0.0255 ] Copying signature to RCM mesages
[   0.0267 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0283 ] 
[   0.0284 ] Boot Rom communication
[   0.0296 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0308 ] BR_CID: 0x421010016445b5071000000018058200
[   0.1960 ] RCM version 0X210001
[   0.3717 ] Boot Rom communication completed
[   1.3787 ] 
[   1.3788 ] Blowing fuses
[   1.3808 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.3827 ] Applet version 00.01.0000
[   1.7171 ] Successfully burnt fuses as per fuse info blob
[   1.7297 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.
tsato@TTVIEW71:~/Desktop/l4timages/Nano/L4T32.3.1/Linux_for_Tegra$ cat bootloader/odmfuse_pkc.xml 
<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0x0bbae9e060e5dc4f7d2535f95066e8a433fe7e94730b43eaf0c44cbbf752e378" />
</genericfuse>

And yet, I have tried to flash as instructed and failed.

$ sudo ./flash.sh -u ../emi_pkc.pem jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 3.1
###############################################################################
# Target Board Information:
# Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: NS, 
###############################################################################
Error: either RSA key file and/or SBK key file are proviced for none SBK and PKC protected target board.

Note that I pulled the plug to shutdown after running odmfuse.sh so that flash.sh command works. Otherwise, I get the following errors.

$ sudo ./flash.sh -u ../emi_pkc.pem jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 3.1
###############################################################################
Error: probing the target board failed.
       Make sure the target board is connected through 
       USB port and is in recovery mode.

Just for the confirmation, I have checked fuses with the tegrafuse.sh command after booting and logging into the Nano box.

$ sudo ./tegrafuse.sh 
[sudo] password for nvidia: 
arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000

Perhaps, the step to sign and flash bootloaders is different?

Hi,
For the error

Error: either RSA key file and/or SBK key file are proviced for none SBK and PKC protected target board.

, please refer to
https://devtalk.nvidia.com/default/topic/1037657/

Thanks, but what’s the point of the reference? Adding -x and -y options?

I have tried anyway, but got the same error.

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem
[sudo] password for tsato: 
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0841 ] Parsing fuse info as per xml file
[   0.1253 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.1479 ] 
[   0.1480 ] Generating RCM messages
[   0.2464 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.2483 ] RCM 0 is saved as rcm_0.rcm
[   0.4651 ] RCM 1 is saved as rcm_1.rcm
[   0.4655 ] List of rcm files are saved in rcm_list.xml
[   0.4693 ] 
[   0.4693 ] Signing RCM messages
[   0.5485 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.5504 ] Assuming zero filled SBK key
[   0.7482 ] 
[   0.7483 ] Copying signature to RCM mesages
[   0.7498 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.7528 ] 
[   0.7529 ] Boot Rom communication
[   0.7543 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.7558 ] BR_CID: 0x421010016445b5071000000018058200
[   0.9142 ] RCM version 0X210001
[   1.0980 ] Boot Rom communication completed
[   2.1050 ] 
[   2.1050 ] Blowing fuses
[   2.1069 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   2.1087 ] Applet version 00.01.0000
[   2.4513 ] Successfully burnt fuses as per fuse info blob
[   2.4638 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.
$ sudo ./flash.sh -x 0x21 -y PKC -u ../emi_pkc.pem jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 3.1
###############################################################################
# Target Board Information:
# Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: NS, 
###############################################################################
Error: either RSA key file and/or SBK key file are proviced for none SBK and PKC protected target board.

As you can see, odmfuse.sh succeeds, but the flash fails.

I have never encountered such an issue on TX2.

TakenoriSato,
So you know the fuse spec for Nano was posted on the Download site,
https://developer.nvidia.com/embedded/downloads#?search=fuse

OK, I will try with the updated document and the tools.

I have downloaded the tool for L4T 32.3.1 for Nano, tried again, but got the same result as follows.

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0029 ] Parsing fuse info as per xml file
[   0.0045 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0067 ] 
[   0.0067 ] Generating RCM messages
[   0.0085 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0102 ] RCM 0 is saved as rcm_0.rcm
[   0.0113 ] RCM 1 is saved as rcm_1.rcm
[   0.0113 ] List of rcm files are saved in rcm_list.xml
[   0.0113 ] 
[   0.0113 ] Signing RCM messages
[   0.0130 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0150 ] Assuming zero filled SBK key
[   0.0284 ] 
[   0.0285 ] Copying signature to RCM mesages
[   0.0305 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0336 ] 
[   0.0337 ] Boot Rom communication
[   0.0355 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0373 ] BR_CID: 0x421010016445b5071000000018058200
[   0.1991 ] RCM version 0X210001
[   0.3746 ] Boot Rom communication completed
[   1.3814 ] 
[   1.3815 ] Blowing fuses
[   1.3835 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.3855 ] Applet version 00.01.0000
[   1.7243 ] Successfully burnt fuses as per fuse info blob
[   1.7364 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.

Then, unplugged and turned on to flash.

$ sudo ./flash.sh -u ../emi_pkc.pem jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 3.1
###############################################################################
# Target Board Information:
# Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: NS, 
###############################################################################
Error: either RSA key file and/or SBK key file are proviced for none SBK and PKC protected target board.

What have you actually fixed?