SecureBoot validation

I thought I did everything right and researched this topic for days. I’m not sure I was able to get SecureBoot enabled on my devkit. When I press ‘Esc’ during bootup and navigate to Device Manager → Secure Boot Configuration it says “Current Secure Boot State Disabled”.

From a previous support topic it seems someone was directed to look for “RSA PSS signature check: OK” on the serial console. I see 8 of those printouts during bootup.

Running odmfuseread.sh seems to reboot the device.

Looking at /sys/devices/platform/tegra-fuse/public_key, it seems to be a truncated version of what I used in the fuse.xml file. This doesn’t seem good.

/sys/devices/platform/tegra-fuse/boot_security_info is reporting 0x00000000. I used 0x2a09 in my fuse.xml file.

I kept all the serial logs. On the serial console all looked good:
I> Burning fuses
I> 1. Start PublicKeyHash burn
I> 1. PublicKeyHash burnt successfully
I>
I> 2. Start SecureBootKey burn
I> 2. SecureBootKey burnt successfully
I>
I> 3. Start OemK1 burn
I> 3. OemK1 burnt successfully
I>
I> 4. Start BootSecurityInfo burn
I> 4. BootSecurityInfo burnt successfully
I>
I> Successfully burnt fuses as per fuse info

Hi nbnv,

What’s your Jetpack version in use?

Please share the full steps of how you enabled Secureboot, and also the full serial console log for further checking.

I’m using 5.1.2.

sudo ./odmfuse.sh -i 0x23 -k ./rsa.pem -S ./sbk.key -X fuse.xml jetson-agx-orin-devkit

I’ve attached the serial console log for the fuse step.

odmfuse_serial.txt (15.3 KB)

After that I flashed the board:

sudo ROOTFS_ENC=1 ./flash.sh -u ./rsa.pem -v ./sbk.key -i "./bootloader/sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1

fuse.xml looks like this:

<genericfuse MagicId="0x45535546" version="1.0.0">
  <fuse name="PublicKeyHash" size="64" value="omitted"/>
  <fuse name="SecureBootKey" size="32" value="omitted"/>
  <fuse name="OemK1" size="32" value="omitted"/>
  <fuse name="BootSecurityInfo" size="4" value="0x2a09"/>
  <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>
user@ubuntu:~/orin/Linux_for_Tegra$ sudo ./odmfuseread.sh -i 0x23 jetson-agx-orin-devkit

Error: Either PKC or SBK key is not provided for SBK+PKC protected target board.

I think the problem was that odmfuseread insists on rsa.pem and sbk.key being in bootloader/… After I moved those there, I get what I think is reasonable output from it.

user@ubuntu:~/orin/Linux_for_Tegra$ sudo ./odmfuseread.sh -i 0x23 -k ./rsa.pem -S ./sbk.key jetson-agx-orin-devkit
...
Fuse reading is done. The fuse values have been saved in: /home/user/orin/Linux_for_Tegra/bootloader/fuse_info.txt
PublicKeyHash: <this matches fuse.xml>
BootSecurityInfo: 00002a09
ArmJtagDisable: 00000000
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000

I don’t see OemK1 listed but this seems like SecureBoot is enabled for the bootloader. Correct?

Is the message that is seen in the “BIOS” about Secure Boot being disabled for UEFI SecureBoot? Not the bootloader SecureBoot?
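Two readings of the same fuses appear in this thread: the sysfs nodes from the first post (a public_key that looked truncated, a boot_security_info of 0x00000000) and the odmfuseread.sh output above (PublicKeyHash matching fuse.xml, BootSecurityInfo 00002a09, no SecureBootKey or OemK1 line). The script below is an added example, not part of the thread and not an NVIDIA tool: it parses the intended values out of fuse.xml, parses the 'Name: value' lines in the readback output, normalizes hex width so 0x2a09 and 00002a09 compare equal, and reports each fuse as ok, MISMATCH (with the digit count, so a truncated value is obvious), MISSING, or 'not read back' for SecureBootKey and OemK1, which the quoted readback simply does not list. Assumptions: the saved fuse_info.txt uses the same line format as the console output, the sysfs node names are the two quoted in the first post, and the sample values (the "ab…" hash and the two keys) are constructed placeholders.

```python
"""Cross-check the fuses requested in fuse.xml against what the board reports
back (odmfuseread.sh's fuse_info.txt or the tegra-fuse sysfs nodes).
Added example for this thread; not an NVIDIA tool."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Fuses the readback output quoted in the thread does not list.  A missing
# line for these is reported as "not read back", not as a mismatch.
# Assumption: taken from the thread's output, not from NVIDIA documentation.
NOT_LISTED_BY_READBACK = {"SecureBootKey", "OemK1"}

# fuse.xml name -> tegra-fuse sysfs node (only the two nodes quoted in the thread).
SYSFS_NODES = {"PublicKeyHash": "public_key",
               "BootSecurityInfo": "boot_security_info"}

def norm_hex(value, size_bytes=None):
    """Lowercase hex without 0x, optionally left-padded to the fuse width
    so that '0x2a09' and '00002a09' compare equal."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if not re.fullmatch(r"[0-9a-f]+", v):
        raise ValueError(f"not a hex value: {value!r}")
    return v.rjust(size_bytes * 2, "0") if size_bytes else v

def parse_fuse_xml(text):
    """{fuse name: (size in bytes, normalized value)} from a genericfuse XML."""
    intended = {}
    for fuse in ET.fromstring(text).iter("fuse"):
        size = int(fuse.attrib["size"])
        intended[fuse.attrib["name"]] = (size, norm_hex(fuse.attrib["value"], size))
    return intended

def parse_fuse_info(text):
    """{fuse name: raw hex} from 'Name: value' lines as odmfuseread.sh prints them.
    Assumption: the saved fuse_info.txt uses the same line format."""
    observed = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*((?:0x)?[0-9A-Fa-f]+)\s*$", line)
        if m:
            observed[m.group(1)] = m.group(2)
    return observed

def read_sysfs(sysfs_dir="/sys/devices/platform/tegra-fuse"):
    """{fuse name: raw node text} for whichever mapped sysfs nodes exist."""
    observed = {}
    for name, node in SYSFS_NODES.items():
        path = Path(sysfs_dir) / node
        if path.is_file():
            observed[name] = path.read_text()
    return observed

def compare(intended, observed):
    """{fuse name: 'ok' | 'not read back' | 'MISSING' | 'MISMATCH (...)'}."""
    report = {}
    for name, (size, want) in intended.items():
        if name not in observed:
            report[name] = "not read back" if name in NOT_LISTED_BY_READBACK else "MISSING"
            continue
        got = norm_hex(observed[name])
        if len(got) > size * 2:
            report[name] = f"MISMATCH (read {len(got)} hex digits, fuse is {size} bytes)"
        elif got.rjust(size * 2, "0") == want:
            report[name] = "ok"
        else:
            # Covers a wrong value and a truncated one (e.g. a sysfs public_key
            # shorter than the 64-byte PublicKeyHash that was burned).
            report[name] = f"MISMATCH (read {len(got)} hex digits: {got})"
    return report

def check_readback(fuse_xml_text, fuse_info_text):
    return compare(parse_fuse_xml(fuse_xml_text), parse_fuse_info(fuse_info_text))

def check_sysfs(fuse_xml_text, sysfs_dir="/sys/devices/platform/tegra-fuse"):
    intended = parse_fuse_xml(fuse_xml_text)
    wanted = {n: intended[n] for n in SYSFS_NODES if n in intended}  # nodes we can read
    return compare(wanted, read_sysfs(sysfs_dir))

# Constructed sample data mirroring the thread's fuse.xml and readback output.
CONSTRUCTED_PKH = "ab" * 64          # dummy 64-byte hash, not a real key hash
SAMPLE_FUSE_XML = f"""<genericfuse MagicId="0x45535546" version="1.0.0">
  <fuse name="PublicKeyHash" size="64" value="{CONSTRUCTED_PKH}"/>
  <fuse name="SecureBootKey" size="32" value="{'11' * 32}"/>
  <fuse name="OemK1" size="32" value="{'22' * 32}"/>
  <fuse name="BootSecurityInfo" size="4" value="0x2a09"/>
  <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>
"""
SAMPLE_FUSE_INFO = f"""Fuse reading is done. The fuse values have been saved in: bootloader/fuse_info.txt
PublicKeyHash: {CONSTRUCTED_PKH}
BootSecurityInfo: 00002a09
ArmJtagDisable: 00000000
SecurityMode: 00000001
OdmId: 0000000000000000
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: fuse.xml and bootloader/fuse_info.txt
        report = check_readback(Path(sys.argv[1]).read_text(), Path(sys.argv[2]).read_text())
    else:                    # demo on the constructed samples
        report = check_readback(SAMPLE_FUSE_XML, SAMPLE_FUSE_INFO)
    for name, status in report.items():
        print(f"{name:18} {status}")
```

Run it on the host as `python3 check_fuses.py fuse.xml bootloader/fuse_info.txt` after odmfuseread.sh, or call check_sysfs(fuse_xml_text) on the booted board. With the thread's own numbers, the readback path reports every listed fuse as ok, while the sysfs boot_security_info of 0x00000000 would come back as a MISMATCH against the 0x2a09 in fuse.xml, which is exactly the discrepancy worth chasing before trusting either reading.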

There has been no update from you for a period, so we assume this is not an issue any more.
Hence we are closing this topic. If you need further support, please open a new one.
Thanks

Sorry for the late response.
Is this still an issue to support? Any result can be shared?