Still fail to enable secureboot

Autonomous Machines Jetson & Embedded Systems Jetson Nano
,
1

Hi,

I’m trying to enable secureboot on my Jetson nano production module and using latest fuse tool(secureboot_R32.4.3_aarch64.tbz2).
Before start fusing, the jetson nano had flashed jetpack 4.4 image and below is the default fuse data:

arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000000
pkc_disable : 0x00000000
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
reserved_odm0 : 0x00000000
reserved_odm1 : 0x00000000
reserved_odm2 : 0x00000000
reserved_odm3 : 0x00000000
reserved_odm4 : 0x00000000
reserved_odm5 : 0x00000000
reserved_odm6 : 0x00000000
reserved_odm7 : 0x00000000
device_key : 0x00000000
secure_boot_key : 0x00000000000000000000000000000000
public_key : 0x0000000000000000000000000000000000000000000000000000000000000000

First fuse with below command and fused failed.

sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../rsa_priv_jetson.pem -D ../dk.key -S ../sbk.key

I found this Topic119306 that Jetson nano does not support SBK/DK. So I tried to fuse with PKC only and successfully burnt fuses:

sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../rsa_priv_jetson.pem

odmfuse_pkc.xml
<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>

After fusing, my jetson nano does not need to re-flashed to singed image, it can boot-up from previous non-signed image. The fuse data is as below:

arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
reserved_odm0 : 0x00000000
reserved_odm1 : 0x32444453
reserved_odm2 : 0x00000000
reserved_odm3 : 0x00000000
reserved_odm4 : 0x00000000
reserved_odm5 : 0x00000000
reserved_odm6 : 0x00000000
reserved_odm7 : 0x00000000
device_key : 0xffffffff
secure_boot_key : 0xffffffffffffffffffffffffffffffff
public_key : 0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057

It is really wired that arm_jtag_disable keep 0x0, pkc_disable changed from 0x0 to 0x1 and reserved_odm1 fused with my dk.key data.

What is the correct procedure to enable secureboot on jetson nano?

3

hello ninaH,

you may burn the fuse using the odmfuse.sh script. and also refer to Signing and Flashing Boot Files to flash the board.

according those fuse info, it looks like you’ve already done sercureboot process.
you’ve already assign keys to the slots; odm_production_mode by default is 0x0, you already had fused with value of 0x1 to block all further fuse write requests.
thanks

4

Hi @JerryChang,

As I mentioned in previous post,
my jetson nano does not need to re-flashed to singed image, it can boot-up from previous non-signed image.

I don’t think I have enabled secureboot on my module since it does not use PKC hash to verify image.

5

hello ninaH,

am I understand correctly that you’d only finish odmfuse.sh; you’re not yet enable flash scripts to assign key files.
please complete the full process as mentioned in [Signing and Flashing Boot Files] session, you should also gather the flashing messages for reference.
thanks

6

Hi @JerryChang,

Update error log while trying to flash signed image:

$ sudo ./flash.sh -r -y PKC -u ../rsa_priv_jetson.pem jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 4.3
###############################################################################
# Target Board Information:
# Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: NS, 
###############################################################################
Error: either RSA key file and/or SBK key file are proviced for none SBK and PKC protected target board.
7

hello ninaH,

please enable --no-flash options to check if you’re able to generate sign images locally.
for example, $ sudo ./flash.sh --no-flash -x 0x21 -y PKC -u <keyfile> jetson-nano-emmc mmcblk0p1
thanks

8

Hi @JerryChang,

I can successfully generate singed image using this command:

$ sudo ./flash.sh -r --no-flash -y PKC -u /home/nina_han/nvidia/key/rsa_priv_jetson.pem jetson-nano-emmc mmcblk0p1
9

hello ninaH,

okay, there should be flashing commands generated to your bootloader folder.
could you please put your device to enter forced-recovery mode, and execute scripts to check the results.
thanks

$ sudo bash ./flashcmd.txt

10

Hi @JerryChang,

I got below error:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0099 ] Parsing partition layout
[   0.0112 ] tegraparser --pt flash.xml.tmp
[   0.0128 ] 
[   0.0129 ] Updating BFS information on RCM BCT
[   0.0139 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0147 ]    BFS:
[   0.0160 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0167 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0174 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0186 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0193 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0200 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0209 ] BFS0: 131072 @ 2560 SUM ce2f75c6 over 2883584 bytes
[   0.0216 ]    BFS:
[   0.0217 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0224 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0233 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0244 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0251 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0259 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0267 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0275 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0282 ] BFS1: 131072 @ 8704 SUM ce2f75c6 over 2981888 bytes
[   0.0289 ]    KFS:
[   0.0454 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0463 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.0469 ]      2: [EKS] eks.img (size=1028/81920)
[   0.0473 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.0480 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.0514 ]    KFS:
[   0.0785 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0794 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.0800 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.0805 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.0809 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.0840 ] 
[   0.0840 ] Updating BFS information on BCT
[   0.0851 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0860 ]    BFS:
[   0.0875 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0878 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0882 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0888 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0892 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0896 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0900 ] BFS0: 131072 @ 2560 SUM ce2f75c6 over 2883584 bytes
[   0.0904 ]    BFS:
[   0.0905 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0908 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0913 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0919 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0923 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0927 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0934 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0939 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0944 ] BFS1: 131072 @ 8704 SUM ce2f75c6 over 2981888 bytes
[   0.0949 ]    KFS:
[   0.1209 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1219 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.1226 ]      2: [EKS] eks.img (size=1028/81920)
[   0.1231 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.1238 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.1264 ]    KFS:
[   0.1520 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1529 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.1535 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.1539 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.1545 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.1576 ] 
[   0.1577 ] Boot Rom communication
[   0.1592 ] tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
[   0.1605 ] BootRom is not running
[   0.2999 ] 
[   0.3000 ] Sending BCTs
[   0.3027 ] tegrarcm --download bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct
[   0.3048 ] Applet is not running on device. Continue with Bootloader
[   0.4879 ] 
[   0.4880 ] Sending bootloader and pre-requisite binaries
[   0.4904 ] tegrarcm --download ebt cboot.bin.signed 0 0 --download rp1 tegra210-p3448-0000-p3449-0000-a00.dtb.signed 0
[   0.4926 ] Applet is not running on device. Continue with Bootloader
[   0.6800 ] 
[   0.6827 ] tegrarcm --boot recovery
[   0.6849 ] Applet is not running on device. Continue with Bootloader
[   0.8720 ] 
[   0.8721 ] Retrieving storage infomation
[   0.8747 ] tegrarcm --oem platformdetails storage storage_info.bin
[   0.8768 ] Applet is not running on device. Continue with Bootloader
[   1.0680 ] 
[   1.0861 ] tegradevflash --oem platformdetails storage storage_info.bin
[   1.0886 ] Cboot is not running on device.
[   1.1839 ] 
Error: Return value 4
Command tegradevflash --oem platformdetails storage storage_info.bin
11

hello ninaH,

there’s Boot Rom communication failed.
please determine whether your developer kit has enter Force Recovery mode.
please connect your Linux host to the correct USB port on your Jetson developer kit and checking with lsusb
you might see device recognize as Nvidia Corp.
for example,

$ lsusb
Bus <bbb> Device <ddd>: ID 0955: <nnnn> Nvidia Corp.
12

Hi @JerryChang,

Put module into recovery again and retry flashing.
I got another failed at tegrarcm command:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0100 ] Parsing partition layout
[   0.0116 ] tegraparser --pt flash.xml.tmp
[   0.0136 ] 
[   0.0136 ] Updating BFS information on RCM BCT
[   0.0148 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0158 ]    BFS:
[   0.0176 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0183 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0189 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0200 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0207 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0216 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0223 ] BFS0: 131072 @ 2560 SUM 9605898d over 2883584 bytes
[   0.0230 ]    BFS:
[   0.0231 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0238 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0246 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0257 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0264 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0272 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0280 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0287 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0292 ] BFS1: 131072 @ 8704 SUM 9605898d over 2981888 bytes
[   0.0296 ]    KFS:
[   0.0512 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0521 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.0526 ]      2: [EKS] eks.img (size=1028/81920)
[   0.0529 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.0534 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.0561 ]    KFS:
[   0.0811 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0819 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.0825 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.0829 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.0833 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.0858 ] 
[   0.0858 ] Updating BFS information on BCT
[   0.0872 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0884 ]    BFS:
[   0.0902 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0907 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0913 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0922 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0927 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0933 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0940 ] BFS0: 131072 @ 2560 SUM 9605898d over 2883584 bytes
[   0.0946 ]    BFS:
[   0.0947 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0952 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0958 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0967 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0973 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0979 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0986 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0992 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0998 ] BFS1: 131072 @ 8704 SUM 9605898d over 2981888 bytes
[   0.1003 ]    KFS:
[   0.1233 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1238 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.1242 ]      2: [EKS] eks.img (size=1028/81920)
[   0.1245 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.1249 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.1279 ]    KFS:
[   0.1527 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1534 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.1538 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.1541 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.1545 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.1572 ] 
[   0.1572 ] Boot Rom communication
[   0.1586 ] tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
[   0.1597 ] BR_CID: 0x42101001644568030000000005fe8480
[   0.2509 ] Bootrom returned error 4
[   0.3577 ] Boot Rom communication failed
[   0.3577 ] 
Error: Return value 4
Command tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
13

hello ninaH,

to clarify, you should burn all fuses (odmfuse.sh) to Nano in one step. for example, Topic 118476, and Topic 120665.

could you please tried to specify board information into flash commands,
i.e. sudo ./flash.sh BOARDID=3448 FAB=200 BOARDSKU=0002 ...
you may check these info from TNSPEC on your target, for example, $ cat /etc/nv_boot_control.conf
thanks

14

Hi @JerryChang,

Try flash command with specify board information:
I can successfully generate sign image with board infomation.

sudo sudo BOARDID=3448 FAB=400 BOARDSKU=0002 ./flash.sh -r --no-flash -y PKC -u /home/nina_han/nvidia/key/rsa_priv_jetson.pem jetson-nano-emmc mmcblk0p1

But flash failed with same tegrarcm error:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0102 ] Parsing partition layout
[   0.0115 ] tegraparser --pt flash.xml.tmp
[   0.0131 ] 
[   0.0132 ] Updating BFS information on RCM BCT
[   0.0143 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0153 ]    BFS:
[   0.0170 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0173 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0179 ]      2: [RP1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0185 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0189 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0194 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0198 ] BFS0: 131072 @ 2560 SUM 85ec82aa over 2883584 bytes
[   0.0202 ]    BFS:
[   0.0203 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0206 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0211 ]      2: [RP1-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0218 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0222 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0226 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0232 ]      8: [VER_b] emmc_bootblob_ver.txt (size=102/32768)
[   0.0237 ]      9: [VER] emmc_bootblob_ver.txt (size=102/32768)
[   0.0241 ] BFS1: 131072 @ 8704 SUM 85ec82aa over 2981888 bytes
[   0.0245 ]    KFS:
[   0.0474 ]      0: [DTB] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0480 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.0485 ]      2: [EKS] eks.img (size=1028/81920)
[   0.0488 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.0493 ] KFS0: 1048576 @ 29376546 SUM 14e27d8c over 7905280 bytes
[   0.0511 ]    KFS:
[   0.0761 ]      0: [DTB-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0768 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.0773 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.0778 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.0783 ] KFS1: 1048576 @ 29522082 SUM 14e27d8c over 7905280 bytes
[   0.0798 ] 
[   0.0798 ] Updating BFS information on BCT
[   0.0812 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0824 ]    BFS:
[   0.0846 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0853 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0859 ]      2: [RP1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0869 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0875 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0881 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0890 ] BFS0: 131072 @ 2560 SUM 85ec82aa over 2883584 bytes
[   0.0897 ]    BFS:
[   0.0898 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0903 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0912 ]      2: [RP1-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0921 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0927 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0933 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0942 ]      8: [VER_b] emmc_bootblob_ver.txt (size=102/32768)
[   0.0949 ]      9: [VER] emmc_bootblob_ver.txt (size=102/32768)
[   0.0954 ] BFS1: 131072 @ 8704 SUM 85ec82aa over 2981888 bytes
[   0.0960 ]    KFS:
[   0.1177 ]      0: [DTB] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.1183 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.1187 ]      2: [EKS] eks.img (size=1028/81920)
[   0.1191 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.1195 ] KFS0: 1048576 @ 29376546 SUM 14e27d8c over 7905280 bytes
[   0.1214 ]    KFS:
[   0.1468 ]      0: [DTB-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.1475 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.1480 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.1484 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.1488 ] KFS1: 1048576 @ 29522082 SUM 14e27d8c over 7905280 bytes
[   0.1506 ] 
[   0.1506 ] Boot Rom communication
[   0.1519 ] tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
[   0.1531 ] BR_CID: 0x42101001644568030000000005fe8480
[   0.2468 ] Bootrom returned error 4
[   0.3454 ] Boot Rom communication failed
[   0.3455 ] 
Error: Return value 4
Command tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm

By the way, I’ll try burn all fuses in one step to another piece of clean Jetson Nano module.

16

Hi,

Sorry for the late reply for getting new clean Jetson Nano module.
Using same odmfuse_pkc.xml mentioned in first post, the test result still the same when I try burn all fuses in one step.

The fuse data read from tegrafuse.sh shows that arm_jtag_disable keep 0x0, pkc_disable changed from 0x0 to 0x1 which is different from odm_fuse.xml.
Can someone explain why pkc_disable always be 0x1?

sudo ./tegrafuse.sh

arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
reserved_odm0 : 0x00000000
reserved_odm1 : 0x00000000
reserved_odm2 : 0x00000000
reserved_odm3 : 0x00000000
reserved_odm4 : 0x00000000
reserved_odm5 : 0x00000000
reserved_odm6 : 0x00000000
reserved_odm7 : 0x00000000
device_key : 0xffffffff
secure_boot_key : 0xffffffffffffffffffffffffffffffff
public_key : 0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057
18

hello ninaH,

you may refer to Secureboot readme file,
for example,

|      1| pkc_disable         | PKC - 0x0, NS - 0x1

BTW,
here’s also another similar topic, we had confirm Nano secureboot with r32.3.1, Topic 112511.

19

hello ninaH,

could you please also share your TNSPEC of your board,
for example, cat /etc/nv_boot_control.conf

20

Hi @JerryChang,

/etc/nv_boot_control.conf :

TNSPEC 3448-400-0002-F.0-1-0-jetson-nano-emmc-mmcblk0p1
TEGRA_CHIPID 0x21
TEGRA_OTA_BOOT_DEVICE /dev/mmcblk0boot0
TEGRA_OTA_GPT_DEVICE /dev/mmcblk0boot1

To affirm again, my goal is to enable secuerboot on Jetson Nano.
pkc_disable as you mentioned should be 0x0 not 0x1.
After running below fuse command on clean module, still unable to use secureboot function and pkc_disable change to 0x1.

sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../rsa_priv_jetson.pem

odmfuse_pkc.xml
<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>

Can you try enabling secureboot on your Jetson Nano SOM and provide your test result?

22

Hi @ninaH,
So on a clean, non-fused Jetson Nano, if you execute

sudo ./odmfuse.sh -i 0x21 -p -c PKC -k ../nano_priv.pem

pkc_disable fuse is still programmed to 0x1?

Since fuse bits are irreversible, if the device is with pkc_disable=0x1, it cannot be reverted back to 0x0. Would like to confirm if you execute odmfuse.sh on clean, non-fused device.

23

Hi @DaneLLL,

Yes, the pkc_disable is programmed to 0x1 after running odmfuse.sh with -p on brand new Jetson Nano SOM.
This test result is mentioned in 9/1 post.

24

Hi,
Thanks for the double confirmation. We will check with internal team and update.