Hi,
I’m trying to enable secureboot on my Jetson nano production module and using latest fuse tool(secureboot_R32.4.3_aarch64.tbz2).
Before start fusing, the jetson nano had flashed jetpack 4.4 image and below is the default fuse data:
arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000000
pkc_disable : 0x00000000
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
reserved_odm0 : 0x00000000
reserved_odm1 : 0x00000000
reserved_odm2 : 0x00000000
reserved_odm3 : 0x00000000
reserved_odm4 : 0x00000000
reserved_odm5 : 0x00000000
reserved_odm6 : 0x00000000
reserved_odm7 : 0x00000000
device_key : 0x00000000
secure_boot_key : 0x00000000000000000000000000000000
public_key : 0x0000000000000000000000000000000000000000000000000000000000000000
First fuse with below command and fused failed.
sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../rsa_priv_jetson.pem -D ../dk.key -S ../sbk.key
I found this Topic119306 that Jetson nano does not support SBK/DK. So I tried to fuse with PKC only and successfully burnt fuses:
sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../rsa_priv_jetson.pem
odmfuse_pkc.xml
<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>
After fusing, my jetson nano does not need to re-flashed to singed image, it can boot-up from previous non-signed image. The fuse data is as below:
arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
reserved_odm0 : 0x00000000
reserved_odm1 : 0x32444453
reserved_odm2 : 0x00000000
reserved_odm3 : 0x00000000
reserved_odm4 : 0x00000000
reserved_odm5 : 0x00000000
reserved_odm6 : 0x00000000
reserved_odm7 : 0x00000000
device_key : 0xffffffff
secure_boot_key : 0xffffffffffffffffffffffffffffffff
public_key : 0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057
It is really wired that arm_jtag_disable keep 0x0, pkc_disable changed from 0x0 to 0x1 and reserved_odm1 fused with my dk.key data.
What is the correct procedure to enable secureboot on jetson nano?