Still fail to enable secureboot

hello ninaH,

please enable --no-flash options to check if you’re able to generate sign images locally.
for example, $ sudo ./flash.sh --no-flash -x 0x21 -y PKC -u <keyfile> jetson-nano-emmc mmcblk0p1
thanks

Hi @JerryChang,

I can successfully generate singed image using this command:

$ sudo ./flash.sh -r --no-flash -y PKC -u /home/nina_han/nvidia/key/rsa_priv_jetson.pem jetson-nano-emmc mmcblk0p1

hello ninaH,

okay, there should be flashing commands generated to your bootloader folder.
could you please put your device to enter forced-recovery mode, and execute scripts to check the results.
thanks

$ sudo bash ./flashcmd.txt

Hi @JerryChang,

I got below error:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0099 ] Parsing partition layout
[   0.0112 ] tegraparser --pt flash.xml.tmp
[   0.0128 ] 
[   0.0129 ] Updating BFS information on RCM BCT
[   0.0139 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0147 ]    BFS:
[   0.0160 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0167 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0174 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0186 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0193 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0200 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0209 ] BFS0: 131072 @ 2560 SUM ce2f75c6 over 2883584 bytes
[   0.0216 ]    BFS:
[   0.0217 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0224 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0233 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0244 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0251 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0259 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0267 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0275 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0282 ] BFS1: 131072 @ 8704 SUM ce2f75c6 over 2981888 bytes
[   0.0289 ]    KFS:
[   0.0454 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0463 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.0469 ]      2: [EKS] eks.img (size=1028/81920)
[   0.0473 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.0480 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.0514 ]    KFS:
[   0.0785 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0794 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.0800 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.0805 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.0809 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.0840 ] 
[   0.0840 ] Updating BFS information on BCT
[   0.0851 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0860 ]    BFS:
[   0.0875 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0878 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0882 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0888 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0892 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0896 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0900 ] BFS0: 131072 @ 2560 SUM ce2f75c6 over 2883584 bytes
[   0.0904 ]    BFS:
[   0.0905 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0908 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0913 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0919 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0923 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0927 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0934 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0939 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0944 ] BFS1: 131072 @ 8704 SUM ce2f75c6 over 2981888 bytes
[   0.0949 ]    KFS:
[   0.1209 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1219 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.1226 ]      2: [EKS] eks.img (size=1028/81920)
[   0.1231 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.1238 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.1264 ]    KFS:
[   0.1520 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1529 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.1535 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.1539 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.1545 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.1576 ] 
[   0.1577 ] Boot Rom communication
[   0.1592 ] tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
[   0.1605 ] BootRom is not running
[   0.2999 ] 
[   0.3000 ] Sending BCTs
[   0.3027 ] tegrarcm --download bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct
[   0.3048 ] Applet is not running on device. Continue with Bootloader
[   0.4879 ] 
[   0.4880 ] Sending bootloader and pre-requisite binaries
[   0.4904 ] tegrarcm --download ebt cboot.bin.signed 0 0 --download rp1 tegra210-p3448-0000-p3449-0000-a00.dtb.signed 0
[   0.4926 ] Applet is not running on device. Continue with Bootloader
[   0.6800 ] 
[   0.6827 ] tegrarcm --boot recovery
[   0.6849 ] Applet is not running on device. Continue with Bootloader
[   0.8720 ] 
[   0.8721 ] Retrieving storage infomation
[   0.8747 ] tegrarcm --oem platformdetails storage storage_info.bin
[   0.8768 ] Applet is not running on device. Continue with Bootloader
[   1.0680 ] 
[   1.0861 ] tegradevflash --oem platformdetails storage storage_info.bin
[   1.0886 ] Cboot is not running on device.
[   1.1839 ] 
Error: Return value 4
Command tegradevflash --oem platformdetails storage storage_info.bin

hello ninaH,

there’s Boot Rom communication failed.
please determine whether your developer kit has enter Force Recovery mode.
please connect your Linux host to the correct USB port on your Jetson developer kit and checking with lsusb
you might see device recognize as Nvidia Corp.
for example,

$ lsusb
Bus <bbb> Device <ddd>: ID 0955: <nnnn> Nvidia Corp.

Hi @JerryChang,

Put module into recovery again and retry flashing.
I got another failed at tegrarcm command:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0100 ] Parsing partition layout
[   0.0116 ] tegraparser --pt flash.xml.tmp
[   0.0136 ] 
[   0.0136 ] Updating BFS information on RCM BCT
[   0.0148 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0158 ]    BFS:
[   0.0176 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0183 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0189 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0200 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0207 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0216 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0223 ] BFS0: 131072 @ 2560 SUM 9605898d over 2883584 bytes
[   0.0230 ]    BFS:
[   0.0231 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0238 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0246 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0257 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0264 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0272 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0280 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0287 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0292 ] BFS1: 131072 @ 8704 SUM 9605898d over 2981888 bytes
[   0.0296 ]    KFS:
[   0.0512 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0521 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.0526 ]      2: [EKS] eks.img (size=1028/81920)
[   0.0529 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.0534 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.0561 ]    KFS:
[   0.0811 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0819 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.0825 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.0829 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.0833 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.0858 ] 
[   0.0858 ] Updating BFS information on BCT
[   0.0872 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0884 ]    BFS:
[   0.0902 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0907 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0913 ]      2: [RP1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0922 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0927 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0933 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0940 ] BFS0: 131072 @ 2560 SUM 9605898d over 2883584 bytes
[   0.0946 ]    BFS:
[   0.0947 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0952 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0958 ]      2: [RP1-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.0967 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0973 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0979 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0986 ]      8: [VER_b] emmc_bootblob_ver.txt (size=90/32768)
[   0.0992 ]      9: [VER] emmc_bootblob_ver.txt (size=90/32768)
[   0.0998 ] BFS1: 131072 @ 8704 SUM 9605898d over 2981888 bytes
[   0.1003 ]    KFS:
[   0.1233 ]      0: [DTB] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1238 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.1242 ]      2: [EKS] eks.img (size=1028/81920)
[   0.1245 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.1249 ] KFS0: 1048576 @ 29376546 SUM 6a06b9df over 7905280 bytes
[   0.1279 ]    KFS:
[   0.1527 ]      0: [DTB-1] tegra210-p3448-0000-p3449-0000-a00.dtb.signed (size=215520/1048576)
[   0.1534 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.1538 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.1541 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.1545 ] KFS1: 1048576 @ 29522082 SUM 6a06b9df over 7905280 bytes
[   0.1572 ] 
[   0.1572 ] Boot Rom communication
[   0.1586 ] tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
[   0.1597 ] BR_CID: 0x42101001644568030000000005fe8480
[   0.2509 ] Bootrom returned error 4
[   0.3577 ] Boot Rom communication failed
[   0.3577 ] 
Error: Return value 4
Command tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm

hello ninaH,

to clarify, you should burn all fuses (odmfuse.sh) to Nano in one step. for example, Topic 118476, and Topic 120665.

could you please tried to specify board information into flash commands,
i.e. sudo ./flash.sh BOARDID=3448 FAB=200 BOARDSKU=0002 ...
you may check these info from TNSPEC on your target, for example, $ cat /etc/nv_boot_control.conf
thanks

Hi @JerryChang,

Try flash command with specify board information:
I can successfully generate sign image with board infomation.

sudo sudo BOARDID=3448 FAB=400 BOARDSKU=0002 ./flash.sh -r --no-flash -y PKC -u /home/nina_han/nvidia/key/rsa_priv_jetson.pem jetson-nano-emmc mmcblk0p1

But flash failed with same tegrarcm error:

$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0102 ] Parsing partition layout
[   0.0115 ] tegraparser --pt flash.xml.tmp
[   0.0131 ] 
[   0.0132 ] Updating BFS information on RCM BCT
[   0.0143 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0153 ]    BFS:
[   0.0170 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0173 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0179 ]      2: [RP1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0185 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0189 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0194 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0198 ] BFS0: 131072 @ 2560 SUM 85ec82aa over 2883584 bytes
[   0.0202 ]    BFS:
[   0.0203 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0206 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0211 ]      2: [RP1-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0218 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0222 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0226 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0232 ]      8: [VER_b] emmc_bootblob_ver.txt (size=102/32768)
[   0.0237 ]      9: [VER] emmc_bootblob_ver.txt (size=102/32768)
[   0.0241 ] BFS1: 131072 @ 8704 SUM 85ec82aa over 2981888 bytes
[   0.0245 ]    KFS:
[   0.0474 ]      0: [DTB] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0480 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.0485 ]      2: [EKS] eks.img (size=1028/81920)
[   0.0488 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.0493 ] KFS0: 1048576 @ 29376546 SUM 14e27d8c over 7905280 bytes
[   0.0511 ]    KFS:
[   0.0761 ]      0: [DTB-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0768 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.0773 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.0778 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.0783 ] KFS1: 1048576 @ 29522082 SUM 14e27d8c over 7905280 bytes
[   0.0798 ] 
[   0.0798 ] Updating BFS information on BCT
[   0.0812 ] tegrabct --bct P3448_A00_4GB_Micron_4GB_lpddr4_204Mhz_P987.bct --chip 0x21 0 --updatebfsinfo flash.xml.bin
[   0.0824 ]    BFS:
[   0.0846 ]      0: [PT ] flash.xml.bin (size=4368/131072)
[   0.0853 ]      1: [TBC] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0859 ]      2: [RP1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0869 ]      3: [EBT] cboot.bin.signed (size=483872/655360)
[   0.0875 ]      4: [WB0] warmboot.bin.signed (size=3952/131072)
[   0.0881 ]      5: [BPF] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0890 ] BFS0: 131072 @ 2560 SUM 85ec82aa over 2883584 bytes
[   0.0897 ]    BFS:
[   0.0898 ]      0: [PT-1] flash.xml.bin (size=4368/131072)
[   0.0903 ]      1: [TBC-1] nvtboot_cpu.bin.signed (size=65760/196608)
[   0.0912 ]      2: [RP1-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.0921 ]      3: [EBT-1] cboot.bin.signed (size=483872/655360)
[   0.0927 ]      4: [WB0-1] warmboot.bin.signed (size=3952/131072)
[   0.0933 ]      5: [BPF-1] sc7entry-firmware.bin.signed (size=3376/262144)
[   0.0942 ]      8: [VER_b] emmc_bootblob_ver.txt (size=102/32768)
[   0.0949 ]      9: [VER] emmc_bootblob_ver.txt (size=102/32768)
[   0.0954 ] BFS1: 131072 @ 8704 SUM 85ec82aa over 2981888 bytes
[   0.0960 ]    KFS:
[   0.1177 ]      0: [DTB] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.1183 ]      1: [TOS] tos-mon-only.img.signed (size=54448/6291456)
[   0.1187 ]      2: [EKS] eks.img (size=1028/81920)
[   0.1191 ]      3: [LNX] boot.img.signed (size=483328/67092480)
[   0.1195 ] KFS0: 1048576 @ 29376546 SUM 14e27d8c over 7905280 bytes
[   0.1214 ]    KFS:
[   0.1468 ]      0: [DTB-1] tegra210-p3448-0002-p3449-0000-b00.dtb.signed (size=216096/1048576)
[   0.1475 ]      1: [TOS-1] tos-mon-only.img.signed (size=54448/6291456)
[   0.1480 ]      2: [EKS-1] eks.img (size=1028/81920)
[   0.1484 ]      3: [LNX-1] boot.img.signed (size=483328/67092480)
[   0.1488 ] KFS1: 1048576 @ 29522082 SUM 14e27d8c over 7905280 bytes
[   0.1506 ] 
[   0.1506 ] Boot Rom communication
[   0.1519 ] tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm
[   0.1531 ] BR_CID: 0x42101001644568030000000005fe8480
[   0.2468 ] Bootrom returned error 4
[   0.3454 ] Boot Rom communication failed
[   0.3455 ] 
Error: Return value 4
Command tegrarcm --chip 0x21 0 --rcm rcm_1_signed.rcm

By the way, I’ll try burn all fuses in one step to another piece of clean Jetson Nano module.

Hi,

Sorry for the late reply for getting new clean Jetson Nano module.
Using same odmfuse_pkc.xml mentioned in first post, the test result still the same when I try burn all fuses in one step.

The fuse data read from tegrafuse.sh shows that arm_jtag_disable keep 0x0, pkc_disable changed from 0x0 to 0x1 which is different from odm_fuse.xml.
Can someone explain why pkc_disable always be 0x1?

sudo ./tegrafuse.sh

arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000
reserved_odm0 : 0x00000000
reserved_odm1 : 0x00000000
reserved_odm2 : 0x00000000
reserved_odm3 : 0x00000000
reserved_odm4 : 0x00000000
reserved_odm5 : 0x00000000
reserved_odm6 : 0x00000000
reserved_odm7 : 0x00000000
device_key : 0xffffffff
secure_boot_key : 0xffffffffffffffffffffffffffffffff
public_key : 0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057

hello ninaH,

you may refer to Secureboot readme file,
for example,

|      1| pkc_disable         | PKC - 0x0, NS - 0x1    

BTW,
here’s also another similar topic, we had confirm Nano secureboot with r32.3.1, Topic 112511.

hello ninaH,

could you please also share your TNSPEC of your board,
for example, cat /etc/nv_boot_control.conf

Hi @JerryChang,

/etc/nv_boot_control.conf :

TNSPEC 3448-400-0002-F.0-1-0-jetson-nano-emmc-mmcblk0p1
TEGRA_CHIPID 0x21
TEGRA_OTA_BOOT_DEVICE /dev/mmcblk0boot0
TEGRA_OTA_GPT_DEVICE /dev/mmcblk0boot1

To affirm again, my goal is to enable secuerboot on Jetson Nano.
pkc_disable as you mentioned should be 0x0 not 0x1.
After running below fuse command on clean module, still unable to use secureboot function and pkc_disable change to 0x1.

sudo ./odmfuse.sh -i 0x21 -c PKC -p -k ../rsa_priv_jetson.pem

odmfuse_pkc.xml
<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0xf19be2e4e59b74e6b358eb89c03a342a71fba7bdb752b5b9dc52a4a2c3f41057" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>

Can you try enabling secureboot on your Jetson Nano SOM and provide your test result?

Hi @ninaH,
So on a clean, non-fused Jetson Nano, if you execute

sudo ./odmfuse.sh -i 0x21 -p -c PKC -k ../nano_priv.pem

pkc_disable fuse is still programmed to 0x1?

Since fuse bits are irreversible, if the device is with pkc_disable=0x1, it cannot be reverted back to 0x0. Would like to confirm if you execute odmfuse.sh on clean, non-fused device.

Hi @DaneLLL,

Yes, the pkc_disable is programmed to 0x1 after running odmfuse.sh with -p on brand new Jetson Nano SOM.
This test result is mentioned in 9/1 post.

Hi,
Thanks for the double confirmation. We will check with internal team and update.

Hi,

Is there any update?

Hi ninaH,

we found there’s a bug of fusing utility, which burn PKC Disable accidently.
it’s still under investigation.

hello @ninaH,

please download Topic144888_Sep22_nvtboot.zip (211.1 KB) for nvtboot binaries.
there’re total 4 binaries, you may update those nvtboot*.bin binaries to correct the issue for fuse burn.

$OUT/Linux_for_Tegra/
./bootloader/nvtboot_recovery.bin
./bootloader/nvtboot_cpu.bin
./bootloader/nvtboot_recovery_cpu.bin
./bootloader/t210ref/nvtboot.bin

we had some software approaches to confirm issue resolved.
for example,
$ sudo ./odmfuse.sh -i 0x21 -p -c PKC -k keys_priv.pem --test

PKC Disable did not programmed to 0x1 by checking the xml content of the fuse results,
for example, $ cat bootloader/odmfuse_pkc.xml.sav

<genericfuse MagicId="0x46555345" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="PublicKeyHash" size="32" value="0xc9c4ef2073a436724d6e988188b3e1be5ed61ddcc25b3028ab8fd6c5ea2eabb0" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>

hence,
please do actual fuse burns to have confirmation,
thanks

1 Like

Hi @JerryChang,

I’ve tested fuse and flash procedure on new SOM with those nvtboot binaries.
This SOM boots successfully on signed image.
Thank you for your great help.

hello ninaH,

FYI, we had finish code-review process.
please expect next public release, (i.e. JetPack-4.5) will include those nvtboot fixes.
thanks

1 Like