What is the meaning of sec_boot_dev_cfg fuses? The documentation says to refer to TRM, but the TRM has no mention of these bits.
@JerryChang you are not being very clear with your are suggestion. Let me try to understand… are you staying that when I initially burn the fuses on the Nvidia Jetson using ./odmfush.sh with the -p option. So I should have use the following command:
‘sudo ./odmfuse.sh -p -i 0x19 -k RSA_Key.pem -S SBK.txt --KEK2 KEK2.txt jetson-agx-xavier-devkit’
My understanding is when you use the -p option you burn the odm_production_mode fuse which “all further write requests are blocked” with the exception of odm_reserved and odm_lock. There is nothing in the Jetson Linux Developer Guide that indicates setting odm production mode in order to use Secure boot.
I looked at the resolution for the forum you gave me a link to. It seems like that works only for a brand new Jetson which any of it fuses has not been burned. I’ve now have to boards (Jetson Xavier NX and Jetson AGX Xavier) which I have already burned the public_key_hash, secure_boot_key, and KEK2 on both. What are the steps to resolving this issue? And if not how can I get both Jetsons replace so I can follow the instructions from the forum you gave me a link to?
hello dcapers44,
it’s one of known issue we met before, the board cannot boot-up when PKC and SBK were burned but SecurityMode did not;
please refer to below discussion threads for reference,
for example,
Unable to burn fuses (dev kit) / no more output (serial/hdmi) / bricked?,
and
Reflash secureboot failed.
hence,
you may enable secureBoot for Jetson AGX Xavier to program all fuse (PKC, SBK, KEK…etc) at once, in addition to make the “SecurityMode” enabled. (-p
option of odmfuse.sh)
BTW,
in order to help other users to read/understand this topic more easily. (i.e. modify to Xavier series)
I would be nitpick here to ask you update the topic title, since you’re now working with Jetson AGX Xavier.
thanks
@JerryChang I will start a mew forum to address my issues with the Jetson AGX Xavier… but I not finish with resolving my issue with the Jetson Xavier NX. I’m still not satisfied with the information you provided me in an attempt to explain why I am the experience that I am having. I don’t want to go forward with work on the Jetson AGX Xavier until I feel that the issue with the Jetson Xavier NX is resolved since both of them as showing the same exact issue.
Since my last post, I’ve burned 2 additional keys on the Jetson Xavier NX… KEK0 and KEK2. The reasoning behind this is that I know I will not be able to go back to burn any fuses once I set Security Mode. I used the following:
sudo ./odmfuse.sh -i 0x19 -k RSA_Key.pem -S SBK.txt --KEK2 KEK2.txt jetson-xavier-nx-devkit
I verified that these 2 fuses were burned onto the Xavier NX (along with the SBK, PKE, and KEK2 fuses that I burned previously) by examining the Linux_for_Tegra/bootloader/fuse_info.txt. Interesting observation that is off tangent from my issue, but is seems like KEK256 was also set to the concatenated value of KEK0 and KEK1.
Next I set the Jetson Xavier NX to Security Mode (odm_production_mode) which was successful. I used the following:
sudo ./odmfuse.sh -i 0x19 -p -k RSA_Key.pem -S SBK.txt jetson-xavier-nx-devkit
Again, I verified this by examining the Linux_for_Tegra/bootloader/fuse_info.txt. which SecurityMode
was set to 00000001
.
I then reflashed the Jetson Xavier NX using the following:
sudo ./flash.sh -u RSA_Key.pem -v SBK.txt --user_key User_Key.txt jetson-xavier-nx-devkit mmcblk0p1
Once the flashing is complete, the Jetson Xavier NX trys to bootup, but freezes. The the jetson is lock on the Nvidia Logo screen.
I was able to gather bootloader messages using minicom this time since the Jetson Xavier NX was no longer in Force Recovery Mode after the flash completed. I get the following serial output:
OPTIONS: I18n
Compiled on Aug 13 2017, 15:25:34.
Port /dev/ttyUSB0
Press CTRL-A Z for help on special keys
��
[0000.033] W> RATCHET: MB1 binary ratchet value 4 is too large than ratchet lev.
[0000.041] I> MB1 (prd-version: 1.5.1.6-t194-41334769-1740dd39)
[0000.046] I> Boot-mode: Coldboot
[0000.049] I> Chip revision : A02P
[0000.052] I> Bootrom patch version : 15 (correctly patched)
[0000.058] I> ATE fuse revision : 0x200
[0000.061] I> Ram repair fuse : 0x0
[0000.064] I> Ram Code : 0x0
[0000.067] I> rst_source : 0x0
[0000.069] I> rst_level : 0x0
[0000.073] I> Boot-device: QSPI
[0000.076] I> Qspi flash params source = brbct
[0000.080] I> Qspi using bpmp-dma
[0000.083] I> Qspi clock source : pllp
[0000.086] I> QSPI Flash Size = 32 MB
[0000.089] I> Qspi initialized successfully
[0000.093] W> No valid slot number is found in scratch register
[0000.099] W> Return default slot: _a
[0000.102] I> Active Boot chain : 0
[0000.105] I> Boot-device: QSPI
[0000.108] I> Qspi flash params source = brbct
[0000.115] W> MB1_PLATFORM_CONFIG: device prod data is empty in MB1 BCT.
[0000.123] I> Temperature = 53000
[0000.126] W> Skipping boost for clk: BPMP_CPU_NIC
[0000.130] W> Skipping boost for clk: BPMP_APB
[0000.134] W> Skipping boost for clk: AXI_CBB
[0000.138] W> Skipping boost for clk: AON_CPU_NIC
[0000.142] W> Skipping boost for clk: CAN1
[0000.146] W> Skipping boost for clk: CAN2
[0000.150] I> Boot-device: QSPI
[0000.153] I> Boot-device: QSPI
[0000.156] I> Qspi flash params source = mb1bct
[0000.160] I> Qspi using bpmp-dma
[0000.163] I> Qspi clock source : pllc_out0
[0000.167] I> Qspi reinitialized
[0000.170] I> Qspi flash params source = mb1bct
[0000.177] I> ECC region[0]: Start:0x0, End:0x0
[0000.181] I> ECC region[1]: Start:0x0, End:0x0
[0000.185] I> ECC region[2]: Start:0x0, End:0x0
[0000.189] I> ECC region[3]: Start:0x0, End:0x0
[0000.193] I> ECC region[4]: Start:0x0, End:0x0
[0000.197] I> Non-ECC region[0]: Start:0x80000000, End:0x100000000
[0000.203] I> Non-ECC region[1]: Start:0x0, End:0x0
[0000.207] I> Non-ECC region[2]: Start:0x0, End:0x0
[0000.212] I> Non-ECC region[3]: Start:0x0, End:0x0
[0000.216] I> Non-ECC region[4]: Start:0x0, End:0x0
[0000.222] E> FAILED: Thermal config
[0000.229] E> FAILED: MEMIO rail config
[0000.239] I> Boot-device: QSPI
[0000.242] I> Qspi flash params source = mb1bct
[0000.253] I> Qspi flash params source = mb1bct
[0000.267] I> Qspi flash params source = mb1bct
[0000.349] I> Qspi flash params source = mb1bct
[0000.361] I> Qspi flash params source = mb1bct
[0000.392] I> Qspi flash params source = mb1bct
[0000.407] I> MB1 done
����main enter
SPE VERSION #: R01.00.14 Created: Sep 19 2018 @ 11:03:21
HW Function test
Start Scheduler.
in late init
��
[0000.415] I> Welcome to MB2(TBoot-BPMP) (version: 00.00.2018.32-mobile-feba5)
[0000.415] I> DMA Heap @ [0x526fa000 - 0x52ffa000]
[0000.416] I> Default Heap @ [0xd486400 - 0xd48a400]
[0000.417] E> DEVICE_PROD: Invalid value data = 70020000, size = 0.
[0000.422] W> device prod register failed
[0000.426] I> Boot-device: QSPI
[0000.429] I> Boot_device: QSPI_FLASH instance: 0
[0000.434] I> QSPI Flash Size = 32 MB
[0000.440] I> Qspi initialized successfully
[0000.441] I> qspi flash-0 params source = boot args
[0000.446] E> Failed: Unknown device 6
[0000.454] I> Found 47 partitions in QSPI_FLASH (instance 0)
[0000.455] W> No valid slot number is found in scratch register
[0000.460] W> Return default slot: _a
[0000.464] I> Active Boot chain : 0
[0000.468] I> parsing oem signed section of bpmp-fw header done
[0000.473] I> bpmp-fw binary init read from storage
[0000.480] I> RSA PSS signature check: OK
[0000.481] I> oem authentication of bpmp-fw header done
[0000.495] I> bpmp-fw binary done read from storage
[0000.496] I> bpmp-fw: Authentication init Done
[0000.497] I> parsing oem signed section of cpubl header done
[0000.501] I> cpubl binary init read from storage
[0000.509] I> bpmp-fw: Authentication Finalize Done
[0000.512] I> RSA PSS signature check: OK
[0000.513] I> oem authentication of cpubl header done
[0000.521] I> cpubl binary done read from storage
[0000.523] I> cpubl: Authentication init Done
[0000.527] I> parsing oem signed section of rce header done
[0000.532] I> rce binary init read from storage
[0000.537] I> Relocating BR-BCT
[0000.542] I> cpubl: Authentication Finalize Done
[0000.546] I> RSA PSS signature check: OK
[0000.547] I> oem authentication of rce header done
[0000.553] I> rce binary done read from storage
[0000.556] I> rce: Authentication init Done
[0000.561] I> parsing oem signed section of ape header done
[0000.566] I> ape binary init read from storage
[0000.572] I> rce: Authentication Finalize Done
[0000.577] I> RSA PSS signature check: OK
[0000.578] I> oem authentication of ape header done
[0000.583] I> ape binary done read from storage
[0000.587] I> ape: Authentication init Done
[0000.591] I> parsing oem signed section of tos header done
[0000.596] I> tos binary init read from storage
[0000.601] I> ape: Authentication Finalize Done
[0000.607] I> RSA PSS signature check: OK
[0000.609] I> oem authentication of tos header done
[0000.616] I> tos binary done read from storage
[0000.618] I> tos: Authentication init Done
[0000.622] I> parsing oem signed section of bpmp-fw-dtb header done
[0000.628] I> bpmp-fw-dtb binary init read from storage
[0000.635] I> tos: Authentication Finalize Done
[0000.641] I> RSA PSS signature check: OK
[0000.641] I> oem authentication of bpmp-fw-dtb header done
[0000.646] I> bpmp-fw-dtb binary done read from storage
[0000.651] I> bpmp-fw-dtb: Authentication init Done
[0000.656] I> parsing oem signed section of cpubl-dtb header done
[0000.662] I> cpubl-dtb binary init read from storage
[0000.668] I> bpmp-fw-dtb: Authentication Finalize Done
[0000.726] I> RSA PSS signature check: OK
[0000.726] I> oem authentication of cpubl-dtb header done
[0000.727] I> cpubl-dtb binary done read from storage
[0000.728] I> cpubl-dtb: Authentication init Done
[0000.729] I> parsing oem signed section of eks header done
[0000.729] I> eks binary init read from storage
[0000.731] I> cpubl-dtb: Authentication Finalize Done
[0000.736] I> RSA PSS signature check: OK
[0000.737] I> oem authentication of eks header done
[0000.742] I> eks binary done read from storage
[0000.746] I> eks: Authentication init Done
[0000.751] I> eks: Authentication Finalize Done
[0000.755] I> EKB detected (length: 0x410) @ VA:0x52705400
��NOTICE: BL31: v1.3(release):5b49e7f80
NOTICE: BL31: Built : 14:42:47, Jan 15 2021
ipc-unittest-main: 1519: Welcome to IPC unittest!!!
ipc-unittest-main: 1531: waiting forever
ipc-unittest-srv: 329: Init unittest services!!!
hwkey-agent: 40: hwkey-agent is running!!
hwkey-agent: 197: key_mgnt_processing .......
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 240: key_mgnt_processing: failed (-7)
hwkey-agent: 44: main: Failed to verify or extract EKB (-7).
exit called, thread 0xffffffffea8a2d58, name trusty_app_2_92b92883-f96a-4177
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete
��
welcome to lk
calling constructors
initializing heap
creating bootstrap completion thread
top of bootstrap2()
initializing platform
bpmp: platform_init
tag is e73a758761f0c6d24a1e69a2ac6b5035
tag_show initialized
dt initialized
mail initialized
chipid initialized
fuse initialized
sku initialized
speedo initialized
ec_get_ec_list: found 45 ecs
ec initialized
ec_mrq initialized
vmon_populate_monitors: found 3 monitors
vmon initialized
adc initialized
fmon_populate_monitors: found 73 monitors
fmon initialized
fmon_mrq initialized
reset initialized
nvhs initialized
391 clocks registered
clk_mrq_init: mrq handler registered
clk initialized
nvlink initialized
io_dpd initialized
io_dpd initialized
thermal initialized
i2c5 controller initialized
initialized i2c mrq handling
i2c initialized
regulator initialized
avfs_clk_platform_init: bad clk id in clock@cluster1_avfs
avfs_clk_platform initialized
soctherm initialized
aotag initialized
powergate initialized
dvs initialized
pm initialized
pg_late initialized
strap initialized
tag initialized
emc initialized
clk_dt initialized
avfs_ccplex_platform initialized
tj_max: dt node not found
tj_init initialized
uphy_mrq_init: mrq handler registered
uphy_dt initialized
uphy initialized
safereg_init: period 80 ms
ec_late initialized
��
��mrq initialized
��[0001.096] I> Welcome to Cboot
��WARNING: no registered clock for FMON_NAFLL_CLUSTER1 (id 281)
fmon_post initialized
��[0001.096] I> Cboot Version: t194-9efcbc4f
[0001.098] I> CPU-BL Params @ 0xf2820000
[0001.102] I> 0) Base:0x00000000 Size:0x00000000
[0001.107] I> 1) Base:0xf1100000 Size:0x00100000
��clk_set_parent failed for clk i2c2, parent pll_aon (-22)
clk_set_parent failed for clk i2c8, parent pll_aon (-22)
clk_dt_late initialized
machine_check initialized
pm_post initialized
dbells initialized
avfs_clk_platform_post initialized
dmce initialized
cvc initialized
ccplex_avfs_hw_init: nafll_cluster0: not monitored
ccplex_avfs_hw_init: nafll_cluster2: not monitored
ccplex_avfs_hw_init: nafll_cluster3: not monitored
avfs_clk_mach_post initialized
regulator_post initialized
rm initialized
sc7_diag initialized
thermal_test initialized
serial_late initialized
clk_post initialized
clk_dt_post initialized
mc_reg initialized
pg_post initialized
dyn_modules initialized
sku_debugfs initialized
speedo_debugfs initialized
adc_debugfs initialized
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
clk_debugfs initialized
emc_debugfs initialized
dvs_debugfs initialized
fmon_debugfs_init_one: no clock debugfs node to attach FMON_NAFLL_CLUSTER1
fmon_debugfs initialized
vmon_debugfs initialized
pg_debugfs initialized
profile_fs initialized
debugfs_cons initialized
mail_fs initialized
profile initialized
cvc_debugfs initialized
dmce_debugfs initialized
ec_debugfs initialized
rm_rail_debugfs_init: /rm/vdd_cpu: failed
rm_rail_debugfs_init: /rm/vdd_cpu: failed
rm_debugfs initialized
soctherm_debug initialized
gr_reader initialized
mods initialized
dt_fs initialized
debugfs_mrq initialized
debug_mrq initialized
debug_safereg initialized
initializing target
calling apps_init()
starting app shell
entering main console loop
] ��[0001.111] I> 2) Base:0xf2000000 Size:0x00200000
[0001.265] I> 3) Base:0xf1200000 Size:0x00200000
[0001.270] I> 4) Base:0xf1000000 Size:0x00100000
[0001.274] I> 5) Base:0xf0f00000 Size:0x00100000
[0001.279] I> 6) Base:0xf3800000 Size:0x00400000
[0001.283] I> 7) Base:0xf1c00000 Size:0x00400000
[0001.288] I> 8) Base:0xf0e00000 Size:0x00100000
[0001.292] I> 9) Base:0xf0d00000 Size:0x00100000
[0001.296] I> 10) Base:0xf3000000 Size:0x00800000
[0001.301] I> 11) Base:0x40000000 Size:0x00040000
[0001.305] I> 12) Base:0xf0c00000 Size:0x00100000
[0001.310] I> 13) Base:0x40046000 Size:0x00002000
[0001.314] I> 14) Base:0x40048000 Size:0x00002000
[0001.319] I> 15) Base:0xac000000 Size:0x00004000
[0001.323] I> 16) Base:0x4004a000 Size:0x00002000
[0001.328] I> 17) Base:0xf0b00000 Size:0x00100000
[0001.332] I> 18) Base:0x4004c000 Size:0x00002000
[0001.337] I> 19) Base:0xf2200000 Size:0x00600000
[0001.341] I> 20) Base:0x4004e000 Size:0x00002000
[0001.346] I> 21) Base:0xf0ad0000 Size:0x0000c000
[0001.350] I> 22) Base:0x00000000 Size:0x00000000
[0001.354] I> 23) Base:0xf0ae0000 Size:0x00020000
[0001.359] I> 24) Base:0xf6000000 Size:0x02000000
[0001.363] I> 25) Base:0x40050000 Size:0x00002000
[0001.368] I> 26) Base:0x40040000 Size:0x00006000
[0001.372] I> 27) Base:0xf1800000 Size:0x00400000
[0001.377] I> 28) Base:0xf4c00000 Size:0x01400000
[0001.381] I> 29) Base:0xf1400000 Size:0x00400000
[0001.386] I> 30) Base:0x00000000 Size:0x00000000
[0001.390] I> 31) Base:0x00000000 Size:0x00000000
[0001.395] I> 32) Base:0xf8000000 Size:0x08000000
[0001.399] I> 33) Base:0x00000000 Size:0x00000000
[0001.404] I> 34) Base:0xf3c00000 Size:0x01000000
[0001.408] I> 35) Base:0xab000000 Size:0x01000000
[0001.412] I> 36) Base:0xa0000000 Size:0x0b000000
[0001.417] I> 37) Base:0xf2800000 Size:0x00800000
[0001.421] I> 38) Base:0x80000000 Size:0x20000000
[0001.426] I> 39) Base:0xb0000000 Size:0x08000000
[0001.430] I> 40) Base:0x00000000 Size:0x00000000
[0001.435] I> 41) Base:0x00000000 Size:0x00000000
[0001.439] I> 42) Base:0x00000000 Size:0x00000000
[0001.444] I> 43) Base:0x00000000 Size:0x00000000
[0001.448] I> 44) Base:0x00000000 Size:0x00000000
[0001.453] I> 45) Base:0x00000000 Size:0x00000000
[0001.457] GIC-SPI Target CPU: 0
[0001.460] Interrupts Init done
[0001.463] calling constructors
[0001.466] initializing heap
[0001.468] I> Heap: [0xa06945e8 ... 0xab000000]
[0001.473] initializing threads
[0001.476] initializing timers
[0001.478] creating bootstrap completion thread
[0001.483] top of bootstrap2()
[0001.486] CPU: MIDR: 0x4E0F0040, MPIDR: 0x80000000
[0001.490] initializing platform
[0001.493] E> DEVICE_PROD: Invalid value data = 0, size = 0.
[0001.499] W> device prod register failed
[0001.502] I> Bl_dtb @0xaaf00000
[0001.508] W> "plugin-manager" doesn't exist, creating
[0001.510] W> "ids" doesn't exist, creating
[0001.514] W> "connection" doesn't exist, creating
[0001.519] W> "configs" doesn't exist, creating
[0001.527] I> Find /i2c@3160000's alias i2c0
[0001.527] I> Reading eeprom i2c=0 address=0x50
[0001.557] I> Device at /i2c@3160000:0x50
[0001.557] I> Reading eeprom i2c=0 address=0x57
[0001.581] I> Device at /i2c@3160000:0x57
[0001.583] I> Find /i2c@c240000's alias i2c1
[0001.583] I> Reading eeprom i2c=1 address=0x50
[0001.585] E> I2C: slave not found in slaves.
[0001.585] E> I2C: Could not write 0 bytes to slave: 0x00a0 with repeat start t.
[0001.586] E> I2C_DEV: Failed to send register address 0x00000000.
[0001.587] E> I2C_DEV: Could not read 256 registers of size 1 from slave 0xa0 a.
[0001.595] E> eeprom: Retry to read I2C slave device.
[0001.600] E> I2C: slave not found in slaves.
[0001.604] E> I2C: Could not write 0 bytes to slave: 0x00a0 with repeat start t.
[0001.612] E> I2C_DEV: Failed to send register address 0x00000000.
[0001.618] E> I2C_DEV: Could not read 256 registers of size 1 from slave 0xa0 a.
[0001.627] E> eeprom: Failed to read I2C slave device
[0001.632] I> Eeprom read failed 0x3526070d
[0001.636] I> create_pm_ids: id: 3668-0000-200-J, len: 15
[0001.641] I> config: mem-type:00,power-config:00,misc-config:00,modem-config:03
[0001.652] I> create_pm_ids: id: 3509-0000-100-G, len: 15
[0001.657] I> config: mem-type:00,power-config:00,misc-config:00,modem-config:03
[0001.668] I> Adding plugin-manager/ids/3668-0000-200=/i2c@3160000:module@0x50
[0001.676] W> "i2c@3160000" doesn't exist, creating
[0001.680] W> "module@0x50" doesn't exist, creating
[0001.685] I> Adding plugin-manager/ids/3509-0000-100=/i2c@3160000:module@0x57
[0001.692] W> "module@0x57" doesn't exist, creating
[0001.698] I> Adding plugin-manager/cvm
[0001.700] W> "chip-id" doesn't exist, creating
[0001.704] I> Adding plugin-manager/chip-id/A02P
[0001.709] I> Plugin-manager override starting
[0001.714] I> node /plugin-manager/fragment-pcie-c5-rp matches
[0001.723] I> node /plugin-manager/fragement-tegra-wdt-en matches
[0001.728] I> node /plugin-manager/fragement-tegra-sdhci-emmc-dis matches
[0001.734] I> Disable plugin-manager status in FDT
[0001.735] I> Plugin-manager override finished successfully
[0001.741] I> gpio framework initialized
[0001.745] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio' drir
[0001.753] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio-aon'r
[0001.759] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x46
[0001.767] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0001.774] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0001.781] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0001.787] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x44
[0001.794] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0001.802] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0001.809] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0001.816] I> fixed regulator driver initialized
[0001.823] I> register 'maxim' power off handle
[0001.824] I> virtual i2c enabled
[0001.827] I> registered 'maxim,max20024' pmic
[0001.831] I> tegrabl_gpio_driver_register: register 'max20024-gpio' driver
[0001.838] I> Boot-device: QSPI
[0001.841] I> Boot_device: QSPI_FLASH instance: 0
[0001.846] I> QSPI source rate = 204000 Khz
[0001.849] I> Requested rate for QSPI clock = 34000 Khz
[0001.854] I> BPMP-set rate for QSPI clk = 34000 Khz
[0001.859] I> QSPI Flash Size = 32 MB
[0001.867] I> Qspi initialized successfully
[0001.867] I> qspi flash-0 params source = boot args
[0001.871] I> create_pm_ids: id: 3668-0000-200-J, len: 15
[0001.876] I> config: mem-type:00,power-config:00,misc-config:00,modem-config:03
[0001.887] I> create_pm_ids: id: 3509-0000-100-G, len: 15
[0001.892] I> config: mem-type:00,power-config:00,misc-config:00,modem-config:03
[0001.903] I> Found sdcard
[0001.907] I> enabling 'vdd-sdmmc1-sw' regulator
[0001.913] I> regulator 'vdd-sdmmc1-sw' already enabled
[0002.159] I> sdmmc SDR mode
[0002.173] I> -0 params source =
[0002.175] I> Found 47 partitions in QSPI_FLASH (instance 0)
[0002.184] I> Found 11 partitions in SDCARD (instance 0)
[0002.190] I> regulator 'vdd-hdmi-5v0' already enabled
[0002.193] I> regulator 'vdd-hdmi-5v0' already enabled
[0002.194] I> hdmi cable connected
[0002.195] W> set volts not configured for 'vdd-1v0'
[0002.196] W> set volts not configured for 'vdd-1v8-hs'
[0002.199] E> invalid display type
[0002.200] E> cannot find any other nvdisp nodes
[0002.215] I> edid read success
[0002.227] I> edid read success
[0002.227] I> width = 640, height = 480, frequency = 25174825
[0002.228] I> width = 1920, height = 1080, frequency = 148500000
[0002.228] I> width = 1920, height = 1080, frequency = 148500000
[0002.229] I> width = 1920, height = 1080, frequency = 148351648
[0002.229] I> width = 1920, height = 1080, frequency = 148351648
[0002.234] I> width = 1280, height = 720, frequency = 74175824
[0002.239] I> width = 1280, height = 720, frequency = 74175824
[0002.245] I> width = 720, height = 480, frequency = 26973026
[0002.250] I> width = 720, height = 576, frequency = 26973026
[0002.256] I> width = 720, height = 480, frequency = 26973026
[0002.261] I> width = 720, height = 576, frequency = 26973026
[0002.267] I> width = 640, height = 480, frequency = 25174825
[0002.272] I> Best mode Width = 1920, Height = 1080, freq = 148351648
[0002.282] I> hdmi_enable, starting HDMI initialisation
[0002.288] I> hdmi_enable, HDMI initialisation complete
[0002.298] I> Load in CBoot Boot Options partition and parse it
[0002.298] E> Error -9 when finding node with path /boot-configuration
[0002.301] E> tegrabl_cbo_parse_info: "boot-configuration" not found in CBO fil.
[0002.308] I> Using default boot order
[0002.311] I> boot-dev-order :-
[0002.314] I> 1.sd
[0002.316] I> 2.usb
[0002.318] I> 3.nvme
[0002.320] I> 4.emmc
[0002.322] I> 5.net
[0002.324] I> Hit any key to stop autoboot: 4 3 2 1
[0004.331] initializing target
[0004.331] calling apps_init()
[0004.332] starting app kernel_boot_app
[0004.342] I> found decompressor handler: lz4-legacy
[0004.343] I> decompressing BMP blob ...
[0004.354] I> Kernel type = Normal
[0004.354] I> Loading kernel-bootctrl from partition
[0004.355] I> Loading partition kernel-bootctrl at 0xa4ad0000 from device(0x6)
[0004.379] W> tegrabl_get_kernel_bootctrl: magic number(0x00000000) is invalid
[0004.379] W> tegrabl_get_kernel_bootctrl: use default dummy boot control data
[0004.380] I> ########## SD (0) boot ##########
[0004.380] I> Found sdcard
[0004.382] I> regulator 'vdd-sdmmc1-sw' already enabled
[0004.385] I> regulator 'vdd-sdmmc1-sw' already enabled
[0004.420] I> sdmmc SDR mode
[0004.435] I> -0 params source =
[0004.435] I> Already published: 00060000
[0004.435] I> Look for boot partition
[0004.435] I> Fallback: assuming 0th partition is boot partition
[0004.436] I> Detect filesystem
[0004.452] I> Loading extlinux.conf ...
[0004.453] I> rootfs path: /sd/boot/extlinux/extlinux.conf
[0004.481] I> L4T boot options
[0004.482] I> [1]: "primary kernel"
[0004.482] I> Enter choice:
[0007.483] I> Continuing with default option: 1
[0007.483] I> Loading kernel sig file from rootfs ...
[0007.483] I> rootfs path: /sd/boot/Image.sig
[0007.496] I> Loading kernel binary from rootfs ...
[0007.496] I> rootfs path: /sd/boot/Image
[0010.292] I> overload load_size to 34338824 (from 34338832)
[0010.315] I> Validate kernel ...
[0010.316] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0010.317] I> RSA PSS signature check: OK
[0010.629] W> keyslot 14 is zero
[0010.649] I> No kernel-dtb binary path
[0010.649] W> No valid slot number is found in scratch register
[0010.650] W> Return default slot: _a
[0010.650] I> A/B: bin_type (38) slot 0
[0010.650] I> Loading kernel-dtb from partition
[0010.650] I> Loading partition kernel-dtb at 0x91000000 from device(0x6)
[0010.692] I> Validate kernel-dtb ...
[0010.692] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
[0010.693] I> RSA PSS signature check: OK
[0010.696] W> keyslot 14 is zero
[0010.697] I> Loading ramdisk from rootfs ...
[0010.697] I> Loading initrd sig file from rootfs ...
[0010.697] I> rootfs path: /sd/boot/initrd.sig
[0010.710] I> Loading initrd binary from rootfs ...
[0010.710] I> rootfs path: /sd/boot/initrd
[0011.307] I> overload load_size to 7236790 (from 7236800)
[0011.310] I> Validate initrd ...
[0011.310] I> T19x: Authenticate initrd (bin_type: 49), max size 0x4000000
[0011.312] I> RSA PSS signature check: OK
[0011.378] W> keyslot 14 is zero
[0011.391] I> Kernel hdr @0xa4ad0000
[0011.391] I> Kernel dtb @0x90000000
[0011.392] I> decompressor handler not found
[0011.392] I> Copying kernel image (34338824 bytes) from 0xa4ad0000 to 0x800800e
[0011.402] E> fdt_open_into fail (FDT_ERR_BADMAGIC)
[0011.403] E> Error (727449637) extracting the kernel DTB
[0011.421] I> Kernel EP: 0x80080000, DTB: 0x90000000
[0011.422]
[0011.422] -----------------------------------------------
[0011.424] Synchronous Exception: UNKNOWN EXCEPTION
[0011.426] -----------------------------------------------
[0011.428]
[0011.428] ESR 0x2000000: ec 0x0, il 0x1, iss 0x0
[0011.430] -----------------------------------------------
[0011.432] [Stack Trace]
[0011.433]
[0011.433] => pc:0x80080000, sp:0xA0EA3500
[0011.435] => pc:0xA060F858, sp:0xA0EA3730
[0011.439] => pc:0xA060F86C, sp:0xA0EA37A0
[0011.443] => pc:0xA060F4EC, sp:0xA0EA37E0
[0011.447] => pc:0xA060EA60, sp:0xA0EA37F0
[0011.451] => pc:0xA060EA34, sp:0xA0EA3800
[0011.455] -----------------------------------------------
[0011.460] iframe 0xa0ea3410:
[0011.463] x0 0x 90000000 x1 0x 0 x2 0x 00
[0011.472] x4 0x 80080000 x5 0x 20 x6 0x b2001230
[0011.481] x8 0x 0 x9 0xffffffffffffffff x10 0x 62
[0011.490] x12 0x 1 x13 0x 40 x14 0x 10
[0011.499] x16 0x 1500 x17 0x 1e0 x18 0x 00
[0011.508] x20 0x a0ea37b0 x21 0x 0 x22 0x 00
[0011.517] x24 0x 0 x25 0x 0 x26 0x 00
[0011.526] x28 0x 0 x29 0x a0ea3730 lr 0x a060f80c0
[0011.535] elr 0x 80080000
[0011.538] spsr 0x 400003c9
[0011.542] -----------------------------------------------
[0011.547] panic (caller 0xa0601238): die
[0011.551] HALT: spinning forever...
hello dcapers44,
you’re still not getting that, as I’ve mentioned it several times,
for example, in post #3, post #15, and also post #31.
Jetson secureBoot only support with eMMC modules.
secureBoot is not supported with Jetson Xavier NX devkit, a SD-card version.
we already had an internal feature request to avoid burning fuse for SD-card platforms;
so, please contact with Jetson Partners if you’re looking for Jetson Xavier NX with eMMC modules.
thanks
@JerryChang I get everything that you are saying. Because there is no safe guards in place to stop any one from burning fuses on Jetson Xavier NX devkit (SD-card version) which doesn’t support Secure Boot. What you are not saying is that this Jetson Xavier NX that I tried to enable Secure Boot on is no longer operational and nothing can be done to make it boot up. And if that is the case, what is the resolution?
hello dcapers44,
it’s indeed a workaround for device not booting while enable PKC+SBK without production mode fuse (i.e. -p
option)
since the fuse is non-reversible, you’re getting bootloader messages it shows kernel panic.
please contact with NVIDIA Customer Care team for RMA process.
thanks
@JerryChang now that you said that my Jetson Xavier NX is nonoperational, I am in talks with NVIDIA Customer Care team to hopefully create a RMA. Going forward, all of my dialog will be directed towards the Jetson AGX Xavier that I purchase during the efforts of trying to resolve my issues with my Jetson Xavier NX.
Up to this point I have done everything to my Jetson AGX Xavier that I have done to my Jetson Xavier NX, with the exception of burning the security mode fuse which puts the board into production mode. Recap… I have burned SBK, PKE, KEK0, KEK1, and KEK2 fuses onto the board. My objective, is to enable secure boot. Before I put the board into production mode by burning the secure mode fuse… I would like you to verify that I have done everything right up to this point and state my next steps. I believe it is to burn the security mode fuse then flash the Jetson AGX Xavier with the SBK and PKE along with a User Key. Per our discussion you indicated that my issue was that I was that I was using an incompatible Jetson to do Secure Boot. You said said that the Jetson AGX Xavier supports Secure Boot, so at this point we both should be on the same page. If an issue arise from this point I expecting it has nothing to do with an incompatible board…
hello dcapers44,
Jetson secureBoot only support with eMMC modules.
so, that’s the difference between your Jetson AGX Xavier and Jetson Xavier NX DevKits.
you meant PKC, (Public Key Cryptography), right?
please enable secureBoot for Jetson AGX Xavier to program all fuse (PKC, SBK, KEK…etc) and also to make the “odm_production_mode” enabled.
thanks
Correct… I meant PKC, I have already set the PKC, SBK, KEK0, KEK1, and KEK2 fuses. So now I’m going to enable the odm_production_mode as you are suggesting. I’ll let you know how it goes…
Well, I just burn the security mode (odm_production_mode) fuse using:
‘sudo ./odmfuse.sh -i 0x19 -p -k RSA_Key.pem -S SBK.txt jetson-agx-xavier-devkit’
And flashed it using:
‘sudo ./flash.sh -u RSA_Key.pem -v SBK.txt --user_key User_Key.txt jetson-agx-xavier-devkit mmcblk0p1’
The Jetson AGX Xavier is doing the same exact things as the Jetson Xavier NX up to this point. It frozen on the Nvidia screen.
So now what are the next steps?..
hello dcapers44,
please have another topic for tracking your Jetson AGX Xavier issue.
thanks
hello dcapers44,
please initial another topic to track your Jetson AGX Xavier secureBoot issue. you may leave the linkage here for reference.
please also setup serial console to gather UART logs and attach to the thread. we’ll need to check bootloader messages for more details.
thanks