TK1 Secure Boot Key and Fuses

Hello,

We would like to use the secure boot key feature. As I understand it this feature makes the TK1 require encrypted BCT and bootloader. What I wish to accomplish is locking the download image functionality. I really did not found any documentation regarding:

  • How to create a signed/encrypted bootloader and bct ?
  • Does any of the partitions need to be signed ?
  • how to blow the fuses ?

Any info will be appreciated.

Regards

Hi iaponte,

There will be the doc which included these information for your design reference, and it should be published soon, please stay tuned.

Thanks

Was there any documentation regarding this published? Can you help me with that?

Very interested in this as well.

Is there any ETA for the document? Last post was Jan this year.

Linux4all/KartikGuptaJune,
Sorry for not having too much update in the past few months. We are actually working toward releasing secure boot package to enable building a more secure product. We should be able to make it available before next month. Again thanks for your patience. We also plan to provide training tutorial for this topic after software release. Stay tuned too.

The Jetson platform secure boot package was published at https://developer.nvidia.com/embedded/downloads

[b]- Jetson Platform Fuse Burning and Secure Boot Documentation and Tools

  • Jetson TX2 Fuse Specification
  • Jetson TX1 Fuse Specification
  • Jetson TK1 Fuse Specification[/b]

This collection of documentation and tools enables fuse burning for secure boot and other purposes with Jetson TX2, Jetson TX1, and Tegra K1 for developing secure OS and trusted application.

I have a quick question regarding programming fuses for jetson-tk1. If I would like to burn my own personal DK and SBK I read the critical requirements involve setting the VPP_FUSE state. What is the best method to prepare jetson tk1 for fuse programming?

This was taken from the Fuse Specification PDF:

Designs must provide a way to supply a 1.8v power source to the VPP_FUSE pin on Tegra to allow fuses to be burned. (Looks like dts has taken care of voltage)

as3722_ldo11: ldo11 {
				      regulator-name = "vpp-fuse";
				      regulator-min-microvolt = <1800000>;
				      regulator-max-microvolt = <1800000>;

Once the VPP_FUSE is ready then I assume one can write DK/SBK with the following command:

./nvflash --writefuse odmfuse_pkc.cfg --bl fastboot.bin --go

Contents of odmfuse_pkc.cfg include DK/SBK.

<fuse:jtag_disable;value:0x1>
<fuse:device_key;value:0xaabbccdd>
<fuse:secure_boot_key;value:0x01234567 0x89abcdef 0x01234567 0x89abcdef>
<fuse:public_key_hash;value:0x6b0d920e 0xe369f0bc 0x34a17440 0xdffa1a86 0x1f0780f0 0x2e5acb82 0x241369da 0x20fc2f20>

Okay well im glad i tried my first fuse burn on my 1st gen apalis-tk1. Bootloader is corrupted somehow. Hope this is fixable since i know the generic DK/SBK:

[0000.007] No Battery Present
[0000.011] Sdram initialization is successful 
[0000.058] Instance[1] bootloader is corrupted                         trying for next Instance !
[0000.066] No Bootloader is found !
[0000.069] Error in NvTbootLoadBinary: 0x13 !

I should also add I am flashing bootloader.bin not u-boot for android 7.0.

I guess I need to know how to flash now with an sdk burned:

Before:
chip uid from BR is: 0x34001001740dc1c4080000000dfc8300
rcm version 0X400001
Skipping BoardID read at miniloader level
System Information:
   chip name: unknown
   chip id: 0x40 major: 1 minor: 1
   chip sku: 0x0
   chip uid: 0x00000000000000000000000000000000
   macrovision: disabled
   hdcp: disabled
   jtag: disabled
   sbk burned: false
   board id: 0
   warranty fuse: 0
   dk burned: false
   boot device: emmc
   operating mode: 3
   device config strap: 0
   device config fuse: 0
   sdram config strap: 0

After:
BR_CID: 0x34001001740dc1c4080000000dfc8300
rcm version 0X400001
Skipping BoardID read at miniloader level
System Information:
   chip name: unknown
   chip id: 0x40 major: 1 minor: 1
   chip sku: 0x0
   chip uid: 0x00000001740dc1c4080000000dfc8300
   macrovision: disabled
   hdcp: disabled
   jtag: disabled
   sbk burned: true
   board id: 0
   warranty fuse: 0
   dk burned: false
   boot device: emmc
   operating mode: 3
   device config strap: 0
   device config fuse: 0
   sdram config strap: 0

I think I figured it out for myself. Just need to apply the correct flash command:

sudo ./flash.sh -x 0x40 -y PKC -u Key_File jetson-tk1 mmcblk0p1

Okay very cool the above command does indeed work for signing the secure bootloader.

post deleted.

Linux4all,
Hope thing is clear - here you could also check for a security and secure boot video,

Perfect Thank you for linking the webinar chuang. Much appreciated.