TK1 Secure Boot Key and Fuses

iaponte · January 9, 2017, 6:37pm

Hello,

We would like to use the secure boot key feature. As I understand it this feature makes the TK1 require encrypted BCT and bootloader. What I wish to accomplish is locking the download image functionality. I really did not found any documentation regarding:

How to create a signed/encrypted bootloader and bct ?
Does any of the partitions need to be signed ?
how to blow the fuses ?

Any info will be appreciated.

Regards

kayccc · January 13, 2017, 1:53am

Hi iaponte,

There will be the doc which included these information for your design reference, and it should be published soon, please stay tuned.

Thanks

KartikGuptaJune · July 12, 2017, 7:59am

Was there any documentation regarding this published? Can you help me with that?

Linux4all · July 12, 2017, 4:02pm

Very interested in this as well.

KartikGuptaJune · July 12, 2017, 6:45pm

Is there any ETA for the document? Last post was Jan this year.

CHuang1 · July 13, 2017, 9:45pm

Linux4all/KartikGuptaJune,
Sorry for not having too much update in the past few months. We are actually working toward releasing secure boot package to enable building a more secure product. We should be able to make it available before next month. Again thanks for your patience. We also plan to provide training tutorial for this topic after software release. Stay tuned too.

kayccc · August 30, 2017, 7:13am

The Jetson platform secure boot package was published at [url]https://developer.nvidia.com/embedded/downloads[/url]

[b]- Jetson Platform Fuse Burning and Secure Boot Documentation and Tools

Jetson TX2 Fuse Specification
Jetson TX1 Fuse Specification
Jetson TK1 Fuse Specification[/b]

This collection of documentation and tools enables fuse burning for secure boot and other purposes with Jetson TX2, Jetson TX1, and Tegra K1 for developing secure OS and trusted application.

Linux4all · October 5, 2017, 1:38pm

I have a quick question regarding programming fuses for jetson-tk1. If I would like to burn my own personal DK and SBK I read the critical requirements involve setting the VPP_FUSE state. What is the best method to prepare jetson tk1 for fuse programming?

This was taken from the Fuse Specification PDF:

Designs must provide a way to supply a 1.8v power source to the VPP_FUSE pin on Tegra to allow fuses to be burned. (Looks like dts has taken care of voltage)

as3722_ldo11: ldo11 {
				      regulator-name = "vpp-fuse";
				      regulator-min-microvolt = <1800000>;
				      regulator-max-microvolt = <1800000>;

2.6 VPP FUSE Supply
Designs must provide a way to supply a 1.8V power source to the VPP_FUSE pin on Tegra to allow fuses to be
burned (unless fuses are only to be burned before assembly). This supply is only required when fuses are burned
and should be powered off during normal operation. VPP_FUSE must be powered OFF when Tegra is in Deep Sleep
mode.
The supply for VPP_FUSE can be provided using one of several options:
Test point for external supply (does not support Over-the-Air updates)
Output of on-board LDO or Switched 1.8V supply controlled by a Tegra GPIO
Output of PMU, controlled by PWR_I2C from Tegra
The power source must provide a nominal voltage of 1.8V and be able to supply a minimum of 120mA. When not
powered, either a pull-down resistor (<=10KΩ) is required at VPP_FUSE, or the supply must provide an equivalent
pull-down. A 0.1uF bypass capacitor is also recommended on this line.

Once the VPP_FUSE is ready then I assume one can write DK/SBK with the following command:

./nvflash --writefuse odmfuse_pkc.cfg --bl fastboot.bin --go

Contents of odmfuse_pkc.cfg include DK/SBK.

<fuse:jtag_disable;value:0x1>
<fuse:device_key;value:0xaabbccdd>
<fuse:secure_boot_key;value:0x01234567 0x89abcdef 0x01234567 0x89abcdef>
<fuse:public_key_hash;value:0x6b0d920e 0xe369f0bc 0x34a17440 0xdffa1a86 0x1f0780f0 0x2e5acb82 0x241369da 0x20fc2f20>

Linux4all · October 6, 2017, 2:30am

Okay well im glad i tried my first fuse burn on my 1st gen apalis-tk1. Bootloader is corrupted somehow. Hope this is fixable since i know the generic DK/SBK:

[0000.007] No Battery Present
[0000.011] Sdram initialization is successful 
[0000.058] Instance[1] bootloader is corrupted                         trying for next Instance !
[0000.066] No Bootloader is found !
[0000.069] Error in NvTbootLoadBinary: 0x13 !

I should also add I am flashing bootloader.bin not u-boot for android 7.0.

Linux4all · October 6, 2017, 3:03am

I guess I need to know how to flash now with an sdk burned:

Before:
chip uid from BR is: 0x34001001740dc1c4080000000dfc8300
rcm version 0X400001
Skipping BoardID read at miniloader level
System Information:
   chip name: unknown
   chip id: 0x40 major: 1 minor: 1
   chip sku: 0x0
   chip uid: 0x00000000000000000000000000000000
   macrovision: disabled
   hdcp: disabled
   jtag: disabled
   sbk burned: false
   board id: 0
   warranty fuse: 0
   dk burned: false
   boot device: emmc
   operating mode: 3
   device config strap: 0
   device config fuse: 0
   sdram config strap: 0

After:
BR_CID: 0x34001001740dc1c4080000000dfc8300
rcm version 0X400001
Skipping BoardID read at miniloader level
System Information:
   chip name: unknown
   chip id: 0x40 major: 1 minor: 1
   chip sku: 0x0
   chip uid: 0x00000001740dc1c4080000000dfc8300
   macrovision: disabled
   hdcp: disabled
   jtag: disabled
   sbk burned: true
   board id: 0
   warranty fuse: 0
   dk burned: false
   boot device: emmc
   operating mode: 3
   device config strap: 0
   device config fuse: 0
   sdram config strap: 0

Linux4all · October 6, 2017, 3:34pm

I think I figured it out for myself. Just need to apply the correct flash command:

sudo ./flash.sh -x 0x40 -y PKC -u Key_File jetson-tk1 mmcblk0p1

Linux4all · October 6, 2017, 11:58pm

Okay very cool the above command does indeed work for signing the secure bootloader.

Linux4all · October 7, 2017, 9:44pm

post deleted.

chuang · October 19, 2017, 8:13am

Linux4all,
Hope thing is clear - here you could also check for a security and secure boot video,
https://developer.nvidia.com/embedded/learn/tutorials

Linux4all · October 19, 2017, 7:37pm

Perfect Thank you for linking the webinar chuang. Much appreciated.

Topic		Replies	Views
Secure boot Jetson TK1	5	2357	October 18, 2021
How to verify that secure boot with kernel encryption and disc encryption is enabled in Jetson TX2? Jetson TX2 boot , security , nvbugs	19	1348	September 13, 2023
Jetson TX2 not booting after ROOTFS_ENC=1 flash Jetson TX2 boot , security , nvbugs	20	3282	October 3, 2021
TK1 Secure Boot Key and Fuses: Link Redirect Jetson TK1 security	5	949	July 21, 2022
TX1 Boot Flow Issue Jetson TX1	10	1050	October 18, 2021
Jetson Nano Developer Kit issues after fuse burning with SB/PKC; fuse_bypass options and samples needed Jetson Nano security	15	1499	October 15, 2021
The wrong boot authentication identification Jetson Nano security	10	1780	October 18, 2021
Upgrade Jetson TK1 to Ubuntu 16.04 Jetson TK1	6	5888	February 12, 2018
Question about security boot? Jetson TX2	8	2171	October 18, 2021
TK1 boot fuses Jetson TK1	2	2520	September 22, 2015

TK1 Secure Boot Key and Fuses

Related topics