TX2 Flashing Signed Images in a Factory Environment

Hi NV pals,

I have burned the fuses using PKC and SBK.

So I want to sign images in a factory environment using the following command:

$ sudo BOARDID=3310 FAB=C04 ./flash.sh --no-flash -u rsa_priv.pem -v sbk.xml jetson-tx2 mmcblk0p1

but in the end something went wrong. Please check the following log:

===============================================================================================
/home/ykei/nvidia/nvidia_sdk/jonestest/JetPack_4.2.1_Linux_GA_P3310/Linux_for_Tegra/sbk.xml
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0369 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/jonestest/JetPack_4.2.1_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --getmode mode.txt
[ 0.0385 ] PKC key in Open SSL format
[ 0.0401 ] Key size is 256 bytes
[ 0.0441 ] Valid PKC key
[ 0.0567 ]
[ 0.0622 ] Generating RCM messages
[ 0.0693 ] tegrarcm_v2 --listrcm rcm_list.xm
[ 0.0742 ] RCM 0 is saved as rcm_0.rcm
[ 0.0761 ] RCM 1 is saved as rcm_1.rcm
[ 0.0792 ] List of rcm files are saved in rcm_list.xml
[ 0.0924 ]
[ 0.0924 ] Signing RCM messages
[ 0.0942 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/jonestest/JetPack_4.2.1_Linux_GA_P3310/Linux_for_Tegra/sbk.xml --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0956 ] Not a valid EC key format
[ 0.1150 ] Not a valid eddsa key format
[ 0.1154 ] Invalid key format
[ 0.1236 ]
Error: Return value 11
Command tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/jonestest/JetPack_4.2.1_Linux_GA_P3310/Linux_for_Tegra/sbk.xml --list rcm_list.xml --pubkeyhash pub_key.key
cp: 無法 stat ‘encrypted_signed/*’: 沒有此一檔案或目錄
cp: 無法 stat ‘encrypted_signed/flash.xml.tmp’: 沒有此一檔案或目錄
sed: 無法讀取 flash.xml.tmp: 沒有此一檔案或目錄
./tegraflash.py --bl nvtboot_recovery_cpu_sigheader.bin.encrypt.signed --bct br_bct_BR.bct --applet rcm_1_signed.rcm --cmd "secureflash;reboot" --cfg secureflash.xml --chip 0x18 --mb1_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt.signed --bins "mb2_bootloader nvtboot_recovery_sigheader.bin.encrypt.signed; mts_preboot preboot_d15_prod_cr_sigheader.bin.encrypt.signed; mts_bootpack mce_mts_d15_prod_cr_sigheader.bin.encrypt.signed; bpmp_fw bpmp_sigheader.bin.encrypt.signed; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2_sigheader.dtb.encrypt.signed; tlk tos-trusty_sigheader.img.encrypt.signed; eks eks_sigheader.img.encrypt.signed; bootloader_dtb tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt.signed" --skipuid
saving flash command in flashcmd.txt

*** no-flash flag enabled. Exiting now... ***

User can run above saved command in factory environment without
providing pkc and sbk keys to flash a device

Example:

$ cd bootloader 
$ sudo bash ./flashcmd.txt

====================================================================================================

and then, when I flash the device, it shows an error message:

$ cd bootloader
$ sudo bash ./flashcmd.txt

====================================================================================================
sudo bash ./flashcmd.txt
Traceback (most recent call last):
  File "./tegraflash.py", line 1274, in <module>
    exports['--cfg'] = tegraflash_update_img_path(exports['--cfg'])
  File "/home/ykei/nvidia/nvidia_sdk/jonestest/JetPack_4.2.1_Linux_GA_P3310/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 3521, in tegraflash_update_img_path
    xml_tree = ElementTree.parse(file)
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1182, in parse
    tree.parse(source, parser)
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 657, in parse
    self._root = parser.close()
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1665, in close
    self._raiseerror(v)
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1517, in _raiseerror
    raise err
xml.etree.ElementTree.ParseError: no element found: line 1, column 0

hello ykei007,

it seems you’re generating an invalid key format according to the messages,

[ 0.0924 ] Signing RCM messages
[ 0.0942 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/jonestest/JetPack_4.2.1_Linux_GA_P3310/Linux_for_Tegra/sbk.xml --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0956 ] Not a valid EC key format
[ 0.1150 ] Not a valid eddsa key format
[ 0.1154 ] Invalid key format

Please check the documentation: see the Secureboot chapter and review the key formats.
Thanks

Hi Jerry,

My sbk.xml content follows the documentation:

The representation in the fusing XML file is:
0x123456789abcdef0fedcba9876543210

I used rsa_priv.pem + sbk.xml to burn the fuses successfully.

Is there anything else I need to check?

Thanks.

hello ykei007,

Please try removing the board information when generating the fuseblob.
For example,

$ sudo ./flash.sh --no-flash -u rsa_priv.pem -v sbk.xml jetson-tx2 mmcblk0p1

BTW,
I’m not sure whether this has an effect, but could you please rename your sbk.xml to sbk.key for another test?
I suggest you also share the full logs with the failures so we can check the details.
Thanks

Hi Jerry,

  1. remove board info
  2. change sbk.xml to sbk.key

Result of 1 and 2: same condition.

Please check the following logs. What does the error return value 11 mean?

==============================================================================

system.img built successfully. 
Existing tbcfile(/home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/cboot.bin) reused.
copying tbcdtbfile(/home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/kernel/dtb/tegra186-quill-p3310-1000-c03-00-base.dtb)... done.
copying cfgfile(/home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/t186ref/cfg/flash_l4t_t186.xml) to flash.xml... done.
Existing flasher(/home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/nvtboot_recovery_cpu.bin) reused.
Existing flashapp(/home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/tegraflash.py) reused.
./tegraflash.py --bl nvtboot_recovery_cpu.bin --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --odmdata 0x1090000 --applet mb1_recovery_prod.bin --cmd "sign"  --cfg flash.xml --chip 0x18 --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmic_config tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --pmc_config tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --prod_config tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --br_cmd_config tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --dev_params emmc.cfg  --bins "mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_prod_cr.bin; mts_bootpack mce_mts_d15_prod_cr.bin; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2.dtb; tlk tos-trusty.img; eks eks.img; bootloader_dtb tegra186-quill-p3310-1000-c03-00-base.dtb"  --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0913 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --getmode mode.txt
[   0.0930 ] PKC key in Open SSL format
[   0.1062 ] Key size is 256 bytes
[   0.1066 ] Valid PKC key
[   0.1386 ] 
[   0.1388 ] Generating RCM messages
[   0.1561 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[   0.1576 ] RCM 0 is saved as rcm_0.rcm
[   0.1697 ] RCM 1 is saved as rcm_1.rcm
[   0.1702 ] List of rcm files are saved in rcm_list.xml
[   0.1753 ] 
[   0.1754 ] Signing RCM messages
[   0.1800 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list rcm_list.xml --pubkeyhash pub_key.key
[   0.1868 ] PKC key in Open SSL format
[   0.1885 ] Key size is 256 bytes
[   0.1912 ] Valid PKC key
[   0.2012 ] Saving pkc public key  in pub_key.key
[   0.7561 ] 
[   0.7562 ] Copying signature to RCM mesages
[   0.7579 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[   0.7899 ] 
[   0.7901 ] Parsing partition layout
[   0.8128 ] tegraparser_v2 --pt flash.xml.tmp
[   0.9224 ] 
[   0.9226 ] Creating list of images to be signed
[   0.9405 ] tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml oem-rsa
[   1.2641 ] 
[   1.2643 ] Generating signatures
[   1.2691 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list images_list.xml --pubkeyhash pub_key.key
[   1.2706 ] PKC key in Open SSL format
[   1.2723 ] Key size is 256 bytes
[   1.2768 ] Valid PKC key
[   1.2945 ] Saving pkc public key  in pub_key.key
[   7.5398 ] 
[   7.5399 ] Generating br-bct
[   7.5546 ] Updating dev and MSS params in BR BCT
[   7.5550 ] tegrabct_v2 --dev_param emmc.cfg --sdram P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --brbct br_bct.cfg --chip 0x18 0
[   7.6602 ] 
[   7.6604 ] Updating bl info
[   7.6660 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 0 --updateblinfo flash.xml.bin --updatesig images_list_signed.xml
[   7.7129 ] 
[   7.7130 ] Updating smd info
[   7.7173 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 --updatesmdinfo flash.xml.bin
[   7.7519 ] 
[   7.7521 ] Updating Odmdata
[   7.7536 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 0 --updatefields Odmdata =0x1090000
[   7.7769 ] 
[   7.7770 ] Get Signed section of bct
[   7.7881 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 0 --listbct bct_list.xml
[   7.8175 ] 
[   7.8280 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list bct_list.xml --pubkeyhash pub_key.key
[   7.8340 ] PKC key in Open SSL format
[   7.8423 ] Key size is 256 bytes
[   7.8445 ] Valid PKC key
[   7.8546 ] Saving pkc public key  in pub_key.key
[   8.1137 ] 
[   8.1139 ] Updating BCT with signature
[   8.1154 ] tegrabct_v2 --brbct br_bct_BR.bct --chip 0x18 0 --updatesig bct_list_signed.xml --pubkeyhash pub_key.key
[   8.1599 ] 
[   8.1600 ] Generating coldboot mb1-bct
[   8.1615 ] tegrabct_v2 --chip 0x18 0 --mb1bct mb1_cold_boot_bct.cfg --sdram P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --misc tegra186-mb1-bct-misc-si-l4t.cfg --scr mobile_scr.cfg --pinmux tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmc tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --pmic tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --brcommand tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --prod tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg
[   8.1827 ] MB1-BCT version: 0xf
[   8.1892 ] Copying Sdram info from 2 to 3 set
[   8.2335 ] Packing sdram param for instance[0]
[   8.2355 ] Packing sdram param for instance[1]
[   8.2375 ] Packing sdram param for instance[2]
[   8.2438 ] Packing sdram param for instance[3]

[   8.2499 ] Parsing config file :tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg 
[   8.2527 ] Appending platform config data of size :- 3048

[   8.2580 ] Parsing config file :mobile_scr.cfg 
[   8.2610 ] Appending platform config data of size :- 12240
[   8.2671 ] 
[   8.2672 ] Parsing config file :tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg 
[   8.2674 ] Appending platform config data of size :- 24
[   8.2676 ] 
[   8.2677 ] Parsing config file :tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg 
[   8.2679 ] Appending platform config data of size :- 648
[   8.2681 ] 
[   8.2683 ] Parsing config file :tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg 
[   8.2684 ] Appending platform config data of size :- 64
[   8.2685 ] 
[   8.2687 ] Parsing config file :tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg 
[   8.2689 ] Appending platform config data of size :- 1628
[   8.2690 ] 
[   8.2692 ] Updating mb1-bct with firmware information
[   8.2734 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_cold_boot_bct_MB1.bct --updatefwinfo flash.xml.bin
[   8.2811 ] MB1-BCT version: 0xf
[   8.3040 ] 
[   8.3041 ] Updating mb1-bct with storage information
[   8.3057 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_cold_boot_bct_MB1.bct --updatestorageinfo flash.xml.bin
[   8.3095 ] MB1-BCT version: 0xf
[   8.3279 ] 
[   8.3295 ] tegrahost_v2 --chip 0x18 --align mb1_cold_boot_bct_MB1.bct
[   8.3479 ] 
[   8.3495 ] tegrahost_v2 --appendsigheader mb1_cold_boot_bct_MB1.bct oem-rsa
[   8.3600 ] 
[   8.3690 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list mb1_cold_boot_bct_MB1_sigheader.bct_list.xml --pubkeyhash pub_key.key
[   8.3726 ] PKC key in Open SSL format
[   8.3778 ] Key size is 256 bytes
[   8.3800 ] Valid PKC key
[   8.3887 ] Saving pkc public key  in pub_key.key
[   8.5479 ] 
[   8.5500 ] tegrahost_v2 --updatesigheader mb1_cold_boot_bct_MB1_sigheader.bct.signed mb1_cold_boot_bct_MB1_sigheader.bct.sig oem-rsa
[   8.5742 ] 
[   8.5745 ] Generating recovery mb1-bct
[   8.5801 ] tegrabct_v2 --chip 0x18 0 --mb1bct mb1_bct.cfg --sdram P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --misc tegra186-mb1-bct-misc-si-l4t.cfg --scr minimal_scr.cfg --pinmux tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmc tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --pmic tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --brcommand tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --prod tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg
[   8.5819 ] MB1-BCT version: 0xf
[   8.5832 ] Copying Sdram info from 2 to 3 set
[   8.6379 ] Packing sdram param for instance[0]
[   8.6410 ] Packing sdram param for instance[1]
[   8.6498 ] Packing sdram param for instance[2]
[   8.6563 ] Packing sdram param for instance[3]
[   8.6722 ] 
[   8.6723 ] Parsing config file :tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg 
[   8.6724 ] Appending platform config data of size :- 3048
[   8.6725 ] 
[   8.6726 ] Parsing config file :minimal_scr.cfg 
[   8.6727 ] Appending platform config data of size :- 12240
[   8.6727 ] 
[   8.6729 ] Parsing config file :tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg 
[   8.6729 ] Appending platform config data of size :- 24
[   8.6730 ] 
[   8.6731 ] Parsing config file :tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg 
[   8.6732 ] Appending platform config data of size :- 648
[   8.6733 ] 
[   8.6734 ] Parsing config file :tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg 
[   8.6734 ] Appending platform config data of size :- 64
[   8.6735 ] 
[   8.6736 ] Parsing config file :tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg 
[   8.6759 ] Appending platform config data of size :- 1628
[   8.6760 ] 
[   8.6761 ] Updating mb1-bct with firmware information
[   8.6776 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_bct_MB1.bct --updatefwinfo flash.xml.bin
[   8.6805 ] MB1-BCT version: 0xf
[   8.6919 ] 
[   8.6921 ] Updating mb1-bct with storage information
[   8.6960 ] tegrabct_v2 --chip 0x18 --mb1bct mb1_bct_MB1.bct --updatestorageinfo flash.xml.bin
[   8.7086 ] MB1-BCT version: 0xf
[   8.7346 ] 
[   8.7404 ] tegrahost_v2 --chip 0x18 --align mb1_bct_MB1.bct
[   8.7532 ] 
[   8.7546 ] tegrahost_v2 --appendsigheader mb1_bct_MB1.bct oem-rsa
[   8.7881 ] 
[   8.7938 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list mb1_bct_MB1_sigheader.bct_list.xml --pubkeyhash pub_key.key
[   8.7963 ] PKC key in Open SSL format
[   8.8118 ] Key size is 256 bytes
[   8.8139 ] Valid PKC key
[   8.8256 ] Saving pkc public key  in pub_key.key
[   9.0560 ] 
[   9.0581 ] tegrahost_v2 --updatesigheader mb1_bct_MB1_sigheader.bct.signed mb1_bct_MB1_sigheader.bct.sig oem-rsa
[   9.0800 ] 
[   9.0803 ] Copying signatures
[   9.0841 ] tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --updatesig images_list_signed.xml --pubkeyhash pub_key.key
[   9.1961 ] 
[   9.1977 ] tegrahost_v2 --chip 0x18 --align nvtboot_recovery.bin
[   9.2201 ] 
[   9.2217 ] tegrahost_v2 --appendsigheader nvtboot_recovery.bin oem-rsa
[   9.2517 ] 
[   9.2555 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list nvtboot_recovery_sigheader.bin_list.xml --pubkeyhash pub_key.key
[   9.2693 ] PKC key in Open SSL format
[   9.2714 ] Key size is 256 bytes
[   9.2778 ] Valid PKC key
[   9.2874 ] Saving pkc public key  in pub_key.key
[   9.5243 ] 
[   9.5376 ] tegrahost_v2 --updatesigheader nvtboot_recovery_sigheader.bin.signed nvtboot_recovery_sigheader.bin.sig oem-rsa
[   9.5641 ] 
[   9.5658 ] tegrahost_v2 --chip 0x18 --align preboot_d15_prod_cr.bin
[   9.5841 ] 
[   9.5858 ] tegrahost_v2 --appendsigheader preboot_d15_prod_cr.bin oem-rsa
[   9.6032 ] 
[   9.6123 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list preboot_d15_prod_cr_sigheader.bin_list.xml --pubkeyhash pub_key.key
[   9.6189 ] PKC key in Open SSL format
[   9.6250 ] Key size is 256 bytes
[   9.6284 ] Valid PKC key
[   9.6442 ] Saving pkc public key  in pub_key.key
[   9.8921 ] 
[   9.9162 ] tegrahost_v2 --updatesigheader preboot_d15_prod_cr_sigheader.bin.signed preboot_d15_prod_cr_sigheader.bin.sig oem-rsa
[   9.9322 ] 
[   9.9339 ] tegrahost_v2 --chip 0x18 --align mce_mts_d15_prod_cr.bin
[   9.9602 ] 
[   9.9641 ] tegrahost_v2 --appendsigheader mce_mts_d15_prod_cr.bin oem-rsa
[  10.0071 ] 
[  10.0092 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list mce_mts_d15_prod_cr_sigheader.bin_list.xml --pubkeyhash pub_key.key
[  10.0206 ] PKC key in Open SSL format
[  10.0294 ] Key size is 256 bytes
[  10.0307 ] Valid PKC key
[  10.0365 ] Saving pkc public key  in pub_key.key
[  10.3229 ] 
[  10.3440 ] tegrahost_v2 --updatesigheader mce_mts_d15_prod_cr_sigheader.bin.signed mce_mts_d15_prod_cr_sigheader.bin.sig oem-rsa
[  10.3802 ] 
[  10.3842 ] tegrahost_v2 --chip 0x18 --align bpmp.bin
[  10.3950 ] 
[  10.3984 ] tegrahost_v2 --appendsigheader bpmp.bin oem-rsa
[  10.4287 ] 
[  10.4373 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list bpmp_sigheader.bin_list.xml --pubkeyhash pub_key.key
[  10.4435 ] PKC key in Open SSL format
[  10.4563 ] Key size is 256 bytes
[  10.4575 ] Valid PKC key
[  10.4598 ] Saving pkc public key  in pub_key.key
[  10.7625 ] 
[  10.7735 ] tegrahost_v2 --updatesigheader bpmp_sigheader.bin.signed bpmp_sigheader.bin.sig oem-rsa
[  10.8083 ] 
[  10.8203 ] tegrahost_v2 --chip 0x18 --align tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2.dtb
[  10.8362 ] 
[  10.8378 ] tegrahost_v2 --appendsigheader tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2.dtb oem-rsa
[  10.8683 ] 
[  10.8775 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2_sigheader.dtb_list.xml --pubkeyhash pub_key.key
[  10.8815 ] PKC key in Open SSL format
[  10.8889 ] Key size is 256 bytes
[  10.8928 ] Valid PKC key
[  10.8968 ] Saving pkc public key  in pub_key.key
[  11.1450 ] 
[  11.1627 ] tegrahost_v2 --updatesigheader tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2_sigheader.dtb.signed tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2_sigheader.dtb.sig oem-rsa
[  11.1843 ] 
[  11.1883 ] tegrahost_v2 --chip 0x18 --align tos-trusty.img
[  11.2043 ] 
[  11.2060 ] tegrahost_v2 --appendsigheader tos-trusty.img oem-rsa
[  11.2319 ] 
[  11.2409 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list tos-trusty_sigheader.img_list.xml --pubkeyhash pub_key.key
[  11.2449 ] PKC key in Open SSL format
[  11.2465 ] Key size is 256 bytes
[  11.2525 ] Valid PKC key
[  11.2607 ] Saving pkc public key  in pub_key.key
[  11.5398 ] 
[  11.5419 ] tegrahost_v2 --updatesigheader tos-trusty_sigheader.img.signed tos-trusty_sigheader.img.sig oem-rsa
[  11.5839 ] 
[  11.5904 ] tegrahost_v2 --chip 0x18 --align eks.img
[  11.6318 ] 
[  11.6441 ] tegrahost_v2 --appendsigheader eks.img oem-rsa
[  11.6719 ] 
[  11.6840 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list eks_sigheader.img_list.xml --pubkeyhash pub_key.key
[  11.6898 ] PKC key in Open SSL format
[  11.7021 ] Key size is 256 bytes
[  11.7130 ] Valid PKC key
[  11.7158 ] Saving pkc public key  in pub_key.key
[  11.9439 ] 
[  11.9569 ] tegrahost_v2 --updatesigheader eks_sigheader.img.signed eks_sigheader.img.sig oem-rsa
[  11.9919 ] 
[  11.9936 ] tegrahost_v2 --chip 0x18 --align tegra186-quill-p3310-1000-c03-00-base.dtb
[  12.0175 ] 
[  12.0192 ] tegrahost_v2 --appendsigheader tegra186-quill-p3310-1000-c03-00-base.dtb oem-rsa
[  12.0559 ] 
[  12.0600 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb_list.xml --pubkeyhash pub_key.key
[  12.0623 ] PKC key in Open SSL format
[  12.0719 ] Key size is 256 bytes
[  12.0732 ] Valid PKC key
[  12.0755 ] Saving pkc public key  in pub_key.key
[  12.3181 ] 
[  12.3364 ] tegrahost_v2 --updatesigheader tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.signed tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.sig oem-rsa
[  12.3599 ] 
[  12.3616 ] tegrahost_v2 --chip 0x18 --align nvtboot_recovery_cpu.bin
[  12.3879 ] 
[  12.3896 ] tegrahost_v2 --appendsigheader nvtboot_recovery_cpu.bin oem-rsa
[  12.4125 ] 
[  12.4250 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --list nvtboot_recovery_cpu_sigheader.bin_list.xml --pubkeyhash pub_key.key
[  12.4329 ] PKC key in Open SSL format
[  12.4357 ] Key size is 256 bytes
[  12.4392 ] Valid PKC key
[  12.4485 ] Saving pkc public key  in pub_key.key
[  12.7030 ] 
[  12.7120 ] tegrahost_v2 --updatesigheader nvtboot_recovery_cpu_sigheader.bin.signed nvtboot_recovery_cpu_sigheader.bin.sig oem-rsa
[  12.7440 ] 
[  12.7444 ] Copying signed file in /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/bootloader/signed
./tegraflash.py --bl nvtboot_recovery_cpu.bin --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --odmdata 0x1090000 --applet mb1_recovery_prod.bin --cmd "sign"  --cfg flash.xml --chip 0x18 --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-quill-p3310-1000-c03.cfg --pmic_config tegra186-mb1-bct-pmic-quill-p3310-1000-c04.cfg --pmc_config tegra186-mb1-bct-pad-quill-p3310-1000-c03.cfg --prod_config tegra186-mb1-bct-prod-quill-p3310-1000-c03.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --br_cmd_config tegra186-mb1-bct-bootrom-quill-p3310-1000-c03.cfg --dev_params emmc.cfg  --bins "mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_prod_cr.bin; mts_bootpack mce_mts_d15_prod_cr.bin; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2.dtb; tlk tos-trusty.img; eks eks.img; bootloader_dtb tegra186-quill-p3310-1000-c03-00-base.dtb"  --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --encrypt_key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/sbk.txt 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0723 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/rsa_priv.pem --getmode mode.txt
[   0.0795 ] PKC key in Open SSL format
[   0.0856 ] Key size is 256 bytes
[   0.0868 ] Valid PKC key
[   0.1112 ] 
[   0.1114 ] Generating RCM messages
[   0.1130 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[   0.1218 ] RCM 0 is saved as rcm_0.rcm
[   0.1312 ] RCM 1 is saved as rcm_1.rcm
[   0.1336 ] List of rcm files are saved in rcm_list.xml
[   0.1415 ] 
[   0.1417 ] Signing RCM messages
[   0.1525 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/sbk.txt --list rcm_list.xml --pubkeyhash pub_key.key
[   0.1543 ] Not a valid EC key format
[   0.1722 ] Not a valid eddsa key format
[   0.1726 ] Invalid key format
[   0.1843 ] 
Error: Return value 11
Command tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/sbk.txt --list rcm_list.xml --pubkeyhash pub_key.key
./tegraflash.py --bl nvtboot_recovery_cpu_sigheader.bin.encrypt.signed --bct br_bct_BR.bct --applet rcm_1_signed.rcm --cmd "secureflash;reboot"  --cfg secureflash.xml --chip 0x18 --mb1_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt.signed  --bins "mb2_bootloader nvtboot_recovery_sigheader.bin.encrypt.signed; mts_preboot preboot_d15_prod_cr_sigheader.bin.encrypt.signed; mts_bootpack mce_mts_d15_prod_cr_sigheader.bin.encrypt.signed; bpmp_fw bpmp_sigheader.bin.encrypt.signed; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-c04-00-te770d-ucm2_sigheader.dtb.encrypt.signed; tlk tos-trusty_sigheader.img.encrypt.signed; eks eks_sigheader.img.encrypt.signed; bootloader_dtb tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt.signed"  --skipuid  
saving flash command in flashcmd.txt

*** no-flash flag enabled. Exiting now... *** 

User can run above saved command in factory environment without 
providing pkc and sbk keys to flash a device

Example:

    $ cd bootloader 
    $ sudo bash ./flashcmd.txt

=============================================================================================

Hi Jerry,

Fixed by the following:

- SBK file for burning the fuses:
0x123456789abcdef0fedcba9876543210

- SBK file for signing images:
0x12345678 0x9abcdef0 0xfedcba98 0x76543210

hello ykei007,

To summarize,
the error messages below mean an invalid sbk.txt key file.

[ 0.1525 ] tegrasign_v2 --key /home/ykei/nvidia/nvidia_sdk/JetPack_4.2.2_Linux_GA_P3310/Linux_for_Tegra/sbk.txt --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.1543 ] Not a valid EC key format
[ 0.1722 ] Not a valid eddsa key format
[ 0.1726 ] Invalid key format
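
The layout difference that resolved this thread, as an added example that is not part of any post and is not NVIDIA tooling: a pre-flight check that classifies the contents of an SBK file and converts the single-value layout used for fuse burning into the four-word layout that worked for signing. It assumes only the two layouts quoted in the thread (word order preserved, as in the poster's values); all function names are hypothetical.

```python
import re

# Constructed sample: the placeholder SBK value quoted in this thread.
FUSE_SAMPLE = "0x123456789abcdef0fedcba9876543210"

# Layouts taken from the thread, nothing else is assumed about tegrasign_v2:
#   fuse burning: one 128-bit value   -> 0x + 32 hex digits
#   signing:      four 32-bit words   -> 0x + 8 hex digits, space separated
_FUSE_RE = re.compile(r"0x([0-9a-fA-F]{32})")
_WORD_RE = re.compile(r"0x([0-9a-fA-F]{8})")


def classify_sbk(text):
    """Return 'fuse', 'sign' or 'invalid' for the contents of an SBK file."""
    tokens = text.split()
    if len(tokens) == 1 and _FUSE_RE.fullmatch(tokens[0]):
        return "fuse"
    if len(tokens) == 4 and all(_WORD_RE.fullmatch(t) for t in tokens):
        return "sign"
    return "invalid"


def fuse_to_sign(text):
    """Split the 128-bit fuse value into four 32-bit words, order preserved."""
    match = _FUSE_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError("expected 0x followed by 32 hex digits")
    digits = match.group(1)
    return " ".join("0x" + digits[i:i + 8] for i in range(0, 32, 8))


def sign_to_fuse(text):
    """Join four 32-bit words back into the single fuse-layout value."""
    if classify_sbk(text) != "sign":
        raise ValueError("expected four 0x-prefixed 32-bit words")
    return "0x" + "".join(token[2:] for token in text.split())


def preflight(text, purpose):
    """Check key-file contents against the layout needed for `purpose`
    ('fuse' or 'sign'). Returns (ok, message); the message never echoes
    key material, so it is safe to write to a build log."""
    if purpose not in ("fuse", "sign"):
        raise ValueError("purpose must be 'fuse' or 'sign'")
    found = classify_sbk(text)
    if found == purpose:
        return True, "SBK layout matches what %s expects" % purpose
    if found == "invalid":
        return False, "not a recognised SBK layout"
    return False, "SBK is in %s layout but %s layout is required" % (found, purpose)


if __name__ == "__main__":
    # The fuse-layout value fails the signing check until it is converted.
    print(preflight(FUSE_SAMPLE, "sign")[1])
    print(preflight(fuse_to_sign(FUSE_SAMPLE), "sign")[1])
```

Running a check like this before `flash.sh --no-flash` catches the mismatch up front, rather than leaving an empty `secureflash.xml` to fail later when `flashcmd.txt` is run.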