Xavier doesn’t boot after Secure Boot flash (JetPack 5.1.2 / L4T R35.4.1)

Hi, I would like to have secureboot with encrypted rootfs on AGX XAVIER. I’m using ubuntu 20.04, I’ve burned fuses Kek0, Kek1, Kek2,PublicKeyHash SecureBootKey, BootSecurityInfo 0x6.
I can read the fuses with ./odmfuseread.sh -i 0x19 -k ${KEYS_DIR}/key.pem -S ${KEYS_DIR}/SBK.key cti/xavier/rogue/base without any issue.
See the attached picture. (I blacked out the keys, they are the same as I burned).

fuse_config1058×474 49.1 KB

I generate EKS image
python3 gen_ekb.py -chip t194 -kek2_key kek2.key -fv fv.txt
-in_sym_key sym1_t194.key -in_sym_key2 sym2_t194.key -out eks_t194.img
cp eks_t194.img bootloader/eks_t194.img

I flash the device with command sudo ROOTFS_ENC=1 ./flash.sh -u ${KEYS_DIR}/key.pem -v ${KEYS_DIR}/SBK.key -i ${KEYS_DIR}/sym2_t194.key cti/xavier/rogue/base mmcblk0p1

The flash.sh ends

[ 363.7768 ] Flashing completed

[ 363.7770 ] Coldbooting the device
[ 363.7807 ] tegrarcm_v2 --ismb2
[ 363.9057 ] tegradevflash_v2 --reboot coldboot
[ 363.9080 ] Bootloader version 01.00.0000

But the device after reboot stays in recovery mode no UART or HDMI output.
Is it issue that I burned kek0,kek1 too?

Any help would be appreciated. Thanks!

hello pwaadm7,

it looks you did not enable security mode. (i.e. ODM_PRODUCTION)
FYI, the recommended way (especially for Xavier series) is to burn all fuses together instead of burning fuses step-by-step.

Thank you for your previous response. I thought that AGX would boot even if it is not in production mode. Could you please confirm if that is the case? I would like to have JTAG disabled in production mode, but if I do that now, I will lose the ability to use it.

hello pwaadm7,

please see-also Topic 158361, please burn all fuses together.
you may refer to developer guide, Secure Boot — NVIDIA Jetson Linux Developer Guide.
re-cap as below.

NVIDIA recommends burning all the fuses you need in a single operation.

I will definitely burn the fuses at once for the production devices. But now I would like to know If I can fix the device with missing ODM_PRODUCTION fuse, and if it is the issue why the jetson doesnt boot, as I dont have any messages in debug console.

hello pwaadm7,

you may do partial fuse burning to program ODM_PRODUCTION on that target.

hi @JerryChang, please advice what’s the best way to partial burn to production mode ?

1. sudo ./odmfuse.sh -i 0x19 -k ${KEYS_DIR}/key.pem -S ${KEYS_DIR}/SBK.key -p cti/xavier/rogue/base

or

2. sudo ./odmfuse.sh -X ${KEYS_DIR}/fuse_config_agx_xavier.xml -i 0x19 -k ${KEYS_DIR}/key.pem -S ${KEYS_DIR}/SBK.key cti/xavier/rogue/base

where fuse_config_agx_xavier.xml
< genericfuse MagicId=“0x45535546” version=“1.0.0”>
< fuse name=“SecurityMode” size=“4” value=“0x1”/>
< /genericfuse>

hello pwaadm7,

either use-p to sets production mode, or, set SecurityMode through fuse configuration file. both of them all okay to partial burn for enabling production mode.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.