L4T v28.2 odm_fuse with Ubuntu 16.04

I am trying to create the fuse blob for my product and it does not seem to be working under Ubuntu 16.04.
Per the readme I ran:

$ openssl genrsa -out rsa_priv.pem 2048
$ sudo FAB=C04 ./odmfuse.sh --noburn -i 0x18 -c PKC -p -k rsa_priv.pem jetson-tx2

It appears that mkpkc is failing with error “Error: Session ID check failed.” How do I overcome this error? How do I proceed, or is this only supported under Ubuntu 14.04LTS (which has gone EOL)?

Thanks,
-David

BTW, I have enabled the “-x” flag argument in bash to capture the sequence of commands, but every time I try to post to the forum with its output I get a “Security Error” !?!

hello David_N,

did you encounter the same failure after removing the “FAB=C04” option?
please try again with the standard Jetson TX2 fuse command, you’ll need an actual target device connected to the host and placed in force recovery mode.
also, please share the whole odmfuse messages for us to check.
thanks

Hi David_N,

Have you clarified the cause and resolved the problem?
Any result can be shared?

Thanks

Okay, I was able to find some cycles and return to this. Via a little debugging, I determined that mkpkc calls “/bin/sh -c ‘who am i’”. I found that within terminal of my 14.04 system I would get the expected output. If I ran that command from within a bash shell within emacs, I would get no output! And if I ran that command from within terminal of my 16.04 system I would also get no output.

In summary:

  1. "/bin/sh -c 'who am i'" + Ubuntu 14.04 + 'terminal' == GOOD
  2. "/bin/sh -c 'who am i'" + Ubuntu 14.04 + 'emacs shell' == BAD
  3. "/bin/sh -c 'who am i'" + Ubuntu 16.04 + 'terminal' == BAD

I also checked ‘whoami’ and ‘who’ without any arguments and all worked as expected in all cases. If you google around, you will also find that others have reported ‘who am i’ to return without any output. I suggest changing ‘mkpkc’ and any other NVIDIA apps / scripts to not use it.

Oh, and one last thing I did… I modified the mkpkc app to change it to call ‘who’ instead of ‘who am i’ and that seemed to make things work. For the r28.2 binaries I changed mkpkc offset 0x5F36b from 0x20 to 0x00 and then odmfuse.sh behaved as it should.

Best,
-David
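A pre-flight check for the behaviour described in the post above, as an added example that is not part of the original post or of NVIDIA's tools. `who am i` prints only the utmp record for the terminal on stdin, so it is empty in sessions that have no such record; the function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NVIDIA code: check whether this session will give
# `who am i` any output before running odmfuse.sh / mkpkc.

# Constructed sample of a line a utmp-registered terminal would print.
SAMPLE_GOOD='david    pts/3        2018-03-01 10:12 (:0)'

# classify_who TEXT -> GOOD if TEXT has at least a user and a tty field.
classify_who() {
    printf '%s\n' "$1" |
        awk 'NF >= 2 { ok = 1 } END { print (ok ? "GOOD" : "BAD") }'
}

# probe_who_am_i -> GOOD/BAD for the exact command the post says mkpkc runs.
probe_who_am_i() {
    classify_who "$(/bin/sh -c 'who am i' 2>/dev/null)"
}

# tty_in_utmp: succeeds only if plain `who` lists the terminal on stdin.
tty_in_utmp() {
    t=$(tty 2>/dev/null) || return 1
    t=${t#/dev/}
    who 2>/dev/null | awk -v t="$t" '$2 == t { f = 1 } END { exit !f }'
}

# preflight -> one-line verdict for the current session.
preflight() {
    if [ "$(probe_who_am_i)" = GOOD ]; then
        echo "GOOD: who am i returns a session line"
    elif tty_in_utmp; then
        echo "BAD: terminal is in utmp but who am i is empty"
    else
        echo "BAD: no utmp record for this terminal (or no terminal)"
    fi
}

preflight
```

Run it from the same terminal, and under `sudo` if that is how odmfuse.sh will be started, since the result depends on the session rather than on the Ubuntu release alone.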

hello David_N,

thanks for sharing the information.
we will investigate this internally and get back to you once we come to conclusions.
thanks

Hi JerryChang,

Any update on this? We are running into the exact same issue when running the odmfuse.sh script on Ubuntu 16.04.

A couple of other issues we have noticed when running on 14.04:

  1. When specifying an SBK for a Jetson TX2 odmfuse.sh returns an error that the DK is missing

Specifically,

sudo ./odmfuse.sh -j -i 0x18 --noburn -c PKC -k rsa_priv.pem -S sbk_key.txt jetson-tx2

...
*** Error: DK is missing.

DK is not used on TX2 so this error is a little puzzling.

Also, if we specify one or more KEKs it appears the script does not recognize the --KEK[0…2] option and prints out the usage.

Any insight you could provide would be great.

Thanks

Just a quick update from my previous post. In order to get odmfuse.sh to work with the following command:

sudo ./odmfuse.sh -i 0x18 -j -c PKC --noburn -k rsa_priv.pem -S sbk_key.txt  --KEK0 kek0_key.txt --KEK1 kek1_key.txt  --KEK2 kek2_key.txt jetson-tx2

we had to apply the following patch to odmfuse.sh (Jetson Platform Fuse Burning and Secure Boot Documentation and Tools Release 28.2)

--- odmfuse.sh	2018-07-05 09:26:43.522556293 -0700
+++ odmfuse_new.sh	2018-07-05 09:22:11.931418217 -0700
@@ -621,12 +621,28 @@
 	S) SBKFILE="${OPTARG}"; ;;
 	X) XFILE="${OPTARG}"; ;;
 	-) case ${OPTARG} in
-	   noburn) noburn=1; ;;
-	   KEK0) KEK0FILE=${OPTARG}; ;;
-	   KEK1) KEK1FILE=${OPTARG}; ;;
-	   KEK2) KEK2FILE=${OPTARG}; ;;
-	   KEK256) KEK256FILE=${OPTARG}; ;;
-	   *) usage; ;;
+	       noburn) noburn=1; ;;
+	       KEK0)
+                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
+                    # echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
+                    KEK0FILE="${val}";
+                    ;;
+               KEK1)
+                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
+                    # echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
+                    KEK1FILE="${val}";
+                    ;;
+               KEK2)
+                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
+                    # echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
+                    KEK2FILE="${val}";
+                    ;;
+               KEK256)
+                    val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
+                    # echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
+                    KEK256FILE="${val}";
+                    ;;
+  	       *) usage; ;;
 	   esac;;
 	*) usage; ;;
 	esac
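Review bot: The new KEK0/KEK1/KEK2/KEK256 arms take `val="${!OPTIND}"` without checking that a value is actually there. If `--KEK0` is the last argument, or is followed directly by another option, the file variable ends up empty or set to that option's text, and the arm raises no error. Suggest calling `usage` when `val` is empty or begins with `-`, and moving the fetch-and-check into one helper that the four identical arms call so the check lives in one place. `${!OPTIND}` is also bash-only indirect expansion, so the script has to run under bash, and the added lines mix spaces and tabs against the tab-indented context.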
@@ -819,8 +835,13 @@
 	fi;
 	SBKFILE=`readlink -f "${SBKFILE}"`;
 	if [ "${DKFILE}" = "" ]; then
+            # Device Key (DK) applies to TK1 and TX1 only and is replaced
+            # with KEKs on TX2 (tid = 0x18)
+	    if [ "${tid}" != "0x18" ]; then
 		echo "*** Error: DK is missing.";
 		exit 1;
+	    fi;
+
 	fi;
 fi;
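Review bot: The new guard `if [ "${tid}" != "0x18" ]` is an exact string match, so the DK check is skipped only when tid is spelled precisely `0x18`; `0X18` or a decimal value would still hit "DK is missing". Unless tid is normalised earlier in the script (not visible in this hunk), normalise it first or compare numerically. The comment says DK applies to TK1 and TX1 only, yet the test excludes a single ID; listing the chip IDs that do require a DK would match the comment and would not demand a DK from other chips by default. The `echo` and `exit` lines should also be re-indented under the new `if`, and the blank line before the closing `fi` dropped.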

Hi, how did you change the mkpkc offset? I think I need this fix as well.

Update: I figured it out by using a hex editor, thanks.

hi all,

FYI, we have fixes integrated into our code-line,
please expect the next public release (i.e. l4t-r28.3) to fix the issue that “who am i” returns failures with ubuntu.
thanks

Jerry,

I am running into the same issue.

I see that the 28.3 l4t is out (https://developer.nvidia.com/embedded/linux-tegra-r283). Where can I find the matching secure boot files for 28.3? I couldn’t find it on the downloads section.

- Rayees

it’s correct that there’s no public release secureboot files for r28.3,
please download the attachment and update below two files for testing, thanks
Linux_for_Tegra/odmfuse.sh
Linux_for_Tegra/pkc/mkpkc
Topic1033753_Apr23_secureboot.tar.gz (316 KB)

Thanks Jerry

Jerry,

I tried to use L4T 32.1.0 with this package. Ran into a couple of issues:

1. There was a renaming of the SCEFILE which caused the odmfuse.sh to fail. I modified the name of the SCEFILE to match the name in L4T 32.1.0 and got that script to work.

— Z:\local_tools\os_distros\linux_for_tegra\r28.3\bsp\odmfuse.sh 2019-04-25 10:35:16.000000000 -0700
+++ Z:\local_tools\os_distros\linux_for_tegra\r32.1.0\bsp\odmfuse.sh 2019-04-25 10:22:23.000000000 -0700
@@ -512,13 +512,13 @@
CFGCONV+="-e s/BPFDTB-NAME/bpmp-fw-dtb/ “;
CFGCONV+=”-e s/BPMPDTB-SIGN/true/ “;
CFGCONV+=”-e s/BPFDTB-FILE/${bpmp_fw_dtbname}/ ";

# SCE_TAG:
if [ "${SCEFILE}" = "" -o ! -f "${SCEFILE}" ]; then
  •   SCEFILE="${BL_DIR}/camera-rtcpu-sce.bin";
    
  •   SCEFILE="${BL_DIR}/camera-rtcpu-sce.img";
    
    fi;
    mkarg scefile “${SCEFILE}” “”;
    CFGCONV+="-e s/SCENAME/sce-fw/ “;
    CFGCONV+=”-e s/SCESIGN/true/ “;
    CFGCONV+=”-e s/SCEFILE/${scefilename}/ ";
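Review bot: In the `# SCE_TAG:` block the default `SCEFILE` name is swapped outright from `camera-rtcpu-sce.bin` to `camera-rtcpu-sce.img`, so the edited script no longer finds the default on a tree that still ships the `.bin` name. The surrounding `if` already tests `! -f "${SCEFILE}"`; consider trying the `.img` name first and falling back to `.bin` when that file is absent, so one odmfuse.sh works against both BSP layouts. In the lines shown there is also no check that the chosen default exists before `mkarg scefile` is called, so a missing file surfaces later rather than at this point.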
2. Need updated odmsign.func
I got error (./flash.sh: line 2316: odmsign_ext: command not found) while trying to create the signed and encrypted binary images. Could you please provide this?

Thanks
Rayees

hello rayees.shamsuddin,

you should stay on r28.3 and apply the update in comment #12 for testing.

if you would like to upgrade to r32.1, please wait for another public release of the secureboot package for it.
also, since this discussion thread is based on rel-28, please initiate a new topic for the rel-32 issue.
thanks

Hi Jerry,

We are investigating what it will take to move our TX2 based product from L4T28.x to L4T 32.x (i.e. new kernel version, transition from ubuntu 16.04 to 18.04 etc.). Can you share any details of when the secure boot tools for L4T 32.x will be publicly available?

Thanks!

Hi 5121802,

“Jetson Platform Fuse Burning and Secure Boot Documentation and Tools for TX2 and AGX Xavier” was released in the Download Center. Please take a look at it. Thanks!