Hi,
I have tried to enable the secureboot on our Nano box with a carrier board.
The L4T version is 32.3.1.
Here’re my steps.
$ ls -l
total 19037316
drwxrwxrwx 8 root root 4096 12月 10 16:04 Linux_for_Tegra
-rw-rw-r-- 1 tsato tsato 19493855566 2月 24 08:11 Linux_for_Tegra_Nano_JP4.3_20200214.tar.gz
-rw-rw-r-- 1 tsato tsato 150 2月 24 08:17 Linux_for_Tegra_Nano_JP4.3_20200214.tar.gz.MD5.txt
-rw-rw-r-- 1 tsato tsato 339353 2月 24 08:23 secureboot_R32.3.1_aarch64.tbz2
$ sudo tar xvjf secureboot_R32.3.1_aarch64.tbz2
Linux_for_Tegra/
Linux_for_Tegra/odmfuse.sh
Linux_for_Tegra/pkc/
Linux_for_Tegra/pkc/tegrafuse.sh
Linux_for_Tegra/pkc/mkpkc
Linux_for_Tegra/pkc/LICENSE.mkpkc
Linux_for_Tegra/bootloader/
Linux_for_Tegra/bootloader/odmsign.func
Linux_for_Tegra/bootloader/README_secureboot.txt
$ openssl genrsa -out emi_pkc.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................+++++
.......................................................................+++++
e is 65537 (0x010001)
$ echo "0xabcd0001" > dk.txt
$ cd Linux_for_Tegra
$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem jetson-nano-emmc
Usage:
./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options]
Where options are,
-c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
-d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
-i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1
-j ------------------- Keep jtag enabled.
-k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
-l <0xX> ------------- sets odm_lock=0xX.
-o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
8 32bit values MUST be quoted.
-p ------------------- sets production mode.
-r <0xXX> ------------ sets sw_reserved=0xXX.
-D <DK file> --------- 32bit Device Key file in HEX format (TK1 & TX1 only).
-S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
--noburn ------------- Prepare fuse blob without actual burning.
$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing ...
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0030 ] Parsing fuse info as per xml file
[ 0.0046 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[ 0.0067 ]
[ 0.0067 ] Generating RCM messages
[ 0.0084 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0102 ] RCM 0 is saved as rcm_0.rcm
[ 0.0113 ] RCM 1 is saved as rcm_1.rcm
[ 0.0113 ] List of rcm files are saved in rcm_list.xml
[ 0.0113 ]
[ 0.0114 ] Signing RCM messages
[ 0.0135 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0150 ] Assuming zero filled SBK key
[ 0.0231 ]
[ 0.0231 ] Copying signature to RCM mesages
[ 0.0252 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[ 0.0282 ]
[ 0.0282 ] Boot Rom communication
[ 0.0301 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[ 0.0318 ] BR_CID: 0x00000028000000060000000100000002
Then, the process got stuck. The document has some discrepancies and lacks decent info for Nano; although it would be the same as TX1, this is not mentioned anywhere.
What is the right procedure to burn fuses on a carrier board of Nano?
Also, I have tried to use a device key, but that is not allowed by odmfuse.sh without specifying an SBK, which is not available on Nano. So, please clarify how DK is supposed to be burned.
$ sudo ./odmfuse.sh -j -i "0x21" -c PKC -k ../emi_pkc.pem -D ../dk.txt
*** Error: SBK is missing.
$ sudo ./odmfuse.sh -c PKC -i 0x21 -k ../emi_pkc.pem -D ../dk.txt -S ../kek0.txt
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing ...
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0030 ] Parsing fuse info as per xml file
[ 0.0046 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[ 0.0068 ]
[ 0.0069 ] Generating RCM messages
[ 0.0084 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0101 ] RCM 0 is saved as rcm_0.rcm
[ 0.0110 ] RCM 1 is saved as rcm_1.rcm
[ 0.0111 ] List of rcm files are saved in rcm_list.xml
[ 0.0112 ]
[ 0.0112 ] Signing RCM messages
[ 0.0128 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0144 ] Assuming zero filled SBK key
[ 0.0258 ]
[ 0.0259 ] Copying signature to RCM mesages
[ 0.0277 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[ 0.0304 ]
[ 0.0305 ] Boot Rom communication
[ 0.0322 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[ 0.0339 ] BR_CID: 0x321010016445b5071000000018058200
[ 0.1945 ] RCM version 0X210001
[ 0.3703 ] Boot Rom communication completed
[ 1.3772 ]
[ 1.3772 ] Blowing fuses
[ 1.3788 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[ 1.3808 ] Applet version 00.01.0000
[ 1.4764 ] Failed to burn fuses as per fuse info blob, Error:1179996997
[ 1.4993 ] 0000005c: Failed to process oem command
[ 1.4993 ]
Error: Return value 92
Command tegrarcm --oem blowfuses blow_fuse_data.bin
failed.
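One check worth running before an irreversible fuse burn, as an added example that is neither the poster's code nor NVIDIA's: a small Python preflight that encodes the contract odmfuse.sh's own usage text states above (a 2048-bit RSA .pem for -k, a 32-bit hex DK file for -D, a 128-bit hex SBK file for -S, and -D refusing to run without -S, as the "*** Error: SBK is missing." run shows). It assumes the key is the PKCS#1 "RSA PRIVATE KEY" PEM that OpenSSL 1.1's genrsa writes, and the key blob it builds for self-testing is constructed and structure-only, not a usable key.

```python
import base64
import re

def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_modulus_bits(pem_text):
    """Modulus width of a PKCS#1 'RSA PRIVATE KEY' PEM (what OpenSSL 1.1 genrsa writes), no libraries needed."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem_text, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PRIVATE KEY PEM")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _der_len(der, 1)                  # enter the RSAPrivateKey SEQUENCE (tag 0x30 at der[0])
    vlen, i = _der_len(der, i + 1)           # version INTEGER: skip it
    nlen, i = _der_len(der, i + vlen + 1)    # modulus INTEGER follows the version
    return int.from_bytes(der[i:i + nlen], "big").bit_length()

def is_hex_value(text, bits):
    """True if text is exactly one 0x-prefixed hex value of the given width (DK: 32 bits, SBK: 128 bits)."""
    return re.fullmatch(r"0x[0-9a-fA-F]{%d}" % (bits // 4), text.strip()) is not None

def preflight(key_pem, dk_text=None, sbk_text=None):
    """List the odmfuse.sh -c PKC contract violations; an empty list means the inputs match the usage text."""
    problems = []
    try:
        bits = rsa_modulus_bits(key_pem)
        if bits != 2048:
            problems.append(f"-k key is {bits}-bit; odmfuse.sh wants a 2048-bit RSA key")
    except (ValueError, IndexError) as exc:
        problems.append(f"-k key unreadable: {exc}")
    if dk_text is not None:
        if sbk_text is None:
            problems.append("-D given without -S: odmfuse.sh aborts with '*** Error: SBK is missing.'")
        if not is_hex_value(dk_text, 32):
            problems.append("-D file must hold one 32-bit hex value such as 0xabcd0001")
    if sbk_text is not None and not is_hex_value(sbk_text, 128):
        problems.append("-S file must hold one 128-bit hex value (32 hex digits)")
    return problems

def make_test_pem(bits=2048):
    """Constructed, structure-only PKCS#1 blob (version + modulus only); NOT a usable key."""
    nb = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")   # DER sign pad, top bit set
    body = b"\x02\x01\x00" + b"\x02\x82" + len(nb).to_bytes(2, "big") + nb
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % base64.b64encode(der).decode()
```

Run preflight() on the real key and the DK/SBK file contents before invoking odmfuse.sh; any returned string is something the script would reject or, worse, burn wrongly.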