Booting Issues with Secure Boot Key (SBK) on Nvidia Jetson Orin Nano Dev Board

Issue Overview

Users are experiencing difficulties booting their Nvidia Jetson Orin Nano Dev boards after implementing Secure Boot with both Public Key Cryptography (PKC) and Secure Boot Key (SBK). The issue occurs during the early stages of the bootloader, specifically when loading the MEM-BCT (Memory Boot Configuration Table). The problem persists across different carrier boards, including custom boards and the Xavier NX carrier board, suggesting it’s not hardware-specific.

Key symptoms include:

• Successful flashing of the device
• Failure to boot after flashing
• Error messages indicating failure to load MEM-BCT
• Inability to read fuse values using odmfuseread.sh

Possible Causes

1. Incorrect SBK Implementation: The SBK may not be properly fused or recognized by the system, despite successful flashing.

2. BootSecurityInfo Configuration: The BootSecurityInfo value (0x209) might be incorrectly set or interpreted by the bootloader.

3. Fuse Burning Issues: There could be problems with the fuse burning process, leading to incorrect or incomplete security configurations.

4. Incompatibility Between PKC and SBK: The combination of PKC and SBK might be causing conflicts in the boot process.

5. Bootloader Configuration: The XML file used for flashing might contain incorrect parameters, leading to boot failures.

Troubleshooting Steps, Solutions & Fixes

1. Verify Fuse Values:

   • Attempt to read fuse values using the odmfuseread.sh script:

     sudo ./odmfuseread.sh -i 0x23 -k uefi_keys/keys/pkc_rsa3k.pem -S uefi_keys/keys/sbk.key jetson-orin-nano-devkit
     

   • If this fails, try reading without the SBK key:

     sudo ./odmfuseread.sh -i 0x23 -k uefi_keys/keys/pkc_rsa3k.pem jetson-orin-nano-devkit
     

   • Check for the presence of SecureBootKey in the fuse_info output.

2. Review BootSecurityInfo Configuration:

   • Ensure the BootSecurityInfo value (0x209) is correct for your setup:
     • Bits [2:0] = 001b (3072-bit RSA)
     • Bit = 1 (SBK enabled)
     • Bit = 1 (ODM Key Valid)
   • Refer to the Jetson AGX Orin Fuse Specification for detailed information on FUSE_BOOT_SECURITY_INFO_0.

3. Verify SBK Key Format:

   • Ensure the SBK key is in the correct format:

     0x31110a13 0xa3d4ec1d 0xdd67dd6a 0xfdabff59 0xffe13453 0x0480fb9d 0x31e95506 0x95508f8a
     

   • Refer to the documentation on preparing an SBK key.

4. Re-flash with Updated Configuration:

   • Use the following commands to create a massflash image and flash the device:

     sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_external.xml -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -u uefi_keys/keys/pkc_rsa3k.pem -v uefi_keys/keys/sbk.key --showlogs --network usb0 p3509-a02+p3767-0000 internal
     
     sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only -u uefi_keys/keys/pkc_rsa3k.pem -v uefi_keys/keys/sbk.key p3509-a02+p3767-0000 internal
     

   • Ensure you’re using the correct board configuration (e.g., p3509-a02+p3767-0000 for Xavier NX carrier board).

5. Check for Timeout Issues:

   • The flashing script (l4t_initrd_flash.sh) has a default 1-minute timeout for device boot-up.
   • If necessary, increase the timeout value in the script:

     $OUT/Linux_for_Tegra/tools/kernel_flash/l4t_network_flash.func
     

   • Modify the maxcount variable to extend the timeout period.

6. Consult Nvidia Documentation:

   • Review the latest Nvidia documentation on Secure Boot implementation for Jetson Orin Nano.
   • Check for any known issues or updates related to SBK and PKC configuration.

7. Isolate the Issue:

   • Try booting with only PKC enabled (without SBK) to determine if the problem is specific to the SBK implementation.

8. Examine Debug Console Output:

   • Analyze the debug console output, particularly the error message:

     [0000.394] E> Top caller module: MSS, error module: LOADER, reason: 0x18, aux_info: 0x94
     [0000.402] C> Boot Info Table status dump :
     0111111100111000111111111111
     

   • This error suggests issues with loading the MEM-BCT, which could be related to fuse configurations.

If the issue persists after trying these steps, consider reaching out to Nvidia support or posting in their official developer forums for more specialized assistance.