This article explains how to set up Secure Boot for the Jetson Nano.
Fuse
The Jetson Nano has fuses that enable Secure Boot. A fuse is a storage bit that can be rewritten from 0 to 1 but cannot be rewritten from 1 to 0. The written value is retained even when the power is turned off. The Jetson Nano's fuses also have a lock feature: once the lock is written to 1, the locked fuses can no longer be changed. See https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3261/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/bootloader_secure_boot.html for more details.
The fuse related to Secure Boot in Jetson Nano is as follows
Enabling Secure Boot
To enable Secure Boot, put the Jetson Nano into Recovery Mode and run the fuse write command. See this article for how to put the Nano into Recovery Mode. Download the fuse write tool from https://developer.nvidia.com/embedded/l4t/r32_release_v7.2/t210/secureboot_r32.7.2_aarch64.tbz2 and extract it to the Linux_for_Tegra directory.
Subsequent operations are performed in the Linux_for_Tegra directory.
Create the RSA private key required for Secure Boot. Jetson Nano requires a 2048-bit RSA key.
openssl genrsa -out jetson_rsa_priv.pem 2048
Write the fuses.
sudo ./odmfuse.sh -i 0x21 -c PKC -k jetson_rsa_priv.pem -p --disable-jtag
-c PKC: Use Public Key Cryptography (PKC).
-p: Write 1 to odm_production_mode. This fuse acts as a lock: once it is 1, public_key_hash can no longer be written.
-k jetson_rsa_priv.pem: Write the SHA-256 hash of the public key of jetson_rsa_priv.pem to the public_key_hash fuse.
--disable-jtag: Disable JTAG. From a Secure Boot perspective, JTAG should be disabled.
With the above operation, Secure Boot is enabled on the Jetson Nano.
Finally, write an image with Secure Boot enabled.
sudo ./flash.sh -x 0x21 -u jetson_rsa_priv.pem jetson-nano-devkit mmcblk0p1
That’s all.
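Because a fuse write cannot be undone, it is worth checking the key file before passing it to odmfuse.sh -k and flash.sh -u. The following script is an added example, not part of the original article or of NVIDIA's tools; its function names are hypothetical and it assumes openssl is on the PATH.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on the PKC key before odmfuse.sh is run.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the RSA modulus size in bits; fail unless the file is a readable,
# internally consistent RSA private key. "-passin pass:" prevents a prompt.
rsa_key_bits() {
    local key="$1"
    [ -r "$key" ] || { echo "cannot read key file: $key" >&2; return 1; }
    openssl rsa -in "$key" -passin pass: -check -noout 2>/dev/null \
        | grep -q 'RSA key ok' \
        || { echo "not a valid RSA private key: $key" >&2; return 1; }
    # First line of -text looks like "Private-Key: (2048 bit, 2 primes)".
    openssl rsa -in "$key" -passin pass: -noout -text 2>/dev/null \
        | sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# SHA-256 over the DER-encoded public key. This is a local fingerprint for
# confirming that the same key is given to odmfuse.sh -k and flash.sh -u;
# it is not claimed to equal the value burned into public_key_hash.
pubkey_fingerprint() {
    openssl rsa -in "$1" -passin pass: -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only for a valid 2048-bit RSA private key.
preflight_key() {
    local key="$1" bits
    bits="$(rsa_key_bits "$key")" || return 1
    if [ "$bits" != "2048" ]; then
        echo "key is ${bits:-unknown} bits; the Jetson Nano requires 2048" >&2
        return 1
    fi
    # Warn (non-fatal) when group or others have any access to the key.
    case "$(ls -l "$key")" in
        -???------*) ;;
        *) echo "warning: $key is accessible to group/others" >&2 ;;
    esac
    echo "OK: $key is RSA-2048, public key SHA-256 $(pubkey_fingerprint "$key")"
}

# Usage: ./preflight.sh jetson_rsa_priv.pem
if [ "$#" -gt 0 ]; then preflight_key "$1"; fi
```

Record the printed fingerprint together with a backup of the key; running the script again on the file passed to flash.sh -u should print the same value.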