Asymmetric Boot Chain

Note

The following steps are for Standard/Standard or Standard/Prod.

Note

In the steps below, change p3710/p3960-10-s05 to your board.

  1. Setup:

     1. Create a directory to store chains:

            mkdir ~/linux
            export LINUX_DIR=~/linux/

     2. Create a directory to install the SDK:

            mkdir ~/branch
            cd ~/branch

     3. Export:

            export PDK_TOP=${PWD}

     4. To use a local HSM, refer to Update Tegrasign_v3_debug.yaml format.
  2. Create Chain A:

     Execute:

            cd drive-foundation
            ./make/bind_partitions -b p3710/p3960-10-s05 linux -z -p mods clean
            ./make/bind_partitions -b p3710/p3960-10-s05 linux -z -p mods
  3. Create FuseBlob:

            cd tools/flashtools/fuseburn
            python3 ./fskp_fuseburn.py -c 0x23 -f ~/keys/fuse_t234_odm.xml -g /home/user/branch/drive-foundation/firmware/bin/t234/fskpboot/ -i 63 -B p3710/p3960 -b --hsm fskp
            cd ${NV_WORKSPACE}
            cd drive-foundation/
            tools/flashtools/bootburn/create_bsp_images.py -b p3710/p3960-10-s05 -r 1 -g $LINUX_DIR/p3710/p3960-10-s05/chain_a -D --chain A --asymmetric --fskp-bct-path ${NV_WORKSPACE}/drive-foundation/firmware/bin/t234/fskpboot/br_bct_BR_sigheader.bct --customer-data ~/keys/factory.json
  4. Create Chain B:

     • For Standard:

            ./make/bind_partitions -b p3710/p3960-10-s05 linux

     • For Prod:

            mkdir build-prod
            cd build-prod
            export PDK_TOP=${PWD}

       • Install Linux production SDK.
       • Execute:

            ./make/bind_partitions -b p3710/p3960-10-s05 linux -p nsr_prod_debug

       If you are using Linux prod, then set up local HSM again in the build-prod directory. Refer to Update Tegrasign_v3_debug.yaml format.

     • Execute:

            ./tools/flashtools/bootburn/create_bsp_images.py -b p3710/p3960-10-s05 -r 1 -g $LINUX_DIR/p3710/p3960-10-s05/chain_b --chain B --asymmetric --hsm eddsa --customer-data ~/keys/prod.json
  5. Merge Chains:

            ./tools/flashtools/bootburn/create_bsp_images.py -b p3710/p3960-10-s05 -r 1 -g $LINUX_DIR/p3710/p3960-10-s05/merge -D --asymmetric --merge-chains A=$LINUX_DIR/p3710/p3960-10-s05/chain_a B=$LINUX_DIR/p3710/p3960-10-s05/chain_b
  6. Flash Chain A:

            cd $LINUX_DIR/p3710/p3960-10-s05
            ./merge/tools/flashtools/bootburn/flash_bsp_images.py -b p3710/p3960-10-s05 -D -P /home/user/linux/p3710/p3960-10-s05/merge/642-63710-0010-000_TS5/ --asymmetric
  7. Update Tegrasign_v3_debug.yaml format:

     The reference default implementation of tegrasign_v3_hsm.py expects the file drive-foundation-safety/tools/flashtools/flash/tegrasign_v3_debug.yaml with the following content:

            {"HSM":
             {
             "SBK_KEY" : "/path_to/sbk_hsm.key",
             "FSKP_AK_KEY" : "/path_to/fskp_ak_hsm.key",
             "FSKP_EK_KEY" : "/path_to/fskp_ek_hsm.key",
             "ED25519_KEY" : "/path_to/ed25519_hsm.key",
             }
            }
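
A pre-flight check for the key mapping above, run before any signing step. This is an added example, not part of the SDK or of tegrasign_v3_hsm.py; the function name `check_hsm_config`, the regex-based parsing (used in place of a YAML parser) and the owner-only permission policy are assumptions of this example.

```python
import os
import re
import stat
import sys

# Key names are the four listed in the tegrasign_v3_debug.yaml sample above.
REQUIRED = ("SBK_KEY", "FSKP_AK_KEY", "FSKP_EK_KEY", "ED25519_KEY")
# Matches  "NAME" : "value"  pairs. A regex replaces a YAML parser so the script
# needs no third-party module (assumption: the flat layout shown on the page).
PAIR = re.compile(r'"([A-Z0-9_]+)"\s*:\s*"([^"]*)"')


def check_hsm_config(text):
    """Return a list of problems found in the HSM key mapping (empty = OK)."""
    if not re.search(r'"HSM"\s*:', text):
        return ["missing top-level HSM mapping"]
    entries = dict(PAIR.findall(text))
    problems = []
    for name in REQUIRED:
        path = entries.get(name)
        if path is None:
            problems.append(f"{name}: not set")
            continue
        path = os.path.expanduser(path)
        if path.startswith("/path_to/"):
            problems.append(f"{name}: still the sample placeholder")
            continue
        try:
            st = os.stat(path)
        except OSError:
            problems.append(f"{name}: key file not found: {path}")
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append(f"{name}: not a regular file: {path}")
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # Policy assumed for this example: key files are owner-only.
            problems.append(f"{name}: accessible by group/other: {path}")
    return problems


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = check_hsm_config(fh.read())
    print("\n".join(found) or "HSM key mapping OK")
    sys.exit(1 if found else 0)
```

Pass the path to tegrasign_v3_debug.yaml as the only argument; a non-zero exit status means at least one entry needs attention.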
  8. DRIVE Update to update BRBCT with FSKP:

     1. Download package-1.tar and untar it.

     2. Copy the package, sample_driveupdate, and content_server app to the target.

     3. In the target, execute:

            ./content_server ./package-1 &
            ./sample_driveupdate -p /gos-a/content/files

        The system should reboot and boot in Chain B after this step.

  9. DRIVE Update to clone Chain B:

     1. Download package-2.tar and untar it.

     2. Copy the package, sample_driveupdate, and content_server app to the target.

        Note

        Since there is a reboot command in package-1, you see an error message in DRIVE Update. You can safely ignore the error.

     3. Launch the sample app after 4 minutes from boot to console.

     4. In the target, execute:

            ./content_server ./package-2 &
            ./sample_driveupdate -p /gos-a/content/files

        The system should reboot and boot in Chain A after this step.