Asymmetric Boot Chain#
Note
The following steps are for Standard/Standard or Standard/Prod.
Note
In the steps below, change p3710/p3960-10-s05 to your board.
Setup: 1. Create a directory to store chains:
mkdir ~/linux
export LINUX_DIR=~/linux/
2. Create a directory to install SDK:
mkdir ~/branch
cd branch
3. Export:
export PDK_TOP=${PWD}
4. To use local HSM, refer to Update Tegrasign_v3_debug.yaml format.
Create Chain A:
Execute:
cd drive-foundation
./make/bind_partitions -b p3710/p3960-10-s05 linux -z -p mods clean
./make/bind_partitions -b p3710/p3960-10-s05 linux -z -p mods
Create FuseBlob:
cd tools/flashtools/fuseburn
python3 ./fskp_fuseburn.py -c 0x23 -f ~/keys/fuse_t234_odm.xml -g /home/user/branch/drive-foundation/firmware/bin/t234/fskpboot/ -i 63 -B p3710/p3960 -b –hsm fskp
cd ${NV_WORKSPACE}
cd drive-foundation/
tools/flashtools/bootburn/create_bsp_images.py -b p3710/p3960-10-s05 -r 1 -g $LINUX_DIR/p3710/p3960-10-s05/chain_a -D --chain A --asymmetric --fskp-bct-path ${NV_WORKSPACE}/drive-foundation/firmware/bin/t234/fskpboot/br_bct_BR_sigheader.bct --customer-data ~/keys/factory.json
Create Chain B:
For Standard:
./make/bind_partitions -b p3710/p3960-10-s05 linux
* For Prod:
mkdir build-prod
cd build-prod
export PDK_TOP=${PWD}
* Install Linux production SDK.
* Execute:
./make/bind_partitions -b p3710/p3960-10-s05 linux -p nsr_prod_debug
If you are using Linux prod, then set up local HSM again in the build-prod directory. Refer to Update Tegrasign_v3_debug.yaml format.
* Execute:
./tools/flashtools/bootburn/create_bsp_images.py -b p3710/p3960-10-s05 -r 1 -g $LINUX_DIR/p3710/p3960-10-s05/chain_b --chain B --asymmetric --hsm eddsa --customer-data ~/keys/prod.json
Merge Chains:
./tools/flashtools/bootburn/create_bsp_images.py -b p3710/p3960-10-s05 -r 1 -g $LINUX_DIR/p3710/p3960-10-s05/merge -D --asymmetric --merge-chains A=$LINUX_DIR/p3710/p3960-10-s05/chain_a B=$LINUX_DIR/p3710/p3960-10-s05/chain_b
Flash Chain A:
cd $LINUX_DIR/p3710/p3960-10-s05
./merge/tools/flashtools/bootburn/flash_bsp_images.py -b p3710/p3960-10-s05 -D -P /home/user/linux/p3710/p3960-10-s05/merge/642-63710-0010-000_TS5/ --asymmetric
Update Tegrasign_v3_debug.yaml format:
Reference default implementation of tegrasign_v3_hsm.py
expects the drive-foundation-safety/tools/flashtools/flash/tegrasign_v3_debug.yaml
file with the following content:
{"HSM":
{
"SBK_KEY" : "/path_to/sbk_hsm.key",
"FSKP_AK_KEY" : "/path_to/fskp_ak_hsm.key",
"FSKP_EK_KEY" : "/path_to/fskp_ek_hsm.key",
"ED25519_KEY" : "/path_to/ed25519_hsm.key",
}
}
DRIVE Update to update BRBCT with FSKP: 1. Download package-1.tar and untar it.
System should reboot and boot in Chain B after this step
2. Copy the package, sample_driveupdate, and content_server app to the target.
3. In the target, execute:
./content_server ./package-1 &
./sample_driveupdate -p /gos-a/content/files
The system should reboot and boot in Chain B after this step.
DRIVE Update to clone Chain B: 1. Download package-2.tar and untar it.
2. Copy the package, sample_driveupdate, and content_server app to the target.
Note
Since there is a reboot command in package-1, you see an error message in DRIVE Update. You can safely ignore the error.
3. Launch the sample app after 4 minutes from boot to console.
4. In the target, execute:
./content_server ./package-2 &
./sample_driveupdate -p /gos-a/content/files
The system should reboot and boot in Chain A after this step.