Replies: 1 comment
I think this would be the better approach, but we should couple it with adding a

Thanks for bringing this up. NVIDIA did switch over to basing the BPMP image selection on the chip SKU in L4T R35.5, which is why we changed the flash helper. It hadn't occurred to me what impact that would have on build-time signing.
Good morning.
Problem
We are currently examining secure boot on Orin Nano. We are on the kirkstone branch. This already worked with 35.4; after the update to 35.5 it no longer worked. We figured out that the tegra234-flash-helper script now works with the CHIP_SKU entry instead of using the BOARDSKU value.
When not in a secure boot environment this change does not matter at all, because during the flash phase the information is taken from the device being flashed and boardvars.sh is created correctly => no problem.
But when a secure-boot-enabled build wants to execute tegra234-flash-helper at build time, only BOARDSKU (taken from the variable TEGRA_BOARDSKU) is set and CHIP_SKU is not passed. So tegra234-flash-helper will fall back to some internal default and create firmware that does not start.
(Our current) Solution
Having found this issue, we could fix it with the following small patch in image_types_tegra.bbclass:create_tegraflash_pkg:tegra234() (this is against the kirkstone branch):
diff --git a/classes/image_types_tegra.bbclass b/classes/image_types_tegra.bbclass$DATAARGS flash.xml.in $ {DTBFILE} ${EMMC_BCT} ${ODMDATA} ${LNXFILE} ${IMAGE_BASENAME}.${IMAGE_TEGRAFLASH_FS_TYPE} "$@"$DATAARGS flash.xml.in $ {DTBFILE} ${EMMC_BCT} ${ODMDATA} ${LNXFILE} ${IMAGE_BASENAME}.${IMAGE_TEGRAFLASH_FS_TYPE} "$@"
index 2000912a..8968b684 100644
--- a/classes/image_types_tegra.bbclass
+++ b/classes/image_types_tegra.bbclass
@@ -585,7 +585,7 @@ EOF
rm -f doflash.sh
cat > doflash.sh <<END
#!/bin/sh
-MACHINE=${TNSPEC_MACHINE} ./tegra234-flash-helper.sh
+MACHINE=${TNSPEC_MACHINE} CHIP_SKU=${chipsku} ./tegra234-flash-helper.sh
END
chmod +x doflash.sh
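Review bot: the `+MACHINE=${TNSPEC_MACHINE} CHIP_SKU=${chipsku} ./tegra234-flash-helper.sh` line depends on the shell variable `chipsku` having been left set by an earlier function (`tegraflash_generate_bupgen_script`, per the explanation below); nothing in this hunk sets it or fails if it is empty, so a reordering or a spec without a chip SKU would silently produce `CHIP_SKU=` and hand the helper back the same fallback behaviour this patch is meant to avoid. Either set `chipsku` explicitly in `create_tegraflash_pkg:tegra234()` (or use a dedicated variable) and guard it with a `bbfatal` when empty, and add a comment stating where the value comes from. Also note that the `-`/`+` lines appear cut off after `./tegra234-flash-helper.sh`, with the rest of the command (`$DATAARGS flash.xml.in ...`) fused into the `diff --git` header above; please re-post the hunk complete so the full replacement line can be reviewed.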
(this works because tegraflash_generate_bupgen_script executes beforehand and extracts chipsku from TEGRA_BUPGEN_SPECS)
Question (about how to do this right)
Am I overlooking something?
Should we also pass the variables FAB, BOARDSKU and BOARDREV (as in the execution of tegra234-flash-helper in tegraflash_generate_bupgen_script)?
Alternatively (not yet tested), would it be better to extend the TEGRA_SIGNING_ENV variable and feed the CHIP_SKU information through that environment into the execution of doflash.sh?
Or shall I open a PR for the change above?
Regards
Tilman
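The failure mode described in the post above (the flash helper silently falling back to an internal default when CHIP_SKU is absent at build time and producing firmware that does not boot) is the kind of thing a build-time signing step should fail closed on. The following is an added example, not code from meta-tegra or from the poster: a small POSIX sh guard that refuses to assemble the helper command unless every variable that selects the firmware images is set and non-empty. The wrapper function and the variable list are assumptions for illustration; the real doflash.sh passes further arguments that are omitted here.

```shell
#!/bin/sh
# Added example (not meta-tegra code): fail closed when the variables that
# select the BPMP image are missing, instead of letting the flash helper
# fall back to an internal default and emit firmware that does not boot.

# require_flash_vars NAME... : return 0 if every named variable is set and
# non-empty; otherwise list the missing ones on stderr and return 1.
require_flash_vars() {
    missing=""
    for name in "$@"; do
        # Indirect expansion in portable sh: read the value of $name.
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "refusing to flash: unset variable(s):$missing" >&2
        return 1
    fi
    return 0
}

# build_flash_cmd : print the helper invocation only after the guard passes.
# Hypothetical wrapper; the variable list MACHINE and CHIP_SKU mirrors the
# post, the real script appends DATAARGS, flash.xml.in and image arguments.
build_flash_cmd() {
    require_flash_vars MACHINE CHIP_SKU || return 1
    printf 'MACHINE=%s CHIP_SKU=%s ./tegra234-flash-helper.sh\n' \
        "$MACHINE" "$CHIP_SKU"
}

# Stand-alone usage with constructed values (not real SKU data):
# MACHINE=jetson-orin-nano-devkit CHIP_SKU=example-sku sh this_script.sh
if [ "${0##*/}" = "this_script.sh" ]; then
    build_flash_cmd || exit 1
fi
```

The point of `eval "value=\${$name:-}"` is that the guard works under dash or busybox sh, which is what a Yocto `doflash.sh` is typically run by, so the check does not need bash's `${!name}`.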