Black screen after enabling SecureBoot and disk encryption

After enabling SecureBoot by generating a custom eks.img (with 2 keys), placing it in the bootloader folder and fusing the needed keys with odmfuse.sh, I am able to flash the board with this command:

sudo ./flash.sh -i /data/keys/disk.key -u /data/keys/rsa.key -v /data/keys/sbk.key --user_key /data/keys/user.hex cti/xavier-nx/photon-encrypted mmcblk0p1

[0011.424] I> Kernel EP: 0x80080000, DTB: 0x90000000
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 4.9.201-tegra (root@swdev3) (gcc version 7.3.1 20180425 [linaro-7.3-2018.05 revision d29120a424ecfbc167ef90065c0eeb7f91977701] (Linaro GCC 7.3-2018.05) ) #1 SMP PREEMPT Thu Apr 22 15:33:48 EDT 2021
[ 0.000000] Boot CPU: AArch64 Processor [4e0f0040]
[ 0.000000] OF: fdt:memory scan node memory, reg size 48,
[ 0.000000] OF: fdt: - 80000000 , 2c000000
[ 0.000000] OF: fdt: - ac200000 , 44800000
[ 0.000000] OF: fdt: - 100000000 , 180000000
[ 0.000000] earlycon: tegra_comb_uart0 at MMIO32 0x000000000c168000 (options '')
[ 0.000000] bootconsole [tegra_comb_uart0] enabled
[ 0.000000] Found tegra_fbmem: 00800000@a069f000
[ 0.000000] Found lut_mem: 00002008@a069b000
WARNING: pll_d2 has no dyn ramp
WARNING: at platform/drivers/pg/pg-gpu-t194.c:185
WARNING: at platform/drivers/pg/pg-gpu-t194.c:185
[ 3.708236] cgroup: cgroup2: unknown option "nsdelegate"
[ 3.711514] pstore: decompression failed;returned -5
WARNING: at platform/drivers/pg/pg-gpu-t194.c:185
WARNING: at platform/drivers/pg/pg-gpu-t194.c:185
[ 5.040019] using random self ethernet address
[ 5.040171] using random host ethernet address
[ 5.120423] random: crng init done
[ 5.120566] random: 7 urandom warning(s) missed due to ratelimiting
[ 5.511197] using random self ethernet address
[ 5.511352] using random host ethernet address
[ 9.327661] Please complete system configuration setup on desktop to proceed…
[ 9.997508] Internal error: undefined instruction: 0 [#1] PREEMPT SMP
[ 9.997780] Modules linked in: userspace_alert nvgpu bluedroid_pm ip_tables x_tables
[ 9.998110] CPU: 0 PID: 4795 Comm: NetworkManager Not tainted 4.9.201-tegra #1
[ 9.998328] Hardware name: NVIDIA Jetson Xavier NX Developer Kit (DT)
[ 9.998518] task: ffffffc1db457000 task.stack: ffffffc1d8a58000
[ 9.998668] PC is at phy_init_hw+0x30/0x78
[ 9.998774] LR is at phy_attach_direct+0xa8/0x210
[ 9.998924] pc : [] lr : [] pstate: 00400045
[ 9.999097] sp : ffffffc1d8a5b4d0
[ 9.999185] x29: ffffffc1d8a5b4d0 x28: 0000000000000000
[ 9.999339] x27: ffffffc1db48a810 x26: ffffff80090591d0
[ 9.999498] x25: 0000000000000000 x24: 0000000000000008
[ 9.999655] x23: ffffffc1f2d9b800 x22: 0000000000000000
[ 9.999809] x21: ffffffc1e2ba8000 x20: ffffffc1e2ba8000
[ 9.999964] x19: ffffffc1f2d9c000 x18: 00000000000032a6
[ 10.000296] x17: 0000000000004378 x16: 00000000002d82a3
[ 10.000735] x15: 0000000000000000 x14: 0000000000630f86
[ 10.005712] x13: 0000000000001a2e x12: 071c71c71c71c71c
[ 10.011290] x11: 000000000000000b x10: 0000000000000a10
[ 10.017071] x9 : ffffffc1d8a5b0d0 x8 : ffffffc1db457a70
[ 10.022840] x7 : fefefeff646c606d x6 : 0000000028c0a78d
[ 10.028352] x5 : 0000000000000000 x4 : 0000000000000004
[ 10.033694] x3 : 0000000000000002 x2 : ffffff80088867a8
[ 10.039028] x1 : ffffff800a019760 x0 : 0000000000000000
[ 10.044365]
[ 10.045782] Process NetworkManager (pid: 4795, stack limit = 0xffffffc1d8a58000)
[ 10.052768] Call trace:
[ 10.055056] [] phy_init_hw+0x30/0x78
[ 10.059862] [] phy_attach_direct+0xa8/0x210
[ 10.065200] [] phy_connect_direct+0x40/0x98
[ 10.070799] [] of_phy_connect+0x58/0xa0
[ 10.075874] [] eqos_init_phy+0x48/0x190
[ 10.080946] [] eqos_open+0x78/0x2c0
[ 10.085759] [] __dev_open+0xcc/0x140
[ 10.090311] [] __dev_change_flags+0xa0/0x160
[ 10.095910] [] dev_change_flags+0x34/0x70
[ 10.101250] [] do_setlink+0x2c0/0xc38
[ 10.106319] [] rtnl_newlink+0x570/0x6c8
[ 10.111746] [] rtnetlink_rcv_msg+0x194/0x208
[ 10.117608] [] netlink_rcv_skb+0xa8/0xf0
[ 10.122688] [] rtnetlink_rcv+0x34/0x48
[ 10.128370] [] netlink_unicast+0x188/0x218
[ 10.134145] [] netlink_sendmsg+0x2e0/0x340
[ 10.139664] [] sock_sendmsg+0x4c/0x68
[ 10.145083] [] ___sys_sendmsg+0x2a8/0x2c0
[ 10.150595] [] __sys_sendmsg+0x54/0x98
[ 10.156020] [] SyS_sendmsg+0x38/0x50
[ 10.161271] [] el0_svc_naked+0x34/0x38
[ 10.166353] ---[ end trace f027e9486c21dcc2 ]---
[ 14.135459] tegradc 15200000.nvdisplay: unblank
[ 14.135577] tegradc 15210000.nvdisplay: blank - powerdown
[ 34.132958] vdd-sdmmc1-sw: disabling
[ 34.133057] vdd-1v8-sd: disabling
[ 34.133123] vdd-epb-1v0: disabling
[ 34.133183] avdd-cam-2v8: disabling
[ 34.133248] vdd-fan: disabling
[ 34.133303] vdd-hdmi-5v0: disabling
[ 34.133367] vdd_sys_en: disabling
[ 34.133426] cti-usb-vbus: disabling

Do you have an idea why my screen is black, and why the console invites me to complete the system configuration?

Full console logs for reference:
console.txt (28.0 KB)

Thank you so much.

hello JulienMoinard,

here's a bug fix in the buffer decryption; could you please apply this patch to the cboot sources.
for example, 0001-lib-tegrabl_auth-fix-a-bug-in-decrypting-buffer.patch (1.8 KB)

please download the CBoot sources and check the readme file for the instructions to build the CBoot binary.
for example, $L4T_Sources/r32.5/Linux_for_Tegra/source/public/cboot/CBoot_Standalone_Readme_t194.txt
thanks

Hello JerryChang,

It works! Thank you so much for your support! My board is alive with encryption of boot and kernel.
My board starts well with disk_enc_enable=0;

But for disk_enc_enable=1; the APP_ENC with 104857600 is not enough

[ 0.0834 ] Signed and encrypted file: /data/nvidia/nvidia_sdk/JetPack_4.5_Linux_JETSON_XAVIER_NX/Linux_for_Tegra/bootloader/temp_user_dir/kernel_tegra194-xavier-nx-cti-NGX003.dtb_sigheader.encrypt.signed
l4t_sign_image.sh: Generate header for kernel_tegra194-xavier-nx-cti-NGX003.dtb_sigheader.encrypt.signed
l4t_sign_image.sh: chip 0x19: add 0x2bba7 to offset 0x8 in sig file
l4t_sign_image.sh: Generate 16-byte-size-aligned base file for kernel_tegra194-xavier-nx-cti-NGX003.dtb_sigheader.encrypt.signed
l4t_sign_image.sh: the signed file is /data/nvidia/nvidia_sdk/JetPack_4.5_Linux_JETSON_XAVIER_NX/Linux_for_Tegra/bootloader/temp_user_dir/kernel_tegra194-xavier-nx-cti-NGX003_sigheader.dtb.encrypt.signed
done.
Making system_boot.img…
populating bootfs from /data/nvidia/nvidia_sdk/JetPack_4.5_Linux_JETSON_XAVIER_NX/Linux_for_Tegra/rootfs/boot … tar: tegra194-p2888-as-p3668-p2822-0000.dtb: seulement 7168 octets sur 10240 ont été écrits
tar: tegra194-p3668-all-p3509-0000.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-p3668-all-p3509-0000-kexec.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-AR0521-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-AR0521-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-AVT-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-AVT-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-IMX219-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-IMX219-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-IMX477-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX003-IMX477-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004-AR0521-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004-AR0521-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004-AVT-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004-AVT-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004.dtb.sig : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004-IMX219-2CAM.dtb : write impossible: Aucun espace disponible sur le périphérique
tar: tegra194-xavier-nx-cti-NGX004-IMX219-2CAM.dtb.sig : write impossible: Aucun espace disponible sur le périphérique

There is not enough space for /boot, so I increased the size of /boot from 100MB to 120MB

<partition name="APP" type="data">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> 125829120 </size>
    <file_system_attribute> 0 </file_system_attribute>
    <allocation_attribute> 0x8 </allocation_attribute>
    <align_boundary> 4096 </align_boundary>
    <percent_reserved> 0 </percent_reserved>
    <filename> system_boot.img </filename>
    <unique_guid> APPUUID </unique_guid>
    <description> Required. Contains the boot partition. This partition must be
    defined after primary_GPT so that it can be accessed as the fixed
    known special device /dev/mmcblk0p1. </description>
</partition>

I can flash the board and it starts, but at boot I can see this Ubuntu issue.

Please find the console log of the first boot for reference
console-firsts-boot.txt (24.5 KB)

If I click on the OK button, the board restarts and the screen is black, but in the console I have a prompt
console-after-restart.txt (24.9 KB)

Do you have any idea?

Kind regards.
Julien.

Hi Julien,

Have you contacted Connect Tech’s Tech Team? If you fill out our Support Form, our team will help you troubleshoot and get you up and running.

Let me know if you have any questions!
Kara

hello JulienMoinard,

please review your partition layout; may I know what your total rootfs size is?
the value of APP_ENC_SIZE must be calculated by subtracting the size of APP from the total rootfs size.
thanks

Hello JerryChang,

Yes, I probably made a mistake.
But I don't know where I need to change APP_ENC_SIZE "later"?

Notice that the element of APP specifies an actual number, but the element of APP_ENC specifies a symbol, APP_ENC_SIZE. Later, the value of APP_ENC_SIZE must be calculated by subtracting the size of APP from the total rootfs size.

OK, later, but I don't know where I need to put the new APP_ENC_SIZE value. Where is the default APP_ENC_SIZE defined? Or do I need to replace APP_ENC_SIZE directly with my integer value? But it seems to work, so is there a default value?

<partition name="APP" type="data">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> 262144000 </size>
    <file_system_attribute> 0 </file_system_attribute>
    <allocation_attribute> 0x8 </allocation_attribute>
    <align_boundary> 4096 </align_boundary>
    <percent_reserved> 0 </percent_reserved>
    <filename> system_boot.img </filename>
    <unique_guid> APPUUID </unique_guid>
    <description> Required. Contains the boot partition. This partition must be
    defined after primary_GPT so that it can be accessed as the fixed
    known special device /dev/mmcblk0p1. </description>
</partition>

<partition name="APP_ENC" type="data">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> APP_ENC_SIZE </size>
    <file_system_attribute> 0 </file_system_attribute>
    <allocation_attribute> 0x8 </allocation_attribute>
    <align_boundary> 4096 </align_boundary>
    <percent_reserved> 0 </percent_reserved>
    <filename> system_root_encrypted.img </filename>
    <unique_guid> APP_ENC_UUID </unique_guid>
    <description> Required. Contains the encrypted root partition. </description>
</partition>

My conf file

source "${LDK_DIR}/p3668.cti-base.common";
DTB_FILE=tegra194-xavier-nx-cti-NGX003.dtb;
disk_enc_enable=1;
EMMC_CFG=flash_l4t_t194_spi_emmc_p3668-encrypted.xml
EMMCSIZE=17179869184;

Thank you so much

Hi,

If I edit flash.sh I can read that APP_ENC_SIZE = encrrootfssize = roofssize - bootsize

So normally it is done by flash.sh?

I don't need to do anything?

Best regards.

hello JulienMoinard,

may I know whether disk encryption works without the APP size modification?
here’s a partition layout sample you should refer to, t186ref/cfg/flash_t194_sdmmc_enc_rfs.xml

to clarify,
once the feature has been applied, the APP partition is separated into two partitions: (1) the boot ("/boot") partition and (2) the root ("/") partition.
the boot partition ("APP") remains in an unencrypted format, so the bootloader can still load the kernel and device tree blob; the root partition ("APP_ENC") is encrypted.

here’s an example of the flash commands to flash encrypted disk images.
i.e. $ sudo ROOTFS_ENC=1 ./flash.sh jetson-xavier mmcblk0p1

Hi,

Yes, I agree with you, and in the t186ref/cfg/flash_t194_sdmmc_enc_rfs.xml file I can read the same thing: an APP partition for the kernel (10485600 is not enough for me because the kernel has a size of 150-180MB) and an APP_ENC partition with a size variable APP_ENC_SIZE that is replaced by flash.sh:

So I am not sure I am doing something wrong. I have an issue with the NVIDIA installer.
The board is up without a login prompt on the serial console, or if I change to the console screen, but without a password set I can't log in to obtain any log about this issue...

hello JulienMoinard,

could you please include the -S option to assign the size of the rootfs.
for example, $ sudo ROOTFS_ENC=1 ./flash.sh -S 100MiB jetson-xavier mmcblk0p1
the KiB/MiB/GiB suffixes represent multiples of 1024, 1024^2 and 1024^3.
please check Flash Script Usage as see-also.
thanks
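As an added illustration of the sizing rule this thread circles around (APP_ENC_SIZE = total rootfs size minus the APP size, which JulienMoinard reads out of flash.sh, and the -S suffixes KiB/MiB/GiB meaning powers of 1024), here is a small Python pre-flash checker. It is not flash.sh or any NVIDIA or Connect Tech code. The layout fragment it parses is constructed in the shape of the XML quoted above, wrapped in a minimal partition_layout root element; the rootfs size, the /boot byte count and the eMMC size it is run with are constructed test values (the 16 GiB eMMC matches EMMCSIZE from the conf file quoted earlier). It reports the failure mode seen in this thread, a /boot that does not fit the unencrypted APP partition, before tar has a chance to hit "No space left on device", and also flags an APP_ENC_SIZE that resolves to zero or negative, sizes that are not multiples of align_boundary, and a layout that exceeds the eMMC.

```python
"""Pre-flash sanity check for an encrypted-rootfs partition layout.

Added illustration for the thread above, not flash.sh or any NVIDIA /
Connect Tech tool. Assumptions (labelled): the rule
APP_ENC_SIZE = rootfs_size - size(APP) that the thread attributes to
flash.sh, the KiB/MiB/GiB = 1024^n rule given for the -S option, and a
constructed layout fragment shaped like the XML quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed layout fragment: same element names as the thread's flash XML,
# wrapped in a minimal root element. Not copied from any real cfg file.
LAYOUT_XML = """<partition_layout>
  <partition name="APP" type="data">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> 125829120 </size>
    <align_boundary> 4096 </align_boundary>
    <filename> system_boot.img </filename>
    <unique_guid> APPUUID </unique_guid>
  </partition>
  <partition name="APP_ENC" type="data">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> APP_ENC_SIZE </size>
    <align_boundary> 4096 </align_boundary>
    <filename> system_root_encrypted.img </filename>
    <unique_guid> APP_ENC_UUID </unique_guid>
  </partition>
</partition_layout>"""

# -S suffixes as described in the thread: binary multiples, not SI.
_SUFFIX = {"": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def parse_size(text):
    """Parse a -S style size: a bare byte count or a KiB/MiB/GiB value."""
    m = re.fullmatch(r"\s*(\d+)\s*(KiB|MiB|GiB)?\s*", text)
    if not m:
        raise ValueError(f"unsupported size syntax: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2) or ""]


def resolve_layout(xml_text, rootfs_size):
    """Return {partition name: (size_bytes, align_boundary)} with the
    APP_ENC_SIZE symbol replaced by rootfs_size - size(APP), the rule the
    thread reads out of flash.sh (encrrootfssize = rootfssize - bootsize)."""
    root = ET.fromstring(xml_text)
    raw = {}
    for part in root.iter("partition"):
        size_txt = part.findtext("size", "").strip()
        align = int(part.findtext("align_boundary", "4096").strip())
        raw[part.get("name")] = (size_txt, align)
    if "APP" not in raw or "APP_ENC" not in raw:
        raise ValueError("layout must define both APP and APP_ENC")
    app_size = int(raw["APP"][0])
    resolved = {}
    for name, (size_txt, align) in raw.items():
        size = rootfs_size - app_size if size_txt == "APP_ENC_SIZE" else int(size_txt)
        resolved[name] = (size, align)
    return resolved


def check_layout(resolved, boot_bytes, emmc_size):
    """Return a list of findings; an empty list means the layout is consistent.

    boot_bytes: bytes /boot needs (kernel, dtbs, .sig files) in the plain APP
    partition; emmc_size: the EMMCSIZE value from the board conf file."""
    findings = []
    app_size, _ = resolved["APP"]
    enc_size, _ = resolved["APP_ENC"]
    if boot_bytes > app_size:
        findings.append(f"APP ({app_size} B) cannot hold /boot ({boot_bytes} B): "
                        "populating system_boot.img would fail with 'No space left on device'")
    if enc_size <= 0:
        findings.append(f"APP_ENC_SIZE resolves to {enc_size}: rootfs size must exceed the APP size")
    for name, (size, align) in resolved.items():
        if size % align:
            findings.append(f"{name} size {size} is not a multiple of align_boundary {align}")
    total = sum(size for size, _ in resolved.values())
    if total > emmc_size:
        findings.append(f"APP + APP_ENC ({total} B) exceed EMMCSIZE ({emmc_size} B)")
    return findings


if __name__ == "__main__":
    # Constructed run: a 4 GiB rootfs, a 150 MiB /boot, the 16 GiB eMMC from the conf.
    layout = resolve_layout(LAYOUT_XML, parse_size("4GiB"))
    for line in check_layout(layout, 150 * 1024 ** 2, 17179869184) or ["layout OK"]:
        print(line)
```

Running it with the constructed 150 MiB /boot reports that the 120 MiB APP partition cannot hold it; with a /boot under 120 MiB the layout passes, and with a rootfs size smaller than APP (e.g. -S 100MiB against this APP size) it flags the negative APP_ENC_SIZE.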