BSP 35.6.2 does not seem to boot properly when using UEFI secure boot

Using BSP 35.6.2 with a Jetson AGX Xavier devkit.

If I generate the uefi_keys folder with keys as explained in “Secure Boot — NVIDIA Jetson Linux Developer Guide documentation”, and run flash.sh with --uefi-keys uefi_keys/uefi_keys.conf, the boot appears to fail as in the capture below.

Reboots a few times, then tries PXE and finally enters a UEFI shell when everything else fails.

If I do not use the --uefi-keys option, it boots “fine”, but appears to not find the extlinux.conf, and picks things from individual partitions (by what it says).

The “Test key is used” is printed in all cases (good and bad boot)… seems suspicious.

What could be wrong? Let me know if you need more information.


Jetson UEFI firmware (version 6.2-40633251 built on 2025-05-16T01:35:20+00:00)
ESC   to enter Setup.
F11   to enter Boot Manager Menu.
Enter to continue boot.
**  WARNING: Test Key is used.  **
......
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
OpenAndReadUntrustedFileToBuffer: Failed to open boot\extlinux\extlinux.conf: Not Found
ProcessExtLinuxConfig:sds Failed to Authenticate boot\extlinux\extlinux.conf (Not Found)
L4TLauncher: Unable to process extlinux config: Not Found
L4TLauncher: Attempting Kernel Boot
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
ReadEncryptedImage: Failed to read data from partition
OpteeDecryptImage: Failed to read data
ReadAndroidStyleKernelPartition: OpteeDecryptImage failed
Failed to boot kernel:0 partition
Shutdown state requested 1
Rebooting system ...

hello david.fernandez,

please see-also Topic 342801 for reference.

Hi @JerryChang,

I have read the Topic you linked, but it seems different in many ways… I am not using options -u or -v, or --uefi-enc, and my keys are not generated with -rand option.

I use only --uefi-keys, with the idea to get all binaries signed, to see if the extlinux.conf is then found by L4TLauncher, as without any --uefi-keys, nothing is signed, and the extlinux.conf is not found… although the jAX boots fine.

The commands to generate keys are:

$ mkdir -p uefi_keys
$ cd uefi_keys
$ openssl req -newkey rsa:2048 -nodes -keyout PK.key  -new -x509 -sha256 \
              -days 3650 -subj "/CN=my Platform Key/" -out PK.crt
$ openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 \
              -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
$ openssl req -newkey rsa:2048 -nodes -keyout db_1.key  -new -x509 -sha256 \
              -days 3650 -subj "/CN=my Signature Database key #1/" -out db_1.crt
$ openssl req -newkey rsa:2048 -nodes -keyout db_2.key  -new -x509 -sha256 \
              -days 3650 -subj "/CN=my Signature Database key #2/" -out db_2.crt
$ cat >uefi_keys.conf <<EOF
UEFI_PK_KEY_FILE="PK.key";
UEFI_PK_CERT_FILE="PK.crt";
UEFI_KEK_KEY_FILE="KEK.key";
UEFI_KEK_CERT_FILE="KEK.crt";
UEFI_DB_1_KEY_FILE="db_1.key";
UEFI_DB_1_CERT_FILE="db_1.crt";
UEFI_DB_2_KEY_FILE="db_2.key";
UEFI_DB_2_CERT_FILE="db_2.crt";
EOF
$ cd ..
$ tools/gen_uefi_default_keys_dts.sh uefi_keys/uefi_keys.conf

and then flash with:

$ sudo ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-xavier-devkit mmcblk0p1

Let me know if you need more information.

hello david.fernandez,

please re-generate a new EKS image to comment out the sym_t194.key although it’s using all 0s.

Hi @JerryChang,

Could you elaborate a bit more?

I assume you are talking about using the:

source/public/tegra/optee-src/nv-optee/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py

to generate the image in a similar way as in:

source/public/tegra/optee-src/nv-optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh

Now, you say “comment out sym_t194.key although it’s using all 0s”…

So you want me to use this line for sym_t194.key:

echo "00000000000000000000000000000000" > sym_t194.key

What should I use for the rest?

I was not using any special image… just relied on what is in the BSP so far.

I could try with all keys being all 0s, as my devkit is unfused, but what about the FV? As the comment in example.sh says:

code the exact same user specific FV into OP-TEE.

So what is in the current OPTEE image? Is that the value shown in example.sh?

Please let me know a few more details about how to generate it, and if that is all that I should do.

Anyway…

Tried using all keys as 0s, and the FV as in the example.sh

It makes no difference for --uefi-keys only… same messages and everything.

Tried adding the --uefi-enc with the sym_t194.key (all 0s) as in the eks_t195.img generated, and I get similar behaviour, but a bit different:

Jetson UEFI firmware (version 6.2-40633251 built on 2025-05-16T01:35:20+00:00)
ESC   to enter Setup.
F11   to enter Boot Manager Menu.
Enter to continue boot.
**  WARNING: Test Key is used.  **
......
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
OpenAndReadUntrustedFileToBuffer: Failed to open boot\extlinux\extlinux.conf: Not Found
ProcessExtLinuxConfig:sds Failed to Authenticate boot\extlinux\extlinux.conf (Not Found)
L4TLauncher: Unable to process extlinux config: Not Found
L4TLauncher: Attempting Kernel Boot
Header not seen
Failed to boot kernel:0 partition
Shutdown state requested 1
Rebooting system ...

Let me know how you want all those keys set up, and what tests you want me to do.

hello david.fernandez,

you’ll need to use this specific value for FV, it’s default settings.
please follow below to perform gen_ekb.py

echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194
echo "00000000000000000000000000000000" > kek2.key
echo "00000000000000000000000000000000" > sym2_t194.key
echo "00000000000000000000000000000000" > auth_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key2 sym2_t194.key \
        -in_auth_key auth_t194.key \
        -out eks_t194.img

please double check you’re updating EKS image correctly.
you’ll need to replace the new created image with $OUT/Linux_for_Tegra/bootloader/eks_t194.img for image flashing.

Hi @JerryChang,

Yes, that is exactly what I am doing to generate the ekb image. And I copied it to the right place.

Only the sym_t194.key is also all 0s, and there is a -in_sym_key sym_t194.key option in the call to gen_ekb.py.

Pretty much as in the example.sh.

Should I omit the sym_t194.key in the gen_ekb.py call?

For completeness, this is the final image:


hello david.fernandez,

yes, as the example above, please omit sym_t194.key to create a new EKS image.

Hi @JerryChang,

That seems to work:

...

Jetson UEFI firmware (version 6.2-40633251 built on 2025-05-16T01:35:20+00:00)
ESC   to enter Setup.
F11   to enter Boot Manager Menu.
Enter to continue boot.
**  WARNING: Test Key is used.  **
......
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
OpenAndReadUntrustedFileToBuffer: Failed to open boot\extlinux\extlinux.conf: Not Found
ProcessExtLinuxConfig:sds Failed to Authenticate boot\extlinux\extlinux.conf (Not Found)
L4TLauncher: Unable to process extlinux config: Not Found
L4TLauncher: Attempting Kernel Boot
EFI stub: Booting Linux Kernel...
EFI stub: UEFI Secure Boot is enabled.
EFI stub: Using DTB from configuration table
EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
EFI stub: Exiting boot services and installing virtual address map...
I/TC: Secondary CPU 1 initializing
I/TC: Secondary CPU 1 switching to normal world boot
I/TC: Secondary CPU 2 initializing
I/TC: Secondary CPU 2 switching to normal world boot
I/TC: Secondary CPU 3 initializing
I/TC: Secondary CPU 3 switching to normal world boot
I/TC: Secondary CPU 4 initializing
I/TC: Secondary CPU 4 switching to normal world boot
I/TC: Secondary CPU 5 initializing
I/TC: Secondary CPU 5 switching to normal world boot
I/TC: Secondary CPU 6 initializing
I/TC: Secondary CPU 6 switching to normal world boot
I/TC: Secondary CPU 7 initializing
I/TC: Secondary CPU 7 switching to normal world boot
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x4e0f0040]
[    0.000000] Linux version 5.10.216-tegra (david.fernandez@df-laptop) (aarch64-linux-gcc.br_real (Buildroot 2020.08) 9.3.0, GNU ld (GNU Binutils) 2.33.1) #1 SMP PREEMPT Thu Aug 28 20:19:36 BST 2025
[    0.000000] Machine model: Jetson-AGX
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: RTPROP=0x875e71b98 SMBIOS=0xc7bb0000 SMBIOS 3.0=0x87b730000 MEMATTR=0x8759cd018 ESRT=0x8759cf018 RNG=0x869c30018 MEMRESERVE=0x86a5a8f18 
[    0.000000] random: crng init done
...

I take it that, when using proper keys burned into fuses, we should generate them all, including sym_t194.key, and modify optee to have it?

Regards

David
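
The three console captures in this thread are identical up to "L4TLauncher: Attempting Kernel Boot" and differ only in what follows. As an added example (not part of any post and not NVIDIA code), the Python below summarises such a capture and decodes the TEE_InvokeTACommand result codes with their GlobalPlatform TEE names; the outcome labels and the abridged sample captures are constructed for illustration.

```python
import re
from collections import Counter

# GlobalPlatform TEE return codes (subset of the GP TEE API specification).
TEE_RESULTS = {
    0xFFFF0001: "TEE_ERROR_ACCESS_DENIED",
    0xFFFF0005: "TEE_ERROR_BAD_FORMAT",
    0xFFFF0006: "TEE_ERROR_BAD_PARAMETERS",
    0xFFFF0007: "TEE_ERROR_BAD_STATE",
    0xFFFF0008: "TEE_ERROR_ITEM_NOT_FOUND",
    0xFFFF000F: "TEE_ERROR_SECURITY",
}
TEE_RE = re.compile(r"TEE_InvokeTACommand failed with res = (0x[0-9a-fA-F]{8})")

def triage(console_text):
    """Summarise one boot attempt from a serial-console capture."""
    # Drop replacement characters and control bytes left by the serial capture.
    text = re.sub(r"[\ufffd\x00-\x08\x0b-\x1f]", "", console_text)
    codes = Counter(int(m, 16) for m in TEE_RE.findall(text))
    if "EFI stub: UEFI Secure Boot is enabled." in text:
        outcome = "kernel started, UEFI Secure Boot enabled"
    elif codes or "OpteeDecryptImage failed" in text:
        outcome = "kernel partition decryption failed in OP-TEE"
    elif "Header not seen" in text:
        outcome = "kernel partition rejected: Header not seen"
    else:
        outcome = "undetermined"
    return {
        "test_key_warning": "WARNING: Test Key is used." in text,
        "extlinux_conf_missing": "Failed to open boot\\extlinux\\extlinux.conf" in text,
        "tee_errors": {TEE_RESULTS.get(c, hex(c)): n for c, n in codes.items()},
        "outcome": outcome,
    }

# Constructed samples, abridged from the three console captures in this thread.
COMMON = (
    "**  WARNING: Test Key is used.  **\n"
    "\ufffd\ufffdL4TLauncher: Attempting Direct Boot\n"
    "OpenAndReadUntrustedFileToBuffer: Failed to open boot\\extlinux\\extlinux.conf: No\n"
    "t Found\n"
    "L4TLauncher: Attempting Kernel Boot\n"
)
TEE_LINE = "E/TA:  decrypt_image:99 TEE_InvokeTACommand failed with res = "
CAPTURES = {
    "--uefi-keys only": COMMON + TEE_LINE + "0xffff0006\n"
    + (TEE_LINE + "0xffff0007\n") * 3
    + "ReadAndroidStyleKernelPartition: OpteeDecryptImage failed\n",
    "--uefi-keys with --uefi-enc": COMMON + "Header not seen\n",
    "EKS image without sym_t194.key": COMMON
    + "EFI stub: Booting Linux Kernel...\nEFI stub: UEFI Secure Boot is enabled.\n",
}

if __name__ == "__main__":
    for name, capture in CAPTURES.items():
        print(name, "->", triage(capture))
```

The "Test Key is used" flag is reported separately from the outcome because the warning appears in failing and successful boots alike.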
