Can't boot after enabling Security Boot (Jetson AGX Xavier)

Hello there,

For the last few months we have been trying to enable disk encryption with no luck. We really need your help to figure out the issues. We have had the worst experience ever with your documentation.

We are using a Jetson AGX Xavier production board. We are trying to enable secure boot on our device. We followed these steps to achieve it.
In the beginning (keys generated following your guide),
we tried to use the "--noburn" and "--no-flash" options to fuse and sign the flash images, like this:

sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 --auth SBKPKC -p -k rsa_priv.pem --KEK2 kek2.key -S sbk.key jetson-xavier
sudo  tar -jxvf fuseblob.tbz2
cd bootloader
sudo ./fusecmd

and this command, like this:

sudo  FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./flash.sh --no-flash --sign  -u rsa_priv.pem -v sbk.key  --user_key usr_flash.key  jetson-xavier mmcblk0p1
cd bootloader
sudo bash ./flashcmd.txt

They all show the error "Error: Return value 22".

I had no way to fix it, so I switched to really fusing and flashing, following these steps:

1. Set up L4T (I got everything I need, I guess)

2. Prepare the encryption keys

➜  ~ cat  kek2.key
3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5
➜  ~ cat sbk.key 
0xcxxxxxx3 0xdxxxxxx5 0x2xxxxxx1 0x4xxxxxx9
➜  ~ cat iv_hex_file
bad66eb4484983684b992fe54a648bb8
➜  ~ cat usr_eks.key 
bxxxxxx5dxxxxxx2dxxxxxx0cxxxxxx2
➜  ~ cat usr_flash.key 
0xbxxxxxx5 0xdxxxxxx2 0xdxxxxxx0 0xcxxxxxx2
➜  ~ cat ekb.key 
dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1
3. Fuse the device
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./odmfuse.sh  -i 0x19 -p  -k rsa_priv.pem --KEK2 kek2.key -S sbk.key  jetson-xavier

4. Flash the device

sudo  FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./flash.sh   -u rsa_priv.pem -v sbk.key  --user_key usr_flash.key  jetson-xavier mmcblk0p1

The above steps execute successfully but the device cannot boot; only the Nvidia logo is shown on the screen.
Please help us to figure out the long existing issue. Thanks in advance.

Here are the fuse logs:
fuse_log (80.4 KB)

Here are the flash logs
flash_log (112.1 KB)


hello QOP,

let's start from your step 1.
Had you fused your Xavier platform before?
The --auth option means the authentication type of your current board; it's the command to let the script understand the details.
So, you should use --auth NS if you're using a non-fused target,

and...
you should actually burn the device according to your step 3.
Could you please run odmfuseread.sh to check the fuse variables?
thanks

Thanks, but when I continue to enable disk encryption it always shows a blank screen with the nvidia logo.
I followed these steps to achieve it:

1. Generate the EKS blob and replace the existing eks.img
sudo python3 gen_ekb.py -kek2_key kek2.key   -fv iv_hex_file  -in_sym_key usr_ekb.key  -in_sym_key2 ekb.key  -out eks.img
 cp eks.img Linux_for_Tegra/bootloader/
2. I use the default partition table in bootloader/t186ref/cfg/flash_t194_sdmmc_enc_rfs.xml
        <partition name="APP" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 4096 </align_boundary>
            <percent_reserved> 0 </percent_reserved>
            <unique_guid> APPUUID </unique_guid>
            <filename> system_boot.img </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined after
              `primary_gpt` so it can be accessed as the fixed known special device
              `/dev/mmcblk0p1`. </description>
        </partition>
        <partition name="APP_b" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 4096 </align_boundary>
            <percent_reserved> 0 </percent_reserved>
            <unique_guid> APPUUID_b </unique_guid>
            <filename> system_boot.img_b </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined after
              `primary_gpt` so it can be accessed as the fixed known special device
              `/dev/mmcblk0p2`. </description>
        </partition>
        <partition name="APP_ENC" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID </unique_guid>
            <filename> system_root_encrypted.img </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>
        <partition name="APP_ENC_b" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID_b </unique_guid>
            <filename> system_root_encrypted.img_b </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>

3. Update the board config file p2972-0000.conf.common; I just modified disk_enc_enable = 1

ODMDATA=0x9190000;
CHIPID=0x19;
EMMC_CFG=flash_t194_sdmmc.xml;
BOOTPARTSIZE=8388608;
EMMCSIZE=31276924928;
ITS_FILE=;
BPFDTB_FILE=tegra194-a01-bpmp-p2888-a01.dtb;
DTB_FILE=tegra194-p2888-0001-p2822-0000.dtb;
TBCDTB_FILE=tegra194-p2888-0001-p2822-0000.dtb;
ROOTFSSIZE=28GiB;
CMDLINE_ADD="console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 rootfstype=ext4";
target_board="t186ref";
... .....
rootfs_ab=0;
disk_enc_enable=1;
# Rootfs A/B:
if [[ "${ROOTFS_AB}" == 1 && "${ROOTFS_ENC}" == "" ]]; then
        rootfs_ab=1;
        EMMC_CFG=flash_t194_sdmmc_rootfs_ab.xml;
        ROOTFSSIZE=14GiB;
        SMDFILE="slot_metadata.bin.rootfsAB";
# Disk encryption support:
elif [[ "${ROOTFS_AB}" == "" && "${ROOTFS_ENC}" == 1 ]]; then
        disk_enc_enable=1;
        EMMC_CFG=flash_t194_sdmmc_enc_rfs.xml;
# Rootfs A/B + Disk encryption support:
elif [[ "${ROOTFS_AB}" == 1 && "${ROOTFS_ENC}" == 1 ]]; then
        rootfs_ab=1;
        disk_enc_enable=1;
        EMMC_CFG=flash_t194_sdmmc_enc_rootfs_ab.xml;
        ROOTFSSIZE=14GiB;
        SMDFILE="slot_metadata.bin.rootfsAB";
fi;

4. Run the flash script
sudo ROOTFS_ENC=1  ./flash.sh --sign -u rsa_priv.pem -v sbk.key -i ekb.key --user_key usr_flash.key jetson-xavier mmcblk0p1

The above steps execute successfully but the device cannot boot; only the Nvidia logo is shown on the screen.

And I also tried replacing the cboot as you said in the two topics Black Screen after enable SecureBOOT and disk encryption and Will not boot after enabling Security Boot (Jetson AGX Xavier) - #58 by JerryChang,
but that doesn't seem to work and even just shows a black screen without the logo.

Please help us to figure out the long existing issue. Thanks in advance.

hello QOP,

just for confirmation, are you able to enable secureBoot now?
Which JetPack release are you using? There's an issue with r32.5.1 when enabling disk encryption; please move to r32.6.1 or later to include the fixes.

thanks
Now I can enable secureBoot, and I use all these packages


You mean the bug has been fixed in the later version.
That leaves me confused as to why I can't boot from the encrypted disk.

I also consulted this topic Enabling disk encryption doesn't boot the device // Jetson Xavier NX // P3668-0001
and tried modifying the luks1 flash and the luks2 flash; all failed.
Oh, by the way, this is my info:
2022-04-08 16-43-42 screenshot

hello QOP,

could you please remove --sign from the command line?
please also review the keys; the user_key is specified in eks.img.
According to the documentation: gen_ekb generates eks.img, and the sym.key is the user_key; Trusty retrieves the user_key from eks.img and loads the key into keyslot_14 for decryption. When flashing, please use the --user_key option to specify the user_key.

BTW,
please refer to Topic 208615 to check that you've included these patches.
thanks
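A quick way to check the point above, added here as an example and not part of NVIDIA's tools: gen_ekb.py takes the symmetric user key as 32 hex characters (the usr_eks.key form shown earlier in this thread), while flash.sh --user_key takes the same 128-bit key as four 0x-prefixed words (the usr_flash.key form). If the two files do not hold the same value, Trusty loads one key into keyslot 14 while the rootfs was encrypted with another, and the board stops at the logo. The helper below converts between the two notations and checks that two key files agree; the function names and the sample key in its usage comment are constructed for this example.

```shell
#!/bin/sh
# Key-format helpers for the Jetson disk-encryption flow (example code, not
# from L4T). Two notations for one 128-bit key appear in this thread:
#   usr_eks.key   -> "b7e151628aed2a6abf7158809cf4f3c7"        (gen_ekb.py)
#   usr_flash.key -> "0xb7e15162 0x8aed2a6a 0xbf715880 0x9cf4f3c7" (flash.sh --user_key)
# (sample value constructed for illustration; do not reuse it)

# key_to_hex KEY: normalise either notation to 32 lowercase hex chars on stdout.
# Returns 1 if the result is not exactly 128 bits of hex.
key_to_hex() {
    hex=""
    for w in $1; do                 # word form splits on whitespace; hex form is one word
        w=${w#0x}; w=${w#0X}
        hex="$hex$w"
    done
    hex=$(printf '%s' "$hex" | tr 'A-F' 'a-f')
    [ ${#hex} -eq 32 ] || { echo "key is ${#hex} hex chars, expected 32" >&2; return 1; }
    case "$hex" in *[!0-9a-f]*) echo "key contains non-hex characters" >&2; return 1 ;; esac
    printf '%s\n' "$hex"
}

# hex_to_words KEY: render a key in the four-word form flash.sh --user_key expects.
hex_to_words() {
    h=$(key_to_hex "$1") || return 1
    printf '0x%s 0x%s 0x%s 0x%s\n' \
        "$(printf '%s' "$h" | cut -c1-8)"   "$(printf '%s' "$h" | cut -c9-16)" \
        "$(printf '%s' "$h" | cut -c17-24)" "$(printf '%s' "$h" | cut -c25-32)"
}

# keys_match KEY_A KEY_B: 0 if both denote the same 128-bit key, 1 otherwise.
keys_match() {
    a=$(key_to_hex "$1") || return 1
    b=$(key_to_hex "$2") || return 1
    [ "$a" = "$b" ]
}

# check_key_files EKS_KEY_FILE FLASH_KEY_FILE: compare the file given to
# gen_ekb.py -in_sym_key with the file given to flash.sh --user_key.
check_key_files() {
    keys_match "$(cat "$1")" "$(cat "$2")"
}

# new_key_hex: generate a fresh 128-bit key in the hex form (openssl if present,
# otherwise /dev/urandom). Pipe through hex_to_words for the flash.sh form.
new_key_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; echo
    fi
}

# Usage: sh keycheck.sh usr_eks.key usr_flash.key
if [ $# -eq 2 ]; then
    if check_key_files "$1" "$2"; then
        echo "OK: $1 and $2 hold the same key"
    else
        echo "MISMATCH: $1 and $2 differ; eks.img and the flashed rootfs will not agree" >&2
        exit 1
    fi
fi
```

Run it against the two key files before flashing; a mismatch here is cheaper to find than a 1-hour flash that ends at the boot logo. The same normalisation works for sbk.key, which flash.sh also takes in the four-word form.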

OK, I will try. There is one thing I want to know: which should I use in disk_encryption_helper.func, "luks1" or "luks2"?

# Add the LUKS header
	eval ${GEN_LUKS_PASS_CMD} | ${CRYPTSETUP_BIN} \
		--type luks1 \
		-c aes-cbc-essiv:sha256 \
		-s 128 \
		--uuid "${__rootfsuuid}" \
		luksFormat \
		${loop_dev};
	chkerr "Add LUKS header on ${__localsysfile} failed.";

please use luks1 to maintain backward compatibility, thanks
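To see which LUKS version and cipher the helper actually wrote, you can read the header of the produced image (for example bootloader/system_root_encrypted.img) directly, without cryptsetup or root. The script below is an added example, not part of L4T: it parses the fixed-offset LUKS1 header fields (magic, version, cipher name, cipher mode, hash, key size) and, for a LUKS2 header, reports only the version, since LUKS2 keeps its metadata in JSON after the binary header. The sample header builder writes a constructed header carrying the parameters from the snippet above (--type luks1, -c aes-cbc-essiv:sha256, -s 128) so the check can be tried offline.

```shell
#!/bin/sh
# luks_header_info IMAGE: report what is at the start of an encrypted rootfs
# image. LUKS1 fixed header layout (byte offsets):
#    0: magic "LUKS\xba\xbe"    6: version (u16 BE)    8: cipher-name[32]
#   40: cipher-mode[32]        72: hash-spec[32]      108: key-bytes (u32 BE)
# Prints "luks1 <cipher> <mode> <hash> <keybits>" or "luks<version>"; returns 1
# if there is no LUKS magic (e.g. the image was written unencrypted).
luks_header_info() {
    img=$1
    [ "$(dd if="$img" bs=1 count=4 2>/dev/null)" = "LUKS" ] || {
        echo "$img: no LUKS magic at offset 0" >&2; return 1; }
    set -- $(od -An -tu1 -j6 -N2 "$img")          # two big-endian version bytes
    version=$(( $1 * 256 + $2 ))
    [ "$version" -eq 1 ] || { echo "luks$version"; return 0; }
    cipher=$(dd if="$img" bs=1 skip=8  count=32 2>/dev/null | tr -d '\0')
    mode=$(dd if="$img" bs=1 skip=40 count=32 2>/dev/null | tr -d '\0')
    hash=$(dd if="$img" bs=1 skip=72 count=32 2>/dev/null | tr -d '\0')
    set -- $(od -An -tu1 -j108 -N4 "$img")        # key-bytes, big-endian u32
    keybits=$(( ($1 * 16777216 + $2 * 65536 + $3 * 256 + $4) * 8 ))
    echo "luks1 $cipher $mode $hash $keybits"
}

# make_sample_luks1_header OUT: write a constructed (not real) 112-byte LUKS1
# header with the values cryptsetup stores for --type luks1
# -c aes-cbc-essiv:sha256 -s 128: cipher "aes", mode "cbc-essiv:sha256",
# hash "sha256", key-bytes 16. Only for exercising the parser offline.
make_sample_luks1_header() {
    {
        printf 'LUKS\272\276\000\001'                       # magic + version 1
        printf '%-32s' 'aes'              | tr ' ' '\000'   # cipher-name, NUL padded
        printf '%-32s' 'cbc-essiv:sha256' | tr ' ' '\000'   # cipher-mode
        printf '%-32s' 'sha256'           | tr ' ' '\000'   # hash-spec
        printf '\000\000\020\000'                           # payload-offset: 4096 sectors
        printf '\000\000\000\020'                           # key-bytes: 16 (128-bit)
    } > "$1"
}

# Usage: sh luks_check.sh bootloader/system_root_encrypted.img
if [ $# -eq 1 ]; then
    luks_header_info "$1"
fi
```

On a real image produced with the luks1 branch you should see "luks1 aes cbc-essiv:sha256 sha256 128"; "luks2" means the header was built by the other branch and an older cryptsetup in the initrd may not open it, which is the backward-compatibility concern raised above.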

hello
I tried to use the command:

sudo ROOTFS_ENC=1  ./flash.sh -u rsa_priv.pem -v sbk.key -i ekb.key jetson-xavier mmcblk0p1

It can't boot and shows this:


Is the reason that I don't use "user_key" resulting in the error?
By the way, why does flashing with disk encryption take so much time every time, almost 1.2 hours? Is that a normal condition?
And I am flashing with your suggestion "could you please remove --sign in the command-line?"
It can't boot, just shows the nvidia logo.

hello JerryChang
I found the reason why I can't boot: I changed the iv_hex_file rather than using your default value.
Now I can boot, but two new issues have arisen:
1. In what case can I modify the iv_hex_file to get an eks.img?
2. What is the passphrase to unlock crypt_root and crypt_UDA?


thanks

Looks like the further discussion is in the topic:
Disk Encryption of External sda in jatson AGX xavier(RS32.7.1 js4.6.1)
