Cant boot after enable Security Boot(Jetson AGX Xavier)

Robotics & Edge Computing Jetson & Embedded Systems Jetson AGX Xavier
, ,
4

Thanks , but when i continue to enable disk ecryption .Always showing a blank screen with nvidia logo.
I followed following steps to achieve it;

  1. Generate EKS blob and replace with the existing eks.img 
sudo python3 gen_ekb.py -kek2_key kek2.key   -fv iv_hex_file  -in_sym_key usr_ekb.key  -in_sym_key2 ekb.key  -out eks.img
 cp eks.img Linux_for_Tegra/bootloader/
  1. I use the default partition table on bootloader/t186ref/cfg/flash_t194_sdmmc_enc_rfs.xml
<partition name="APP" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 4096 </align_boundary>
            <percent_reserved> 0 </percent_reserved>
            <unique_guid> APPUUID </unique_guid>
            <filename> system_boot.img </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined after
              `primary_gpt` so it can be accessed as the fixed known special device
              `/dev/mmcblk0p1`. </description>
        </partition>
        <partition name="APP_b" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 4096 </align_boundary>
            <percent_reserved> 0 </percent_reserved>
            <unique_guid> APPUUID_b </unique_guid>
            <filename> system_boot.img_b </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined after
              `primary_gpt` so it can be accessed as the fixed known special device
              `/dev/mmcblk0p2`. </description>
        </partition>
 <partition name="APP_ENC" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID </unique_guid>
            <filename> system_root_encrypted.img </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>
        <partition name="APP_ENC_b" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID_b </unique_guid>
            <filename> system_root_encrypted.img_b </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>

3.Update board config file p2972-0000.conf.common ;I just modify the disk_enc_enable = 1

ODMDATA=0x9190000;
CHIPID=0x19;
EMMC_CFG=flash_t194_sdmmc.xml;
BOOTPARTSIZE=8388608;
EMMCSIZE=31276924928;
ITS_FILE=;
BPFDTB_FILE=tegra194-a01-bpmp-p2888-a01.dtb;
DTB_FILE=tegra194-p2888-0001-p2822-0000.dtb;
TBCDTB_FILE=tegra194-p2888-0001-p2822-0000.dtb;
ROOTFSSIZE=28GiB;
CMDLINE_ADD="console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 rootfstype=ext4";
target_board="t186ref";
... .....
rootfs_ab=0;
disk_enc_enable=1;
# Rootfs A/B:
if [[ "${ROOTFS_AB}" == 1 && "${ROOTFS_ENC}" == "" ]]; then
        rootfs_ab=1;
        EMMC_CFG=flash_t194_sdmmc_rootfs_ab.xml;
        ROOTFSSIZE=14GiB;
        SMDFILE="slot_metadata.bin.rootfsAB";
# Disk encryption support:
elif [[ "${ROOTFS_AB}" == "" && "${ROOTFS_ENC}" == 1 ]]; then
        disk_enc_enable=1;
        EMMC_CFG=flash_t194_sdmmc_enc_rfs.xml;
# Rootfs A/B + Disk encryption support:
elif [[ "${ROOTFS_AB}" == 1 && "${ROOTFS_ENC}" == 1 ]]; then
        rootfs_ab=1;
        disk_enc_enable=1;
        EMMC_CFG=flash_t194_sdmmc_enc_rootfs_ab.xml;
        ROOTFSSIZE=14GiB;
        SMDFILE="slot_metadata.bin.rootfsAB";
fi;
  1. Run flash script
sudo ROOTFS_ENC=1  ./flash.sh --sign -u rsa_priv.pem -v sbk.key -i ekb.key --user_key usr_flash.key jetson-xavier mmcblk0p1

The above steps excute successfully but cannot boot . only Nvidia logo showed in the screen

add i also try to replace the cboot as u said in the two topics Black Screen after enable SecureBOOT and disk encryption and Will not boot after enabling Security Boot (Jetson AGX Xavier) - #58 by JerryChang
but that’s seems no work and even just show black screen without logo

Please help us to figure out the long existing issue. Thanks in advance.