Device does not boot after enabling uefi keys

weylerstefan · August 28, 2025, 12:35pm

Hi,

currently I am running these command to successfully flash a jetson orin nano super, with a signed bootloader, rootfs encryption as well as a/b boot enabled:

$ sudo ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash -u ./ecp256.pem -v ./sbk.key  --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit-super internal  

$ sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u ./ecp256.pem -v ./sbk.key --showlogs --no-flash --external-device nvme0n1p1 -i "./sym2_t234.key"  -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml --external-only  -p "-T 240000000" --append --network usb0 jetson-orin-nano-devkit external 

$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u ./ecp256.pem -v ./sbk.key --network usb0 --flash-only

However, when I add the uefi_keys.conf file to the command after generating the UefiDefaultSecurityKeys.dtbo - I get the following error in the serial console:

…��I/TC: Reserved shared memory is disabledI/TC: Dynamic shared memory is 
enabledI/TC: Normal World virtualization support is disabledI/TC: Asynchronous 
notifications are disabled��L4TLauncher: Attempting Recovery Boot��E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:  
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:  
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:  
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA: 
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007E/TA:   
decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007UEFI 
Interactive Shell v2.2
EDK II
UEFI v2.70 (EDK II, 0x00010000)
Mapping table
FS2: Alias(s):HD2b:;BLK1:….

The device will boot into the Boot Shell. These are the used flashing commands:

sudo ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash -u ./ecp256.pem -v ./sbk.key --uefi-keys ./uefi_keys.conf --showlogs -p “-c bootloader/generic/cfg/flash_t234_qspi.xml” jetson-orin-nano-devkit-super internal

sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u ./ecp256.pem -v ./sbk.key --uefi-keys ./uefi_keys.conf --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key  -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml --external-only  -p “-T 240000000” --append --network usb0 jetson-orin-nano-devkit external

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u ./ecp256.pem -v ./sbk.key --uefi-keys ./uefi_keys.conf  --network usb0 --flash-only

The fuses: PublicKeyHash, SecureBootKey, OemK1 and BootSecurityInfo “0x3EA” have been burned. All flashing commands seem to complete successfully.

Help is greatly appreciated.

carolyuu · August 28, 2025, 12:49pm

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, it appears that you are trying to flash a Jetson Orin Nano Super with a signed bootloader, rootfs encryption, and A/B boot enabled, using the flash.sh command. However, when you add the uefikeys.conf file to the command, you encounter an error in the serial console, causing the device to boot into the Boot Shell.

To troubleshoot this issue, let’s break down the flashing commands and the error message:

Flashing commands:
- sudo ROOTFS_ENC=1 ./flash.sh -i "./ekb.key" jetson-orin-nano-devkit mmcblk0p1
- sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" -i ./ekb.key --no-flash jetson-orin-nano-devkit internal
- sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs --no-flash --external-device nvme0n1p1 -S 16GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append -i ./ekb.key jetson-orin-nano-devkit external
- sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs --flash-only
Error message:
- The device boots into the Boot Shell, indicating a failure in the flashing process.

Comparing the flashing commands, we can see that the first command uses the flash.sh script, while the subsequent commands use the l4t_initrd_flash.sh script. The uefikeys.conf file is not mentioned in the first command, but it is likely being used in the subsequent commands.

To resolve the issue, you can try the following:

Verify that the uefikeys.conf file is correctly generated and formatted.
Check that the UefiDefaultSecurityKeys.dtbo file is correctly generated and formatted.
Ensure that the uefikeys.conf file is being used correctly in the flashing commands.
Try removing the uefikeys.conf file from the flashing commands and see if the device boots successfully.
If the device boots successfully without the uefikeys.conf file, try re-generating the UefiDefaultSecurityKeys.dtbo file and re-adding the uefikeys.conf file to the flashing commands.

Additionally, you can refer to the Jetson Linux Developer Guide for more information on configuring UEFI secure boot and using the uefikeys.conf file.

In comparison to other similar issues, such as the one mentioned in the context (“[Orin Nano NVME] SKU 003 Enable UEFI secure boot by OTA from 35.5.0 to 35.6.0”), it appears that the issue is specific to the use of the uefikeys.conf file and the flashing commands. Therefore, the solution will likely involve modifying the flashing commands or the uefikeys.conf file to resolve the issue.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

weylerstefan · August 28, 2025, 3:04pm

I can only repeat myself.. just like in my last request:

Unfortunately I think the LLM is hallucinating or not reading correctly.

“first command uses the flash.sh" → not true

I think answers from llms should be reviewed by internal staff before posting. Making the end user reviewing it is not the right approach. The answer does not give any new information or hints on the issue at hand.

JerryChang · August 29, 2025, 2:24am

hello weylerstefan,

may I know what keys you’ve used for UEFI Secure Boot?
for instance, please refer to Prepare the PK, KEK, db Keys, they’re using RSA2048.

BTW, you may see-also Topic 330638.
we’ve verified UEFI Secureboot + Disk Encryption + Rootfs-AB on Orin Nano/r36.4.3

weylerstefan · August 29, 2025, 10:03am

Hi Jerry - i went by the docs. So what I did is this:

cd to <LDK_DIR>
mkdir uefi_keys
cd uefi_keys
GUID=$(uuidgen)

openssl req -newkey rsa:2048 -nodes -keyout PK.key  -new -x509 -sha256 -days 3650 -subj “/CN=my Platform Key/” -out PK.crtcert-to-efi-sig-list -g “${GUID}” PK.crt PK.esl

openssl req -newkey rsa:2048 -nodes -keyout KEK.key  -new -x509 -sha256 -days 3650 -subj “/CN=my Key Exchange Key/” -out KEK.crtcert-to-efi-sig-list -g “${GUID}” KEK.crt KEK.esl

openssl req -newkey rsa:2048 -nodes -keyout db_1.key  -new -x509 -sha256 -days 3650 -subj “/CN=my Signature Database key/” -out db_1.crtcert-to-efi-sig-list -g “${GUID}” db_1.crt db_1.esl

openssl req -newkey rsa:2048 -nodes -keyout db_2.key  -new -x509 -sha256 -days 3650 -subj “/CN=my another Signature Database key/” -out db_2.crtcert-to-efi-sig-list -g “${GUID}” db_2.crt db_2.esl

I am just guessing, but I can see that in your tests, you didn’t fuse the board before. So maybe fusing does not work in combination with UEFI Secureboot + Disk Encryption + Rootfs-AB?

Or there might be a Bug in Version 36.4.4? Thats the version I am using.

JerryChang · September 1, 2025, 1:56am

hello weylerstefan,

please setup serial console to gather the complete UART logs for reference.

weylerstefan · September 1, 2025, 12:08pm

Tested with an unfused board and repeatet the steps (using the default oem1key for the eks image. And got the same result. So it must have todo with me creating the wrong uefi keys.

logs.txt (41.5 KB)

JerryChang · September 2, 2025, 3:03am

hello weylerstefan,

L4TLauncher cannot detect whether UEFI payload encryption is enabled.
if the EKS contains the UEFI payload encryption key and UEFI secure boot is enabled, L4TLauncher will assume that UEFI payload encryption is enabled and will attempt to decrypt the UEFI payloads.

let’s provide UEFI variable authentication key (auth_t234.key) to re-create EKS image.
otherwise UEFI will block the booting.

weylerstefan · September 2, 2025, 2:01pm

Got it to work with providing —uefi-enc parameter, thx.

Topic		Replies	Views
UEFI Secure Boot fails flashing Jetson AGX Orin security	9	275	December 18, 2024
Orin Nano Devkit showing error during boot Jetson Orin Nano boot , board-design	2	178	May 22, 2024
SecureBoot on Jetson Orin : Flash Successfull but uefi firmware error Jetson Orin NX security	5	114	February 4, 2025
Orin NX UEFI can't enroll keys Jetson Orin NX security	12	786	February 29, 2024
UEFI booting failed Jetson Orin Nano uefi	12	223	October 14, 2024
[L4T 35.4.1] How to get both UEFI SecureBoot and burning software fuses Jetson Orin Nano security	7	392	May 22, 2024
How to flash UEFI firmware uefi_jetson.bin Jetson Orin Nano uefi	5	474	November 5, 2024
UEFI payload encryption on Orin Nano dev kit Jetson Orin Nano security	9	1146	October 25, 2023
Enabling disk encryption and secureboot on internal device 36.3 Jetson AGX Orin security	19	471	July 5, 2024
Jetson Orin Nano Building the miniUEFI Jetson Orin Nano uefi	3	56	March 31, 2025

Device does not boot after enabling uefi keys

Related topics