EKB problem - what does this mean?

Robotics & Edge Computing Jetson & Embedded Systems Jetson Orin Nano
1

Hi,

I successfully fused an Orin Nano devkit (SBK, PKC, OEM_K1/2, KDK) using a config file similar to the one at the end of this post. Then, I created an EKB with uefi variables authentication key, correct fixed vector, OEM_K1 and the two sym keys using the example.sh script from here and flashed the device.
I can successfully boot and see “EFI stub: UEFI Secure Boot is enabled.” before Linux boots up.

But there is a bunch of error message during boot which confuses me.
Can someone please tell me what goes wrong?

NOTICE: BL31: v2.6(release):l4t-r35.5.0
NOTICE: BL31: Built : 2024-02-20 04:11:16
[ 2.662094] Camera-FW on t234-rce-safe ready SHA1=55ecd57d (crt 13.131 ms, total boot 308.597 ms)
I/TC: Physical secure memory base 0x27c040000 size 0x3fc0000
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.22 (gcc version 11.4.0 (GCC)) #1 Tue Feb 20 04:38:03 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check Porting guidelines — OP-TEE documentation documentation
I/TC: Primary CPU initializing
M/TC: engine AES0 engine AES/RNG AES DONE: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) AES DONE: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
M/TC: engine AES0 engine AES/RNG AES DONE: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) AES DONE: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
E/TC:00 00 hwkey_derivation_process:369 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)

Fuse config file:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x12547fdeab4387b000e20f12547fdeab4387b000e20f12547fdeab4387b000e20f12547fdeab4387b000e20f12547fdeab4387b000e20f12547fdeab4387b000"/>
    <fuse name="PkcPubkeyHash1" size="64" value="0x54654984a656546ffec5b654654e654654f654654d654e654f65421a054654984a656546ffec5b654654e654654f654654d654e654f65421a054654984a65654"/>
    <fuse name="PkcPubkeyHash2" size="64" value="0x12345678901234567890b654654e654654f654654d654e654f65421a054654984a656546ffec5b654654e654654f654654d654e654f65421a054654984a65651"/>
    <fuse name="SecureBootKey" size="32" value="0x123456789012345678901234567890123456789012345678901234567890e34f"/>
    <fuse name="OemK1" size="32" value="0x123456789012345678901234567890123456789012345678901234567890e34f"/>
    <fuse name="OemK2" size="32" value="0x123456789012345678901234567890123456789012345678901234567890e34f"/>
    <fuse name="Kdk0" size="32" value="0x123456789012345678901234567890123456789012345678901234567890e34f"/>
    <fuse name="PscOdmStatic" size="4" value="0x60"/>     <!-- OEM_K1 to “encrypt” and OEM_K2 to “KDK(key derive)" -->
    <fuse name="OptInEnable" size="4" value="0x1"/>       <!-- enable rollback protection -->
    <fuse name="BootSecurityInfo" size="4" value="0x2A09"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>      <!-- enable Secure Boot --> 
    <fuse name="OdmLock" size="4" value="0x1"/>           <!-- prevent burning further ODM fuses -->
</genericfuse>
3

hello business37,

let’s narrow down the issue,
could you please exclude UEFI SecureBoot to confirm you’re able to boot-up the target.
thanks

4

I did flash with UEFI Secureboot enabled, it successfully boots, still I see the error:

I> MB2 finished

NOTICE: BL31: v2.6(release):l4t-r35.5.0
NOTICE: BL31: Built : 2024-02-20 04:11:16
[ 2.655244] Camera-FW on t234-rce-safe ready SHA1=55ecd57d (crt 13.128 ms, total boot 308.623 ms)
I/TC: Physical secure memory base 0x27c040000 size 0x3fc0000
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.22 (gcc version 11.4.0 (GCC)) #1 Tue Feb 20 04:38:03 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check Porting guidelines — OP-TEE documentation documentation
I/TC: Primary CPU initializing
M/TC: engine AES0 engine AES/RNG AES DONE: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) AES DONE: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
M/TC: engine AES0 engine AES/RNG AES DONE: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) AES DONE: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
E/TC:00 00 hwkey_derivation_process:369 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)
I/TC: Primary CPU switching to normal world boot
Jetson UEFI firmware (version v35.5.0 built on 2024-02-26T13:44:31+00:00)

5

hello business37,

it’s error of hwkey-agent TA/CA,
please refer to Secure Samples section for the diagram which gives an overview of secure sample applications.

since it’s fused board, please double check you’ve follow Tool for EKB Generation to include all your OEM_K1, and also add the UEFU auth key to create/update new EKB image correctly.

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.