Enabling disk encryption and secureboot on internal device 36.3

Hello,

I'm trying to flash the Jetson Orin AGX 36.3 devkit with both secureboot and disk encryption enabled for my internal disk. I'm using this command; is it the correct one:

sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit internal

The flash is working, but the screen after boot is black.

For more context this is the error that I get during the boot:
Jetson System firmware version 36.3.0-gcid-36191598 date 2024-05-06T16:58:59+00:00
ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
OpenAndReadFileToBuffer: \boot\initrd failed signature verification: Security Violation
ExtLinuxBoot:sds Failed to Authenticate \boot\initrd (Security Violation)
L4TLauncher: Unable to boot via extlinux: Security Violation
L4TLauncher: Attempting Kernel Boot
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
ReadEncryptedImage: Failed to read data from partition
OpteeDecryptImage: Failed to read data
ReadAndroidStyleKernelPartition: OpteeDecryptImage failed
Failed to boot kernel:0 partition
Shutdown state requested 1

I've already shared in other posts the steps that I followed to enable secureboot and sign the payloads. This is getting annoying because I don't know why the boot fails to verify the initrd signature; this is literally the first boot of the Jetson, and I didn't change any payload.

Hi elhamriothman,

I think we can just discuss this similar issue in one topic.
Please let me check your log and try if we can reproduce the same issue locally.

Alright Kevin, I'm kind of in a hurry, but I appreciate the fast response. Good luck!

Replied in another topic for you.

Hey Kevin, I still can't figure out how to enable disk encryption and UEFI secureboot at the same time. Did you manage to find anything on your side?

Again here is the command that I used:

sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit internal

To enable disk-encryption, you can just add ROOTFS_ENC=1 in your flash command.

To enable UEFI secureboot, please refer to the Enabling UEFI Secureboot at Flashing Time about the example for AGX Orin.

That's what I did: sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit internal

I don't see you specifying a PKC/SBK key in this command.

Yes, I'm only interested in UEFI secureboot; that's why I'm not using a PKC/SBK key in the command.

It seems you’ve enabled UEFI secureboot successfully as you mentioned in Jetson AGX Orin, updating image while secureboot active not working [36.3/ devkit] - #12 by elhamriothman

I did, but I can't seem to flash the Jetson Orin with both UEFI secureboot and disk encryption at the same time. How do you do that? I can't seem to find it in the Jetson documentation.

Do you mean that you can enable either UEFI secureboot or disk encryption, but you cannot enable them at the same time?

If you enable both of them, then it fails to boot. Is my understanding correct?

Is there any error during flash?

Yes indeed.

I've checked internally, and it seems there's a UEFI secureboot issue in R36.3.

Ok, so for now I can't combine UEFI secureboot with disk encryption.

Correct! We are still working on the UEFI secureboot issue in Jetpack 6.

BTW,
please refer to Generate Signed UEFI Payloads.
Please double check that all of your UEFI payloads have been signed with the UEFI security keys.

1 Like
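One way to do that "double check" before flashing is to verify, on the host, that each payload under the rootfs /boot has a detached signature that validates against the db certificate. This is an added example, not code from the thread or from NVIDIA's tooling; it assumes the payload names (extlinux/extlinux.conf, initrd, Image), the sidecar `<payload>.sig` layout and the detached DER `openssl cms` signing scheme described in the Generate Signed UEFI Payloads documentation, and the db certificate path is whatever your uefi_keys.conf points at.

```shell
#!/bin/sh
# Added example: check that every UEFI payload in a /boot tree carries a
# detached CMS signature that verifies against the secure boot db cert.
set -eu

# verify_payloads <boot_dir> <db_cert>
# Returns 0 only if every payload has a .sig that validates against db_cert.
verify_payloads() {
    boot_dir=$1; db_cert=$2; rc=0
    for name in extlinux/extlinux.conf initrd Image; do   # assumed payload set
        payload="$boot_dir/$name"; sig="$payload.sig"
        if [ ! -f "$payload" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        if [ ! -f "$sig" ]; then
            echo "UNSIGNED $name (no $name.sig)"; rc=1; continue
        fi
        # Detached DER signature over the raw bytes; the signer cert embedded in
        # the CMS must chain to the db cert, which is what the firmware enforces.
        if openssl cms -verify -binary -inform der -in "$sig" -content "$payload" \
               -CAfile "$db_cert" -out /dev/null 2>/dev/null; then
            echo "OK       $name"
        else
            echo "BAD SIG  $name"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture (not real Jetson artefacts): a throwaway db key/cert and
# a fake /boot tree, signed the same way, so the check can be exercised offline.
make_fixture() {
    dir=$(mktemp -d); mkdir -p "$dir/boot/extlinux"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-db \
        -keyout "$dir/db.key" -out "$dir/db.crt" 2>/dev/null
    echo "LABEL primary" > "$dir/boot/extlinux/extlinux.conf"
    echo "constructed-initrd" > "$dir/boot/initrd"
    echo "constructed-Image" > "$dir/boot/Image"
    for f in extlinux/extlinux.conf initrd Image; do
        openssl cms -sign -signer "$dir/db.crt" -inkey "$dir/db.key" -binary \
            -in "$dir/boot/$f" -outform der -out "$dir/boot/$f.sig"
    done
    echo "$dir"
}

# Real use: verify_payloads <rootfs>/boot uefi_keys/db.crt   (paths are assumptions)
```

A payload that is present but unsigned, or whose bytes changed after signing, is reported and makes the function return non-zero, which is the host-side equivalent of the "failed signature verification: Security Violation" line in the boot log.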

Ok, thank you so much for the information.
