Enabling UEFI Secureboot JP 5.1 L4T 35.2.1


After preparing the keys according to this guide and flashing the Tegra Linux Sample Rootfs to the Xavier AGX devkit using the
sudo ./flash.sh -u pkc/pkc --uefi-keys uefi_keys/uefi_keys.conf jetson-xavier mmcblk0p1
command, I noticed that UEFI Secureboot was not enabled.

Boot log after flash.sh:

Jetson UEFI firmware (version 2.1-32413640 built on 2023-01-24T23:12:27+00:00)
ESC   to enter Setup.
F11   to enter Boot Manager Menu.
Enter to continue boot.
**  WARNING: Test Key is used.  **

EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: Security Violation

      L4TLauncher: Attempting Direct Boot
EFI stub: Booting Linux Kernel...
EFI stub: Using DTB from configuration table
EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
EFI stub: Exiting boot services and installing virtual address map...

I also tried to enable it through UEFI Utilities with no success:

user@jetson:~$ sudo efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot
GUID: 8be4df61-93ca-11d2-aa0d-00e098032b8c
Name: "SecureBoot"
	Boot Service Access
	Runtime Service Access
00000000  00                                                |.               |

user@jetson:~$ sudo efi-updatevar -f uefi_keys/_out/db_1.auth db
Failed to update db: Read-only file system

Could you guide me on how to enable UEFI Secureboot?

Still having the issue. Do you have any feedback?

Hello nazaraa,

It's a known issue with enabling secureboot from UEFI on the r35.2.1 release version.

Here's the UEFI change, i.e.
dc1bb4fcc83f97f3f0500096d5b4274e43ea8def, which has a fix to allow secure boot enablement on the AGX Xavier platform.

You may update the binary to include this change, or please expect that the next public release will address this issue.

Hello, JerryChang,

It works.
Thank you!
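
A check for confirming the state after reflashing, added here as an example and not part of any post in the thread: it reads SecureBoot and SetupMode directly from efivarfs, skipping the 4-byte attribute prefix, and classifies the result. The function names, the sample files and the SetupMode value used in the sample are constructed for illustration.

```shell
#!/bin/sh
# EFI global variable GUID, as shown in the efivar output in the thread.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte DIR NAME: print the first data byte of an efivarfs file in
# decimal. efivarfs stores a 4-byte attribute word before the value, so the
# payload starts at offset 4.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# secureboot_state [DIR]: classify the platform state.
#   enforcing  : SecureBoot=1
#   setup-mode : SecureBoot=0, SetupMode=1 (no platform key enrolled)
#   disabled   : SecureBoot=0, SetupMode=0 (keys enrolled, not enforced)
#   unknown    : a variable is missing or unreadable
secureboot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot 2>/dev/null) || sb=""
    sm=$(efivar_byte "$dir" SetupMode 2>/dev/null) || sm=""
    case "$sb:$sm" in
        1:*) echo enforcing ;;
        0:1) echo setup-mode ;;
        0:0) echo disabled ;;
        *)   echo unknown ;;
    esac
}

# make_sample DIR NAME VALUE: write a constructed efivarfs-style file:
# attributes 0x00000006 (Boot Service + Runtime access), then one data byte.
make_sample() {
    printf '\006\000\000\000' > "$1/$2-$EFI_GLOBAL_GUID"
    printf "\\$(printf '%03o' "$3")" >> "$1/$2-$EFI_GLOBAL_GUID"
}

# Constructed sample matching the thread's SecureBoot value (00); the
# SetupMode value is an assumption, the thread does not show it.
sample=$(mktemp -d)
make_sample "$sample" SecureBoot 0
make_sample "$sample" SetupMode 1
echo "sample: $(secureboot_state "$sample")"
echo "live:   $(secureboot_state)"
rm -rf "$sample"
```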
