Hi,
I am using version 36.4.4 on a custom Jetson Orin NX 16G board and I want to enable Secure Boot for my board. I have generated the PKC and SBK keys as per the instructions, then generated the massflash package with this command:
sudo BOARDID=3767 FAB=300 BOARDSKU=0000 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash -u <pkc_private_keyfile> -v <sbk_keyfile> --massflash 5 --external-device sda1 -S 16GiB -c tools/kernel_flash/flash_l4t_external.xml -p "-c bootloader/generic/cfg/flash_t234_qspi.xml --no-systemimg" --network usb0 combox-orin-nx-16G external
And the error:
[ 4.8288 ] INFO: compressing nvpva_020_aligned.fw
[ 4.8587 ] INFO: complete compression, nvpva_020_aligned.fw, ratio = 2%
[ 4.8609 ] adding BCH for nvpva_020_aligned_blob_w_bin_aligned.fw
[ 4.8781 ] tegrasign_v3.py --file mb1_t234_prod_aligned_sigheader.bin --key /mnt/update_firmware/sources_build_3644/combox_r36_4_4/secure_keys/SBK/sbk_CB.key --kdf kdf_file=mb1_t234_prod_aligned_sigheader_kdf.yaml
[ 4.8814 ] Perform key derivation on mb1_t234_prod_aligned_sigheader.bin
[ 4.9063 ] Key is a SBK key
[ 4.9063 ] Key Size is 16 bytes
[ 4.9090 ] Performing aes-gcm encryption
[ 4.9102 ] --key b1209c6746381d0e8128c742aa917b95125eb8c973e45f44f8c6c982daa111f1
[ 4.9116 ] --iv 922ef1e81a6be2b4f5a5ac43
[ 4.9121 ] --aad 4d4231429030040000000050000000500104010000000000000000000000000490300400000000000000000000000000361a2ece568c973fbde359678e6b801e00000000922ef1e81a6be2b4f5a5ac43
[ 4.9205 ] Sha saved in mb1_t234_prod_aligned_sigheader_tmp0_encrypt.sha
[ 4.9150 ] tegraparser_v2 --pt flash.xml.bin --update_part_filename A_mb1 mb1_bootloader mb1_t234_prod_aligned_sigheader_encrypt.bin
[ 4.9167 ] INFO: updated file for <A_mb1 mb1_bootloader mb1_t234_prod_aligned_sigheader_encrypt.bin> successfully
[ 4.9196 ] tegraparser_v2 --pt flash.xml.bin --update_part_filename B_mb1 mb1_bootloader mb1_t234_prod_aligned_sigheader_encrypt.bin
[ 4.9217 ] INFO: updated file for <B_mb1 mb1_bootloader mb1_t234_prod_aligned_sigheader_encrypt.bin> successfully
[ 4.9341 ] tegrasign_v3.py --file psc_bl1_t234_prod_aligned_sigheader.bin --key /mnt/update_firmware/sources_build_3644/combox_r36_4_4/secure_keys/SBK/sbk_CB.key --kdf kdf_file=psc_bl1_t234_prod_aligned_sigheader_kdf.yaml
[ 4.9368 ] Perform key derivation on psc_bl1_t234_prod_aligned_sigheader.bin
[ 4.9613 ] Key is a SBK key
[ 4.9613 ] Key Size is 16 bytes
[ 4.9640 ] Performing aes-gcm encryption
[ 4.9650 ] --key fd17d3eeae1f62c97c5be1b53909b311909f756ba758fb8e71dab095fb8a8e06
[ 4.9668 ] --iv 2597303a81c18039f560ebda
[ 4.9668 ] --aad 5053434230c1010000001200000412000603020000000000000000000000000430c1010000000000000000000000000034c47235ac96ab37647892bc4a794bbc000000002597303a81c18039f560ebda
[ 4.9720 ] Sha saved in psc_bl1_t234_prod_aligned_sigheader_tmp0_encrypt.sha
[ 4.9667 ] tegraparser_v2 --pt flash.xml.bin --update_part_filename A_psc_bl1 psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin
[ 4.9686 ] INFO: updated file for <A_psc_bl1 psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin> successfully
[ 4.9718 ] tegraparser_v2 --pt flash.xml.bin --update_part_filename B_psc_bl1 psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin
[ 4.9743 ] INFO: updated file for <B_psc_bl1 psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin> successfully
[ 4.9743 ]
[ 4.9860 ] tegrasign_v3.py --file tsec_t234_sigheader.bin --key /mnt/update_firmware/sources_build_3644/combox_r36_4_4/secure_keys/SBK/sbk_CB.key --kdf kdf_file=tsec_t234_sigheader_kdf.yaml
[ 4.9891 ] Perform key derivation on tsec_t234_sigheader.bin
[ 5.0139 ] Key is a SBK key
[ 5.0139 ] Key Size is 16 bytes
[ 5.3680 ] Traceback (most recent call last):
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 2216, in do_key_derivation
    return do_kdf_oem_enc(kdf_list, p_key, blockSize)
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 1619, in do_kdf_oem_enc
    if (do_kdf_oem(params_slist, params, kdf_list, p_key, blockSize, p_key.kdf.compress, dk_ctx) == False):
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 1869, in do_kdf_oem
    ret_str = run_command(command)
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_util.py", line 719, in run_command
    raise tegrasign_exception('Return value = ' + str(return_code) +
tegrasign_v3_util.tegrasign_exception: 'Return value = -11 . Command = tegraopenssl --kdfoem /mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/v3_aeskdf_462999.raw'
[ 5.3685 ] Traceback (most recent call last):
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 2216, in do_key_derivation
    return do_kdf_oem_enc(kdf_list, p_key, blockSize)
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 1619, in do_kdf_oem_enc
    if (do_kdf_oem(params_slist, params, kdf_list, p_key, blockSize, p_key.kdf.compress, dk_ctx) == False):
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 1869, in do_kdf_oem
    ret_str = run_command(command)
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_util.py", line 719, in run_command
    raise tegrasign_exception('Return value = ' + str(return_code) +
tegrasign_v3_util.tegrasign_exception: 'Return value = -11 . Command = tegraopenssl --kdfoem /mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/v3_aeskdf_462999.raw'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3.py", line 586, in tegrasign
    if (do_key_derivation(p_keylist[0], kdf_list, internal["--block"]) != True):
  File "/mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegrasign_v3_internal.py", line 2232, in do_key_derivation
    raise tegrasign_exception("Unknown %s requested for key derivation encryption. Error %s" %(p_key.src_file, str(e)))
tegrasign_v3_util.tegrasign_exception: "Unknown tsec_t234_sigheader.bin requested for key derivation encryption. Error 'Return value = -11 . Command = tegraopenssl --kdfoem /mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/v3_aeskdf_462999.raw'"
[ 5.3685 ] Encounter exception when signing
[ 5.3685 ] "Unknown tsec_t234_sigheader.bin requested for key derivation encryption. Error 'Return value = -11 . Command = tegraopenssl --kdfoem /mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/v3_aeskdf_462999.raw'"
I tested by running tegraopenssl without any input file and it works:
./bootloader/tegraopenssl --kdfoem /dev/null
=> File reading failed
But when there is an input file it crashes:
ubuntu@ubuntu:/mnt/update_firmware/sources_build_3644/combox_r36_4_4$ sudo bootloader/tegraopenssl --kdfoem bootloader/v3_aeskdf_462999.raw
Segmentation fault
ubuntu@ubuntu:/mnt/update_firmware/sources_build_3644/combox_r36_4_4$
I checked with gdb and it crashes in EVP_MD_CTX_reset():
ubuntu@ubuntu:/mnt/update_firmware/sources_build_3644/combox_r36_4_4$ sudo gdb --args bootloader/tegraopenssl --kdfoem bootloader/v3_aeskdf_462999.raw
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bootloader/tegraopenssl...
(gdb) run
Starting program: /mnt/update_firmware/sources_build_3644/combox_r36_4_4/bootloader/tegraopenssl --kdfoem bootloader/v3_aeskdf_462999.raw
Program received signal SIGSEGV, Segmentation fault.
0x0807386d print EVP_MD_CTX_reset()
(gdb) bt
#0 0x0807386d print EVP_MD_CTX_reset()
#1 0x0807b0ac in hmac_ctx_cleanup()
#2 0x0807b4a6 print HMAC_CTX_free()
#3 0x0804c068 in nv_hmac_sha256 ()
#4 0x0804a20a in main()
Now, how can I solve this problem?
Thanks