I am attempting to flash the JP36.3 to my Orin AGX with UEFI payload signing and encrypting enabled.
I use the following command line:
sudo ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc /home/default_keys/nvidia-jetson-optee-source/optee/samples/hwkey-agent/host/tool/gen_ekb/sym_t234.key jetson-agx-orin-devkit internal
But I get the following error.
###############################################################################
# L4T BSP Information:
# R36 , REVISION: 3.0
# User release: 0.0
###############################################################################
uefi_enc_content= 010203040506070809a0b0c0d0e0f001
Error: key size has to be 64
/home/default_keys/nvidia-jetson-optee-source/optee/samples/hwkey-agent/host/tool/gen_ekb/sym_t234.key is the file generated by /home/default_keys/nvidia-jetson-optee-source/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh and just contains "010203040506070809a0b0c0d0e0f001".
The doc states the key should be 256 bits, so I modified the example.sh in nvidia-jetson-optee-source/optee/samples/hwkey-agent/host/tool/gen_ekb
to use a 256 bit long key. I tried “010203040506070809a0b0c0d0e0f001010203040506070809a0b0c0d0e0f001” and “0000000000000000000000000000000000000000000000000000000000000000”. The flashing succeeds, but UEFI boot fails.
Every time I run example.sh I copy the eks_t234.img generated to the bootloader folder prior to flashing.
What am I doing wrong?
I have not flashed OEM_K2 and am hoping to be able to just use the default fuse key. This is what is in the stock example.sh: “432646294a404e635266556a586e3272357538782f413f442a472d4b61506453” for the default OEM_K2. Is this the correct value to use?
I have verified that if I only use --uefi-keys and not --uefi-enc, the OS boots OK. So I think the issue is purely with the UEFI encryption.
EDIT
Here is the error when I boot after flashing with --uefi-enc. It then drops to the UEFI shell.
I> Current Boot-Chain Slot: 0
I> BR-BCT Boot-Chain is 0, and status is 1. Set UPDATE_BRBCT bit to 0
I> Task: Burn RESERVED_ODM0 fuse
I> Task: Lock fusing
I> Task: Clear dec source key
I> MB2 finished
NOTICE: BL31: v2.8(release):e12e3fa93
NOTICE: BL31: Built : 09:56:21, May 6 2024
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.22 (gcc version 11.3.0 (Buildroot 2022.08)) #2 Mon May 6 17:07:49 UTC 2024 4
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.hl
I/TC: Primary CPU initializing
I/TC: Test OEM keys are being used. This is insecure for shipping products!
E/TC:00 00 ekb_extraction_process:216 Bad parameter: eks image not correct
E/TC:00 00 jetson_user_key_pta_init:1049 jetson_user_key_pta_init: Failed (ffff0006).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x0016f250 failed
I/TC: Primary CPU switching to normal world boot
Jetson UEFI firmware (version 36.3.0-gcid-36191598 built on 2024-05-06T16:58:59+00:00)
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
I/TC: WARNING: Test UEFI variable auth key is being used !
I/TC: WARNING: UEFI variable protection is not fully enabled !
Jetson System firmware version 36.3.0-gcid-36191598 date 2024-05-06T16:58:59+00:00
ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
…
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TA: is_user_key_exists:65 TEE_InvokeTACommand failed with res = 0xffff0001
L4TLauncher: Attempting Recovery Boot
Android image header not seen
Failed to boot recovery:0 partition
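The first error in the post ("Error: key size has to be 64") is about the format of the key file handed to --uefi-enc: flash.sh echoes the file content and rejects the 32-character example.sh key, so it wants 64 hex characters, i.e. a 256-bit key written as hex. The script below is an added example, not code from the original post or from NVIDIA's flashing tools: it generates a random 256-bit key in that form and checks a key string before it is used. It assumes flash.sh reads the key file content as a plain hex string (as the "uefi_enc_content=" log line suggests) and uses only POSIX sh, dd and od, so it runs offline. It does not address the later "eks image not correct" failure from OP-TEE.

```shell
#!/bin/sh
# Added example (not from the original post or NVIDIA's tooling).
# Generate and validate a 256-bit symmetric key in the 64-hex-character
# form that flash.sh rejected the 32-character example.sh key for.
set -eu

# Return 0 if $1 is exactly 64 hex characters (32 bytes = 256 bits),
# which is the size flash.sh complained about in the post.
is_valid_uefi_enc_key() {
    key=$1
    case "$key" in
        "") return 1 ;;
        *[!0-9a-fA-F]*) return 1 ;;   # anything that is not a hex digit
    esac
    [ "${#key}" -eq 64 ]
}

# Write a fresh random 256-bit key as 64 lowercase hex characters with no
# trailing newline to the file named by $1, readable only by the owner.
# Assumption: flash.sh treats the whole file content as the key string.
gen_uefi_enc_key() {
    out=$1
    (
        umask 077
        dd if=/dev/urandom bs=32 count=1 2>/dev/null \
            | od -An -tx1 \
            | tr -d ' \n' > "$out"
    )
    # Refuse to hand over a file that does not have the expected format.
    is_valid_uefi_enc_key "$(cat "$out")"
}

# Check an existing key file (e.g. the one produced by example.sh) and report
# the character count so a short or padded key is caught before flashing.
check_uefi_enc_key_file() {
    file=$1
    key=$(tr -d '\n' < "$file")
    if is_valid_uefi_enc_key "$key"; then
        echo "ok: $file holds a 64-hex-character (256-bit) key"
        return 0
    fi
    echo "bad: $file holds ${#key} characters, expected 64 hex characters" >&2
    return 1
}

# Usage: ./keycheck.sh <keyfile>  checks it; ./keycheck.sh -g <keyfile> makes one.
if [ "$#" -eq 2 ] && [ "$1" = "-g" ]; then
    gen_uefi_enc_key "$2"
elif [ "$#" -eq 1 ]; then
    check_uefi_enc_key_file "$1"
fi
```

Run it against the sym_t234.key file first: the stock example.sh key fails the check for the same reason flash.sh rejected it (32 characters instead of 64). The generated file is 0600 and has no trailing newline; whether the example.sh file ends in a newline is not visible in the post, so the checker strips one before counting.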