I am trying to use nv_update_engine to update A/B firmware with secure boot on tx2nx, based on jp4.6.3.
First, I used the ROOTFS_AB=1 to flash the board and use the nv_update_engine to update kernel, it works and boot with slot B.
Then I tried to flash the board with secure boot and disk encryption, it can boot successfully,I used the nv_update_engine and it shows successful, but when I reboot ,the board boot failed.
So I want to know whats wrong about my operations(I will show my operations below) and how to use the nv_update_engine correctly with secure boot.
My step :
1、flash the board(already fused):
sudo ROOTFS_ENC=1 ROOTFS_AB=1 ./flash.sh -u key/pkc/pkc.pem -v key/sbk/sbk.key -i key/encrypt/encrypt.key --user_key key/user/user_for_flash.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
sudo BOARDID=3636 FAB=301 BOARDSKU=0001 BOARDREV=D.0 FUSELEVEL=fuselevel_production ./build_l4t_bup.sh --multi-spec -u key/pkc/pkc.pem -v key/sbk/sbk.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
sudo nv_update_engine -i bl-only --payload bl_update_payload
I use the devkit to test the function.
and answer the question
1、yes, if I use only the A/B function, I can boot successfully and change the slot A to B
2、yes, I use the ROOTFS_AB and ROOTFS_ENC, with secure boot key, I can boot , but after use nv_update_engine, it boot failed.
Sorry that i didn’t clarify the problem, actually after I do the nv_update_engine, the device reboot repeatedly when the cboot check the kernel img invalid, I just cut one loop of the log, the board not stop at any step, it just reboot.
the user_key is specified in eks.img.
here’s CA sample, hwkey-agent/CA_sample/tool/gen_ekb/example.sh to generate eks.img, the sym.key as mentioned in the sample is the user_key.
Trusty it retrieves user_key from eks.img, and loads the key into keyslot_14 for decryption.
when flashing, please use --use_key options to specify the user_key.