Failed to use nv_update_engine after secure boot

779784017 · May 16, 2023, 6:26am

Hi,
I am trying to use nv_update_engine to update A/B firmware with secure boot on tx2nx, based on jp4.6.3.
First, I used the ROOTFS_AB=1 to flash the board and use the nv_update_engine to update kernel, it works and boot with slot B.
Then I tried to flash the board with secure boot and disk encryption, it can boot successfully,I used the nv_update_engine and it shows successful, but when I reboot ,the board boot failed.
So I want to know whats wrong about my operations(I will show my operations below) and how to use the nv_update_engine correctly with secure boot.
My step :
1、flash the board(already fused):
sudo ROOTFS_ENC=1 ROOTFS_AB=1 ./flash.sh -u key/pkc/pkc.pem -v key/sbk/sbk.key -i key/encrypt/encrypt.key --user_key key/user/user_for_flash.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
2、generate payload
sudo BOARDID=3636 FAB=301 BOARDSKU=0001 BOARDREV=D.0 FUSELEVEL=fuselevel_production ./build_l4t_bup.sh --multi-spec -u key/pkc/pkc.pem -v key/sbk/sbk.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
3、update
sudo nv_update_engine -i bl-only --payload bl_update_payload

The log about debug and nv_update_engine I will attach.
Thanks.
debug.log (12.8 KB)
nv_update_engine.log (3.3 KB)

KevinFFF · May 16, 2023, 8:10am

Hi 779784017,

Are you using the devkit or custom board for TX2?

Could you help to clarify if my understanding is correct as following?

Flash with ROOTFS_AB=1 + nv_update_engine => boot successfully
Flash with ROOTFS_AB=1, ROOTFS_ENC=1 + nv_update_engine => boot failed

779784017 · May 16, 2023, 8:24am

Hi KevinFFF:
I use the devkit to test the function.
and answer the question
1、yes, if I use only the A/B function, I can boot successfully and change the slot A to B
2、yes, I use the ROOTFS_AB and ROOTFS_ENC, with secure boot key, I can boot , but after use nv_update_engine, it boot failed.

KevinFFF · May 17, 2023, 6:54am

Could you help to apply the patch from the following thread to check if it could help?
Flashing an external NNMe with encryption support fails, it it supported or is it a different issue? - #4 by lhoang

779784017 · May 17, 2023, 9:01am

Hi
I modify the l4t_flash_from_kernel.sh and try again, but it still boot failed.And the debug log is the same as before.

KevinFFF · May 18, 2023, 7:30am

Does your board still stop at MB2?

How about if you don’t enable rootfs a/b (only set ROOTFS_ENC=1)?

779784017 · May 18, 2023, 7:38am

Hi:
Sorry that i didn’t clarify the problem, actually after I do the nv_update_engine, the device reboot repeatedly when the cboot check the kernel img invalid, I just cut one loop of the log, the board not stop at any step, it just reboot.

KevinFFF · May 18, 2023, 8:35am

Could you help to provide the full serial console log?

And also try if the following use case would work.
How about if you don’t enable rootfs a/b (only set ROOTFS_ENC=1)?

779784017 · May 18, 2023, 9:15am

I will attach the full log.
And, we need the A/B function, if I dont enable a/b, can nv_update_engine work?
serial.log (89.7 KB)

KevinFFF · May 19, 2023, 7:59am

[0003.213] E> Storage boot failed, err: 724238360
[0003.217] E> A/B loader failure

It seems failed at loading kernel image/dtb.

We will verify this use case (ROOTFS_AB enabled and Encryption enabled) on the devkit and let you know the result.

JerryChang · May 22, 2023, 6:56am

actually, it’s boot failed by key comparison.
for example,

[0003.000] I> cboot: Info: Handle RSA_SBK as RSA.[0003.120] I> Decrypt the buffer ... [0003.204] I> done
[0003.205] I> Checking boot.img header magic ... [0003.210] E> Invalid header magic

note,
the user_key is specified in eks.img.
here’s CA sample, hwkey-agent/CA_sample/tool/gen_ekb/example.sh to generate eks.img, the sym.key as mentioned in the sample is the user_key.
Trusty it retrieves user_key from eks.img, and loads the key into keyslot_14 for decryption.
when flashing, please use --use_key options to specify the user_key.

you may also refer to developer guide, this eks image should created follow-by Tool for EKB Generation section.
BTW,
CA samples were available via [Driver Package (BSP) Sources], you may download from Jetson Linux R32.7.3 | NVIDIA Developer.

miaofeiyu1991 · May 29, 2023, 1:57am

Hi Jerry,

I am taking over the problem now, as we are using the AB slot update method instead of using the flash. sh command.

So do you mean to add the parameter of “-- user key” when executing “nv_update_engine” or the parameter of “-- user key” when executing “build_l4t_bup. sh”?

miaofeiyu1991 · May 29, 2023, 7:55am

I tried adding “-- user key my_user. key” during the generation process “build_l4t_bup. sh”, but there was still no change.