Failed to use nv_update_engine after secure boot

Hi,
I am trying to use nv_update_engine to update A/B firmware with secure boot on tx2nx, based on jp4.6.3.
First, I used ROOTFS_AB=1 to flash the board and used nv_update_engine to update the kernel; it works and boots with slot B.
Then I tried to flash the board with secure boot and disk encryption. It can boot successfully. I used nv_update_engine and it reports success, but when I reboot, the board fails to boot.
So I want to know what's wrong with my operations (I will show my operations below) and how to use nv_update_engine correctly with secure boot.
My steps:
1. Flash the board (already fused):
sudo ROOTFS_ENC=1 ROOTFS_AB=1 ./flash.sh -u key/pkc/pkc.pem -v key/sbk/sbk.key -i key/encrypt/encrypt.key --user_key key/user/user_for_flash.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
2. Generate the payload:
sudo BOARDID=3636 FAB=301 BOARDSKU=0001 BOARDREV=D.0 FUSELEVEL=fuselevel_production ./build_l4t_bup.sh --multi-spec -u key/pkc/pkc.pem -v key/sbk/sbk.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
3. Update:
sudo nv_update_engine -i bl-only --payload bl_update_payload

I will attach the debug log and the nv_update_engine log.
Thanks.
debug.log (12.8 KB)
nv_update_engine.log (3.3 KB)

Hi 779784017,

Are you using the devkit or custom board for TX2?

Could you help clarify whether my understanding is correct, as follows?

  1. Flash with ROOTFS_AB=1 + nv_update_engine => boot successfully
  2. Flash with ROOTFS_AB=1, ROOTFS_ENC=1 + nv_update_engine => boot failed

Hi KevinFFF:
I use the devkit to test the function.
To answer the questions:
1. Yes, if I use only the A/B function, I can boot successfully and change from slot A to B.
2. Yes, I use ROOTFS_AB and ROOTFS_ENC with the secure boot key. I can boot, but after using nv_update_engine, it fails to boot.

Could you help to apply the patch from the following thread to check if it could help?
Flashing an external NNMe with encryption support fails, it it supported or is it a different issue? - #4 by lhoang

Hi
I modified l4t_flash_from_kernel.sh and tried again, but it still fails to boot. And the debug log is the same as before.

Does your board still stop at MB2?

How about if you don’t enable rootfs a/b (only set ROOTFS_ENC=1)?

Hi:
Sorry that I didn’t clarify the problem. Actually, after I run nv_update_engine, the device reboots repeatedly when cboot finds the kernel img invalid. I just cut one loop of the log; the board does not stop at any step, it just reboots.

Could you help to provide the full serial console log?

And also try if the following use case would work.
How about if you don’t enable rootfs a/b (only set ROOTFS_ENC=1)?

I will attach the full log.
Also, we need the A/B function. If I don't enable A/B, can nv_update_engine work?
serial.log (89.7 KB)

[0003.213] E> Storage boot failed, err: 724238360
[0003.217] E> A/B loader failure

It seems to have failed at loading the kernel image/dtb.

We will verify this use case (ROOTFS_AB enabled and Encryption enabled) on the devkit and let you know the result.

Actually, it’s a boot failure caused by key comparison.
For example,

[0003.000] I> cboot: Info: Handle RSA_SBK as RSA.
[0003.120] I> Decrypt the buffer ... [0003.204] I> done
[0003.205] I> Checking boot.img header magic ... [0003.210] E> Invalid header magic

Note:
the user_key is specified in eks.img.
Here’s a CA sample, hwkey-agent/CA_sample/tool/gen_ekb/example.sh, to generate eks.img; the sym.key mentioned in the sample is the user_key.
Trusty retrieves the user_key from eks.img and loads the key into keyslot_14 for decryption.
When flashing, please use the --user_key option to specify the user_key.

You may also refer to the developer guide; this EKS image should be created following the Tool for EKB Generation section.
BTW,
CA samples were available via [Driver Package (BSP) Sources], you may download from Jetson Linux R32.7.3 | NVIDIA Developer.
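Added example (not part of any post in this thread, and not NVIDIA code): a small triage script for a cboot serial log that splits a reboot loop into boot cycles and flags the pattern quoted above, where the buffer is decrypted and the boot.img header magic check then fails. The sample log is constructed from the lines quoted in the thread; treating a backwards jump in the timestamp as the start of a new boot cycle, and the finding labels, are assumptions of this example.

```python
import re

# One cboot entry looks like "[ssss.mmm] L> message"; several entries can share one line.
ENTRY = re.compile(r"\[(\d+\.\d+)\] ([IWE])> (.*?)(?=\[\d+\.\d+\] [IWE]> |$)")

# Constructed sample: one loop assembled from the lines quoted in the thread, repeated twice.
ONE_LOOP = """\
[0003.000] I> cboot: Info: Handle RSA_SBK as RSA.[0003.120] I> Decrypt the buffer ... [0003.204] I> done
[0003.205] I> Checking boot.img header magic ... [0003.210] E> Invalid header magic
[0003.213] E> Storage boot failed, err: 724238360
[0003.217] E> A/B loader failure
"""
SAMPLE_LOG = ONE_LOOP * 2

def parse_entries(text):
    """Yield (timestamp, level, message) for every entry, including fused ones."""
    for line in text.splitlines():
        for m in ENTRY.finditer(line):
            yield float(m.group(1)), m.group(2), m.group(3).strip()

def split_boot_cycles(entries):
    """Assumption: the timestamp restarts after a reset, so a decrease starts a new cycle."""
    cycles, last = [], None
    for ts, level, msg in entries:
        if last is None or ts < last:
            cycles.append([])
        cycles[-1].append((ts, level, msg))
        last = ts
    return cycles

def classify(cycle):
    """Return the labelled findings for one boot cycle, in log order."""
    decrypted, findings = False, []
    for _ts, level, msg in cycle:
        if msg.startswith("Decrypt the buffer"):
            decrypted = True
        elif level == "E" and "Invalid header magic" in msg:
            # Bad magic right after a decrypt step is the case tied to the key in the reply above.
            findings.append("bad-magic-after-decrypt" if decrypted else "bad-magic")
        elif level == "E" and "A/B loader failure" in msg:
            findings.append("ab-loader-failure")
    return findings

def triage(text):
    return [classify(c) for c in split_boot_cycles(parse_entries(text))]

if __name__ == "__main__":
    for n, findings in enumerate(triage(SAMPLE_LOG), 1):
        print(f"boot cycle {n}: {findings}")
```

A cycle that reports `bad-magic` without a preceding decrypt step points at the image itself rather than the decryption key.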

Hi Jerry,

I am taking over the problem now, as we are using the A/B slot update method instead of using the flash.sh command.

So do you mean to add the “--user_key” parameter when executing “nv_update_engine”, or the “--user_key” parameter when executing “build_l4t_bup.sh”?

I tried adding “--user_key my_user.key” when generating the payload with “build_l4t_bup.sh”, but there was still no change.

hello miaofeiyu1991,

(1) The user_key is specified in eks.img; have you updated the EKS partition yet?
(2) When you added --user_key, did you also specify the SBK key with the -v option? Please share the complete command line you are running for build_l4t_bup.sh.
