FTPM and OPTEE errors in JP6.2.1 for ORIN NX

I want to use fTPM and OP-TEE together with UEFI Secure Boot, so I flashed the Orin NX with JetPack 6.2.1 because it includes fTPM support. The device boots successfully with Secure Boot enabled, but I’m seeing fTPM- and OP-TEE-related failures in the boot logs. What could be causing this issue? Below is a snapshot of the failures, and I’m also attaching the full UART logs.
621-secure-boot.txt (75.4 KB)

NOTICE:  BL31: v2.8(release):e12e3fa93
NOTICE:  BL31: Built : 08:24:36, Jun 16 2025
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4.2 (gcc version 11.3.0 (Buildroot 2022.08)) #2 Mon Jun 16 15:35:45 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) post op: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) post op: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
E/TC:00 00 hwkey_derivation_process:452 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)
I/TC: ftpm-helper PTA: fTPM DT or EKB is not available. fTPM provisioning is not supported.
I/TC: Primary CPU switching to normal world boot
Jetson UEFI firmware (version 36.4.4-gcid-41062509 built on 2025-06-16T15:25:51+00:00)

Below are the fuse values I’m using to enable OP-TEE support.

<fuse name="BootSecurityInfo" size="4" value="0x2BE9"/>
<fuse name="SecurityMode" size="4" value="0x1"/>

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, it appears that you are experiencing issues with fTPM and OPTEE on your Jetson Orin NX device, which is running JetPack 6.2.1 with Secure Boot enabled. The device boots successfully, but you are seeing fTPM and OPTEE-related failures in the boot logs.

To troubleshoot this issue, let’s break down the possible causes:

  1. fTPM Provisioning: Ensure that you have run the fTPM provisioning script on the Jetson device. This script is required to provision the fTPM EK (Endorsement Key) and EK certificates. If the script has not been run, the fTPM EK may not be properly provisioned, leading to failures.
  2. OPTEE Configuration: Verify that the OPTEE configuration is correct. OPTEE requires specific fuse values to be set to enable support. You have provided the fuse values you are using, but ensure that they match the recommended values for OPTEE support on the Jetson Orin NX.
  3. Secure Boot Configuration: Ensure that the Secure Boot configuration is correct. Secure Boot requires specific keys and certificates to be installed on the device. Verify that the keys and certificates are properly installed and configured.
  4. UEFI Configuration: Verify that the UEFI configuration is correct. UEFI requires specific settings to be configured to enable Secure Boot and fTPM support. Ensure that the UEFI settings are correct and match the recommended values for the Jetson Orin NX.
  5. fTPM and OPTEE Compatibility: Ensure that the fTPM and OPTEE versions are compatible with each other and with the JetPack version you are using. Incompatible versions may cause failures.
  6. Device-Specific Issues: It’s possible that there are device-specific issues that are causing the failures. Ensure that the device is properly configured and that there are no hardware issues.

To further troubleshoot the issue, you can try the following:

  1. Verify the fTPM EK: Run the fTPM provisioning script again to ensure that the fTPM EK is properly provisioned.
  2. Check the OPTEE Configuration: Verify that the OPTEE configuration is correct and that the fuse values match the recommended values.
  3. Check the Secure Boot Configuration: Verify that the Secure Boot configuration is correct and that the keys and certificates are properly installed and configured.
  4. Check the UEFI Configuration: Verify that the UEFI configuration is correct and that the settings match the recommended values.
  5. Check the fTPM and OPTEE Versions: Verify that the fTPM and OPTEE versions are compatible with each other and with the JetPack version you are using.
  6. Check the Device-Specific Configuration: Verify that the device is properly configured and that there are no hardware issues.

By checking these possible causes and verifying the configurations, you should be able to identify and resolve the issue.

Here is a comparison of the workflows for fTPM manufacturing support:

  • ODM Workflow:
    • ODM Preparation Work
    • ODM EKB Generation
    • ODM Fuseblob Generation
    • QSPI Image Generation (aka lower boot components: lbc)
  • OEM Workflow:
    • OEM Preparation Work
    • OEM Fuseblob Generation
    • OEM EKB Generation
    • UPI Image Generation (aka User Partition Image: UPI)
    • UEFI Image Generation
    • Final Factory Tarball Generation
  • Factory Workflow:
    • Fuse Burning
    • Flashing Images

The ODM workflow is responsible for generating the EKB, fuseblob, and QSPI image, while the OEM workflow is responsible for generating the UPI image, UEFI image, and final factory tarball. The factory workflow is responsible for burning the fuses and flashing the images.

In your case, since you are using JetPack 6.2.1, which includes fTPM support, you should follow the OEM workflow to generate the UPI image, UEFI image, and final factory tarball. Ensure that you have completed the ODM preparation work and have generated the EKB, fuseblob, and QSPI image correctly.


hello Techgeek,

just an FYI,
the fTPM feature is default enabled in JP-6 public release version.
if you rebuild op-tee without -t options, the fTPM feature will not be included, it’ll lead to rpc related errors in UEFI.

Hi JerryChang,

I’m using the default release and haven’t built it with any custom changes.

hello Techgeek,

according to the above,
may I know what fuse variables you've fused onto this module?

Following are the configured fuse variables.

<fuse name="Kdk0" size="32" value="XXX"/>
<fuse name="PublicKeyHash" size="64" value="XXX"/>
<fuse name="PkcPubkeyHash1" size="64" value="XXX"/>
<fuse name="PkcPubkeyHash2" size="64" value="XXX"/>
<fuse name="SecureBootKey" size="32" value="XXX"/>
<fuse name="PscOdmStatic" size="4" value="0x60"/>
<fuse name="OemK1" size="32" value="XXX"/>
<fuse name="OemK2" size="32" value="XXX"/>
<fuse name="OptInEnable" size="4" value="0x1"/>
<fuse name="ArmJtagDisable" size="4" value="0x1"/>
<fuse name="Apb2JtagDisable" size="4" value="0x1"/>
<fuse name="DebugAuthentication" size="4" value="0x1"/>
<fuse name="CcplexDfdAccessDisable" size="4" value="0x1"/>
<fuse name="BootSecurityInfo" size="4" value="0x2BE9"/>
<fuse name="SecurityMode" size="4" value="0x1"/>

hello Techgeek,

you may also see the developer guide, Tool for EKB Generation.
please refer to the script below and update the keys with yours to re-generate the EKS image (eks_t234.img) for testing.
$public_sources/r36.4.4/Linux_for_Tegra/source/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh

Hi JerryChang,

I have already reviewed the developer documentation and generated the EKB.
I tested with two different EKBs: one containing only the OEM_K1, and another that also includes the fTPM database. Below are the two commands I used:

  • Using only OEM_K1
python3 gen_ekb.py -chip t234 -oem_k1_key <oem_k1.key> -in_auth_key <auth_t234.key> -out eks_t234.img
  • Using the EKB with the fTPM database
python3 -c "import secrets; print(secrets.token_hex(64), end='')" > ftpm_sn.key
python3 -c "import secrets; print(secrets.token_hex(32), end='')" > ftpm_eps_seed.key

FTPM_SN=$(cat ftpm_sn.key)
FTPM_EPS=$(cat ftpm_eps_seed.key)

python3 gen_ekb.py \
  -chip t234 \
  -oem_k1_key Oem_k1.key \
  -in_auth_key auth_t234.key \
  -in_ftpm_sn "$FTPM_SN" \
  -in_ftpm_eps_seed "$FTPM_EPS" \
  -out eks_t234_ftpm.img

hello Techgeek,

it seems failing to derive the SSK is not a critical issue; op-tee should be able to keep booting.

you may give it a try to execute $ sudo modprobe tpm_ftpm_tee to load the fTPM driver module.
you may then run the script ftpm_device_provision.sh to provision and activate the fTPM.
please see also:
$public_sources/r36.4.4/Linux_for_Tegra/source/atf_and_optee/optee/samples/ftpm-helper/host/tool/ftpm_device_provision.sh

Hi JerryChang,

So, to clarify, even though the errors are being shown in preboot logs, FTPM and OP-TEE are actually working correctly, is that understanding accurate?

NOTICE:  BL31: v2.8(release):e12e3fa93
NOTICE:  BL31: Built : 08:24:36, Jun 16 2025
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4.2 (gcc version 11.3.0 (Buildroot 2022.08)) #2 Mon Jun 16 15:35:45 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) post op: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) post op: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
E/TC:00 00 hwkey_derivation_process:452 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)
I/TC: ftpm-helper PTA: fTPM DT or EKB is not available. fTPM provisioning is not supported.
I/TC: Primary CPU switching to normal world boot
Jetson UEFI firmware (version 36.4.4-gcid-41062509 built on 2025-06-16T15:25:51+00:00)

I also ran sudo modprobe tpm_ftpm_tee as you suggested. Before running this command, checking with lsmod | grep tpm didn’t show any output. But after running modprobe, I see the following:

tpm_ftpm_tee           16384  0

To summarize, if I see tpm_ftpm_tee 16384 0 in the output, does that mean FTPM and OP-TEE have been provisioned properly, and the preboot log errors can be ignored?

Hi JerryChang,

So I tried checking TPM functionality but am getting the errors below.

~$ sudo tpm2_pcrread

ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "(null)"

hello Techgeek,

please check kernel logs $ dmesg | grep -i tpm for more details.

BTW,
you may also try to load TPM manually,
please test again with.. $ modprobe tpm_tis_core;modprobe tpm_tis, modprobe tpm_tis_spi

Following are the kernel logs, followed by the output of $ modprobe tpm_tis_core;modprobe tpm_tis, modprobe tpm_tis_spi:

[    0.000000] efi: RTPROP=0x26d82f198 TPMFinalLog=0x25e3f0000 SMBIOS=0xffff0000 SMBIOS 3.0=0x26d220000 MEMATTR=0x26716d018 ESRT=0x26719d018 TPMEventLog=0x25e408018 RNG=0x25a930018 MEMRESERVE=0x25e40ac18
[    7.004747] ftpm-tee firmware:ftpm: ftpm_tee_probe: tee_client_open_session failed, err=ffff3024
[    7.004763] ftpm-tee: probe of firmware:ftpm failed with error -22
modprobe: FATAL: Module tpm_tis, not found in directory /lib/modules/5.15.148-tegra
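A small triage script for the UART and dmesg excerpts quoted in this thread (an added example, not NVIDIA's tooling). It maps each quoted line to a stage of fTPM bring-up in the order JerryChang's replies establish, and the GP error names it decodes (ffff0000, ffff3024) are assumed from OP-TEE's tee_api_defines.h.

```python
"""Triage an Orin NX UART/dmesg capture for the fTPM bring-up failure chain.

Added example, not NVIDIA's tooling. The regexes are copied from the log lines
quoted in this thread; the GP error names are assumed from tee_api_defines.h.
"""
import re

# Stages in boot order; each regex matches one line quoted in the thread.
STAGES = [
    ("se_aes_error",  re.compile(r"SE0 err_status register \S+ nonzero")),
    ("ekb_rk_derive", re.compile(r"Derive EKB_RK from #\d+ fuse key failed")),
    ("ssk_derive",    re.compile(r"Failed to derive SSK root key \((\w+)\)")),
    ("ftpm_no_ekb",   re.compile(r"fTPM DT or EKB is not available")),
    ("ftpm_probe",    re.compile(r"ftpm_tee_probe: tee_client_open_session failed, err=(\w+)")),
]

# GlobalPlatform TEE return codes seen in this thread (assumed from tee_api_defines.h).
GP_ERRORS = {0xFFFF0000: "TEE_ERROR_GENERIC", 0xFFFF3024: "TEE_ERROR_TARGET_DEAD"}


def triage(log_text):
    """Map each stage to (first matching line, decoded GP error or None)."""
    found = {name: None for name, _ in STAGES}
    for line in log_text.splitlines():
        for name, pat in STAGES:
            m = pat.search(line)
            if m and found[name] is None:
                code = int(m.group(1), 16) if m.groups() else None
                found[name] = (line.strip(), GP_ERRORS.get(code))
    return found


def verdict(found):
    """Summarise the deepest failed stage; later stages imply the earlier ones."""
    if found["ftpm_probe"]:
        return ("fTPM TA session failed from Linux (%s): tpm_ftpm_tee loads but "
                "/dev/tpm0 is never created, so tpm2 tools find no TCTI" % found["ftpm_probe"][1])
    if found["ftpm_no_ekb"]:
        return "OP-TEE booted, but fTPM provisioning is unsupported: EKB/fTPM DT missing"
    stage = found["ssk_derive"] or found["ekb_rk_derive"]
    if stage:
        return "fuse-key derivation failed (%s); OP-TEE keeps booting" % (stage[1] or "no GP code")
    return "no fTPM/OP-TEE failure pattern found"


# Constructed sample input: the lines quoted in this thread.
SAMPLE_UART = """\
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
E/TC:00 00 hwkey_derivation_process:452 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)
I/TC: ftpm-helper PTA: fTPM DT or EKB is not available. fTPM provisioning is not supported.
"""
SAMPLE_DMESG = "[    7.004747] ftpm-tee firmware:ftpm: ftpm_tee_probe: tee_client_open_session failed, err=ffff3024\n"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_UART + SAMPLE_DMESG)))
```

Run it against the real capture with `python3 triage.py < uart.log` adapted to read stdin; on this thread's logs the verdict is the probe failure, which is consistent with lsmod showing tpm_ftpm_tee loaded while /dev/tpm0 is absent.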

hello Techgeek,

please rebuild with debug logs enabled.
you may try to update OPTEE directory, i.e. optee/optee_os/core/pta/tegra/, and replace all macro of DMSG with IMSG.

Hello! We can also consider using SecEdge SEC-TPM, which is an implementation of the NVIDIA fTPM. Nvidia also suggests SecEdge SEC-TPM development kits, available online now.