fTPM provisioning fails with "Invalid provision mode!" on Jetson Orin (JP-6.2.2)

Environment

  • Device: reComputer Industrial Orin J401
  • JetPack: 6.2.2 (L4T R36.5.0)
  • OP-TEE: fTPM feature enabled

Issue Summary

fTPM device provisioning fails with “Invalid provision mode!” error when running ftpm_device_provision.sh. The TEEC_InvokeCommand returns error code 0xffff000a origin 0x4.

Steps Taken

In addition to the procedure being carried out in Topic 367455, I performed the following steps to enable the fTPM EK verification function:

  1. Re-flashed the device
  2. After boot, executed the fTPM provisioning script

Expected vs Actual Behavior

Expected:
fTPM provisioning completes successfully with both RSA and ECC EK certificates created.

Actual:

  • Provisioning fails with “Invalid provision mode!”
  • Only RSA_EK_HANDLE (0x81010001) is registered
  • ECC_EK_HANDLE (0x81010002) is not registered

Error Output

Provisioning script error:

root@test-desktop:/home/test/Documents/ftpm_prov# sudo ./ftpm_device_provision.sh -r ek_cert_rsa.der -e ek_cert_ec.der -p owner
[fTPM device]: === fTPM device provisioning ===
[fTPM device]: === Extracting the EK Certs from EKB ===
ca_query_prov_mode: TEEC_InvokeCommand failed 0xffff000a origin 0x4
Invalid provision mode!
Could not open file or uri for loading certificate from ek_cert_rsa.der
2030B0A5FFFF0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
2030B0A5FFFF0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(ek_cert_rsa.der)
Unable to load certificate
[ftpm device]: fTPM provisioning failed.

Current TPM State

After the failed provisioning attempt, I verified the TPM state:

Summary:

  • ✅ RSA_EK_HANDLE (0x81010001): Present and functional
  • ❌ ECC_EK_HANDLE (0x81010002): Not registered
  • ❌ No NV indices found

Checking TPM handles:

root@test-desktop:~# tpm2_getcap handles-persistent -T device:/dev/tpmrm0
- 0x81010001

root@test-desktop:~# tpm2_getcap handles-nv-index -T device:/dev/tpmrm0
root@test-desktop:~#

RSA EK public key details:

root@test-desktop:~# tpm2_readpublic -c 0x81010001 -f pem -o ekPub.pem
name: 000b3182143e9809d9af4bae757ba0e62fe29dec069fcd0c1288386f204c90491703
qualified name: 000b71e8069ad0efaebb07333d567bb6e75fbe7f3863ba698e4eae6826d7aa151118
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt
  raw: 0x300b2
type:
  value: rsa
  raw: 0x1
exponent: 65537
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa: ...
authorization policy: 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa

Exported public key:

root@test-desktop:~# cat ekPub.pem
root@test-desktop:~#

Questions

  1. What does the “Invalid provision mode!” error indicate, and how can I resolve it?
  2. Why is the ECC_EK_HANDLE (0x81010002) missing after flashing?
  3. Are there any missing prerequisites or configuration steps?

Any insights would be greatly appreciated!
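As an added example (not from the thread or from NVIDIA's provisioning tooling), a small POSIX shell check that turns the manual `tpm2_getcap handles-persistent` inspection above into a repeatable post-provisioning test: it parses the tool's output and reports which of the two expected EK handles (the values quoted in the post) are absent. It assumes tpm2-tools and the resource manager at /dev/tpmrm0; the sample output is constructed from the post.

```shell
#!/bin/sh
# Expected persistent EK handles after a successful fTPM provisioning
# (values as quoted in the post above).
RSA_EK_HANDLE=0x81010001
ECC_EK_HANDLE=0x81010002

# Constructed sample of `tpm2_getcap handles-persistent` output, matching
# the failed-provisioning state described in the post (RSA only).
SAMPLE_GETCAP_OUTPUT='- 0x81010001'

# Reads `tpm2_getcap handles-persistent` output on stdin and prints the
# expected EK handles that are NOT listed, space separated (empty = all present).
missing_ek_handles() {
    # Lines look like "- 0x81010001"; normalise hex digits to lower case and
    # join into one space-separated string so we can do whole-token matches.
    handles=$(sed -n 's/^- *\(0x[0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f' | tr '\n' ' ')
    missing=""
    for h in "$RSA_EK_HANDLE" "$ECC_EK_HANDLE"; do
        case " $handles " in
            *" $h "*) ;;                       # handle present
            *) missing="$missing $h" ;;        # handle absent
        esac
    done
    echo "${missing# }"
}

# Runs the live check against the TPM. Returns 0 only when both EK handles
# exist, so it can gate later provisioning steps in a script.
verify_ek_handles() {
    m=$(tpm2_getcap handles-persistent -T device:/dev/tpmrm0 | missing_ek_handles)
    if [ -n "$m" ]; then
        echo "missing EK handle(s): $m" >&2
        return 1
    fi
    echo "both EK handles present"
}

# Offline demonstration on the constructed sample (prints "0x81010002").
demo_on_sample() {
    printf '%s\n' "$SAMPLE_GETCAP_OUTPUT" | missing_ek_handles
}
```

Run `verify_ek_handles` on the device after `ftpm_device_provision.sh`; a non-zero exit tells you the ECC handle was never registered, which is the state the post describes.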

hello mori.ycb.c2,

May I know all your key combinations? Did you also enable UEFI payload encryption (--uefi-enc) on the fused Orin-NX?
Could you please also share the bootloader logs for a cross-check?

BTW,
We've tested fTPM; please refer to Topic 353623 for some crucial steps.

hello JerryChang,

May I know all your key combinations? Did you also enable UEFI payload encryption (--uefi-enc) on the fused Orin-NX?

Based on the information from the cheat sheet below, I’d like to share these details with you.
Could you please verify whether this information fully covers the key combinations and the UEFI payload encryption status?

UPI Image Generation (aka User Partition Image: UPI)

Note
In the commands below, the key in --uefi-enc <key> option is used for UEFI payload encryption. This key value is the sym_t234.key defined and added into the EKB by the OEM.

The OEM EKB generation specifies -in_sym_key ~/JETSONNX/oem-keys/sym_t234.key:

~/JETSONNX/Linux_for_Tegra/source/optee/samples/ftpm-helper/host/tool$ ./oem_ekb_gen.py \
-oem_k1_key ~/JETSONNX/oem-keys/OemK1.key \
-in_sym_key ~/JETSONNX/oem-keys/sym_t234.key \
-in_sym_key2 ~/JETSONNX/oem-keys/sym2_t234.key \
-in_auth_key ~/JETSONNX/oem-keys/auth_t234.key \
-in_ftpm_odm_ekb odm_out

For flashing specifies --uefi-enc ~/JETSONNX/oem-keys/sym_t234.key:

sudo BOARDID=3767 FAB=301 BOARDSKU=0000 CHIP_SKU=00:00:00:D3 RAMCODE_ID=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
--external-device nvme0n1p1 \
-u ~/JETSONNX/odm-keys/rsa3k.pem \
-v ~/JETSONNX/odm-keys/sbk-32.key \
--uefi-keys ~/JETSONNX/oem-keys/uefi-keys/uefi_keys.conf \
--uefi-enc ~/JETSONNX/oem-keys/sym_t234.key \
-c tools/kernel_flash/flash_l4t_t234_nvme.xml \
-p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
--showlogs \
--network usb0 \
recomputer-industrial-orin-j401 internal

Could you please also share the bootloader logs for a cross-check?

Will dmesg logs suffice? I will attach them.

dmesg.log (74.0 KB)

hello JerryChang,

Is the key combination for UEFI payload encryption (--uefi-enc) correct?
If there is any other additional information or feedback, sharing it would be greatly appreciated.

hello mori.ycb.c2,

Unfortunately, we will need the bootloader logs for a cross-check.
Please set up a serial console to gather the details.