How to disable OEM firewall on Orin?

Hi NV team,

Please refer to the attached log file.
The Orin platform also has the same problem as in this topic: Kernl Panic:CPU:0, Error:rce-fabric, Errmon:2 Error Code : FIREWALL_ERR

I referred to the following link to turn off the OEM firewall:

But it doesn’t seem to work, because the problem still exists.

My steps:
1. Add the content below to tegra234-mb2-bct-scr-p3701-0000-override.dts

        reg@4673 { /* CBB_CENTRAL_CBB_FIREWALL_NVCSI_ENGINE_BLF, READ_CTL */
            exclusion-info = <0>;
        };

        reg@4674 { /* CBB_CENTRAL_CBB_FIREWALL_NVCSI_ENGINE_BLF, WRITE_CTL */
            exclusion-info = <0>;
        };

        reg@4675 { /* CBB_CENTRAL_CBB_FIREWALL_NVCSI_ENGINE_BLF, CTL_SETTING */
            exclusion-info = <0>;
        };

2. Reflash the system image

./tegraflash.py  --bl uefi_jetson_with_dtb.bin  --odmdata gbe-uphy-config-0,hsstp-lane-map-3,nvhs-uphy-config-0,hsio-uphy-config-16  --overlay_dtb L4TConfiguration.dtbo,tegra234-p3737-audio-codec-rt5658-40pin.dtbo,tegra234-p3737-overlay.dtbo,tegra234-p3701-overlay.dtbo,  --bldtb tegra234-p3701-0004-p3737-0000.dtb --applet mb1_t234_prod.bin --cmd "flash; reboot"  --cfg flash.xml --chip 0x23 --concat_cpubl_bldtb --cpubl uefi_jetson.bin --minratchet_config tegra234-mb1-bct-ratchet-p3701-0000.dts --device_config tegra234-mb1-bct-device-p3701-0000.dts --misc_config tegra234-mb1-bct-misc-p3701-0000.dts --pinmux_config tegra234-mb1-bct-pinmux-p3701-0000-a04.dtsi --gpioint_config tegra234-mb1-bct-gpioint-p3701-0000.dts --pmic_config tegra234-mb1-bct-pmic-p3701-0000.dts --pmc_config tegra234-mb1-bct-padvoltage-p3701-0000-a04.dtsi --deviceprod_config tegra234-mb1-bct-cprod-p3701-0000.dts --prod_config tegra234-mb1-bct-prod-p3701-0000.dts --scr_config tegra234-mb2-bct-scr-p3701-0000.dts --wb0sdram_config tegra234-p3701-0000-wb0sdram-l4t.dts --br_cmd_config tegra234-mb1-bct-reset-p3701-0000.dts --uphy tegra234-mb1-bct-uphylane-si.dtsi --dev_params tegra234-br-bct-p3701-0000.dts,tegra234-br-bct_b-p3701-0000.dts --mb2bct_cfg tegra234-mb2-bct-misc-p3701-0000.dts  --bins "psc_fw pscfw_t234_prod.bin; mts_mce mce_flash_o10_cr_prod.bin; mb2_applet applet_t234.bin; mb2_bootloader mb2_t234.bin; xusb_fw xusb_t234_prod.bin; dce_fw display-t234-dce.bin; nvdec nvdec_t234_prod.fw; bpmp_fw bpmp_t234-TE990M-A1_prod.bin; bpmp_fw_dtb tegra234-bpmp-3701-0004-3737-0000.dtb; sce_fw camera-rtcpu-sce.img; rce_fw camera-rtcpu-t234-rce.img; ape_fw adsp-fw.bin; spe_fw spe_t234.bin; tos tos-optee_t234.img; eks eks_t234.img"  --sdram_config tegra234-p3701-0000-sdram-l4t.dts  --secondary_gpt_backup  --bct_backup  --boot_chain A

Platform: AGX Orin
BSP: # R35 (release), REVISION: 3.1, GCID: 32827747, BOARD: t186ref

dmesg_2024-08-11_23-49-49.txt (2.2 MB)

hello future.wang,

could you please try running with the flash script instead of tegraflash.py?
$ sudo ./flash.sh -r jetson-agx-orin-devkit mmcblk0p1

Hi Jerry,

The problem still exists; the log is attached.
err.log (556.6 KB)

hello future.wang,

may I double confirm which register you’re trying to access?

Hi Jerry,

No specific registers are accessed.
The reason for this problem is that the following trace is enabled, and then the camera image is obtained using the v4l2 standard API.

This problem will not occur if trace is not enabled!

echo 1 > /sys/kernel/debug/tracing/tracing_on
echo 30720 > /sys/kernel/debug/tracing/buffer_size_kb
echo 1 > /sys/kernel/debug/tracing/events/tegra_rtcpu/enable
echo 1 > /sys/kernel/debug/tracing/events/freertos/enable
echo 2 > /sys/kernel/debug/camrtc/log-level
echo 1 > /sys/kernel/debug/tracing/events/camera_common/enable

Specific recurrence path:

  1. Enable the trace mentioned above
  2. Pull the camera video stream
  3. Reboot the system

The problem occurs after the reboot command is executed.

hello future.wang,

actually, you don’t need to configure OEM firewall to enable VI tracing logs.
here’re steps to check tracing logs.

echo 1 > /sys/kernel/debug/tracing/tracing_on
echo 30720 > /sys/kernel/debug/tracing/buffer_size_kb
echo 1 > /sys/kernel/debug/tracing/events/tegra_rtcpu/enable
echo 1 > /sys/kernel/debug/tracing/events/freertos/enable
echo 2 > /sys/kernel/debug/camrtc/log-level
echo > /sys/kernel/debug/tracing/trace
cat /sys/kernel/debug/tracing/trace

Hi Jerry,

Maybe there is a misunderstanding.
It is not necessary to configure the firewall before enabling trace, but turning on trace will trigger the firewall to report an error.

The current problem is: I need to capture trace, but after enabling trace, it triggers the firewall to report an error. How to solve it?

hello future.wang,

that’s incorrect. we have never seen OEM firewall by enabling trace.
may I double confirm your Jetpack release version, please examine with… $ cat /etc/nv_tegra_release

R35 (release), REVISION: 3.1, GCID: 32827747, BOARD: t186ref, EABI: aarch64, DATE: Sun Mar 19 15:19:21 UTC 2023