JetPack 5.1.3 - Boot error with all security enabled

Hi,

We tried flashing JetPack 5.1.3 on an Orin NX with all the security features, but on boot the device gave the following error on UART:

\xFF\xE4I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC:?? 00 jetson_user_key_pta_uefi_vars_auth:861 Auth key is not set in EKB.
E/TC:?? 00 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008

ASSERT [FvbNorFlashStandaloneMm] /dvs/git/dirty/git-master_linux/out/nvidia/optee.t234-uefi/StandaloneMmOptee_RELEASE/edk2-nvidia/Silicon/NVIDIA/Drivers/FvbNorFlashDxe/VarIntCheck.c(900): ((BOOLEAN)(0==1))
\xFF\xFF\xFF

We used the exact same commands that we used with 5.1.2 previously, and they worked without problems. All the key generations are done as in the documentation, and when flashing 5.1.2, the device booted properly.

Did anyone else encounter this problem? Does anyone know where the issue might be?

I encountered the same issue.
My Jetson Orin Nano still can’t boot up. I tried to reflash with SDK Manager and reburn the SD card, but neither helped.
Hope there is a solution.

hi all,

we’ve also reproduced this on the developer kit, let me arrange resources for investigation.

Hi, I get the same error after updating the Jetson_Xavier_NX_QSPI_35.1.tbz2 from a running jetson-nx-jp461-sd-card-image. I could not correct this error with a new jetson-nx image with SD card only. Maybe there is a way with JTAG, but I didn’t know how.
I get the message:
Ubuntu 20.04.6 LTS linux ttyTCU0

linux login: [ 1072.821436] Trying to unregister non-registered hwtime source
[ 1076.307582] nvgpu: 17000000.gv11b nvgpu_timeout_expired_msg_cpu:94 [ERR] Timeout detected @ gp10b_gr_init_wait_empty+0x168/0x2a0 [nvgpu]
After that the board may be damaged:
0003.453] W> No board IDs available
[0003.456] E> Failed to get board id info!
[0003.460] E> Failed: Unknown device 6
[0003.468] I> Found 41 partitions in QSPI_FLASH (instance 0)
And then I could not recover from ASSERT [FvbNorFlashStandaloneMm]

hi all,

it’s because the UEFI variable protection feature is always enabled. You should provide the UEFI variable authentication key in the EKS image, otherwise UEFI will block the booting.

please follow the steps below.

  1. Please visit the jetson-linux-r3550 page to access the [Driver Package (BSP) Sources] package.
  2. Please extract the op-tee tarball and enter optee/samples/hwkey-agent/host/tool/gen_ekb
  3. If you have OEM_K1 burned, please modify the script example.sh and replace the test OEM_K1 with your custom key.
  4. The example.sh contains a default UEFI variables authentication key (i.e. auth_t234.key). BTW, it is recommended that users use a randomly generated auth_t234.key.
  5. Execute the script example.sh, and you’ll have a new EKS image, eks_t234.img.
  6. Please update the EKS image accordingly, and re-flash the target. You may also see Topic 270934 for steps to update the EKS image.
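
A small triage helper for the diagnosis above, added here as an example (it is not part of the thread and not NVIDIA's code): it scans a raw UART capture for the OP-TEE and StandaloneMm messages quoted in this thread and separates the missing-auth-key case from an ASSERT that appears without it. The function name, verdict strings and the abbreviated sample logs are constructed for illustration.

```python
import re

# Signatures taken from the UART output quoted in this thread; the line numbers
# after the function names vary between builds, so they are matched loosely.
SIGNATURES = {
    "auth_key_missing": re.compile(
        rb"jetson_user_key_pta_uefi_vars_auth:\d+ Auth key is not set in EKB"),
    "cmac_failed": re.compile(
        rb"stmm_handle_variable_authentication:\d+ Failed to get signed CMAC"),
    "varstore_assert": re.compile(rb"ASSERT \[FvbNorFlashStandaloneMm\]"),
}

def classify_boot_log(raw: bytes) -> dict:
    """Classify a raw UART capture. Works on bytes so serial line noise
    (for example 0xFF 0xE4) cannot break decoding."""
    hits = {name: bool(rx.search(raw)) for name, rx in SIGNATURES.items()}
    if hits["auth_key_missing"]:
        verdict = "EKS image lacks the UEFI variable authentication key"
        action = "regenerate eks_t234.img with an auth key and re-flash"
    elif hits["varstore_assert"]:
        verdict = "variable-store ASSERT without the EKB auth-key error"
        action = "different failure; the EKS steps in this thread may not apply"
    else:
        verdict, action = "no known signature", "none"
    return {"hits": hits, "verdict": verdict, "action": action}

# Constructed samples, abbreviated from the logs posted in this thread.
SAMPLE_SECURE_BOOT = (
    b"\xff\xe4I/TC: Reserved shared memory is disabled\r\n"
    b"E/TC:?? 00 jetson_user_key_pta_uefi_vars_auth:861 Auth key is not set in EKB.\r\n"
    b"E/TC:?? 00 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008\r\n"
    b"ASSERT [FvbNorFlashStandaloneMm] VarIntCheck.c(900): ((BOOLEAN)(0==1))\r\n\xff\xff\xff"
)
SAMPLE_OTHER = (
    b"[0003.456] E> Failed to get board id info!\r\n"
    b"ASSERT [FvbNorFlashStandaloneMm]\r\n"
)

if __name__ == "__main__":
    for name, log in (("secure boot", SAMPLE_SECURE_BOOT), ("other", SAMPLE_OTHER)):
        result = classify_boot_log(log)
        print(f"{name}: {result['verdict']} -> {result['action']}")
```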

Hi Jerry,

I’ve a problem in understanding the support matrix for jetson xavier nx developer board. In my opinion the problem to flash with sdk manager jetpack 6 with ubuntu 22.04.4 LTS and flash back the ospi to former working state with ubuntu 18.x and jetson-nx-jp461-sd-card-image.zip. Maybe jetpack 6 does not support qspi for jp461 and so I reflect to use docker image for ubuntu 18.x - but I don’t know if it is possible with jetpack 4.6 or 5.02. Or is the problem not in QSPI partition /dev/mtd0 than in board EEPROM? I recognized that the board without SD card inserted goes to recovery state and then I could update with jetpack. The reason are the other warnings and errors during first booting JP513 image which I logged.

hello reckert,

that sounds like another failure combination instead of Jetson security, please submit a new discussion thread for follow-up.

I have created a new topic for FvbNorFlashStandaloneMm.c(868): ((BOOLEAN)(0==1 after flashing Jetson_Xavier_NX_QSPI_35

hi all,

please be aware we’re able to resolve this by re-generating a new EKS image.
you may also see comment #8 for the steps.