Jetson 35.5.0 image based OTA with UEFI secure boot enabled

I found there was a new note in the jetson 35.5.0 doc that says “OTA upgrade is not supported on Jetson devices with UEFI secure boot enabled”, but I didn’t find any detail either in the OTA doc or in the secureboot doc. Why was that unsupported in jetson 35.5.0 but not before jetson 35.4.1, and what will happen if I do image based OTA following the update guide to update a UEFI secureboot enabled jetson 35.5.0 device?

Hi chai5419,

Yes, we don’t support image-based OTA with secureboot enabled since /boot/initrd and /boot/extlinux/extlinux.conf are both signed/encrypted.

Your update or boot may fail.

Thanks for the reply. I have 2 more questions:

  1. The tip doesn’t appear in the 35.4.1 doc. Does it mean OTA with UEFI secureboot enabled is supported in 35.4.1 and I can do this following the image based OTA doc?
  2. As I found in the doc that both initrd and extlinux.conf are signed in 35.4.1 and 35.5.0, does it mean that these files are not encrypted before 35.4.1 but encrypted after 35.5.0? Is it possible that I generate the OTA package with the same key encrypted initrd and extlinux.conf?

No, both releases do not support OTA with secureboot enabled.
Since we support OTA with disk-encryption enabled in R35.5.0, we also note the state for secureboot in the doc.

They are encrypted if you enable disk-encryption, no matter which release.
If you don’t enable disk-encryption, I think they are not encrypted.

Does it mean that if disk-encryption is not enabled, OTA with secureboot enabled is possible for jetson 35.4.1?

Correct.

Hi! What are my options for encrypted OTA updates in 35.5.0 and onwards?

Please add ROOTFS_ENC=1 when you are running l4t_generate_ota_package.sh to generate OTA package.
You may also add -i ekb.key in this command to specify your key file for disk-encryption.

Thanks! This worked for me, however I have a new issue outlined here: During OTA update: No space left on device
