Jetson AGX Orin fTPM with OP-TEE: EKB Extraction and SSK Derivation Failure under Secure Boot

Hi,

I am trying to enable fTPM with OP-TEE on a Jetson AGX Orin 64GB, and I am getting the following error during EKB key derivation / extraction:

NOTICE: BL31: v2.8(release):l4t-r36.4.4
NOTICE: BL31: Built : 2025-06-16 15:14:01
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4.2 (gcc version 13.4.0 (GCC)) #1 Mon Jun 16 15:53:22 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) post op: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
M/TC: engine AES0 engine [AES/RNG](16) post op: SE0 err_status register 0x10f8 nonzero (value 0x80000000)
M/TC: SE abnormal cond, error info: 0x30040000
M/TC: HW error: d(0), e(0), ro(0x110), rv(0xb0040000), che(0x30), act(0x0)
M/TC: device SE0(0) post op: error_capture 0x30040000
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
E/TC:00 00 hwkey_derivation_process:452 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)
E/TC:00 00 ekb_extraction_process:404 Tried all EKB_RKs but still can’t extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:1154 jetson_user_key_pta_init: Failed (ffff000f).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x0016b620 failed
I/TC: Primary CPU switching to normal world boot

I am using secure boot with the fuses burned with the following values:

<genericfuse MagicId="0x45535546" version="1.0.0">

<fuse name="OdmId" size="8" value="0x0000000000000001"/>
<fuse name="OdmInfo" size="4" value="0x0001"/>
<fuse name="OptInEnable" size="4" value="0x1"/>
<fuse name="PublicKeyHash" size="64" value="******"/>
<fuse name="PkcPubkeyHash1" size="64" value="******"/>
<fuse name="PkcPubkeyHash2" size="64" value="******"/>
<fuse name="SecureBootKey" size="32" value="******"/>
<fuse name="Kdk0" size="32" value="******"/>
<fuse name="PscOdmStatic" size="4" value="0x00000060"/>
<fuse name="OemK1" size="32" value="******"/>
<fuse name="OemK2" size="32" value="******"/>
<fuse name="BootSecurityInfo" size="4" value="0x2be9"/>
<!-- -->
</genericfuse>

and used the odm_ekb_gen.py script to create the EKB.

What is the reason for this error? Is there a problem with how I flashed the fuses, or is it a problem with the creation of the EKB?

Any help with solving the issue will be greatly appreciated.

That seems to be a known issue. We're investigating it and will update the status once we get more results. Thanks

Hello arielz742,

FYI, we've tested that fTPM works with an Orin platform on JP-6.2/r36.4.3, which has PKC+SBK+OEM_K1+KDK fused.
Please see also Topic 353623 for the details.
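
For anyone gating a provisioning run on this boot log, here is an added example (not part of the original posts and not NVIDIA code) that pulls the `E/TC` error lines out of a captured UART log and reports the failure chain in order. The function names, result keys and the trimmed sample log are assumptions made for illustration; the sample lines are constructed from the log in the question.

```python
import re

# Constructed sample: a trimmed copy of lines from the boot log in the question.
SAMPLE_LOG = """\
I/TC: Primary CPU initializing
M/TC: AES crypto failed: -17
E/TC:00 00 se_aes_encrypt:35 se_aes_encrypt failed with: -17
I/TC: Derive EKB_RK from #1 fuse key failed, ignored.
E/TC:00 00 hwkey_derivation_process:452 hwkey_derivation_process: Failed to derive SSK root key (ffff0000)
E/TC:00 00 ekb_extraction_process:404 Tried all EKB_RKs but still can't extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:1154 jetson_user_key_pta_init: Failed (ffff000f).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x0016b620 failed
I/TC: Primary CPU switching to normal world boot
"""

# Error trace layout as it appears in this log: "E/TC:<id> <id> <func>:<line> <message>"
ERROR_LINE = re.compile(r"^E/TC:\S*\s+\S+\s+(?P<func>\w+):(?P<line>\d+)\s+(?P<msg>.*)$")
RESULT_CODE = re.compile(r"\(([0-9a-fA-F]{8})\)")  # e.g. "(ffff0000)"


def parse_errors(log_text):
    """Return one dict per E/TC line: function, source line, message, result code or None."""
    errors = []
    for raw in log_text.splitlines():
        m = ERROR_LINE.match(raw.strip())
        if not m:
            continue
        code = RESULT_CODE.search(m["msg"])
        errors.append({"func": m["func"], "line": int(m["line"]), "msg": m["msg"],
                       "code": code.group(1) if code else None})
    return errors


def triage(log_text):
    """Summarise the failure chain: distinct failing functions in first-seen order."""
    errors = parse_errors(log_text)
    chain = list(dict.fromkeys(e["func"] for e in errors))
    return {
        "ok": not errors,
        "first_failure": chain[0] if chain else None,
        "chain": chain,
        "ekb_extraction_failed": "ekb_extraction_process" in chain,
        "user_key_pta_failed": "jetson_user_key_pta_init" in chain,
    }
```

On the sample, the chain starts at `se_aes_encrypt`, which shows the EKB failure is downstream of the SE AES error rather than an independent fault.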
