Jetson won't boot after update TOS image


I’m testing the OP-TEE feature on JetPack 5.1. I’m following the instructions from atf_and_optee_README.txt but at the end it says:

Verifying the Image
To verify the image:
1. Replace the default TOS image file with the newly generated TOS
   image. The default TOS image file is located at:

2. Perform either of these tasks:
   - Flash the system as normal.
     This is useful for flashing a new system or replacing the
     entire operating system.
   - Re-flash the TOS image using these partition flash commands:
       sudo ./ -k secure-os <your_board_conf_file> mmcblk0p1
       sudo ./ -k secure-os jetson-xavier-nx-devkit mmcblk0p1

3. Copy all the files under ./optee/install/t<platform> to the target.

When I generate the TOS.img, I used the command that comes along with the instructions:

Generate the tos.img with the commands:
   ./ \
       --monitor ./atf_build/arm-trusted-firmware/build/tegra/t<platform>/release/bl31.bin \
       --os ./optee/build/t<platform>/core/tee-raw.bin \
       --dtb ./optee/tegra<platform>-optee.dtb \
       --tostype optee \

So I change the name of the tos.img for tos-optee_t194.img and move it to the bootloader.
Then I reflash the entire OS. And it won’t boot. It get stuck in the booting process showing some logs like:

failed to start nvpmodel
failed to start refresh fwupd
see systemctl status fwupd-refresh.system

Am I missing one step of the instructions here? Or there is an extra step that I’m not taking?


JDiego Delgado
Embedded SW Engineer at RidgeRun
Contact us:
Developers wiki:

hello jdiegodelgado,

it looks incorrect naming,
please refer to flash configuration file, i.e. TOSFILE="bootloader/tos_t194.img";
please update the TOS binary naming and please try again.


I renamed the file from tos.img to tos_t194.img, then moved it to the bootloader directory, and finally re-flashed the whole OS again. But I got the same result. It won’t boot.
Am I missing something?


hello jdiegodelgado,

could you please share your target flashing messages and also serial logs for system boot-up.


Thanks for your support. I enabled the serial communication by using minicom. Please find the logs attached to this post.

Strange thing is that I could configure the platform by using the serial port. Before that I was using the GUI option to try to configure the platform (select language, region, user name, password, etc, etc) but it got stuck in the boot logs every time.
Now it seems that I could to it but using the serial console.

minicom.cap (91.0 KB)

Now I have some doubts about OP-TEE. How can I check that the new TOS image was flashed? I added the “hello world” trust app from this link: GitHub - linaro-swg/optee_examples: OP-TEE Sample Applications to Linux_for_Tegra/source/public/nvidia-jetson-optee-source/optee/samples and modified the Makefiles to build it.
How can I know that this worked? How can I see this “hello world”?

Also, what these logs mean? Should I be worried for them?

[  262.288465] loop: disagrees about version of symbol module_layout
[  273.908896] zram: disagrees about version of symbol module_layout
[  275.073970] mtd: disagrees about version of symbol module_layout
[  275.379002] fuse: disagrees about version of symbol module_layout
[  597.928165] fuse: disagrees about version of symbol module_layout



Another doubt, in the atf_and_optee_README.txt instructions, after f;ashing the board, there’s a step that says:

Copy all the files under ./optee/install/t<platform> to the target.

Which location could be a good place to put these files within the platform?


hello jdiegodelgado,

it looks it’s stuck here for waiting system configuration.

[   32.806104] Please complete system configuration setup on the serial port provided by Jetson's USB device mode connection. e.g. /dev/ttyUSBx where x can 0, 1, 2 etc.

you may refer to Skipping oem-config.
could you please try running below $OUT/Linux_for_Tegra/tools/ to creates a default user accounts for testing.


I tested skipping the oem-config by running the /Linux_for_Tegra/tools/ It seems to work fine (please see the logs attached below).

But some logs called my attention, for instance this one:

E/TC:0 0 jetson_user_key_pta_init:700 jetson_user_key_pta_init: Failed (f0100006).

Why does jetson_user_key_pta_init failed? How do I know that the new Trusted OS is working properly?

minicom.cap (83.6 KB)

Also, I noticed that inside the Linux_for_Tegra/bootloader/ path, originally you find two symlink files:

  • tos_t194.img
  • tos_t234.img

They look like this: tos_t234.img -> tos-optee_t234.img.
When I created my new tos.img, should I renamed it for tos_t194.img, move it to the Linux_for_Tegra/bootloader/ path, and then made it a symlink that points to tos-optee_t194.img?


Hi @JerryChang ,

Can you please provide guidance on this doubt?


hello jdiegodelgado,

yes, for running, you should given different TOS image names for different platforms.
you may see-also flash configuration file.
Orin series, TOSFILE="bootloader/tos_t234.img";
Xavier series, TOSFILE="bootloader/tos_t194.img";

you may looking bootloader logs.
there’ll be BL31 and also OP-TEE version and built times. it shall be match your host machine build time after your TOS image has updated.

had you flash user_key which is specified in the eks.img.
there’s EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key, and another one is the LUKS key for disk encryption support.
it’s boot-up process to derive keys from SE keyslots. this is error reported if there’s no keys available.

@JerryChang ,

Thanks again for your support. I was able to fixed the jetson_user_key_pta_init failed by generating the EKB key.
Now my question would be regarding the step 3 of the atf_and_optee_README.txt, precisely on the Generating the tos.img with ATF and OP-TEE images section, which says:

3. Copy all the files under ./optee/install/t<platform> to the target.
Now my next question is about the "helloworld ta" that I added to the OP-TEE sou

Where exactly should I copy these files within the Jetson Xavier AGX platform?