After enabling UEFI Secure Boot, I’m unable to use the sudo command. I’m getting the following error:
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
I’ve attached the UART logs for reference.
UEFI_UART_log.txt (77.1 KB)
Hello Techgeek,
It doesn't look correct; may I know your steps in detail for image flashing to enable UEFI Secure Boot?
Below are the steps to enable UEFI Secure Boot during the flashing process,
Generate RSA key pairs, certificates, and EFI signature list files
openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 365 -subj "/CN=my Platform Key/" -out PK.crt
cert-to-efi-sig-list -g "${GUID}" PK.crt PK.esl
Generate the KEK RSA key and certificate:
openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 365 -subj "/CN=my Key Exchange Key/" -out KEK.crt
cert-to-efi-sig-list -g "${GUID}" KEK.crt KEK.esl
Generate the db_1 RSA key and certificate.
openssl req -newkey rsa:2048 -nodes -keyout db_1.key -new -x509 -sha256 -days 365 -subj "/CN=my Signature Database key/" -out db_1.crt
cert-to-efi-sig-list -g "${GUID}" db_1.crt db_1.esl
Generate the db_2 RSA key and certificate.
openssl req -newkey rsa:2048 -nodes -keyout db_2.key -new -x509 -sha256 -days 365 -subj "/CN=my another Signature Database key/" -out db_2.crt
cert-to-efi-sig-list -g "${GUID}" db_2.crt db_2.esl
Create the UEFI Keys Config File
UEFI_DB_1_KEY_FILE="db_1.key"; # UEFI payload signing key
UEFI_DB_1_CERT_FILE="db_1.crt"; # UEFI payload signing key certificate
UEFI_DEFAULT_PK_ESL="PK.esl"
UEFI_DEFAULT_KEK_ESL_0="KEK.esl"
UEFI_DEFAULT_DB_ESL_0="db_1.esl"
UEFI_DEFAULT_DB_ESL_1="db_2.esl"
Generate the UEFI Secure Boot DTBO
sudo tools/gen_uefi_keys_dts.sh uefi_keys/uefi_keys.conf
Flash the board with the --uefi-keys option
sudo ./flash.sh -u rsa3k-0.pem -v SBK.key --uefi-keys UEFI_KEYS/uefi_keys.conf jetson-orin-nano-devkit-nvme internal
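As an added example (not part of the post above and not NVIDIA's tooling), here is a small standard-library Python parser for the EFI_SIGNATURE_LIST format that cert-to-efi-sig-list writes into PK.esl, KEK.esl, db_1.esl and db_2.esl. It lets you confirm, before the files go into uefi_keys.conf, that each list carries the X.509 signature type and the owner GUID you passed with -g "${GUID}". The owner GUID and DER bytes in the block are constructed placeholders, not a real key owner or a real certificate; the function names are this example's own.

```python
# Added example (not from the forum post or NVIDIA's tools): build and inspect
# EFI_SIGNATURE_LIST (.esl) blobs of the kind cert-to-efi-sig-list emits for
# PK/KEK/db, so the files referenced from uefi_keys.conf can be sanity-checked.
import struct
import uuid

# Signature type GUID for X.509 certificates (UEFI spec EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID, 16 bytes) followed by
# SignatureListSize, SignatureHeaderSize, SignatureSize (little-endian UINT32).
_LIST_HDR = struct.Struct("<III")
_LIST_HDR_LEN = 16 + _LIST_HDR.size  # 28 bytes

# Constructed sample inputs: placeholder owner GUID and DER-looking bytes,
# not a real certificate. Replace with uuid.UUID(GUID) and a real .crt's DER.
SAMPLE_OWNER = uuid.UUID("0f4a1b2c-3d4e-5f60-7182-93a4b5c6d7e8")
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def build_x509_esl(owner_guid: uuid.UUID, der_cert: bytes) -> bytes:
    """Wrap one DER certificate in a signature list, as `cert-to-efi-sig-list -g <guid>` does."""
    signature_size = 16 + len(der_cert)         # EFI_SIGNATURE_DATA = SignatureOwner + SignatureData
    list_size = _LIST_HDR_LEN + signature_size  # X.509 lists carry no SignatureHeader
    return (EFI_CERT_X509_GUID.bytes_le
            + _LIST_HDR.pack(list_size, 0, signature_size)
            + owner_guid.bytes_le                # EFI_GUID is little-endian mixed-endian, so bytes_le
            + der_cert)


def parse_esl(blob: bytes):
    """Return [(signature_type, owner_guid, data), ...]; one .esl may concatenate several lists."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off + 16)
        if list_size < _LIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + _LIST_HDR_LEN + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"body of {len(body)} bytes is not a multiple of SignatureSize {sig_size}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def check_x509_esl(blob: bytes, expected_owner: uuid.UUID) -> bool:
    """True if every entry is an X.509 entry owned by expected_owner and its data starts like DER (0x30 SEQUENCE)."""
    entries = parse_esl(blob)
    return bool(entries) and all(
        t == EFI_CERT_X509_GUID and o == expected_owner and d[:1] == b"\x30"
        for t, o, d in entries)


if __name__ == "__main__":
    esl = build_x509_esl(SAMPLE_OWNER, SAMPLE_DER)
    for sig_type, owner, data in parse_esl(esl):
        print(f"type={sig_type} owner={owner} data_len={len(data)}")
    print("owner/type check:", check_x509_esl(esl, SAMPLE_OWNER))
```

On a real tree, `check_x509_esl(open("db_1.esl", "rb").read(), uuid.UUID(GUID))` with the same GUID used for -g is the check to run for each .esl in uefi_keys.conf; a mismatch usually means a list was generated with a different ${GUID} than intended.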
Hello Techgeek,
It seems you're only flashing the internal storage; please also re-flash the external storage to enable UEFI Secure Boot.
You may refer to the steps in $OUT/Linux_for_Tegra/tools/README_uefi_secureboot.txt
or, here's a sample flash command for your reference:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -u <pkc_keyfile> [-v <sbk_keyfile>] --uefi-keys uefi_keys/uefi_keys.conf -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit nvme0n1p1
BTW, please also check the developer guide, Environment Variables, and also the commands to untar the files and assemble the rootfs.