but on boot, I get the following after which it reboots into the EFI shell
etson UEFI firmware (version 5.0-35550185 built on 2024-02-20T04:21:22+00:00)
ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
** WARNING: Test Key is used. **
......
��I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
��L4TLauncher: Attempting Direct Boot
��E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
��OpenAndReadFileToBuffer: \boot\initrd failed signature verification: Security Vi
olation
ExtLinuxBoot:sds Failed to Authenticate \boot\initrd (Security Violation)
L4TLauncher: Unable to boot via extlinux: Security Violation
L4TLauncher: Attempting Kernel Boot
��E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
��ReadEncryptedImage: Failed to read data from partition
OpteeDecryptImage: Failed to read data
ReadAndroidStyleKernelPartition: OpteeDecryptImage failed
Failed to boot kernel:0 partition
����Shutdown state requested 1
Rebooting system ...
I can flash it for uefi secureboot or disk encruption but not combined
for generetating keys for encryption i did ran the following
# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key
# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194
# Generate user-defined symmetric key files
# For each key, uncomment the random generate key and comment out the next line for production
openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# echo "00000000000000000000000000000000" > sym_t194.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
# echo "00000000000000000000000000000000" > sym2_t194.key
openssl rand -rand /dev/urandom -hex 16 > auth_t194.key
# echo "00000000000000000000000000000000" > auth_t194.key
python3 ../gen_ekb.py -chip t194 -kek2_key kek2.key \
-fv fv_ekb_t194 \
-in_sym_key sym_t194.key \
-in_sym_key2 sym2_t194.key \
-in_auth_key auth_t194.key \
-out eks_t194.img
after which I copyed the eks_t194.img to the Linux_for_Tegra/bootloader/
and copyed sym2_t194.key to Linux_for_Tegra/
for creating the keys for uefi I ran the following commands from the Linux_for_Tegra folder
let’s narrow down the issue,
please check you’re able to boot up with disk encryption only (i.e. ROOTFS_ENC=1)
according to r35.6.0 release node,
please moving to the latest JP-5 release version if that’s booting failure with UEFI secureboot.
re-cap the fixed issue as below…
Issue-4554302: Boot issue in UEFI variable authentication.
I could boot it with encryption in Jetson 35.6/jetpack 5.1.4
my steps
generate ekb using gen_ekb.py from optee(git://nv-tegra.nvidia.com/tegra/optee-src/nv-optee.git) on tag jetson_35.6 using the following script
#!/bin/bash
# Copyright (c) 2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause
# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key
# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194
# Generate user-defined symmetric key files
# A random generate key is recommended for production, and a specified key is recommended for testing
# For each key, there are reference examples for generating random key and specifying keys.
openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# echo "00000000000000000000000000000000" > sym_t194.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
# echo "00000000000000000000000000000000" > sym2_t194.key
openssl rand -rand /dev/urandom -hex 16 > auth_t194.key
# echo "00000000000000000000000000000000" > auth_t194.key
python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
-fv fv_ekb_t194 \
-in_sym_key sym_t194.key \
-in_sym_key2 sym2_t194.key \
-in_auth_key auth_t194.key \
-out eks_t194.img
copy eks_t194.img to Linux_for_Tegra/bootloader/
copy sym2_t194.key to Linux_for_Tegra/
flash using the following command
sudo ROOTFS_ENC=1 ./flash.sh -i "./sym2_t194.key" jetson-xavier-nx-devkit mmcblk0p1 | tee ../flashing_script.log
Are you using Xavier NX with SD module or eMMC module?
It seems like eMMC module in original post (jetson-xavier-nx-devkit-emmc).
Why you specify jetson-xavier-nx-devkit currently which is used for SD module?
I started using the EMMC module, I have changed to the SD card module as it made more sense for something else I was doing. Does it make a difference if I am using the SD card module or the EMMC?
I used the same EKS image for the UEFI flash as I did for the enc flash
Could you also perform this when you are verifying to enable UEFI secureboot?
And check if you would still hit the following errors during boot up.
ÿäE/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0006
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
E/TA: decrypt_image:99 TEE_InvokeTACommand failed with res = 0xffff0007
i regenerated the eks image with the same keys exipts i removed the -in_sym_key sym_t194.key \ as requsted
this time it booted stating secureboot in able.
what is the sym key used for?
sym_t194.key is UEFI payload encryption key.
If the EKS contains the UEFI payload encryption key and UEFI secure boot is enabled, L4TLauncher will assume that UEFI payload encryption is enabled and will attempt to decrypt the UEFI payloads.
We will remove this key in default eks image in next JP5.x release.