OEM authentication of kernel payload failed!

Why is there such an error
“backup kernel” can be booted
But after modifying DTS
replace /boot/Image to replace “primary kernel”
And run
./flash.sh -r -k kernel-dtb jetson-xavier mmcblk0p1

After rebooting, enter “primary kernel” to boot normally

But I encountered the following error when resuming the meeting after power failure
Resulting in the need to reboot to enter “backup kernel”
Replace /boot/Image again to boot from “primary kernel”

I> [1]: “primary kernel”
I> [2]: “backup kernel”
I> Enter choice:
I> Continuing with default option: 1
I> Loading kernel …
I> Loading kernel binary from rootfs …
I> rootfs path: /sdmmc_user/boot/Image
I> Loading kernel sig file from rootfs …
I> rootfs path: /sdmmc_user/boot/Image.sig
I> Validate kernel …
I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
E> digest on binary did not match!!
C> OEM authentication of kernel payload failed!
W> Failed to validate kernel binary from rootfs (err=1077936152, fail=0)
W> Security fuse not burned, ignore validation failure
I> restore load_size to 34879496

hello channinglan,

did you have sign/encryption of your kernel image? i.e. /boot/Image
may I also know which release you’re working with, did you compile the kernel image with the same public release package?

user@ubuntu:~$ cat /etc/nv_tegra_release

R32 (release), REVISION: 6.1, GCID: 27863751, BOARD: t186ref, EABI: aarch64, DATE: Mon Jul 26 19:36:31 UTC 2021

“backup kernel”
“primary kernel”
Use the same SDK, just change the DTS test

did you have sign/encryption of your kernel image? i.e. /boot/Image ???
How to check it ??

If I keep the power on, I can replace the boot/Image and then restart the soft boot, it can boot normally
But if you copy the original Image to Image.backup, after replacing the new Image and then power off… It will fail to boot… Only the original burned Image.backup can be selected to boot.

hello channinglan,

did you replace /boot/Image.sig as your customize kernel image?
that’s an incorrect process; when kernel developers developing their kernel, the best practice to workaround this issue is to delete Image.sig (assume that unfused board is used).
apparently, when kernel development is complete, a valid Image.sig must be generated and placed in /boot folder.