Orin crashes during boot in Jetpack 6.0 if optee/atf/tof image is rebuild (with custom FV key)

bj25 · October 14, 2024, 2:29pm

Hello,

I migrated from Linux for Tegra 35.5 (Jetpack 5) to Linux for Tegra 36.3 (Jetpack 6). I use an encrypted disk with custom keys. E.g. a custom FV key. To use a custom FV key optee the fv key in the file source/public/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c has to be changed to the custom one and OpTee has to be rebuild in many steps to finally output a tos.img. This file then has to be copied to bootloader/tos-optee_t234.img and flashed. It even crashes if just OpTee is rebuild and the default FV key is used.

Everything worked in Tegra 35.5 (Jetpack 5). But it crashes during boot in Linux for Tegra 36.3 (Jetpack 6) with the same steps.

Software downloaded

Commands used

      export CROSS_COMPILE_AARCH64_PATH="${PWD}/toolchain"
      export UEFI_STMM_PATH="${PWD}/bootloader/standalonemm_optee_t234.bin"
      echo "CROSS_COMPILE_AARCH64_PATH=${CROSS_COMPILE_AARCH64_PATH}"
      echo "UEFI_STMM_PATH=${UEFI_STMM_PATH}"
      sudo -E ./source/public/optee_src_build.sh -p t234

      export CROSS_COMPILE_AARCH64_PATH="${PWD}/toolchain"
      export CROSS_COMPILE_AARCH64="${CROSS_COMPILE_AARCH64_PATH}/bin/aarch64-buildroot-linux-gnu-"
      echo "CROSS_COMPILE_AARCH64_PATH=${CROSS_COMPILE_AARCH64_PATH}"
      echo "CROSS_COMPILE_AARCH64=${CROSS_COMPILE_AARCH64}"
      cd source/public
      sudo dtc -I dts -O dtb -o ./optee/tegra234-optee.dtb ./optee/tegra234-optee.dts

      export CROSS_COMPILE_AARCH64_PATH="${PWD}/toolchain"
      export CROSS_COMPILE_AARCH64="${CROSS_COMPILE_AARCH64_PATH}/bin/aarch64-buildroot-linux-gnu-"
      echo "CROSS_COMPILE_AARCH64_PATH=${CROSS_COMPILE_AARCH64_PATH}"
      echo "CROSS_COMPILE_AARCH64=${CROSS_COMPILE_AARCH64}"
      cd source/public/arm-trusted-firmware
      sudo -E make BUILD_BASE=./build CROSS_COMPILE="${CROSS_COMPILE_AARCH64}" DEBUG=0 LOG_LEVEL=20 PLAT=tegra SPD=opteed TARGET_SOC=t234 V=0

      sudo ./nv_tegra/tos-scripts/gen_tos_part_img.py --monitor ./source/public/arm-trusted-firmware/build/tegra/t234/release/bl31.bin \
       --os ./source/public/optee/build/t234/core/tee-raw.bin \
       --dtb ./source/public/optee/tegra234-optee.dtb \
       --tostype optee \
       ./nv_tegra/tos-scripts/tos.img

cp ./nv_tegra/tos-scripts/tos.img ./bootloader/tos-optee_t234.img

Error output

--> will be added soon

This worked in Jetpack 5 and crashes in Jetpack 6.

Best regards

carolyuu · October 14, 2024, 2:30pm

Hi,
Please check the quick start in developer guide and make sure you follow the steps one by one:
https://docs.nvidia.com/jetson/archives/r36.3/DeveloperGuide/IN/QuickStart.html
If the device still cannot be flashed/booted, please refer to the page to get uart log from the device:
https://elinux.org/Jetson/General_debug
If you are using custom board, you can compare uart log of developer kit and custom board to get more information.

Thanks!

JerryChang · October 15, 2024, 6:15am

hello bj25,

had you also update below FV vector to rebuilt op-tee binaries?
for instance,
r36.3/Linux_for_Tegra/source/atf_and_optee/optee/optee_os/core/pta/tegra/jetson_user_key_pta.c

/*
 * Random fixed vector for EKB.
 *
 * Note: This vector MUST match the 'fv' vector used for EKB binary
 * generation process.
 * ba d6 6e b4 48 49 83 68 4b 99 2f e5 4a 64 8b b8
 */
static uint8_t fv_for_ekb[] = {
        0xba, 0xd6, 0x6e, 0xb4, 0x48, 0x49, 0x83, 0x68,
        0x4b, 0x99, 0x2f, 0xe5, 0x4a, 0x64, 0x8b, 0xb8,
};

bj25 · October 15, 2024, 5:07pm

Yes, it crashes whether I update it or not.

Note that the in Jetpack 5 (not 6):

if it is updated (same change): it boots successfully with recompiled optee.
if it is not updated: it does throws an error with the wrong key and does not just crash

JerryChang · October 16, 2024, 3:18am

hello bj25,

could you please try with below by running script files to build the ATF and OP-TEE sources.
for instance,
$ ./nv_public_src_build.sh -p t234
$ ./nv_public_src_build_tos.sh -p t234 -u $OUT/Linux_for_Tegra/bootloader/standalonemm_optee_t234.bin -s $OUT/Linux_for_Tegra/nv_tegra/tos-scripts/gen_tos_part_img.py

system · November 6, 2024, 6:49am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Jetson Orin 32G / Devkit board / TOS / Unhandled Exception from EL1 Jetson AGX Orin security	9	28	January 24, 2025
Orin nx disk encryption, the device cannot boot normally Jetson Orin NX security	12	80	August 29, 2024
Op-Tee related question Jetson AGX Orin security , nvbugs	18	1749	January 11, 2024
Initialize OP-TEE with modified fixed vector Jetson AGX Orin security	6	1008	August 24, 2023
About NVIDIA Jetson Linux (L4T) OP-TEE Package Jetson Orin Nano security	14	89	January 13, 2025
How to sign a customized kernel with JetPack 5.0 Developer Preview? Jetson AGX Orin kernel	3	783	May 6, 2022
Boot Failure When Op-Tee is Disabled Jetson Orin Nano boot , security	6	122	December 14, 2024
Orin boot error Jetson AGX Orin boot	13	63	May 12, 2025
Unable to install jetpack 6.1 using SDK Jetson Orin NX jetpack	6	402	October 24, 2024
Can't boot orin nx after flashing custom Kernel Jetson Orin NX boot , reflash , kernel	14	894	January 30, 2024

Orin crashes during boot in Jetpack 6.0 if optee/atf/tof image is rebuild (with custom FV key)

Related topics