I am attempting to enable UEFI secureboot on a custom Orin NX-based board. After programming my images, instead of booting up L4tLauncher, it’s dropping into the UEFI shell. The device boots off of QSPI, with the subsequent images in NVME. I have no fuses programmed.
Using the debug version of the UEFI firmware, when I attempt to flash the board over USB, an error appears on the console:
Process SysPrep0000 (Enroll Default Keys App) ...
add-symbol-file /home/steve/nvidia-uefi-35.3.1/Build/Jetson/DEBUG_GCC5/AARCH64/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp/DEBUG/EnrollFromDefaultKeysApp.dll 0x3F75D8000
Loading driver at 0x003F75D7000 EntryPoint=0x003F75DBD98 EnrollFromDefaultKeysApp.efi
EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: Security Violation
During the subsequent boot, I see:
Jetson UEFI firmware (version r35.3.1-d0c8c1ad built on 2024-02-07T18:10:28-05:00)
ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
**********************************
** WARNING: Test Key is used. **
**********************************
** WARNING: Test Key is used. **
add-symbol-file /home/steve/nvidia-uefi-35.3.1/Build/Jetson/DEBUG_GCC5/AARCH64/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp/DEBUG/EnrollFromDefaultKeysApp.dll 0x428DD8000
Loading driver at 0x00428DD7000 EntryPoint=0x00428DDBD98 EnrollFromDefaultKeysApp.efi
EnrollFromDefaultKeysApp: Skipped - USER_MODE
It attempts to boot off of NVME:
[Bds]Booting UEFI WD IX SN530 SDBPNPZ-512G-XI 21081L800049 1
But then moves on to a network boot:
[Bds]Booting UEFI HTTPv4 (MAC:48B02DF7AEFD)
Eventually it gives up on this and drops out to the UEFI shell.
My guess is that the inability to enroll the keys is leading to it deciding the images are not properly signed and therefore not booting them. Assuming that’s correct…
What can cause the security violation?
Another posting indicated that there need to be non-zero keys in the EKS image. I have done that, following example.sh as described in the Disk Encryption secureboot documentation. However, the information regarding UEFI in example.sh is not clear. While UEFI uses OpenSSL-generated RSA keys (PK, KEK, DB), example.sh indicates that the files uefi_pub.key and uefi_enc.key should be created with simple hex strings.
How do the RSA UEFI keys passed via --uefi-keys and put into UefiDefaultSecurityKeys.dtbo relate to the uefi key files put into eks_t234.img by gen_ekb.py?
I’m building the image using:
sudo BOARDID=$BOARDID BOARDSKU=$BOARDSKU FAB=$BOARDFAB \
EXTOPTIONS="--uefi-keys uefi_keys/uefi_keys.conf" \
./tools/kernel_flash/l4t_initrd_flash.sh \
--no-flash \
-c flash_t234_custom_nvme.xml \
-p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml --uefi-keys uefi_keys/uefi_keys.conf" \
-S 470GiB \
--external-device nvme0n1p1 \
--network usb0 \
--showlogs \
jetson-orin-nx-custom external
and I’m programming the board with:
sudo BOARDID=$BOARDID BOARDSKU=$BOARDSKU FAB=$BOARDFAB \
EXTOPTIONS="--uefi-keys $UEFI_KEY_DIR/uefi_keys.conf" \
./tools/kernel_flash/l4t_initrd_flash.sh \
--flash-only \
-c flash_t234_custom_nvme.xml \
-p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml --uefi-keys uefi_keys/uefi_keys.conf" \
-S 470GiB \
--external-device nvme0n1p1 \
--network usb0 \
--showlogs \
jetson-orin-nx-custom external
Thanks,
Steve
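The PK, KEK and db material that `--uefi-keys` packs into UefiDefaultSecurityKeys.dtbo is carried as EFI_SIGNATURE_LIST (ESL) blobs, so the first thing worth checking when enrollment fails is whether those blobs are well-formed and actually contain a certificate. The following is an added example, not code from the post or from NVIDIA's tooling: a small ESL builder and parser in Python that walks a concatenated ESL file, validates its length fields, and reports the signature type, owner GUID and SHA-256 fingerprint of each entry. The two signature-type GUIDs are the values defined in the UEFI specification; the owner GUID and the certificate payload used in the demo are constructed placeholders, not real keys.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (section "Signature Database").
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
HEADER = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def fingerprint(data):
    """SHA-256 hex digest of a signature payload (e.g. a DER certificate)."""
    return hashlib.sha256(data).hexdigest()


def build_esl(sig_type, owner, payloads):
    """Construct one EFI_SIGNATURE_LIST holding the given equally sized payloads."""
    if not payloads:
        raise ValueError("an ESL must carry at least one signature")
    size = len(payloads[0])
    if any(len(p) != size for p in payloads):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = OWNER_GUID_LEN + size
    list_size = HEADER.size + sig_size * len(payloads)
    out = HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


def parse_esl(blob):
    """Parse zero or more concatenated EFI_SIGNATURE_LISTs.

    Returns one dict per signature entry. Raises ValueError on any
    inconsistency in the length fields, which is what a truncated or
    hand-edited key file typically produces.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated ESL header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize too small at offset %d" % off)
        body = blob[off + HEADER.size + hdr_size: off + list_size]
        if not body or len(body) % sig_size:
            raise ValueError("signature area not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_GUID_LEN])
            data = body[i + OWNER_GUID_LEN:i + sig_size]
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "size": len(data),
                "sha256": fingerprint(data),
            })
        off += list_size
    return entries


def is_valid_esl(blob):
    """True if the blob parses and contains at least one signature entry."""
    try:
        return len(parse_esl(blob)) > 0
    except ValueError:
        return False


# Constructed demo data: a placeholder owner GUID and a fake "certificate".
DEMO_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
DEMO_CERT = bytes(range(64))  # stands in for a DER-encoded X.509 certificate

if __name__ == "__main__":
    esl = build_esl(EFI_CERT_X509_GUID, DEMO_OWNER, [DEMO_CERT])
    for e in parse_esl(esl):
        print(e["type"], e["owner"], e["size"], e["sha256"])
    print("empty file valid:", is_valid_esl(b""))
    print("truncated file valid:", is_valid_esl(esl[:-1]))
```

To use it on a real key set, read each `.esl` referenced by uefi_keys.conf with `open(path, "rb").read()` and pass the bytes to `parse_esl`; an empty list or a ValueError means the file the build consumed is not a usable signature database, and the fingerprints let you confirm the enrolled certificate matches the one you signed your images with.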