Orin NX corrupted Bootloader after applying Capsule

Hi,

I’m facing an issue with the Orin NX module. It happens when I use disk encryption with swupdate. After applying the capsule (I mean after reboot, when the bootloader loads the bar to complete the update), it gets corrupted and I get only:

ASSERT [FvbNorFlashStandaloneMm] /usr/src/debug/standalone-mm-optee-tegra/36.3.0/edk2-nvidia/Silicon/NVIDIA/Drivers/FvbNorFlashDxe/FvbNorFlashStandaloneMm.c(937): ((BOOLEAN)(0==1))

But it works fine when the disk is not encrypted. So is there any solution / workaround to solve this?

hello hussein5,

May I confirm all your steps in detail?
Besides, did you enable UEFI secureboot?

Nope, I don’t enable UEFI Secureboot now. I’ve enabled disk encryption and tried to update through swupdate. It updates successfully and then reboots and applies the Capsule. Then it gets completely corrupted. Here is a snippet.
edk2-ASSERT-debug.log (526.9 KB)

hello hussein5,

May I also confirm your commands to generate the bootloader and kernel payloads?
Besides, since it’s the EKS image that saves the disk encryption key, did you update your host with the latest image file before creating the payload?

I’m using Yocto right now and generated eks.img from Jetpack using:
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
    -in_sym_key sym_t234.key \
    -in_sym_key2 sym2_t234.key \
    -in_auth_key auth_t234.key \
    -out eks_t234.img

Then I placed the eks in my tegraflash folder, and it works fine when I’m using bootslot 0. Then I update using swupdate and reboot. After waiting for the UEFI update bar to load, I see the error I’m getting. I don’t think that the problem is in eks.img, as I’m generating it from the Jetpack 6 Python script.

hello hussein5,

May I also confirm the Jetpack release version you’re working with?
Besides, LUKS disk encryption is supported with a specific key. In the command line for running gen_ekb.py, sym2.key is equivalent to the disk encryption key.

Hello Jerry,

I’m working on Jetpack 6,
and my key is randomly generated through openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key

hello hussein5,

Please share your steps in detail, for example, how to repro this locally on an Orin NX developer kit.

Hello Jerry,

I untar a .tegraflash into a folder, then replace eks.img, and then burn using the ./initrd-flash script. The key is working fine, as it unlocks when I am on the first boot chain (0). And if I force a change of the bootchain using nvbootctrl, it also works fine. But when I apply the update, it fires the issue that you can see in the logs.

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
    -in_sym_key sym_t234.key \
    -in_sym_key2 sym2_t234.key \
    -in_auth_key auth_t234.key \
    -out eks_t234.img

tar -xvf argos-image-p3509-a02-p3767-0001.tegraflash.tar.gz -C temp/
cd temp/
rm eks.img
cp ~/ .
sudo ./initrd-flash

hello hussein5,

Since initrd_flash took the images under… $OUT/Linux_for_Tegra/tools/kernel_flash/images for flashing,
you may also see Topic 270934 for steps to update the EKS image.
