OTA issue with the Orin Nano devkit

I ran into an OTA issue: the OTA process on the Orin Nano devkit (with PKC and SBK enabled) didn't even pass nv_ota_start.sh (log attached). Below is the relevant info:

  1. The Orin Nano devkit I am using has been burnt with PKC and SBK;
  2. The nvme of the devkit is running the R35-4 with PKC and SBK enabled;
  3. The command I used to generate ota payload package is
    sudo -E ./tools/ota_tools/version_upgrade/l4t_generate_ota_package.sh -u pkc.pem -v sbk.key --external-device nvme0n1 jetson-orin-nano-devkit R35-4

The command, nv_ota_start.sh, failed as follows (the complete log is attached):

Sha1 checksum for /tmp/recovery-dtb_alt_part.tmp (4a412d84552a04cc06f7ed1e414e7e23e93ed495 != 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c) does not match
recovery-dtb_alt needs to be erased
Current update state: err.
Enter error update state, exiting update process…
Failed to run “update_specified_partitions_alt recovery-dtb /ota_work/external_device/images-R35-ToT/tegra234-p3767-0003-p3768-0000-a0.dtb.rec /tmp/sha1sum.tmp”
Failed to run “install_partition_with_alt /ota_work/external_device/images-R35-ToT recovery-dtb”
Failed to run “update_partition_with_alt /ota_work recovery-dtb”
Failed to run “update_misc_partitions /ota_work”

Is there anything I did wrong or missed for OTA? BTW, I have another Orin Nano devkit but without PKC or SBK burnt, and the OTA on it succeeds. Please let me know if any more info is needed. Thank you very much!

ota_20231017-193843.log (5.5 KB)

Hi jzhang111,

What’s the BASE and TARGET release in your case for Orin Nano devkit?

Could you also share the log when you generate the OTA package?

Hi KevinFFF,

Both BASE and TARGET are the same version, R35.4.1. I didn’t find an existing log file for package generation like for nv_ota_start.sh, so I just redirected the console output of package generation to a file, otaPlPkgGen.log, as attached.

I am not sure if it is worth mentioning, but I have observed that if the devkit is running R35.4.1 with all the secure boot features enabled, including PKC, SBK, UEFI payload authentication, and UEFI payload encryption, the OTA process with the same package (generated with the -u and -v options) can pass nv_ota_start.sh, i.e. nv_ota_start.sh finishes, but it still fails at the next reboot because it cannot reboot into the recovery image.
otaPlPkgGen.log (673.6 KB)

Thank you for the prompt reply. Please let me know if any more info is needed!

Are you using a fused device?

Do you use the same pkc.pem and sbk.key for the board and the OTA package?

You have to use the same key for the fused device with OTA update.
It seems you could run nv_ota_start.sh.
Please share the OTA update log after you run reboot command to trigger update.

Hi @KevinFFF ,

Yes, the devkit has been fused with PKC, SBK, and OemK1.
Yes, I have used the same keys for the devkit and the OTA package.
I have resolved the issue where nv_ota_start.sh failed at “Current update state: err.”. This is because somehow my devkit’s current recovery dtb image and recovery dtb alt image are the same, and also the same as the new recovery dtb image, which is an invalid combination for check_update_state() in nv_ota_update_alt_part.func. As Line#245 of nv_ota_update_alt_part.func shows, if the current recovery dtb image is already “new” and the current recovery dtb alt image is not “erased” yet, then the current recovery dtb alt image must be “old”, which will return “S3” to erase the alt image. Otherwise, it is taken as an invalid state. I relaxed this check by removing the check of the “newness” of the alt image, that is, it enters “S3” as long as the current recovery dtb image is new and the current recovery dtb alt image is not erased yet. After the modification, nv_ota_start.sh is able to finish, and the reboot is also successful. As for why my devkit has such a weird combination, it may be because, as practice, my devkit switches between basic secure boot (PKC and SBK) and UEFI secure boot (UEFI payload authentication and encryption) for OTA tries.

Two follow-up questions I have for OTA with Orin Nano are:

  1. Does the current OTA process support UEFI secure boot (UEFI payload authentication and encryption)?
  2. Does the current OTA process support disk encryption?

If so, where can I find instructions? Thank you very much!
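
The state check described in the post above, as an added example that is not part of the original post and is not NVIDIA's nv_ota_update_alt_part.func: it labels a primary and an alt partition dump by SHA-1 and reports whether the pair falls into the "S3" branch under the strict rule or the relaxed rule. The function names `image_label` and `alt_state`, the rule that an erased dump is all zero bytes, and the sample files are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example; not NVIDIA's nv_ota_update_alt_part.func.
# Assumption: an "erased" partition dump contains only zero bytes.

# Label one partition dump as new, old, erased or unknown.
image_label() {  # args: dump, sha1 of new image, sha1 of old image
    if [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]; then
        echo erased; return
    fi
    sum=$(sha1sum "$1" | cut -d' ' -f1)
    if [ "$sum" = "$2" ]; then echo new
    elif [ "$sum" = "$3" ]; then echo old
    else echo unknown
    fi
}

# Decide the branch described in the post for a primary/alt pair.
# strict: alt must be old. relaxed: alt only has to be not erased.
alt_state() {  # args: mode, primary dump, alt dump, new image, old image
    new_sum=$(sha1sum "$4" | cut -d' ' -f1)
    old_sum=$(sha1sum "$5" | cut -d' ' -f1)
    p=$(image_label "$2" "$new_sum" "$old_sum")
    a=$(image_label "$3" "$new_sum" "$old_sum")
    if [ "$p" != new ] || [ "$a" = erased ]; then
        echo "not-covered:$p/$a"   # other states are not described in the post
    elif [ "$a" = old ] || [ "$1" = relaxed ]; then
        echo "S3:$p/$a"            # next step: erase the alt partition
    else
        echo "invalid:$p/$a"       # the "Current update state: err." case
    fi
}

# Constructed sample data: tiny stand-ins for the recovery dtb images.
demo() {
    d=$(mktemp -d)
    printf 'dtb-new' > "$d/new.img"; printf 'dtb-old' > "$d/old.img"
    cp "$d/new.img" "$d/primary.bin"; cp "$d/new.img" "$d/alt.bin"
    alt_state strict  "$d/primary.bin" "$d/alt.bin" "$d/new.img" "$d/old.img"
    alt_state relaxed "$d/primary.bin" "$d/alt.bin" "$d/new.img" "$d/old.img"
    rm -rf "$d"
}
demo
```

With primary and alt both equal to the new image, the strict rule reports `invalid:new/new` and the relaxed rule reports `S3:new/new`.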

I’ve checked this with internal.

No.

No.

We don’t support OTA with UEFI secure boot and disk encryption for current R35.X release.

Thank you!
