We are running into the RAS Error during flash and then Recursive CPU error after we boot our device with JP 5.1.2. We have noticed that these errors go away if we bypass the trusty/Optee steps described below. Note that we are not using disk encryption but just generating eks.img (by using gen_tos_part_img.py) and putting it in the bootloader directory as described in the following steps as described below (from Optee/trusty documentation). This is a custom production board. These steps used to work in the JP 4.x previously. We have not changed any keys. Our flash command looks like following. The bootloader fails in the beginning without getting to kernel. I have attached flash uart logs and then the boot that happens right after it. Any tips or hints to what we may be doing wrong is greatly appreciated.
Thank you. flash_and_boot_uart.log (240.0 KB)
Thank you, do you know which files on the Jetson NX need to be updated once we migrate upgrade our devices from 4.x to 5.1.2, our upgrade process is manual; is it image in the /boot directory or are there other files? We do not want to flash every device for our upgrade since some of them are remote running in production.
I had never try updating from JP-4.x to JP-5.x manually.
anyways, there’re secure-os, (tos-optee_t194_sigheader.img.encrypt) and eks (eks_t194_sigheader.img.encrypt) partitions they’re related to OP-TEE.
you may give it a try to update these two for confirmation.
That is very helpful, thank you JerryChang,
With trusty (previous version in JP 4.x) we used to generate the eks.img also using our keys (see below). Has this step been eliminated from JP5 or can we still generate the eks.img this way.
Thank you JerryChang
I noticed that the new gen_ekb.py program in the above example takes an additional key (compared to the older version), it is the in_sym_key2 key, a 16 byte hex key. I assume that we just need to generate this key on the build machine and the device does not need to know (or be fused) with/about this key. Is that correct?
EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.
LUKS disk encryption support with a specific key. you should execute the script file, gen_ekb.py to generate an image. also, in the developer guide, [Tool for EKB Generation] that sym2.key is equivalent to ekb.key