Secure boot and Disk Encryption issues in l4t 35.3.1 and 35.5.0

Hi!
I have some issues regarding Secure boot and Disk Encryption on l4t 35.3.1 and 35.5.0.
Issue 1: odmfuse.sh from 35.3.1 breaks PkcPubkeyHash1 and PkcPubkeyHash2 fuses on Orin AGX 32GB
Fuses cfg:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="ArmJtagDisable" size="4" value="0x1"/>
    <fuse name="PublicKeyHash" size="64" value="0x764e531b71d55a950cb9dcb969e72450205448aac203236d14a874a9c85c0608ff63418a378c91d0f3517e83a31898c4e5db45221738b04e9632d7772c710ee5"/>
    <fuse name="PkcPubkeyHash1" size="64" value="0x7b2f9d57a2b1d78bced07cc55914dc4f1c36639a9473f7072f5d1cbb622c7d07ff5165bc59ca6d3eed7c0d9968e22824d78f4863818ad861211781191412cf2c"/>
    <fuse name="PkcPubkeyHash2" size="64" value="0x4c4aa57b469b29e44776f4942dc0443fd640db8b8018e94cacdbcfc22dea1881a11f3878342614c9dd9e954a0c2ad30ce14b2d85af90de3e78178c6cc68ab3e2"/>
    <fuse name="OemK1" size="32" value="0xXXXXXXXX"/>
    <fuse name="OemK2" size="32" value="0xYYYYYYYY"/>
    <fuse name="OptInEnable" size="4" value="0x1"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

After burning all fuses from XML including PublicKeyHash, PkcPubkeyHash1, PkcPubkeyHash2 (PKC0, PKC1, PKC2) by means of l4t 35.3.1 odmfuse.sh only PKC0 works. odmfuse.sh and UART logs say that all fuses were burnt successfully, but I can not flash Orin using pkc1 and pkc2.
Orin_fuse_uart_log_35_3_1.txt (27.6 KB)

nv_fuse_read.sh from 35.5.0 shows that PKC1 is zero and PKC2 contains wrong data with repeated 7f6fbd7f7f.

$ sudo nv_fuse_read.sh                                                                                                                                                               
revoke_pk_h0: 0x00000000
revoke_pk_h1: 0x00000000
pk_h1: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
odminfo: 0x00000000
pk_h2: 0x7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f7f6fbd7f
odmid: 0x0000000000000000
system_fw_field_ratchet1: 0x00000000
system_fw_field_ratchet0: 0x00000000
system_fw_field_ratchet3: 0x00000000
system_fw_field_ratchet2: 0x00000000
optin_enable: 0x00000001
public_key_hash: 0x764e531b71d55a950cb9dcb969e72450205448aac203236d14a874a9c85c0608ff63418a378c91d0f3517e83a31898c4e5db45221738b04e9632d7772c710ee5
ecid: 0x8472624F674C0608
reserved_odm2: 0x00000000
reserved_odm3: 0x00000000
reserved_odm0: 0x00000000
reserved_odm1: 0x00000000
reserved_odm6: 0x00000000
reserved_odm7: 0x00000000
reserved_odm4: 0x00000000
reserved_odm5: 0x00000000
boot_security_info: 0x00000001
security_mode: 0x00000001
odm_lock: 0x00000000

I burnt other Orin AGX module with odmfuse.sh from 35.5.0. All PKCs work, nv_fuse_read.sh shows right PKC hashes.
Do you have fixes for 35.3.1 ?

Issue 2: Disk encryption doesn’t work on fused Orin AGX 32GB in both l4t 35.3.1 and 35.5.0
I use two fused Orins from Issue 1. One of them was fused by means of 35.3.1, other by 35.5.0.
After preparing eks_t234.img with custom oemk key and flashing Orin, disk encryption doesn’t work due to eks_t234.img can not be decrypted by TOS.

E/TC:00 00 ekb_extraction_process:321 Tried all EKB_RKs but still can't extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:974 jetson_user_key_pta_init: Failed (ffff000f).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x001197f8 failed

However if eks_t234.img prepared with default oemk1 for 35.5.0 and default oemk1 for 35.3.1 then disk encryption works!
TOS decrypts EKS successfuly and then encrypted rootfs boots also successfully.
OemK1 and OemK2 are custom keys, they are differ from default oemk keys.
default oemk keys - keys from optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh.

EKS preparation for 35.3.1:

python3 gen_ekb.py -chip t234 -oem_k2_key oemk2 \
        -fv ekb_fv\
        -in_sym_key ekb_krn \
        -in_sym_key2 ekb_rfs \
        -out eks_t234.img

if oemk2 is 432646294a404e635266556a586e3272357538782f413f442a472d4b61506453 then disk encryption works else doesn’t.

EKS preparation for 35.5.0:

python3 gen_ekb.py -chip t234 -oem_k1_key oemk1 \
        -fv ekb_fv \
        -in_sym_key ekb_krn \
        -in_sym_key2 ekb_rfs \
        -in_auth_key uefi_var_auth.key \
        -out eks_t234.img

if oemk1 is 2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d then disk encryption works else doesn’t.

Why default OemK1 and OemK2 are used to decrypt EKS even on fused Orins?
What happend with OemK1 and OemK2 fuses on Orins? Were these fuses really burnt successfully or not?

Issue 3: flash.sh doesn’t work with ROOTFS_ENC=1 and with --uefi-keys at the same time in l4t 35.3.1
sudo -E NO_RECOVERY_IMG=1 ROOTFS_ENC=1 ./flash.sh --uefi-keys keys/uefi_keys.conf jetson-agx-orin-devkit mmcblk0p1

[   0.0316 ] tegrahost_v2 --chip 0x23 0 --magicid MBCT --ratchet_blob ratchet_blob.bin --appendsigheader mb1_cold_boot_bct_MB1_aligned.bct zerosbk
[   0.0319 ] File read failed
Error: Return value 2
Command tegrahost_v2 --chip 0x23 0 --magicid MBCT --ratchet_blob ratchet_blob.bin --appendsigheader mb1_cold_boot_bct_MB1_aligned.bct zerosbk
l4t_sign_image.sh: Error: Unable to find the signed file generated by tegraflash.py
failed.

This command works in l4t 35.5.0.
Do you have any patches for 35.3.1?

hello nazaraa,

please don’t mess up secure packages with L4T versions,
for instance, you should use the public_sources.tbz2 pacakge from jetson-linux-r3550 to create EKS image for your r35.5.0 release version.

we don’t back port the changes usually, please consider moving forward to the latest release for all the fixes.

Hello JerryChang,

please don’t mess up secure packages with L4T versions,
for instance, you should use the public_sources.tbz2 pacakge from jetson-linux-r3550 to create EKS image for your r35.5.0 release version.

I prepared two l4t versions.
For r35.3.1 I used packages only from jetson-linux-r3531 including public_sources.tbz2.
For r35.5.0 I used packages only from jetson-linux-r3550 including public_sources.tbz2

we don’t back port the changes usually

I think It make sense at least to prevent from burning PKC1 and PKC2 hashes in 35.3.1. One of my Orins have two broken PKCs now.

please consider moving forward to the latest release for all the fixes.

I hope the latest release in my case r35.5.0? (not r36.3). We are not ready to move to Jetpack 6 yet.
For r35.5.0 we have still issue with disk encryption. Disk encryption doesn’t work with my custom oemk1 keys, but somehow works with default oemk1 on fused Orins.

that’s due to there’s an issue with using zero keys,
so for that reason, we used a sample key with a specific value for rel-35 release version (r35.5.0) at the moment.
for example,
echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key

I burnt fuses in 35.5.0 using this xml:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="ArmJtagDisable" size="4" value="0x1"/>
    <fuse name="PublicKeyHash" size="64" value="0x764e531b71d55a950cb9dcb969e72450205448aac203236d14a874a9c85c0608ff63418a378c91d0f3517e83a31898c4e5db45221738b04e9632d7772c710ee5"/>
    <fuse name="PkcPubkeyHash1" size="64" value="0x7b2f9d57a2b1d78bced07cc55914dc4f1c36639a9473f7072f5d1cbb622c7d07ff5165bc59ca6d3eed7c0d9968e22824d78f4863818ad861211781191412cf2c"/>
    <fuse name="PkcPubkeyHash2" size="64" value="0x4c4aa57b469b29e44776f4942dc0443fd640db8b8018e94cacdbcfc22dea1881a11f3878342614c9dd9e954a0c2ad30ce14b2d85af90de3e78178c6cc68ab3e2"/>
    <fuse name="OemK1" size="32" value="0xXXXXXXXX"/>
    <fuse name="OemK2" size="32" value="0xYYYYYYYY"/>
    <fuse name="OptInEnable" size="4" value="0x1"/>
    <fuse name="BootSecurityInfo" size="4" value="0x1"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

where OemK1 and OemK2 differ from 2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d.
Command:
sudo ./odmfuse.sh -X fuses.xml -i 0x23 jetson-agx-orin-devkit
Fuses burned successfully:

...
MagicId=0x45535546 version=0x1
node: name=ArmJtagDisable size=4
  value=0x1
node: name=PublicKeyHash size=64
  value=0x764e531b71d55a950cb9dcb969e72450205448aac203236d14a874a9c85c0608ff63418a378c91d0f3517e83a31898c4e5db45221738b04e9632d7772c710ee5
node: name=PkcPubkeyHash1 size=64
  value=0x7b2f9d57a2b1d78bced07cc55914dc4f1c36639a9473f7072f5d1cbb622c7d07ff5165bc59ca6d3eed7c0d9968e22824d78f4863818ad861211781191412cf2c
node: name=PkcPubkeyHash2 size=64
  value=0x4c4aa57b469b29e44776f4942dc0443fd640db8b8018e94cacdbcfc22dea1881a11f3878342614c9dd9e954a0c2ad30ce14b2d85af90de3e78178c6cc68ab3e2
node: name=OemK1 size=32
  value=MY_OEMK1
node: name=OemK2 size=32
  value=MY_OEMK2
node: name=OptInEnable size=4
  value=0x1
node: name=BootSecurityInfo size=4
  value=0x1
node: name=SecurityMode size=4
  value=0x1
done.
size of FSKP binary 382336
size of Fuse Blob 400
File saved as fskp_t234_updated.bin
done.
*** Start fusing from fuse configuration ... 
./tegraflash.py --sdram_config tegra234-p3701-0000-sdram-l4t.dts --dev_params tegra234-br-bct-p3701-0000.dts --mb2bct_cfg tegra234-mb2-bct-misc-p3701-0000.dts --deviceprod_config tegra234-mb1-bct-cprod-p3701-0000.dts --wb0sdram tegra234-p3701-0000-wb0sdram-l4t.dts --misc_config tegra234-mb1-bct-misc-p3701-0000.dts --pinmux_config tegra234-mb1-bct-pinmux-p3701-0000-a04.dtsi --scr_config tegra234-mb2-bct-scr-p3701-0000.dts --pmc_config tegra234-mb1-bct-padvoltage-p3701-0000-a04.dtsi --pmic_config tegra234-mb1-bct-pmic-p3701-0005.dts --br_cmd_config tegra234-mb1-bct-reset-p3701-0000.dts --prod_config tegra234-mb1-bct-prod-p3701-0000.dts --device_config tegra234-mb1-bct-device-p3701-0000.dts --gpioint_config tegra234-mb1-bct-gpioint-p3701-0000.dts --bldtb tegra234-p3701-0004-p3737-0000.dtb  --bins "mb2_bootloader fskp_t234_updated.bin; mts_mce mce_flash_o10_cr_prod.bin; mb2_applet applet_t234.bin; dce_fw display-t234-dce.bin; xusb_fw xusb_t234_prod.bin; nvdec nvdec_t234_prod.fw; sce_fw camera-rtcpu-sce.img; psc_fw pscfw_t234_prod.bin; rce_fw camera-rtcpu-t234-rce.img; ape_fw adsp-fw.bin; tos tos-optee_t234.img; bpmp_fw bpmp_t234-TE990M-A1_prod.bin; bpmp_fw_dtb tegra234-bpmp-3701-0004-3737-0000.dtb; eks eks_t234.img; kernel boot.img; kernel_dtb tegra234-p3701-0004-p3737-0000.dtb; spe_fw spe_t234.bin" --cfg flash.xml --odmdata gbe-uphy-config-22,hsstp-lane-map-3,nvhs-uphy-config-0,hsio-uphy-config-0,gbe0-enable-10g --chip 0x23 --applet mb1_t234_prod.bin  --concat_cpubl_bldtb --bl uefi_jetson_with_dtb.bin --cpubl uefi_jetson.bin  --cpubl uefi_jetson.bin --concat_cpubl_bldtb --bl uefi_jetson_with_dtb.bin --cmd "burnfuses fuse_bOe8UQ.xml"
Welcome to Tegra Flash
.....
[   3.3059 ] tegrarcm_v2 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader.bct.encrypt --download blob blob.bin
[   3.3061 ] BL: version 1.4.0.1-t234-54845784-08e631ca last_boot_error: 0
[   3.3324 ] Sending bct_mem
[   3.3760 ] Sending blob
[   4.5118 ] completed
[   4.5118 ] Finish

Orin_fuse_uart_log_35_5_0.txt (25.7 KB)
Then I prepared eks_t234.img with MY_OEMK1 in oemk1 and replaced it in bootloader/eks_t234.img:

python3 gen_ekb.py -chip t234 -oem_k1_key oemk1 \
        -fv ekb_fv \
        -in_sym_key ekb_krn \
        -in_sym_key2 ekb_rfs \
        -in_auth_key uefi_var_auth.key \
        -out eks_t234.img

Then flashed Orin:

sudo NO_RECOVERY_IMG=1 ROOTFS_ENC=1 ./flash.sh -u keys/pkc0 -i keys/ekb_rfs --uefi-keys keys/uefi_keys.conf orin-agx-cb3 mmcblk0p1

Boot failed. Got error in UART boot log:

��NOTICE:  BL31: v2.6(release):cec9a2bc3
NOTICE:  BL31: Built : 20:19:41, Feb 19 2024
I/TC: Physical secure memory base 0x83c040000 size 0x3fc0000
I/TC: 
��DCE: FW Boot Done
��I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.22 (gcc version 9.3.0 (Buildroot 2020.08)) #2 Tue Feb 20 04:28:56 UTC 2024 a4
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.hl
I/TC: Primary CPU initializing
I/TC: Test OEM keys are being used. This is insecure for shipping products!
E/TC:00 00 ekb_extraction_process:321 Tried all EKB_RKs but still can't extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:974 jetson_user_key_pta_init: Failed (ffff000f).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x001197f8 failed
I/TC: Primary CPU switching to normal world boot
��
  Jetson UEFI firmware (version 5.0-35550185 built on 2024-02-20T04:21:22+00:00)

Then I prepared eks_t234.img with 2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d in oemk1 and replaced it in bootloader/eks_t234.img:

python3 gen_ekb.py -chip t234 -oem_k1_key oemk1 \
        -fv ekb_fv \
        -in_sym_key ekb_krn \
        -in_sym_key2 ekb_rfs \
        -in_auth_key uefi_var_auth.key \
        -out eks_t234.img

Then reflashed Orin
Booted successfully.

Why I booted successfuly with default oemk1 key on fused Orin?
Why I can not boot with MY_OEMK1 on fused Orin?

hello nazaraa,

you may check public_sources.tbz2 for OP-TEE sources.
that’s due to below…
$public_sources/atf_and_optee/optee/optee_os/core/drivers/tegra/t234/tegra_se_aes_rng.c

static TEE_Result tegra_se_init(void)
{

        /* OEM_K1: 2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d */
        const uint8_t oem_k1_test[] = { 
                0x2d, 0x4a, 0x61, 0x4e, 0x64, 0x52, 0x67, 0x55,
                0x6b, 0x58, 0x70, 0x32, 0x73, 0x35, 0x76, 0x38,
                0x79, 0x2f, 0x42, 0x3f, 0x44, 0x28, 0x47, 0x2b,
                0x4b, 0x62, 0x50, 0x65, 0x53, 0x68, 0x56, 0x6d,

         if ((bsi & BSI_OEM_KEY_VALID_MASK) == 0) {
                 ret = tegra_se_ccc_set_test_oem_keys(oem_k1_test, oem_k2_test);

FYI,
the next JP-5 release version (i.e. JP-5.1.4) has those default keys removed.

Hello JerryChang,

the next JP-5 release version (i.e. JP-5.1.4) has those default keys removed.

The next JP-5.1.4 has not been released yet. Could you provide fixed tos-optee_t234.img or instructions to patch public_sources.tbz2 for 35.5.0 ?

hello nazaraa,

we usually not back-port the fixes, please replace oemk1 key as current solution.

Hello JerryChang,

I think that It is unusual case. It is insecure to replace the test key with production key in source code. I would like to get solution based on the oemk1 fuse burnt in Orin.
As I understand there is no working solution for disk encryption based on fused Orin for JP5 now. So
we can not use our devices outdoor until JP-5.1.4 released. That is very pity.

Please consider to provide secure solution for disk encryption for JP-5.1.3 before JP-5.1.4 released.

BTW, When JP-5.1.4 is going to be released?

it’ll be available soon, it’s schedule to early September this year.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.