Secure boot failed with Jetson Nano Orin

Here’s my UART log:

NOTICE:  BL31: v2.6(release):cec9a2bc3
NOTICE:  BL31: Built : 20:19:41, Feb 19 2024
I/TC: Physical secure memory base 0x27c040000 size 0x3fc0000
I/TC: 
I/TC: Non-secure external DT found

I/TC: OP-TEE version: 3.22 (gcc version 9.3.0 (Buildroot 2020.08)) #2 Tue Feb 20 04:28:56 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing

I/TC: Primary CPU switching to normal world boot

Jetson UEFI firmware (version 5.0-35550185 built on 2024-02-20T04:21:22+00:00)

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled

E/TC:?? 00 get_rpc_alloc_res:645 RPC allocation failed. Non-secure world result: ret=0xffff0000 ret_origin=0
E/LD:   init_elf:486 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:?? 00 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff000c

Jetson UEFI firmware (version 5.0-35550185 built on 2024-02-20T04:21:22+00:00)
ESC   to enter Setup.
F11   to enter Boot Manager Menu.
Enter to continue boot.
**  WARNING: Test Key is used.  **
.
.
.
.
.
.

L4TLauncher: Attempting Direct Boot

EFI stub: Booting Linux Kernel...
EFI stub: Using DTB from configuration table
EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
EFI stub: Exiting boot services and installing virtual address map...

My env:

  • Jetson Nano Orin devkit NVMe board & a PCIe NVMe SSD
  • Jetson Linux 35.5
  • SBK.key, oem-k1 and ecp521 with fuse
  • after editing example.sh, generated the eks.img

The fuse XML is:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x********************************************************************************************************************************"/>
    <fuse name="SecureBootKey" size="32" value="0x****************************************************************"/>
    <fuse name="OemK1" size="32" value="0x****************************************************************"/>
    <fuse name="BootSecurityInfo" size="4" value="0x20b"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

I have some questions:

  • Does the fuse have some problem?
  • Does the UEFI device tree need to have the PCIe device tree removed?
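
Added example, not part of the original post and not NVIDIA tooling: a small Python lint for a fuse XML shaped like the one above, checking that every value is plain hex and fits its declared byte size. The rule that PublicKeyHash, SecureBootKey and OemK1 must be completely filled and non-zero is an assumption of this example, and all sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Fuses that carry key material. Requiring them to be completely filled and
# non-zero is this example's own policy (an assumption), not an NVIDIA rule.
KEY_FUSES = {"PublicKeyHash", "SecureBootKey", "OemK1"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_fuse_xml(xml_text):
    """Return a list of human-readable problems; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML does not parse: {exc}"]

    problems = []
    if root.tag != "genericfuse":
        problems.append(f"unexpected root element <{root.tag}>")

    seen = set()
    for fuse in root.iter("fuse"):
        name = fuse.get("name", "")
        size_attr = fuse.get("size", "")
        value = fuse.get("value", "")
        if not name:
            problems.append("fuse element without a name")
            continue
        if name in seen:
            problems.append(f"{name}: defined more than once")
        seen.add(name)

        if not (size_attr.isascii() and size_attr.isdigit()) or int(size_attr) == 0:
            problems.append(f"{name}: size {size_attr!r} is not a positive integer")
            continue
        max_digits = 2 * int(size_attr)  # size is in bytes, two hex digits each

        if not value.lower().startswith("0x"):
            problems.append(f"{name}: value must start with 0x")
            continue
        digits = value[2:]
        if not digits or not set(digits) <= HEX_DIGITS:
            problems.append(f"{name}: value is not plain hex (masked or mistyped?)")
            continue

        if len(digits) > max_digits:
            problems.append(f"{name}: {len(digits)} hex digits exceed {max_digits}")
        elif name in KEY_FUSES and len(digits) != max_digits:
            problems.append(f"{name}: {len(digits)} hex digits, expected {max_digits}")
        if name in KEY_FUSES and set(digits) == {"0"}:
            problems.append(f"{name}: key value is all zeros")
    return problems


def sample_xml(pkh, sbk, oem_k1):
    """Build a document shaped like the one in the post, with constructed values."""
    return (
        '<genericfuse MagicId="0x45535546" version="1.0.0">'
        f'<fuse name="PublicKeyHash" size="64" value="0x{pkh}"/>'
        f'<fuse name="SecureBootKey" size="32" value="0x{sbk}"/>'
        f'<fuse name="OemK1" size="32" value="0x{oem_k1}"/>'
        '<fuse name="BootSecurityInfo" size="4" value="0x20b"/>'
        '<fuse name="SecurityMode" size="4" value="0x1"/>'
        '</genericfuse>'
    )


# Constructed inputs: none of these are real keys.
GOOD = sample_xml("ab" * 64, "cd" * 32, "ef" * 32)
BAD = sample_xml("ab" * 64, "cd" * 31, "0" * 64)      # short SBK, all-zero OemK1
MASKED = sample_xml("*" * 128, "*" * 64, "*" * 64)    # values masked as in the post

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD), ("masked", MASKED)):
        print(label, check_fuse_xml(doc) or "ok")
```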

hello sindarin,

Let’s double check that you’ve flashed a customized EKS image with your own keys.
You may also see Topic 270934 for steps to update the EKS image accordingly.

My development board has been fused.
Now when I follow the setup to flash the machine, I got error 3

[   0.0842 ] Added binary blob_tos-optee_t234_sigheader_encrypt.img.signed of size 1288096
[   0.0846 ] Added binary blob_eks_t234_sigheader_encrypt.img.signed of size 9232
[   0.0847 ] Added binary blob_boot0.img of size 57933824
[   0.1041 ] Added binary blob_tegra234-p3767-0000-p3768-0000-a0.dtb of size 346795
[   0.1363 ] tegrarcm_v2 --instance 1-1 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader_encrypt.bct.signed --download blob blob.bin
[   0.1368 ] BL: version 1.4.0.1-t234-54845784-08e631ca last_boot_error: 0
[   0.3033 ] Sending bct_mem
[   0.3127 ] Sending blob
[   0.3986 ] ERROR: might be timeout in USB write.
Error: Return value 3
Command tegrarcm_v2 --instance 1-1 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader_encrypt.bct.signed --download blob blob.bin
Cleaning up...

When I use -u -v to set up the PKC and SBK, I got error 8

crypt.bin.signed; mts_mce mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed; mb2_applet applet_t234_sigheader_encrypt.bin.signed; mb2_bootloader mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed; xusb_fw xusb_t234_prod_sigheader_encrypt.bin.signed; dce_fw display-t234-dce_sigheader_encrypt.bin.signed; nvdec nvdec_t234_prod_sigheader_encrypt.fw.signed; bpmp_fw bpmp_t234-TE980M-A1_prod_sigheader_encrypt.bin.signed; bpmp_fw_dtb tegra234-bpmp-3767-0000-a02-3509-a02_with_odm_sigheader_encrypt.dtb.signed; sce_fw camera-rtcpu-sce_sigheader_encrypt.img.signed; rce_fw camera-rtcpu-t234-rce_sigheader_encrypt.img.signed; ape_fw adsp-fw_sigheader_encrypt.bin.signed; spe_fw spe_t234_sigheader_encrypt.bin.signed; tos tos-optee_t234_sigheader_encrypt.img.signed; eks eks_t234_sigheader_encrypt.img.signed; kernel boot0.img; kernel_dtb tegra234-p3767-0000-p3768-0000-a0.dtb"    --bct_backup  --instance 1-1
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0197 ] rcm boot with presigned binaries
[   0.0203 ] tegrarcm_v2 --instance 1-1 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
Error: Return value 8
Command tegrarcm_v2 --instance 1-1 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
Cleaning up...

For example.sh, I specified the oem_k1 key and sym_t234.key; the others use the defaults.

        -in_ftpm_sn 00000000000000000000 \
        -in_ftpm_eps_seed ftpm_eps_seed_file \
        -in_ftpm_rsa_ek_cert ftpm_rsa_ek_cert.der \
        -in_ftpm_ec_ek_cert ftpm_ec_ek_cert.der \

I don’t know what these things mean, but I don’t have these files, so I deleted them in my example.sh.

Any tips?

hello sindarin,

You must give the PKC and SBK keys on the command line for image flashing since it’s a fused device.
Besides, the EKB (Encrypted Binary Blob) stores two keys: one is the kernel encryption key (sym_key_file), and the other is the LUKS key (sym2_key_file) for disk encryption support. Since you’re using a customized sym_t234.key, please refer to Enable UEFI Payload Encryption During the Flashing Process to specify --uefi-enc sym_t234.key on the command line as well.

Hence, here’s a sample command line to flash a fused target with initrd.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -u PKC.key -v SBK.key --uefi-enc user_encryption.key -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit nvme0n1p1

After flashing, I got this log from UART:


[0000.080] I> MB1 (version: 1.2.0.0-t234-54845784-562369e5)
[0000.085] I> t234-A01-0-Silicon (0x12347) Prod
[0000.089] I> Boot-mode : Coldboot
[0000.093] I> Entry timestamp: 0x00000000
[0000.096] I> last_boot_error: 0x49490303
[0000.100] I> BR-BCT: preprod_dev_sign: 0
[0000.104] I> rst_source: 0x3, rst_level: 0x1
[0000.108] I> Task: SE error check
[0000.111] I> Task: Bootchain select WAR set
[0000.115] I> Task: Enable SLCG
[0000.118] I> Task: CRC check
[0000.121] I> Task: Initialize MB2 params
[0000.125] I> MB2-params @ 0x40060000
[0000.129] I> Task: Crypto init
[0000.132] I> Task: Perform MB1 KAT tests
[0000.136] I> Task: NVRNG health check
[0000.139] I> NVRNG: Health check success
[0000.143] I> Task: MSS Bandwidth limiter settings for iGPU clients
[0000.149] I> Task: Enabling and initialization of Bandwidth limiter
[0000.155] I> No request to configure MBWT settings for any PC!
[0000.161] I> Task: Secure debug controls
[0000.164] I> Task: strap war set
[0000.168] I> Task: Initialize SOC Therm
[0000.171] I> Task: Program NV master stream id
[0000.176] I> Task: Verify boot mode
[0000.181] I> Task: Alias fuses
[0000.185] W> FUSE_ALIAS: Fuse alias on production fused part is not supported.
[0000.192] I> Task: Print SKU type
[0000.195] I> FUSE_OPT_CCPLEX_CLUSTER_DISABLE = 0x000001c8
[0000.200] I> FUSE_OPT_GPC_DISABLE = 0x00000002
[0000.204] I> FUSE_OPT_TPC_DISABLE = 0x000000f0
[0000.209] I> FUSE_OPT_DLA_DISABLE = 0x00000003
[0000.213] I> FUSE_OPT_PVA_DISABLE = 0x00000001
[0000.217] I> FUSE_OPT_NVENC_DISABLE = 0x00000001
[0000.222] I> FUSE_OPT_NVDEC_DISABLE = 0x00000000
[0000.226] I> FUSE_OPT_FSI_DISABLE = 0x00000001
[0000.230] I> FUSE_OPT_EMC_DISABLE = 0x0000000c
[0000.235] I> FUSE_BOOTROM_PATCH_VERSION = 0x7
[0000.239] I> FUSE_PSCROM_PATCH_VERSION = 0x7
[0000.243] I> FUSE_OPT_ADC_CAL_FUSE_REV = 0x2
[0000.247] I> FUSE_SKU_INFO_0 = 0xd5
[0000.250] I> FUSE_OPT_SAMPLE_TYPE_0 = 0x3 PS 
[0000.255] I> FUSE_PACKAGE_INFO_0 = 0x2
[0000.258] I> SKU: Prod
[0000.260] I> Task: Boost clocks
[0000.263] I> Initializing PLLC2 for AXI_CBB.
[0000.268] I> AXI_CBB : src = 35, divisor = 0
[0000.272] I> Task: Voltage monitor
[0000.275] I> VMON: Vmon re-calibration and fine tuning done
[0000.280] I> Task: UPHY init
[0000.285] I> HSIO UPHY init done
[0000.288] W> Skipping GBE UPHY config
[0000.292] I> Task: Boot device init
[0000.295] I> Boot_device: QSPI_FLASH instance: 0
[0000.300] I> Qspi clock source : pllc_out0
[0000.304] I> QSPI Flash: Macronix 64MB
[0000.308] I> QSPI-0l initialized successfully
[0000.312] I> Task: TSC init
[0000.315] I> Task: Load membct
[0000.318] I> RAM_CODE 0x4000021
[0000.321] I> Loading MEMBCT 
[0000.323] I> Slot: 1
[0000.325] I> Binary[0] block-66816 (partition size: 0x40000)
[0000.331] I> Binary name: MEM-BCT-0
[0000.334] I> Size of crypto header is 8192
[0000.338] I> Size of crypto header is 8192
[0000.342] I> strt_pg_num(66816) num_of_pgs(16) read_buf(0x40050000)
[0000.348] I> BCH of MEM-BCT-0 read from storage
[0000.353] I> BCH address is : 0x40050000
[0000.357] I> MEM-BCT-0 header integrity check is success
[0000.362] I> Binary magic in BCH component 0 is MEM0
[0000.367] I> component binary type is 0
[0000.370] I> strt_pg_num(66832) num_of_pgs(115) read_buf(0x40040000)
[0000.377] I> MEM-BCT-0 binary is read from storage
[0000.382] I> MEM-BCT-0 binary integrity check is success
[0000.387] I> Binary MEM-BCT-0 loaded successfully at 0x40040000 (0xe580)
[0000.394] I> RAM_CODE 0x4000021
[0000.402] I> RAM_CODE 0x4000021
[0000.406] I> Task: Load Page retirement list
[0000.410] I> Task: SDRAM params override
[0000.413] I> Task: Save mem-bct info
[0000.417] I> Task: Carveout allocate
[0000.420] I> RCM blob carveout will not be allocated
[0000.425] I> Update CCPLEX IST carveout from MB1-BCT
[0000.430] I> ECC region[0]: Start:0x0, End:0x0
[0000.434] I> ECC region[1]: Start:0x0, End:0x0
[0000.438] I> ECC region[2]: Start:0x0, End:0x0
[0000.443] I> ECC region[3]: Start:0x0, End:0x0
[0000.447] I> ECC region[4]: Start:0x0, End:0x0
[0000.451] I> Non-ECC region[0]: Start:0x80000000, End:0x80000000
[0000.457] I> Non-ECC region[1]: Start:0x0, End:0x0
[0000.462] I> Non-ECC region[2]: Start:0x0, End:0x0
[0000.466] I> Non-ECC region[3]: Start:0x0, End:0x0
[0000.471] I> Non-ECC region[4]: Start:0x0, End:0x0
[0000.482] E> BL_CARVEOUT: Failed to allocate memory of size 0x4000000 for CO:43.
[0000.489] C> Task 0x20 failed (err: 0x49490303)
[0000.494] E> Top caller module: BL_CARVEOUT, error module: BL_CARVEOUT, reason: 0x03, aux_info: 0x03
[0000.503] C> Boot Info Table status dump :
01111111001110001111111111111111

But the script returns success:

ha1 checksum matched for /mnt/internal/bct_backup.img
Writing /mnt/internal/bct_backup.img (32768 bytes) into  /dev/mtd0:66715648
Copied 32768 bytes from /mnt/internal/bct_backup.img to address 0x03fa0000 in flash
[ 236]: l4t_flash_from_kernel: Warning: skip writing reserved_partition partition as no image is specified
Writing gpt_secondary_3_0.bin (parittion: secondary_gpt_backup) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/gpt_secondary_3_0.bin
Writing /mnt/internal/gpt_secondary_3_0.bin (16896 bytes) into  /dev/mtd0:66846720
Copied 16896 bytes from /mnt/internal/gpt_secondary_3_0.bin to address 0x03fc0000 in flash
Writing qspi_bootblob_ver.txt (parittion: B_VER) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/qspi_bootblob_ver.txt
Writing /mnt/internal/qspi_bootblob_ver.txt (98 bytes) into  /dev/mtd0:66912256
Copied 98 bytes from /mnt/internal/qspi_bootblob_ver.txt to address 0x03fd0000 in flash
Writing qspi_bootblob_ver.txt (parittion: A_VER) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/qspi_bootblob_ver.txt
Writing /mnt/internal/qspi_bootblob_ver.txt (98 bytes) into  /dev/mtd0:66977792
Copied 98 bytes from /mnt/internal/qspi_bootblob_ver.txt to address 0x03fe0000 in flash
Writing gpt_secondary_3_0.bin (parittion: secondary_gpt) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/gpt_secondary_3_0.bin
Writing /mnt/internal/gpt_secondary_3_0.bin (16896 bytes) into  /dev/mtd0:67091968
Copied 16896 bytes from /mnt/internal/gpt_secondary_3_0.bin to address 0x03ffbe00 in flash
[ 236]: l4t_flash_from_kernel: Successfully flash the qspi
[ 236]: l4t_flash_from_kernel: Flashing success
Flash is successful
Reboot device
Cleaning up...
Log is saved to Linux_for_Tegra/initrdlog/flash_1-10_0_20240807-201448.log 

There is no data on the SSD.

It looks like you’re using an incorrect CFG file for flashing.
Please share your complete steps for cross-checking.

By jtop, our part number is 699-13767-0003-300 M.2.
Our flash script is:

# generate key
openssl ecparam -name secp521r1 -genkey -noout -out ecp521.pem
openssl rand -hex 32 > SBK.key
openssl rand -hex 32 > K1.key

./tegrasign_v3.py --pubkeyhash ecp521.pubkey ecp521.hash --key ecp521.pem
# fill the hash,oemk1,sbk to the odmfuse.xml

# fuse
# skip

# gen_ekb
# use same with the Linux_for_Tegra.35.5 sources
./example.sh
# but i don't know how to get device_id_cert.der
# so i remove it
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -fv fv_ekb_t234 \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img

# flash in Linux_for_Tegra.35.5
./tools/kernel_flash/l4t_initrd_flash.sh -u ecp521.pem -v SBK.key  --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit-nvme internal


./flash.sh -u ecp521.pem -v SBK.key  --no-flash -k A_eks jetson-orin-nano-devkit-nvme internal


cp bootloader/eks_t234_sigheader* ./tools/kernel_flash/images/internal/.


ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u ecp521.pem -v SBK.key  --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/./tools/kernel_flash/l4t_initrd_flash.sh.xml --external-only --append --network usb0 jetson-orin-nano-devkit-nvme external


./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -u ecp521.pem -v SBK.key  --uefi-enc gen_ekb/sym_t234.key -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit-nvme internal

hello sindarin,

You may try revising the 1st step to use jetson-agx-orin-devkit.
The Orin series share the same EKS binary file; it’s a trick for calling the flash script to create the signed/encrypted EKS image. You don’t need to provide the PKC/SBK keys for EKS image generation.
For instance, $ ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit internal
Besides, please also confirm that no error is reported and that eks_t234_sigheader.img.encrypt has been created correctly before copying it to kernel_flash/ for Orin Nano.

I encountered an error when using ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit internal

[   1.5238 ] Booting to recovery mode
[   1.5243 ] tegrarcm_v2 --chip 0x23 0 --reboot recovery
[   1.5248 ] MB2 Applet version 01.00.0000
Board ID(3767) version(300) sku(0003) revision(P.1)
Chip SKU(00:00:00:D5) ramcode(00:00:00:02) fuselevel(fuselevel_production) board_FAB(300)
Error: Unrecognized module SKU 0003

By the way, I use the script as:

cp bootloader/eks_t234_sigheader* ./tools/kernel_flash/images/internal/.

because the result generated by ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit-nvme internal is eks_t234_sigheader_encrypt.img.signed, not eks_t234_sigheader.img.encrypt, but I don’t think it is an error.

hello sindarin,

Please give it a try with the following:
$ sudo SKIP_EEPROM_CHECK=1 BOARDID="3701" FAB="300" BOARDSKU="0004" BOARDREV="C.2" CHIP_SKU=00:00:00:D2 ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit internal

Hello jerryChang,
thanks for your reply.

I followed the sudo SKIP_EEPROM_CHECK=1 BOARDID="3701" FAB="300" BOARDSKU="0004" BOARDREV="C.2" CHIP_SKU=00:00:00:D2 ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit internal command.
Here is the log of my flash script ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -u ecp521.pem -v SBK.key --uefi-enc gen_ekb/sym_t234.key -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit-nvme external

**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 0
/home/caster/Linux_for_Tegra.35.5/bootloader /home/caster/Linux_for_Tegra.35.5
/home/caster/Linux_for_Tegra.35.5
Finish creating flash environment 0.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
/home/caster/Linux_for_Tegra.35.5/temp_initrdflash/bootloader0 /home/caster/Linux_for_Tegra.35.5
./tegraflash.py --bl uefi_jetson_with_dtb_sigheader_encrypt.bin.signed --bct br_bct_BR.bct --securedev  --bldtb tegra234-p3767-0003-p3768-0000-a0.dtb --applet rcm_2_signed.rcm --applet_softfuse rcm_1_signed.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x23 --mb1_bct mb1_bct_MB1_sigheader_encrypt.bct.signed --mem_bct mem_rcm_sigheader_encrypt.bct.signed --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed --mb1_bin mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --psc_bl1_bin psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --mem_bct_cold_boot mem_coldboot_aligned_sigheader_encrypt.bct.signed  --bins "psc_fw pscfw_t234_prod_sigheader_encrypt.bin.signed; mts_mce mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed; mb2_applet applet_t234_sigheader_encrypt.bin.signed; mb2_bootloader mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed; xusb_fw xusb_t234_prod_sigheader_encrypt.bin.signed; dce_fw display-t234-dce_sigheader_encrypt.bin.signed; nvdec nvdec_t234_prod_sigheader_encrypt.fw.signed; bpmp_fw bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed; bpmp_fw_dtb tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed; sce_fw camera-rtcpu-sce_sigheader_encrypt.img.signed; rce_fw camera-rtcpu-t234-rce_sigheader_encrypt.img.signed; ape_fw adsp-fw_sigheader_encrypt.bin.signed; spe_fw spe_t234_sigheader_encrypt.bin.signed; tos tos-optee_t234_sigheader_encrypt.img.signed; eks eks_t234_sigheader_encrypt.img.signed; kernel boot0.img; kernel_dtb tegra234-p3767-0003-p3768-0000-a0.dtb"    --secondary_gpt_backup  --bct_backup  --instance 1-10
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0197 ] mb1_t234_prod_aligned_sigheader_encrypt.bin.signed filename is from --mb1_bin
[   0.0197 ] psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed filename is from --psc_bl1_bin
[   0.0197 ] rcm boot with presigned binaries
[   0.0203 ] tegrarcm_v2 --instance 1-10 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
[   0.0209 ] BR_CID: 0xEB012344705DD5046C000000010381C0
[   0.0260 ] Sending bct_br
[   0.0303 ] Sending mb1
[   0.0308 ] Sending psc_bl1
[   0.0459 ] Sending bct_mb1
[   0.0517 ] Generating blob for T23x
[   0.0526 ] tegrahost_v2 --chip 0x23 0 --generateblob blob.xml blob.bin
[   0.0530 ] The number of images in blob is 18
[   0.0532 ] blobsize is 75436826
[   0.0532 ] Added binary blob_uefi_jetson_with_dtb_sigheader_encrypt.bin.signed of size 2924608
[   0.0711 ] Added binary blob_pscfw_t234_prod_sigheader_encrypt.bin.signed of size 375168
[   0.0714 ] Added binary blob_mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed of size 190592
[   0.0715 ] Added binary blob_applet_t234_sigheader_encrypt.bin.signed of size 277312
[   0.0716 ] Not supported type: mb2_applet
[   0.0716 ] Added binary blob_mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed of size 438768
[   0.0717 ] Added binary blob_xusb_t234_prod_sigheader_encrypt.bin.signed of size 164864
[   0.0718 ] Added binary blob_display-t234-dce_sigheader_encrypt.bin.signed of size 9097216
[   0.0746 ] Added binary blob_nvdec_t234_prod_sigheader_encrypt.fw.signed of size 294912
[   0.0754 ] Added binary blob_bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed of size 1051136
[   0.0757 ] Added binary blob_tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed of size 110080
[   0.0758 ] Added binary blob_camera-rtcpu-sce_sigheader_encrypt.img.signed of size 166304
[   0.0759 ] Added binary blob_camera-rtcpu-t234-rce_sigheader_encrypt.img.signed of size 537952
[   0.0760 ] Added binary blob_adsp-fw_sigheader_encrypt.bin.signed of size 400864
[   0.0761 ] Added binary blob_spe_t234_sigheader_encrypt.bin.signed of size 270336
[   0.0761 ] Added binary blob_tos-optee_t234_sigheader_encrypt.img.signed of size 1127568
[   0.0765 ] Added binary blob_eks_t234_sigheader_encrypt.img.signed of size 9232
[   0.0765 ] Added binary blob_boot0.img of size 57651200
[   0.0950 ] Added binary blob_tegra234-p3767-0003-p3768-0000-a0.dtb of size 347610
[   0.1258 ] tegrarcm_v2 --instance 1-10 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader_encrypt.bct.signed --download blob blob.bin
[   0.1263 ] BL: version 1.2.0.0-t234-54845784-562369e5 last_boot_error: 0
[   0.3031 ] Sending bct_mem
[   0.3076 ] Sending blob
[   2.8993 ] RCM-boot started

/home/caster/Linux_for_Tegra.35.5
***************************************
*                                     *
*  Step 3: Start the flashing process *
*                                     *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:0::2
SSH ready
blockdev: cannot open /dev/mmcblk0boot0: No such file or directory
[ 0]: l4t_flash_from_kernel: Starting to create gpt for emmc
Active index file is /mnt/internal/flash.idx
Number of lines is 76
max_index=75
[ 2]: l4t_flash_from_kernel: Successfully create gpt for emmc
[ 2]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /mnt/external/flash.idx
Number of lines is 76
max_index=75
[ 4]: l4t_flash_from_kernel: Successfully create gpt for external device
[ 4]: l4t_flash_from_kernel: Starting to flash to emmc
[ 4]: l4t_flash_from_kernel: Starting to flash to external device
Active index file is /mnt/internal/flash.idx
Active index file is /mnt/external/flash.idx
Flash index file is /mnt/internal/flash.idx
Number of lines is 76
max_index=75
Number of lines is 76
max_index=75
Number of lines is 76
max_index=75
[ 4]: l4t_flash_from_kernel: Starting to flash to qspi
QSPI storage size: 67108864 bytes.
[ 6]: l4t_flash_from_kernel: Successfully flash the emmc
[ 6]: l4t_flash_from_kernel: Successfully flash the external device
Erased 67108864 bytes from address 0x00000000 in flash
Flash index file is /mnt/internal/flash.idx
Number of lines is 76
max_index=75
Writing br_bct_BR.bct (parittion: BCT) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/br_bct_BR.bct
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:0
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00000000 in flash
[ 197]: l4t_flash_from_kernel: QSPI erase block size is 65536
[ 197]: l4t_flash_from_kernel: Writing 16 copies of /mnt/internal/br_bct_BR.bct
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:65536
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00010000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:131072
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00020000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:196608
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00030000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:262144
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00040000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:327680
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00050000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:393216
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00060000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:458752
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00070000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:524288
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00080000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:589824
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x00090000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:655360
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x000a0000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:720896
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x000b0000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:786432
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x000c0000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:851968
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x000d0000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:917504
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x000e0000 in flash
Writing /mnt/internal/br_bct_BR.bct (8192 bytes) into  /dev/mtd0:983040
Copied 8192 bytes from /mnt/internal/br_bct_BR.bct to address 0x000f0000 in flash
Writing mb1_t234_prod_aligned_sigheader_encrypt.bin.signed (parittion: A_mb1) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb1_t234_prod_aligned_sigheader_encrypt.bin.signed
Writing /mnt/internal/mb1_t234_prod_aligned_sigheader_encrypt.bin.signed (280976 bytes) into  /dev/mtd0:1048576
Copied 280976 bytes from /mnt/internal/mb1_t234_prod_aligned_sigheader_encrypt.bin.signed to address 0x00100000 in flash
Writing psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed (parittion: A_psc_bl1) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed
Writing /mnt/internal/psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed (122864 bytes) into  /dev/mtd0:1572864
Copied 122864 bytes from /mnt/internal/psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed to address 0x00180000 in flash
Writing mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed (parittion: A_MB1_BCT) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed
Writing /mnt/internal/mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed (17328 bytes) into  /dev/mtd0:1835008
Copied 17328 bytes from /mnt/internal/mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed to address 0x001c0000 in flash
Writing mem_coldboot_aligned_sigheader_encrypt.bct.signed (parittion: A_MEM_BCT) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mem_coldboot_aligned_sigheader_encrypt.bct.signed
Writing /mnt/internal/mem_coldboot_aligned_sigheader_encrypt.bct.signed (243712 bytes) into  /dev/mtd0:1966080
Copied 243712 bytes from /mnt/internal/mem_coldboot_aligned_sigheader_encrypt.bct.signed to address 0x001e0000 in flash
[ 198]: l4t_flash_from_kernel: Warning: skip writing A_tsec-fw partition as no image is specified
Writing nvdec_t234_prod_sigheader_encrypt.fw.signed (parittion: A_nvdec) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/nvdec_t234_prod_sigheader_encrypt.fw.signed
Writing /mnt/internal/nvdec_t234_prod_sigheader_encrypt.fw.signed (294912 bytes) into  /dev/mtd0:3276800
Copied 294912 bytes from /mnt/internal/nvdec_t234_prod_sigheader_encrypt.fw.signed to address 0x00320000 in flash
Writing mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed (parittion: A_mb2) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed
Writing /mnt/internal/mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed (438768 bytes) into  /dev/mtd0:4325376
Copied 438768 bytes from /mnt/internal/mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed to address 0x00420000 in flash
Writing xusb_t234_prod_sigheader_encrypt.bin.signed (parittion: A_xusb-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/xusb_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/xusb_t234_prod_sigheader_encrypt.bin.signed (164864 bytes) into  /dev/mtd0:4849664
Copied 164864 bytes from /mnt/internal/xusb_t234_prod_sigheader_encrypt.bin.signed to address 0x004a0000 in flash
Writing bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed (parittion: A_bpmp-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed (1051136 bytes) into  /dev/mtd0:5111808
Copied 1051136 bytes from /mnt/internal/bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed to address 0x004e0000 in flash
Writing tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed (parittion: A_bpmp-fw-dtb) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed
Writing /mnt/internal/tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed (110080 bytes) into  /dev/mtd0:6684672
Copied 110080 bytes from /mnt/internal/tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed to address 0x00660000 in flash
Writing pscfw_t234_prod_sigheader_encrypt.bin.signed (parittion: A_psc-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/pscfw_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/pscfw_t234_prod_sigheader_encrypt.bin.signed (375168 bytes) into  /dev/mtd0:10878976
Copied 375168 bytes from /mnt/internal/pscfw_t234_prod_sigheader_encrypt.bin.signed to address 0x00a60000 in flash
Writing mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed (parittion: A_mts-mce) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed (190592 bytes) into  /dev/mtd0:11665408
Copied 190592 bytes from /mnt/internal/mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed to address 0x00b20000 in flash
Writing sc7_t234_prod_sigheader_encrypt.bin.signed (parittion: A_sc7) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/sc7_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/sc7_t234_prod_sigheader_encrypt.bin.signed (184544 bytes) into  /dev/mtd0:12189696
Copied 184544 bytes from /mnt/internal/sc7_t234_prod_sigheader_encrypt.bin.signed to address 0x00ba0000 in flash
Writing psc_rf_t234_prod_sigheader_encrypt.bin.signed (parittion: A_pscrf) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/psc_rf_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/psc_rf_t234_prod_sigheader_encrypt.bin.signed (122320 bytes) into  /dev/mtd0:12386304
Copied 122320 bytes from /mnt/internal/psc_rf_t234_prod_sigheader_encrypt.bin.signed to address 0x00bd0000 in flash
Writing mb2rf_t234_sigheader_encrypt.bin.signed (parittion: A_mb2rf) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb2rf_t234_sigheader_encrypt.bin.signed
Writing /mnt/internal/mb2rf_t234_sigheader_encrypt.bin.signed (122752 bytes) into  /dev/mtd0:12582912
Copied 122752 bytes from /mnt/internal/mb2rf_t234_sigheader_encrypt.bin.signed to address 0x00c00000 in flash
Writing uefi_jetson_with_dtb_sigheader_encrypt.bin.signed (parittion: A_cpu-bootloader) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/uefi_jetson_with_dtb_sigheader_encrypt.bin.signed
Writing /mnt/internal/uefi_jetson_with_dtb_sigheader_encrypt.bin.signed (2924608 bytes) into  /dev/mtd0:12713984
Copied 2924608 bytes from /mnt/internal/uefi_jetson_with_dtb_sigheader_encrypt.bin.signed to address 0x00c20000 in flash
Writing tos-optee_t234_sigheader_encrypt.img.signed (parittion: A_secure-os) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/tos-optee_t234_sigheader_encrypt.img.signed
Writing /mnt/internal/tos-optee_t234_sigheader_encrypt.img.signed (1127568 bytes) into  /dev/mtd0:16384000
Copied 1127568 bytes from /mnt/internal/tos-optee_t234_sigheader_encrypt.img.signed to address 0x00fa0000 in flash
[ 212]: l4t_flash_from_kernel: Warning: skip writing A_smm-fw partition as no image is specified
Writing eks_t234_sigheader_encrypt.img.signed (parittion: A_eks) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/eks_t234_sigheader_encrypt.img.signed
Writing /mnt/internal/eks_t234_sigheader_encrypt.img.signed (9232 bytes) into  /dev/mtd0:22675456
Copied 9232 bytes from /mnt/internal/eks_t234_sigheader_encrypt.img.signed to address 0x015a0000 in flash
Writing display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed (parittion: A_dce-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed
Writing /mnt/internal/display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed (736656 bytes) into  /dev/mtd0:22937600
Copied 736656 bytes from /mnt/internal/display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed to address 0x015e0000 in flash
Writing spe_t234_sigheader_encrypt.bin.signed (parittion: A_spe-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/spe_t234_sigheader_encrypt.bin.signed
Writing /mnt/internal/spe_t234_sigheader_encrypt.bin.signed (270336 bytes) into  /dev/mtd0:28180480
Copied 270336 bytes from /mnt/internal/spe_t234_sigheader_encrypt.bin.signed to address 0x01ae0000 in flash
Writing camera-rtcpu-t234-rce_sigheader_encrypt.img.signed (parittion: A_rce-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/camera-rtcpu-t234-rce_sigheader_encrypt.img.signed
Writing /mnt/internal/camera-rtcpu-t234-rce_sigheader_encrypt.img.signed (537952 bytes) into  /dev/mtd0:28770304
Copied 537952 bytes from /mnt/internal/camera-rtcpu-t234-rce_sigheader_encrypt.img.signed to address 0x01b70000 in flash
Writing adsp-fw_sigheader_encrypt.bin.signed (parittion: A_adsp-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/adsp-fw_sigheader_encrypt.bin.signed
Writing /mnt/internal/adsp-fw_sigheader_encrypt.bin.signed (400864 bytes) into  /dev/mtd0:29818880
Copied 400864 bytes from /mnt/internal/adsp-fw_sigheader_encrypt.bin.signed to address 0x01c70000 in flash
[ 215]: l4t_flash_from_kernel: Warning: skip writing A_reserved_on_boot partition as no image is specified
Writing mb1_t234_prod_aligned_sigheader_encrypt.bin.signed (parittion: B_mb1) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb1_t234_prod_aligned_sigheader_encrypt.bin.signed
Writing /mnt/internal/mb1_t234_prod_aligned_sigheader_encrypt.bin.signed (280976 bytes) into  /dev/mtd0:33292288
Copied 280976 bytes from /mnt/internal/mb1_t234_prod_aligned_sigheader_encrypt.bin.signed to address 0x01fc0000 in flash
Writing psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed (parittion: B_psc_bl1) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed
Writing /mnt/internal/psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed (122864 bytes) into  /dev/mtd0:33816576
Copied 122864 bytes from /mnt/internal/psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed to address 0x02040000 in flash
Writing mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed (parittion: B_MB1_BCT) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed
Writing /mnt/internal/mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed (17328 bytes) into  /dev/mtd0:34078720
Copied 17328 bytes from /mnt/internal/mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed to address 0x02080000 in flash
Writing mem_coldboot_aligned_sigheader_encrypt.bct.signed (parittion: B_MEM_BCT) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mem_coldboot_aligned_sigheader_encrypt.bct.signed
Writing /mnt/internal/mem_coldboot_aligned_sigheader_encrypt.bct.signed (243712 bytes) into  /dev/mtd0:34209792
Copied 243712 bytes from /mnt/internal/mem_coldboot_aligned_sigheader_encrypt.bct.signed to address 0x020a0000 in flash
[ 217]: l4t_flash_from_kernel: Warning: skip writing B_tsec-fw partition as no image is specified
Writing nvdec_t234_prod_sigheader_encrypt.fw.signed (parittion: B_nvdec) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/nvdec_t234_prod_sigheader_encrypt.fw.signed
Writing /mnt/internal/nvdec_t234_prod_sigheader_encrypt.fw.signed (294912 bytes) into  /dev/mtd0:35520512
Copied 294912 bytes from /mnt/internal/nvdec_t234_prod_sigheader_encrypt.fw.signed to address 0x021e0000 in flash
Writing mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed (parittion: B_mb2) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed
Writing /mnt/internal/mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed (438768 bytes) into  /dev/mtd0:36569088
Copied 438768 bytes from /mnt/internal/mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed to address 0x022e0000 in flash
Writing xusb_t234_prod_sigheader_encrypt.bin.signed (parittion: B_xusb-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/xusb_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/xusb_t234_prod_sigheader_encrypt.bin.signed (164864 bytes) into  /dev/mtd0:37093376
Copied 164864 bytes from /mnt/internal/xusb_t234_prod_sigheader_encrypt.bin.signed to address 0x02360000 in flash
Writing bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed (parittion: B_bpmp-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed (1051136 bytes) into  /dev/mtd0:37355520
Copied 1051136 bytes from /mnt/internal/bpmp_t234-TE950M-A1_prod_sigheader_encrypt.bin.signed to address 0x023a0000 in flash
Writing tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed (parittion: B_bpmp-fw-dtb) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed
Writing /mnt/internal/tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed (110080 bytes) into  /dev/mtd0:38928384
Copied 110080 bytes from /mnt/internal/tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader_encrypt.dtb.signed to address 0x02520000 in flash
Writing pscfw_t234_prod_sigheader_encrypt.bin.signed (parittion: B_psc-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/pscfw_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/pscfw_t234_prod_sigheader_encrypt.bin.signed (375168 bytes) into  /dev/mtd0:43122688
Copied 375168 bytes from /mnt/internal/pscfw_t234_prod_sigheader_encrypt.bin.signed to address 0x02920000 in flash
Writing mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed (parittion: B_mts-mce) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed (190592 bytes) into  /dev/mtd0:43909120
Copied 190592 bytes from /mnt/internal/mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed to address 0x029e0000 in flash
Writing sc7_t234_prod_sigheader_encrypt.bin.signed (parittion: B_sc7) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/sc7_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/sc7_t234_prod_sigheader_encrypt.bin.signed (184544 bytes) into  /dev/mtd0:44433408
Copied 184544 bytes from /mnt/internal/sc7_t234_prod_sigheader_encrypt.bin.signed to address 0x02a60000 in flash
Writing psc_rf_t234_prod_sigheader_encrypt.bin.signed (parittion: B_pscrf) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/psc_rf_t234_prod_sigheader_encrypt.bin.signed
Writing /mnt/internal/psc_rf_t234_prod_sigheader_encrypt.bin.signed (122320 bytes) into  /dev/mtd0:44630016
Copied 122320 bytes from /mnt/internal/psc_rf_t234_prod_sigheader_encrypt.bin.signed to address 0x02a90000 in flash
Writing mb2rf_t234_sigheader_encrypt.bin.signed (parittion: B_mb2rf) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/mb2rf_t234_sigheader_encrypt.bin.signed
Writing /mnt/internal/mb2rf_t234_sigheader_encrypt.bin.signed (122752 bytes) into  /dev/mtd0:44826624
Copied 122752 bytes from /mnt/internal/mb2rf_t234_sigheader_encrypt.bin.signed to address 0x02ac0000 in flash
Writing uefi_jetson_with_dtb_sigheader_encrypt.bin.signed (parittion: B_cpu-bootloader) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/uefi_jetson_with_dtb_sigheader_encrypt.bin.signed
Writing /mnt/internal/uefi_jetson_with_dtb_sigheader_encrypt.bin.signed (2924608 bytes) into  /dev/mtd0:44957696
Copied 2924608 bytes from /mnt/internal/uefi_jetson_with_dtb_sigheader_encrypt.bin.signed to address 0x02ae0000 in flash
Writing tos-optee_t234_sigheader_encrypt.img.signed (parittion: B_secure-os) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/tos-optee_t234_sigheader_encrypt.img.signed
Writing /mnt/internal/tos-optee_t234_sigheader_encrypt.img.signed (1127568 bytes) into  /dev/mtd0:48627712
Copied 1127568 bytes from /mnt/internal/tos-optee_t234_sigheader_encrypt.img.signed to address 0x02e60000 in flash
[ 230]: l4t_flash_from_kernel: Warning: skip writing B_smm-fw partition as no image is specified
Writing eks_t234_sigheader_encrypt.img.signed (parittion: B_eks) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/eks_t234_sigheader_encrypt.img.signed
Writing /mnt/internal/eks_t234_sigheader_encrypt.img.signed (9232 bytes) into  /dev/mtd0:54919168
Copied 9232 bytes from /mnt/internal/eks_t234_sigheader_encrypt.img.signed to address 0x03460000 in flash
Writing display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed (parittion: B_dce-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed
Writing /mnt/internal/display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed (736656 bytes) into  /dev/mtd0:55181312
Copied 736656 bytes from /mnt/internal/display-t234-dce_with_kernel_tegra234-p3767-0003-p3768-0000-a0_aligned_blob_w_bin_sigheader_encrypt.bin.signed to address 0x034a0000 in flash
Writing spe_t234_sigheader_encrypt.bin.signed (parittion: B_spe-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/spe_t234_sigheader_encrypt.bin.signed
Writing /mnt/internal/spe_t234_sigheader_encrypt.bin.signed (270336 bytes) into  /dev/mtd0:60424192
Copied 270336 bytes from /mnt/internal/spe_t234_sigheader_encrypt.bin.signed to address 0x039a0000 in flash
Writing camera-rtcpu-t234-rce_sigheader_encrypt.img.signed (parittion: B_rce-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/camera-rtcpu-t234-rce_sigheader_encrypt.img.signed
Writing /mnt/internal/camera-rtcpu-t234-rce_sigheader_encrypt.img.signed (537952 bytes) into  /dev/mtd0:61014016
Copied 537952 bytes from /mnt/internal/camera-rtcpu-t234-rce_sigheader_encrypt.img.signed to address 0x03a30000 in flash
Writing adsp-fw_sigheader_encrypt.bin.signed (parittion: B_adsp-fw) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/adsp-fw_sigheader_encrypt.bin.signed
Writing /mnt/internal/adsp-fw_sigheader_encrypt.bin.signed (400864 bytes) into  /dev/mtd0:62062592
Copied 400864 bytes from /mnt/internal/adsp-fw_sigheader_encrypt.bin.signed to address 0x03b30000 in flash
[ 233]: l4t_flash_from_kernel: Warning: skip writing B_reserved_on_boot partition as no image is specified
[ 233]: l4t_flash_from_kernel: Warning: skip writing uefi_variables partition as no image is specified
[ 233]: l4t_flash_from_kernel: Warning: skip writing uefi_ftw partition as no image is specified
[ 233]: l4t_flash_from_kernel: Warning: skip writing worm partition as no image is specified
Writing bct_backup.img (parittion: BCT-boot-chain_backup) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/bct_backup.img
Writing /mnt/internal/bct_backup.img (32768 bytes) into  /dev/mtd0:66715648
Copied 32768 bytes from /mnt/internal/bct_backup.img to address 0x03fa0000 in flash
[ 233]: l4t_flash_from_kernel: Warning: skip writing reserved_partition partition as no image is specified
Writing gpt_secondary_3_0.bin (parittion: secondary_gpt_backup) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/gpt_secondary_3_0.bin
Writing /mnt/internal/gpt_secondary_3_0.bin (16896 bytes) into  /dev/mtd0:66846720
Copied 16896 bytes from /mnt/internal/gpt_secondary_3_0.bin to address 0x03fc0000 in flash
Writing qspi_bootblob_ver.txt (parittion: B_VER) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/qspi_bootblob_ver.txt
Writing /mnt/internal/qspi_bootblob_ver.txt (109 bytes) into  /dev/mtd0:66912256
Copied 109 bytes from /mnt/internal/qspi_bootblob_ver.txt to address 0x03fd0000 in flash
Writing qspi_bootblob_ver.txt (parittion: A_VER) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/qspi_bootblob_ver.txt
Writing /mnt/internal/qspi_bootblob_ver.txt (109 bytes) into  /dev/mtd0:66977792
Copied 109 bytes from /mnt/internal/qspi_bootblob_ver.txt to address 0x03fe0000 in flash
Writing gpt_secondary_3_0.bin (parittion: secondary_gpt) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/gpt_secondary_3_0.bin
Writing /mnt/internal/gpt_secondary_3_0.bin (16896 bytes) into  /dev/mtd0:67091968
Copied 16896 bytes from /mnt/internal/gpt_secondary_3_0.bin to address 0x03ffbe00 in flash
[ 234]: l4t_flash_from_kernel: Successfully flash the qspi
[ 234]: l4t_flash_from_kernel: Flashing success
Flash is successful
Reboot device
Cleaning up...

When the machine rebooted, I got this log from UART:

NOTICE:  BL31: v2.6(release):346877e39
NOTICE:  BL31: Built : 12:32:40, Aug  1 2023
I/TC: Physical secure memory base 0x27c040000 size 0x3fc0000
I/TC: 
I/TC: Non-secure external DT found

I/TC: OP-TEE version: 3.21 (gcc version 9.3.0 (Buildroot 2020.08)) #2 Tue Aug  1 19:39:55 UTC 2023 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing

I/TC: Primary CPU switching to normal world boot

Jetson UEFI firmware (version 4.1-33958178 built on 2023-08-01T19:34:02+00:00)


I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled


E/TC:?? 00 get_rpc_alloc_res:645 RPC allocation failed. Non-secure world result: ret=0xffff0000 ret_origin=0
E/LD:   init_elf:486 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:?? 00 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff000c

e[2Je[04De[=3he[2Je[09D

After flashing, the system was not flashed onto the board.

OP-TEE reports that the configuration might be insecure. Is it related to the fuse config?
What does the UEFI failure mean? Is there a wrong key in the EKS image?

hello sindarin,

Those failures were because you did not provide dTPM for EKS image creation.
UEFI needs to talk with the fTPM TA at least once to check whether the TA exists.

Since there are some default keys,
please try running example.sh again with those default keys.
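The OP-TEE error lines in the UART log above print raw result codes and a TA UUID. The following added example (not code from the thread or from NVIDIA) decodes them: the codes are the standard GlobalPlatform TEE values, the UUID is the one the ms-tpm-20-ref fTPM TA uses, and the log lines are copied from this thread.

```python
import re

# GlobalPlatform TEE result codes (subset) that OP-TEE prints as raw hex.
TEE_RESULTS = {
    0xFFFF0000: "TEE_ERROR_GENERIC",
    0xFFFF0001: "TEE_ERROR_ACCESS_DENIED",
    0xFFFF0006: "TEE_ERROR_BAD_PARAMETERS",
    0xFFFF0008: "TEE_ERROR_ITEM_NOT_FOUND",
    0xFFFF000A: "TEE_ERROR_NOT_SUPPORTED",
    0xFFFF000C: "TEE_ERROR_OUT_OF_MEMORY",
    0xFFFF000F: "TEE_ERROR_SECURITY",
}
# UUID of the fTPM trusted application (ms-tpm-20-ref).
KNOWN_TAS = {"bc50d971-d4c9-42c4-82cb-343fb7f37896": "fTPM TA"}

# Lines copied from the UART log posted in this thread.
UART_LOG = """\
NOTICE:  BL31: v2.6(release):346877e39
I/TC: OP-TEE version: 3.21 (gcc version 9.3.0 (Buildroot 2020.08)) #2 Tue Aug  1 19:39:55 UTC 2023 aarch64
Jetson UEFI firmware (version 4.1-33958178 built on 2023-08-01T19:34:02+00:00)
E/TC:?? 00 get_rpc_alloc_res:645 RPC allocation failed. Non-secure world result: ret=0xffff0000 ret_origin=0
E/LD:   init_elf:486 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:?? 00 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff000c
"""

VERSIONS = {
    "bl31": re.compile(r"BL31: (v[\d.]+)\(release\):(\w+)"),
    "optee": re.compile(r"OP-TEE version: (\S+)"),
    "uefi": re.compile(r"Jetson UEFI firmware \(version (\S+) built on (\S+)\)"),
}
# "<function>:<line> ... ret=0x..." or "... res: 0x..."
RESULT = re.compile(r"(\w+):\d+ .*?\b(?:ret|res)[=:]\s*(0x[0-9a-fA-F]+)")
TA_OPEN = re.compile(r"sys_open_ta_bin\(([0-9a-fA-F-]{36})\)")


def decode_uart(log):
    """Extract firmware versions, TA load attempts and decoded TEE errors."""
    report = {"versions": {}, "errors": [], "ta_loads": []}
    for line in log.splitlines():
        for name, rx in VERSIONS.items():
            if m := rx.search(line):
                report["versions"][name] = m.group(1)
        if not line.startswith("E/"):      # only OP-TEE error-level lines carry results
            continue
        if m := TA_OPEN.search(line):
            uuid = m.group(1).lower()
            report["ta_loads"].append((uuid, KNOWN_TAS.get(uuid, "unknown TA")))
        if m := RESULT.search(line):
            code = int(m.group(2), 16)
            report["errors"].append((m.group(1), TEE_RESULTS.get(code, hex(code))))
    return report


if __name__ == "__main__":
    for key, value in decode_uart(UART_LOG).items():
        print(key, value)
```

The version fields are worth comparing against the release that was just flashed; the decoded codes say what OP-TEE returned, not why.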

I have not found any fTPM documents in the NVIDIA Jetson dev guide, or default keys in public_sources.tbz2.
According to other posts, I copied the device_id.cert and generated the fTPM files:

echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert

# seed file generate
openssl rand -hex 32 > ftpm_eps_seed_file

#rsa ek cert
openssl genrsa -out ftpm_rsa_ek_priv.pem 2048
openssl rsa -in ftpm_rsa_ek_priv.pem -pubout -out ftpm_rsa_ek_pub.pem
openssl req -new -x509 -key ftpm_rsa_ek_priv.pem -out ftpm_rsa_ek_cert.pem -days 365 -subj "/CN=fTPM RSA EK Cert"
openssl x509 -in ftpm_rsa_ek_cert.pem -outform der -out ftpm_rsa_ek_cert.der

# ec ek cert
openssl ecparam -name prime256v1 -genkey -noout -out ftpm_ec_ek_priv.pem
openssl ec -in ftpm_ec_ek_priv.pem -pubout -out ftpm_ec_ek_pub.pem
openssl req -new -x509 -key ftpm_ec_ek_priv.pem -out ftpm_ec_ek_cert.pem -days 365 -subj "/CN=fTPM EC EK Cert"
openssl x509 -in ftpm_ec_ek_cert.pem -outform der -out ftpm_ec_ek_cert.der

But the problem still exists. I still can’t flash the LUKS-encrypted rootfs to the board.
After the script says successful, the devkit board boots into the old system without any encryption.

hello sindarin,

Since the UEFI variable protection feature is always enabled, you should provide a UEFI variable authentication key in the EKS image, otherwise UEFI will block the booting.
Could you please refer to the OP-TEE source files for EKS image creation, for example, $public_sources/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb

Do you mean I must follow the Secure Boot docs to sign the UEFI payload?

hello sindarin,

You need to use the sample.sh from the same release version to build a new eks.img, which will include an auth key.
Did you access jetson-linux-r3550 to download the [Driver Package (BSP) Sources] package?

you may further narrow down the issue,
for instance, please also check flash without disk encryption for verification.

hello JerryChang
I’m sure the example.sh and gen_ekb.py were copied from the right package source, and I use

sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u ecp521.pem -v SBK.key --network usb0 --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit-nvme internal

to flash the internal storage after signing the eks_t234.img.

Now the eks_t234.img is generated by this script:

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -fv fv_ekb_t234 \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img

Here is the table of keys:

OEMK1 key for test: same as fuse.xml
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
echo "d9f7b49e3b6264985f1326f541bb43c9" > auth_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key

hello sindarin,

As you may know…
l4t_initrd_flash takes binary files under $OUT/Linux_for_Tegra/tools/kernel_flash/images/ to flash onto your Orin Nano target.
However, it is the flash script that performs sign/encrypt to convert eks_t234.img into the eks_t234_sigheader.img.encrypt format.
In order to confirm you’ve updated the EKS image correctly, please also see Topic 270934 for steps to re-flash the target.
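One way to check from the flash log itself that the signed EKS image reached both boot-chain slots is to parse the `l4t_flash_from_kernel` output posted earlier in the thread. This is an added example, not part of the thread or of NVIDIA's tooling; the function names are hypothetical and the sample lines are copied from the log above.

```python
import re

# Lines copied from the l4t_initrd_flash log in this thread (EKS, slots A and B).
FLASH_LOG = """\
[ 212]: l4t_flash_from_kernel: Warning: skip writing A_smm-fw partition as no image is specified
Writing eks_t234_sigheader_encrypt.img.signed (parittion: A_eks) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/eks_t234_sigheader_encrypt.img.signed
Writing /mnt/internal/eks_t234_sigheader_encrypt.img.signed (9232 bytes) into  /dev/mtd0:22675456
Copied 9232 bytes from /mnt/internal/eks_t234_sigheader_encrypt.img.signed to address 0x015a0000 in flash
[ 230]: l4t_flash_from_kernel: Warning: skip writing B_smm-fw partition as no image is specified
Writing eks_t234_sigheader_encrypt.img.signed (parittion: B_eks) into /dev/mtd0
Sha1 checksum matched for /mnt/internal/eks_t234_sigheader_encrypt.img.signed
Writing /mnt/internal/eks_t234_sigheader_encrypt.img.signed (9232 bytes) into  /dev/mtd0:54919168
Copied 9232 bytes from /mnt/internal/eks_t234_sigheader_encrypt.img.signed to address 0x03460000 in flash
"""

# "parittion" is the flash tool's own spelling in its output.
START = re.compile(r"^Writing (\S+) \(parittion: (\S+)\) into (\S+)$")
SHA1 = re.compile(r"^Sha1 checksum matched for (\S+)$")
SIZE = re.compile(r"^Writing (\S+) \((\d+) bytes\) into\s+\S+:(\d+)$")
COPIED = re.compile(r"^Copied (\d+) bytes from (\S+) to address (0x[0-9a-fA-F]+) in flash$")
SKIP = re.compile(r"skip writing (\S+) partition as no image is specified")


def parse_flash_log(text):
    """Return (writes, skipped); writes maps partition name -> record dict."""
    writes, skipped, cur = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SKIP.search(line):
            skipped.append(m.group(1))
        elif m := START.match(line):
            cur = {"image": m.group(1), "sha1_ok": False, "declared": None,
                   "offset": None, "copied": None, "address": None}
            writes[m.group(2)] = cur
        elif cur is None:
            continue
        elif SHA1.match(line):
            cur["sha1_ok"] = True
        elif m := SIZE.match(line):
            cur["declared"], cur["offset"] = int(m.group(2)), int(m.group(3))
        elif m := COPIED.match(line):
            cur["copied"], cur["address"] = int(m.group(1)), int(m.group(3), 16)
    return writes, skipped


def audit(writes):
    """List problems: incomplete writes and A_/B_ slot mismatches."""
    problems = []
    for part, r in writes.items():
        if not r["sha1_ok"]:
            problems.append(f"{part}: no Sha1 match line")
        if r["copied"] is None or r["copied"] != r["declared"]:
            problems.append(f"{part}: copied {r['copied']} of {r['declared']} bytes")
        if r["offset"] != r["address"]:
            problems.append(f"{part}: offset {r['offset']} != address {r['address']}")
    for part, a in writes.items():
        if part.startswith("A_"):
            b = writes.get("B_" + part[2:])
            if b is None:
                problems.append(f"{part}: no matching B_ slot write")
            elif (a["image"], a["declared"]) != (b["image"], b["declared"]):
                problems.append(f"{part}: A/B image or size differ")
    return problems
```

A clean audit shows only that the signed image was copied to both slots at the logged offsets; it says nothing about which keys the EKS image contains.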
