SecureBoot on Jetson Orin: Flash Successful but UEFI firmware error

Hello,

For context, I have been trying to enable secure boot and disk encryption on an Orin NX 8GB with a massflash scale. On a non-fused board, I have successfully created the massflash with a generic passphrase and managed to proceed with disk re-encryption.

However, I have now burned the fuse to enable secure boot with the following config value:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0xaverylong64bytesword"/>
    <fuse name="SecureBootKey" size="32" value="0xaverylong32bytesword"/>
    <fuse name="OemK1" size="32" value="0xaanotherverylong32bytesword"/>
    <fuse name="OemK2" size="32" value="0xyetanotherverylong32bytesword"/>
    <fuse name="BootSecurityInfo" size="4" value="0x20b"/>
    <!-- Activating the following fuse will disable all further writes to the other fuses -->
    <!-- Must be activated last -->
    <!-- <fuse name="SecurityMode" size="4" value="0x0"/> -->
</genericfuse>

I recreated my EKB image using the command:

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
  -in_sym_key sym_t234.key \
  -in_sym_key2 sym2_t234.key \
  -in_auth_key auth_t234.key \
  -out eks_t234.img

where sym_t234, sym2_t234 and auth_t234 are randomly generated keys.
Here are the different steps I followed to flash the device with an external 256GB SSD:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml -T 492830720" --no-flash -u ./pkc.pem -v ./sbk.key jetson-orin-nano-devkit internal

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs  --no-flash -u ./pkc.pem -v ./sbk.key --external-device nvme0n1p1 -S 235GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append -i ./disk_enc.key jetson-orin-nano-devkit external

sudo ./tools/kernel_flash/l4t_initrd_flash.sh  -u ./pkc.pem -v ./sbk.key  --network usb0 --showlogs --flash-only

I successfully flashed the device, but at first boot here is the log message that I receive from the serial log:

I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
E/TC:?? 00 jetson_user_key_pta_uefi_vars_auth:904 UEFI variable auth key not set !
E/TC:?? 00 stmm_handle_variable_authentication:910 Failed to get signed CMAC ffff0008

ASSERT [FvbNorFlashStandaloneMm] /out/nvidia/optee.t234-uefi/StandaloneMmOptee_RELEASE/edk2-nvidia/Silicon/NVIDIA/Drivers/FvbNorFlashDxe/VarIntCheck.c(922): ((BOOLEAN)(0==1))

I do not want to verify the payload of the UEFI for now. What does this message mean?

Hello @cleng!

  1. Did you edit the script in order to match the OEMK1 that you burned?
  2. After generating the EKB image, did you replace it in the Linux_for_Tegra/bootloader/ directory?

This error seems to be related to the EKB image not being updated after the fuse burning process. Also, it is important to replace the sym2_t234.key under the /Linux_for_Tegra/ path. In this topic you can find valuable information about updating EKB images, but give it a try and let me know if it helps.

Regards,

Salomon Ramirez
Embedded SW Engineer at RidgeRun
Contact us: support@ridgerun.com
Developers wiki: https://developer.ridgerun.com
Website: www.ridgerun.com
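The two points in the answer above (does the EKB correspond to the OemK1 that was burned, and is the regenerated eks_t234.img actually the one under Linux_for_Tegra/bootloader/) can be checked before flashing. The following is an added example, not from this thread or from NVIDIA's tools; file names and paths are assumptions, and the key file is assumed to hold the hex string passed to `gen_ekb.py -oem_k1_key`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from NVIDIA's tools): pre-flash checks
# for the failure discussed above, an EKB that no longer matches the burned
# OEM_K1 fuse or that was not copied into Linux_for_Tegra/bootloader/.
# File names and paths are assumptions; adjust to your tree.
set -u

# OemK1 value from a fuse XML, as lowercase hex without the 0x prefix.
# Prints nothing if the value is not clean hex (e.g. a placeholder).
fuse_oem_k1() {
  sed -n 's/.*<fuse name="OemK1"[^>]*value="\(0x\)\{0,1\}\([0-9A-Fa-f]*\)".*/\2/p' "$1" |
    tr 'A-F' 'a-f'
}

# Key file as given to gen_ekb.py -oem_k1_key: strip whitespace and 0x, lowercase.
key_file_hex() {
  tr -d '[:space:]' < "$1" | sed 's/^0[xX]//' | tr 'A-F' 'a-f'
}

# 0 when the burned OemK1 is 32 bytes of hex and equals the key used for the EKB.
oem_k1_matches() {
  local fuse_hex key_hex
  fuse_hex=$(fuse_oem_k1 "$1")
  key_hex=$(key_file_hex "$2")
  [ "${#fuse_hex}" -eq 64 ] && [ "$fuse_hex" = "$key_hex" ]
}

# 0 when the freshly generated EKB is byte-identical to the installed one.
ekb_installed() {
  cmp -s "$1" "$2"
}

# Run both checks and report; a non-zero exit means do not flash yet.
check_ekb_setup() {
  local fuse_xml="$1" oem_k1="$2" new_ekb="$3" installed_ekb="$4" rc=0
  if oem_k1_matches "$fuse_xml" "$oem_k1"; then
    echo "OK   OemK1 fuse matches $oem_k1"
  else
    echo "FAIL OemK1 fuse does not match $oem_k1 (re-run gen_ekb.py with the burned key)"
    rc=1
  fi
  if ekb_installed "$new_ekb" "$installed_ekb"; then
    echo "OK   $installed_ekb is the regenerated EKB"
  else
    echo "FAIL $installed_ekb differs from $new_ekb (copy the new image into bootloader/)"
    rc=1
  fi
  return "$rc"
}

# Example invocation (paths assumed):
# check_ekb_setup fuse.xml oem_k1.key eks_t234.img Linux_for_Tegra/bootloader/eks_t234.img
```

With the placeholder values from the fuse XML quoted in the question, the OemK1 check fails on purpose, since the value is not 64 hex digits.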

Hello @salomon.ramirez ,

Sorry for the late response. I did, but I will make sure that I replace it correctly and re-sign the EKB.
I will come back in case of failure (and in case of success).

Hello @salomon.ramirez,

Thank you for your help! Yes indeed, recreating the encryption key blob did the trick.

Hello @cleng! Glad to help, happy it worked!

Regards,

Salomon Ramirez
