The device can't start up after flashing one disk encryption image

The board is always in Force Recovery mode , why?

ahh… I did not check carefully. there's a --test option in your fuse command, which did not really burn the fuses on the target.
furthermore, please also check Topic 158361 for the steps to burn fuses on Xavier NX eMMC modules.
please burn the fuses on the target with the fuseblob, and you should also enable odm_production_mode when fusing the target.
thanks

Sorry, I ran the following command before.
sudo ./odmfuse.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem --KEK2 …/…/key/key2.hex -S …/…/key/sbk.hex --disable-jtag jetson-xavier-nx-devkit-emmc

Now, I run:
sudo ./odmfuse.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem --KEK2 …/…/key/key2.hex -S …/…/key/sbk.hex --disable-jtag -p jetson-xavier-nx-devkit-emmc
The attachments are for odmfuse.sh and serial console log.
console.log (17.0 KB)
odmfuse.log (100.2 KB)

hello user121369,

could you please use --noburn to create fuseblob, having two steps approaches to fuse the board and share the results.
thanks

The results are in the attachment.
console1.log (16.4 KB)
odmfuse1.log (100.4 KB)

you'll need to assign FAB, BOARDID, BOARDSKU and BOARDREV in order to run in the offline mode,
please check Topic 158361 for the steps to burn fuses on Xavier NX eMMC modules.

The following command failed:
tar xpvf fuseblob.tbz2
odmfuse2.log (82.9 KB)

hello user121369,

there's a permission error because the files already exist. you may try removing those files under bootloader/encrypted_signed_t19x/ and then extracting the package again for verification.
or, you may deliver this fuseblob to another flashing machine to run the flashing process.
please resolve the untar failure and perform the next step to flash the device; looking forward to your test results.
thanks

console3.log (13.0 KB)
odmfuse3.log (6.9 KB)

Now, the board starts successfully.

Do I need to follow these commands to flash the system?
$ sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u rsa_priv.pem -v sbk.key jetson-xavier-nx-devkit-emmc mmcblk0p1
$ cd bootloader/
$ sudo bash ./flashcmd.txt

If I run the following commands, the system can boot normally.
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u …/…/key/nvidia_rsa_3k_priv.pem -v …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader/
sudo bash ./flashcmd.txt

But when I run these commands, the system halts.
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u …/…/key/nvidia_rsa_3k_priv.pem -v …/…/key/sbk.hex --user_key …/…/key/kernel.hex -i …/…/key/disk.hex jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader/
sudo bash ./flashcmd.txt
console4.log (52.9 KB)

hello user121369,

the -i option is used to assign the key for disk encryption. the disk encryption key is stored in the EKB partition.
had you created the Encrypted Binary Blob (EKB) and updated the EKS partition of the device? you may refer to the Tool for EKB Generation section to create the eks_image_file; please perform image flashing again to update the partition. note, partition update is disabled since you've enabled Jetson security.
please also refer to the Disk Encryption chapter for more details.
thanks

$ python3 gen_ekb.py -kek2_key <kek2_fuse_key_file> \
    -fv <fv_for_ekb_ek> \
    -in_sym_key <sym_key_file> \
    -in_sym_key2 <sym2_key_file> \
    -out <eks_image_file>
This step has been executed and the generated eks_image_file copied to bootloader/eks.img.

note, partition update is disabled since you've enabled Jetson security.
why???

Also, when I run sudo ./odmfuse.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem -S …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc, the generated fuse information is shown in the attachment.
fuse_info.txt (761 Bytes)

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u …/…/key/nvidia_rsa_3k_priv.pem -v …/…/key/sbk.hex --user_key …/…/key/kernel.hex jetson-xavier-nx-devkit-emmc mmcblk0p1
After flashing the board with the previous command, the system also halts.

Console info:
[0006.601] I> Detect filesystem
[0006.629] I> Loading extlinux.conf …
[0006.629] I> Loading extlinux.conf binary from rootfs …
[0006.629] I> rootfs path: /sdmmc_user/boot/extlinux/extlinux.conf
[0006.672] I> Loading extlinux.conf sig file from rootfs …
[0006.672] I> rootfs path: /sdmmc_user/boot/extlinux/extlinux.conf.sig
[0006.697] I> Validate extlinux.conf …
[0006.697] I> T19x: Authenticate extlinux.conf (bin_type: 54), max size 0x2000
[0006.699] I> RSA PSS signature check: OK
[0006.699] W> keyslot 14 is zero
[0006.700] E> No valid entry found in extlinux.conf!
[0006.700] I> Loading kernel …
[0006.700] I> No kernel binary path
[0006.700] I> Continue to load from partition …
[0006.705] W> No valid slot number is found in scratch register
[0006.711] W> Return default slot: _a
[0006.714] I> A/B: bin_type (37) slot 0
[0006.718] I> Loading kernel from partition
[0006.722] I> Loading partition kernel at 0xa4b10000 from device(0x1)
[0007.470] I> Validate kernel …
[0007.470] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0007.472] I> RSA PSS signature check: OK
[0007.851] W> keyslot 14 is zero
[0007.882] I> Checking boot.img header magic …
[0007.882] E> Invalid header magic
[0007.883] E> Failed to load kernel, abort booting.
[0007.883] E> Failed extlinux boot.
[0007.902] I> Kernel EP: 0x0, DTB: 0x90000000
[0007.902]
[0007.903] -----------------------------------------------
[0007.905] Synchronous Exception: UNKNOWN EXCEPTION
[0007.907] -----------------------------------------------
[0007.908]
[0007.909] ESR 0x2000000: ec 0x0, il 0x1, iss 0x0
[0007.911] -----------------------------------------------
[0007.913] [Stack Trace]
[0007.913]
[0007.914] => pc:0x00000000, sp:0xA0EB5530
[0007.915] => pc:0xA060F790, sp:0xA0EB5760
[0007.919] => pc:0xA060F7A4, sp:0xA0EB57B0
[0007.923] => pc:0xA060F58C, sp:0xA0EB57E0
[0007.927] => pc:0xA060EB00, sp:0xA0EB57F0
[0007.931] => pc:0xA060EAD4, sp:0xA0EB5800
[0007.935] -----------------------------------------------
[0007.940] iframe 0xa0eb5440:
[0007.943] x0 0x 90000000 x1 0x 0 x2 0x 0 x3 0x 0
[0007.952] x4 0x 0 x5 0x 20 x6 0x b200123 x7 0x ffffffc0
[0007.961] x8 0x 0 x9 0xffffffffffffffff x10 0x 6 x11 0x 2
[0007.970] x12 0x 1 x13 0x 40 x14 0x 1 x15 0x 2c0
[0007.979] x16 0x 1500 x17 0x 438 x18 0x 0 x19 0x 0
[0007.988] x20 0x 0 x21 0x 0 x22 0x 0 x23 0x 0
[0007.997] x24 0x 0 x25 0x 0 x26 0x 0 x27 0x 0
[0008.006] x28 0x 0 x29 0x a0eb5760 lr 0x a060f744 sp 0x a0eb5530
[0008.015] elr 0x 0
[0008.018] spsr 0x 400003c9
[0008.022] -----------------------------------------------
[0008.027] panic (caller 0xa0601238): die
[0008.031] HALT: spinning forever…

hello user121369,

do you really have 0xf as your SBK keys?
please also narrow down the issue: could you assign all keys except --user_key to verify the device flashing status?

the concept of Secureboot is to prevent execution of unauthorized code during the boot process through a chain-of-trust;
those authenticated boot components (such as the Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using a private key (i.e. PKC). hence, the partition update is disabled. please do a full flash if a partition update is necessary.

do you really have 0xf as your SBK keys?
no, the keys are:
Fuse reading is done. The fuse values have been saved in: /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/fuse_info.txt
PublicKeyHash: ad934b083bf5c7473f8131a36335914ac1fad41e69a74d7656d4bece3678cac7
SecureBootKey: 734725617a320932a782b32404e2fa95
Kek0: 00000000000000000000000000000000
Kek1: 00000000000000000000000000000000
Kek2: b39325610a323da2a713b33fc423fa24
Kek256: 0000000000000000000000000000000000000000000000000000000000000000
BootSecurityInfo: 00000006
JtagDisable: 00000001
SecurityMode: 00000000
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000
ReservedOdm8: 00000000
ReservedOdm9: 00000000
ReservedOdm10: 00000000
ReservedOdm11: 00000000

but run
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem --KEK2 …/…/key/key2.hex -S …/…/key/sbk.hex --disable-jtag --noburn -p --auth SBKPKC jetson-xavier-nx-devkit-emmc
now the keys are:
PublicKeyHash: ad934b083bf5c7473f8131a36335914ac1fad41e69a74d7656d4bece3678cac7
SecureBootKey: ffffffffffffffffffffffffffffffff
Kek0: ffffffffffffffffffffffffffffffff
Kek1: ffffffffffffffffffffffffffffffff
Kek2: ffffffffffffffffffffffffffffffff
Kek256: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
BootSecurityInfo: 00000006
JtagDisable: 00000001
SecurityMode: 00000001
SwReserved: 00000000
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000
ReservedOdm8: 00000000
ReservedOdm9: 00000000
ReservedOdm10: 00000000
ReservedOdm11: 00000000

Read fuse with “sudo ./odmfuse.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem -S …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc”, the errors are:
[0007.003] W> Profiler not initialized
[0007.007] E> DEVICE_PROD: Invalid value data = 0, size = 0.
[0007.012] W> device prod register failed
[0007.016] W> Profiler not initialized
[0007.108] I> sdmmc DDR50 mode
[0007.113] I> QSPI Flash Size = 32 MB
[0007.124] I> Qspi initialized successfully
[0007.175] E> Link startup dme_set failed
[0007.179] E> UFS initialization failed
[0007.182] I> UFS is not present

hwkey-agent: 41: hwkey-agent is running!!
hwkey-agent: 315: key_mgnt_processing …
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 368: key_mgnt_processing: failed (-7)
hwkey-agent: 45: main: Failed to verify or extract EKB (-7).
exit called, thread 0xffffffffea8a4d58, name trusty_app_2_92b92883-f96a-4177
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete

[0006.408] I> Welcome to TBoot-CPU Recovery
WARNING: no registered clock for FMON_NAFLL_CLUSTER1 (id 281)
fmon_post initialized
[0006.408] I> Heap: [0xa4000000 … 0xaa000000
[0006.419] I> gpio framework initialized
clk_set_parent failed for clk i2c2, parent pll_aon (-22)
clk_set_parent failed for clk i2c8, parent pll_aon (-22)
clk_dt_late initialized
machine_check initialized

sku_debugfs initialized
speedo_debugfs initialized
adc_debugfs initialized
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
clk_debugfs initialized

starting app shell
entering main console loop
] [0006.428] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio' driver
[0006.583] I> tegrabl_gpio_driver_register: register ‘nvidia,tegra194-gpio-aon’ driver
[0006.587] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x46
[0006.597] W> fetch_driver_phandle_from_dt: failed to get node with compatible ti,tca9539
[0006.605] W> fetch_driver_phandle_from_dt: failed to get node with compatible nxp,tca9539
[0006.609] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0006.615] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x44
[0006.624] W> fetch_driver_phandle_from_dt: failed to get node with compatible ti,tca9539
[0006.632] W> fetch_driver_phandle_from_dt: failed to get node with compatible nxp,tca9539
[0006.637] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0006.645] I> fixed regulator driver initialized
[0006.655] I> CPU: Nvidia Carmel
console5.log (28.2 KB)

please also narrow down the issue: could you assign all keys except --user_key to verify the device flashing status?

If I run the following commands, the system can boot normally.
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u …/…/key/nvidia_rsa_3k_priv.pem -v …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader/
sudo bash ./flashcmd.txt
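
As an added check (example code, not from NVIDIA or from anyone in this thread), the following script parses a fuse_info.txt dump like the two above and flags the fuse states that came up here: all-0xf SBK/KEK values, a zero KEK2 when a disk-encryption EKB is expected, and SecurityMode left at 0. The two sample dumps inside it are constructed, with made-up key values.

```python
"""Check a Jetson fuse_info.txt dump before flashing a disk-encryption image.

Added example, not NVIDIA's code: parses the 'Name: hex' lines odmfuse.sh writes
to bootloader/fuse_info.txt and flags the fuse states this thread ran into.
"""
import re
from typing import Dict, List

LINE_RE = re.compile(r"^\s*(\w+):\s*([0-9a-fA-F]+)\s*$")

# Constructed sample dumps (real fuse_info.txt field names, made-up key values).
SAMPLE_OK = """SecureBootKey: 0123456789abcdef0123456789abcdef
Kek2: fedcba9876543210fedcba9876543210
JtagDisable: 00000001
SecurityMode: 00000001"""
SAMPLE_NOPROD = """SecureBootKey: 0123456789abcdef0123456789abcdef
Kek2: 00000000000000000000000000000000
JtagDisable: 00000001
SecurityMode: 00000000"""

def parse_fuse_info(text: str) -> Dict[str, str]:
    """Map each 'Name: hex' line to its lowercase hex value; other lines are skipped."""
    fuses = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fuses[m.group(1)] = m.group(2).lower()
    return fuses

def _all(hexval: str, nibble: str) -> bool:
    return hexval != "" and set(hexval) == {nibble}

def check_fuses(fuses: Dict[str, str], disk_encryption: bool) -> List[str]:
    """Return the problems found; an empty list means the dump is consistent."""
    problems = []
    sbk, kek2 = fuses.get("SecureBootKey", ""), fuses.get("Kek2", "")
    if _all(sbk, "f") or _all(kek2, "f"):  # what the --noburn run in the thread reported
        problems.append("SBK/KEK2 are all 0xf: not a genuine fuse read")
    if _all(sbk, "0"):
        problems.append("SecureBootKey is zero: SBK not burned")
    if disk_encryption and _all(kek2, "0"):  # gen_ekb.py keys the EKB from -kek2_key
        problems.append("Kek2 is zero but the disk-encryption EKB is keyed from KEK2")
    if _all(fuses.get("SecurityMode", "0"), "0"):
        problems.append("SecurityMode is 0: odm_production_mode (odmfuse.sh -p) not set")
    if _all(fuses.get("JtagDisable", "0"), "0"):
        problems.append("JtagDisable is 0: JTAG still enabled")
    return problems
```

Run it against the fuse_info.txt written by a real (non --noburn) odmfuse.sh read; an empty list from check_fuses means none of the conditions from this thread apply.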

hello user121369,

I'll check this internally; please work around it by omitting user_key for your development.
please refer to the Disk Encryption chapter if you're going to enable ROOTFS_ENC. thanks