The device can't start up after flashing one disk encryption image

Read fuse with "sudo ./odmfuse.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem -S …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc"; the errors are:
[0007.003] W> Profiler not initialized
[0007.007] E> DEVICE_PROD: Invalid value data = 0, size = 0.
[0007.012] W> device prod register failed
[0007.016] W> Profiler not initialized
[0007.108] I> sdmmc DDR50 mode
[0007.113] I> QSPI Flash Size = 32 MB
[0007.124] I> Qspi initialized successfully
[0007.175] E> Link startup dme_set failed
[0007.179] E> UFS initialization failed
[0007.182] I> UFS is not present

hwkey-agent: 41: hwkey-agent is running!!
hwkey-agent: 315: key_mgnt_processing …
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 368: key_mgnt_processing: failed (-7)
hwkey-agent: 45: main: Failed to verify or extract EKB (-7).
exit called, thread 0xffffffffea8a4d58, name trusty_app_2_92b92883-f96a-4177
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete

[0006.408] I> Welcome to TBoot-CPU Recovery
WARNING: no registered clock for FMON_NAFLL_CLUSTER1 (id 281)
fmon_post initialized
[0006.408] I> Heap: [0xa4000000 … 0xaa000000
[0006.419] I> gpio framework initialized
clk_set_parent failed for clk i2c2, parent pll_aon (-22)
clk_set_parent failed for clk i2c8, parent pll_aon (-22)
clk_dt_late initialized
machine_check initialized

sku_debugfs initialized
speedo_debugfs initialized
adc_debugfs initialized
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
clk_debugfs initialized

starting app shell
entering main console loop
] [0006.428] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio' driver
[0006.583] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio-aon' driver
[0006.587] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x46
[0006.597] W> fetch_driver_phandle_from_dt: failed to get node with compatible ti,tca9539
[0006.605] W> fetch_driver_phandle_from_dt: failed to get node with compatible nxp,tca9539
[0006.609] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0006.615] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x44
[0006.624] W> fetch_driver_phandle_from_dt: failed to get node with compatible ti,tca9539
[0006.632] W> fetch_driver_phandle_from_dt: failed to get node with compatible nxp,tca9539
[0006.637] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0006.645] I> fixed regulator driver initialized
[0006.655] I> CPU: Nvidia Carmel

Please also narrow down the issue: could you assign all keys but exclude --user_key, to verify the device flashing status?

If I run the following commands, the system boots normally.
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./flash.sh --no-flash -u …/…/key/nvidia_rsa_3k_priv.pem -v …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader/
sudo bash ./flashcmd.txt

hello user121369,

I'll check this internally; please use a workaround that waives user_key for your development.
Please refer to the Disk Encryption chapter if you're going to enable ROOTFS_ENC. Thanks.

ok, thanks!

hello user121369,

BTW,
the error reports kernel image loading failure.
Did you change anything in extlinux.conf or other configuration? If the error persists, you may try reinstalling the SDKmanager (or deleting Linux_for_Tegra) to get a fresh environment for verification.
thanks

I reinstalled the SDKmanager; the error still exists.

[0008.016] W> keyslot 14 is zero
[0008.046] I> Checking boot.img header magic … [0008.046] E> Invalid header magic
[0008.046] E> Failed to load kernel, abort booting.
[0008.047] E> Failed extlinux boot.
[0008.065] I> Kernel EP: 0x0, DTB: 0x90000000

odmfuseread.sh reports the following error:
smartgiant@smartgiant-HP-Pavilion-Notebook:~/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra$ sudo ./odmfuseread.sh -i 0x19 -k …/…/key/nvidia_rsa_3k_priv.pem -S …/…/key/sbk.hex jetson-xavier-nx-devkit-emmc
[sudo] smartgiant 的密码:
copying soft_fuses(/home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-soft-fuses-l4t.cfg)… done.
copying soft_fuses(/home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-soft-fuses-l4t.cfg)… done.
./tegraflash.py --chip 0x19 --applet "/home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod.bin" --skipuid --soft_fuses tegra194-mb1-soft-fuses-l4t.cfg --bins "mb2_applet nvtboot_applet_t194.bin" --cmd "dump eeprom boardinfo cvm.bin;reboot recovery" --encrypt_key "…/…/key/sbk.hex" --key "…/…/key/nvidia_rsa_3k_priv.pem"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0045 ] Generating RCM messages
[ 0.0068 ] tegrasign_v3.py --key /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/sbk.hex --file /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod.bin --offset 4096
[ 0.0075 ] Assuming zero filled SBK key : not reading /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/sbk.hex
[ 0.0319 ]
[ 0.0342 ] tegrahost_v2 --chip 0x19 0 --magicid MB1B --appendsigheader /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt.bin zerosbk
[ 0.0349 ] Header already present for /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt.bin
[ 0.0380 ]
[ 0.0402 ] tegrasign_v3.py --getmode mode.txt --key /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/nvidia_rsa_3k_priv.pem
[ 0.0403 ] Assuming zero filled SBK key : not reading /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/nvidia_rsa_3k_priv.pem
[ 0.0423 ] tegrasign_v3.py --file /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin --key /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/nvidia_rsa_3k_priv.pem --length 1136 --offset 2960 --pubkeyhash pub_key.key
[ 0.0424 ] Assuming zero filled SBK key : not reading /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/nvidia_rsa_3k_priv.pem
[ 0.0467 ] tegrahost_v2 --chip 0x19 0 --updatesigheader /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.hash zerosbk
[ 0.0501 ]
[ 0.0525 ] tegrabct_v2 --chip 0x19 0 --sfuse tegra194-mb1-soft-fuses-l4t.cfg.pdf sfuse.bin
[ 0.0533 ]
[ 0.0555 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x19 0 --sfuses sfuse.bin --download rcm /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin 0 0
[ 0.0562 ] RCM 0 is saved as rcm_0.rcm
[ 0.0590 ] RCM 1 is saved as rcm_1.rcm
[ 0.0590 ] RCM 2 is saved as rcm_2.rcm
[ 0.0590 ] List of rcm files are saved in rcm_list.xml
[ 0.0590 ]
[ 0.0590 ] Signing RCM messages
[ 0.0611 ] tegrasign_v3.py --getmontgomeryvalues montgomery.bin --key /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/nvidia_rsa_3k_priv.pem --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0612 ] Assuming zero filled SBK key : not reading /home/smartgiant/nvidia/nvidia_sdk/JetPack_4.6_Linux_JETSON_XAVIER_NX_TARGETS/key/nvidia_rsa_3k_priv.pem
[ 0.0673 ] Copying signature to RCM mesages
[ 0.0695 ] tegrarcm_v2 --chip 0x19 0 --updatesig rcm_list_signed.xml
[ 0.0707 ]
[ 0.0708 ] Boot Rom communication
[ 0.0730 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid
[ 0.0737 ] RCM version 0X13
[ 0.0746 ] Boot Rom communication failed
[ 5.1474 ]
Error: Return value 3
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid
Reading board information failed.

Hello JerryChang,
Is there a solution to this problem?

hello user121369,

This failure, Boot Rom communication failed, is usually due to intermittent device communication.
Are you using a VM, or is this a laptop?

Laptop.
The problem is only reported when running odmfuseread.sh.

Can you give an example list of commands to flash a disk encrypted image for a new Jetson Xavier NX device?

hello user121369

Here's the sample command line to enable disk encryption.
$ sudo ROOTFS_ENC=1 ./flash.sh -i "./ekb.key" jetson-xavier-nx-devkit mmcblk0p1

You may enable Jetson security by burning the target with PKC+SBK.
In addition, please also have the EKS partition updated: you should burn the EKB key you would like to use for disk encryption.
Here's the Tool for EKB Generation; that eks image file is the one that needs to be updated.

To enable the Jetson security, may I use the following commands?
sudo ./odmfuse.sh -p -i 0x19 -k ./rsa.pem -S ./sbk.hex --KEK2 ./key2.hex --disable-jtag jetson-xavier-nx-devkit-emmc
sudo gen_ekb.py -kek2_key key2.n0x -fv FV.n0x -in_sym_key kernel.n0x -in_sym_key2 disk.n0x -out eks.img
sudo cp eks.img bootloader/
sudo ROOTFS_ENC=1 ./flash.sh -u ./rsa.pem -v ./sbk.hex --user_key ./kernel.hex -i ./disk.hex jetson-xavier-nx-devkit-emmc mmcblk0p1

yes.

FYI,
You should only need a one-time process to burn the fuses by executing odmfuse.sh; it's a non-reversible process, and you cannot revert a fuse bit once you've changed its value from 0 to 1.
In those commands, -k ./rsa.pem is the PKC used to sign the images; -S ./sbk.hex is the SBK for encrypting the images.

After running the above commands, the system is still stuck. The error:
ipc-unittest-srv: 329: Init unittest services!!!
hwkey-agent: 41: hwkey-agent is running!!
hwkey-agent: 315: key_mgnt_processing …
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 368: key_mgnt_processing: failed (-7)
hwkey-agent: 45: main: Failed to verify or extract EKB (-7).
exit called, thread 0xffffffffea8a4d58, name trusty_app_2_92b92883-f96a-4177
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete

[0005.943] I> Validate extlinux.conf …
[0005.947] I> T19x: Authenticate extlinux.conf (bin_type: 54), max size 0x2000
[0005.954] C> pcp hash validation failed!!!
[0005.958] C> OEM authentication of extlinux.conf header failed!
[0005.963] W> Failed to validate extlinux.conf binary from rootfs (err=353697816, fail=0)
[0005.971] E> Security fuse is burned, abort loading binary from rootfs
[0005.978] E> Failed to find/load /boot/extlinux/extlinux.conf
[0005.983] I> Loading kernel …
[0005.986] I> No kernel binary path
[0005.989] I> Continue to load from partition …
[0005.994] W> No valid slot number is found in scratch register
[0006.000] W> Return default slot: _a
[0006.003] I> A/B: bin_type (37) slot 0
[0006.007] I> Loading kernel from partition
[0006.011] I> Loading partition kernel at 0xa4b20000 from device(0x1)
[0006.762] I> Validate kernel …
[0006.763] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0006.764] I> RSA PSS signature check: OK
[0007.181] W> keyslot 14 is zero
[0007.197] I> Checking boot.img header magic … [0007.197] E> Invalid header magic
[0007.198] E> Failed to load kernel, abort booting.
[0007.198] E> Failed extlinux boot.
[0007.199] I> removable_boot_load_kernel_and_dtb: force NVME bdev to close !!!
[0007.199] E> NVME (5) boot failed, err: 0x2b2b0018
[0007.199] I> ########## Fixed storage boot ##########
[0007.204] I> Loading kernel-bootctrl from partition
[0007.209] I> Loading partition kernel-bootctrl at 0xa4b20000 from device(0x1)
[0007.223] W> tegrabl_get_kernel_bootctrl: magic number(0x00000000) is invalid
[0007.223] W> tegrabl_get_kernel_bootctrl: use default dummy boot control data
[0007.230] I> Already published: 00010003
[0007.233] I> Look for boot partition
[0007.237] I> Fallback: assuming 0th partition is boot partition
[0007.242] I> Detect filesystem
[0007.276] I> Loading extlinux.conf …
[0007.276] I> Loading extlinux.conf binary from rootfs …
[0007.276] I> rootfs path: /sdmmc_user/boot/extlinux/extlinux.conf
[0007.361] I> Loading extlinux.conf sig file from rootfs …
[0007.362] I> rootfs path: /sdmmc_user/boot/extlinux/extlinux.conf.sig
[0007.435] I> overload load_size to 874 (from 880)
[0007.435] I> Validate extlinux.conf …
[0007.435] I> T19x: Authenticate extlinux.conf (bin_type: 54), max size 0x2000
[0007.437] I> RSA PSS signature check: OK
[0007.437] W> keyslot 14 is zero
[0007.438] E> No valid entry found in extlinux.conf!

Could you please share the content of extlinux.conf? Thanks.

extlinux.conf:

TIMEOUT 30
DEFAULT primary

MENU TITLE L4T boot options

LABEL primary
      MENU LABEL primary kernel
      LINUX /boot/Image
      INITRD /boot/initrd
      APPEND ${cbootargs} quiet

# When testing a custom kernel, it is recommended that you create a backup of
# the original kernel and add a new entry to this file so that the device can
# fallback to the original kernel. To do this:
#
# 1, Make a backup of the original kernel
#       sudo cp /boot/Image /boot/Image.backup
#
# 2, Copy your custom kernel into /boot/Image
#
# 3, Uncomment below menu setting lines for the original kernel
#
# 4, Reboot
#
# LABEL backup
#    MENU LABEL backup kernel
#    LINUX /boot/Image.backup
#    INITRD /boot/initrd
#    APPEND ${cbootargs}

Hello JerryChang, can I read the value of KEK2 with odmfuseread.sh?

Why

hello user121369,

Please try removing this line, so that the kernel image is loaded via the partition. Thanks.
For example,

LABEL primary
MENU LABEL primary kernel
LINUX /boot/Image
INITRD /boot/initrd
APPEND ${cbootargs} quiet
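As an added example (not code from this thread or from NVIDIA's tools), here is a small Python checker that parses an extlinux.conf like the one posted above and lists which rootfs-loaded files of the DEFAULT entry have no ".sig" sidecar. It assumes, generalising from the cboot log for extlinux.conf, that the kernel and initrd named by LINUX/INITRD are authenticated from the rootfs the same way once the security fuses are burned, and that an entry without a LINUX line falls back to the kernel partition; the sample config and the throwaway rootfs it builds are constructed.

```python
import os
import tempfile
# Constructed sample mirroring the extlinux.conf posted in the thread.
SAMPLE_CONF = """\
DEFAULT primary
LABEL primary
      MENU LABEL primary kernel
      LINUX /boot/Image
      INITRD /boot/initrd
# LABEL backup
#    LINUX /boot/Image.backup
"""
def parse_extlinux(text):
    """Return (default_label, {label: {KEY: value}}); '#' starts a comment."""
    default, entries, current = None, {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""
        if key == "DEFAULT":
            default = value
        elif key == "LABEL":
            current, entries[value] = value, {}
        elif current is not None:
            entries[current][key] = value  # "MENU LABEL x" is stored under MENU
    return default, entries

def check_rootfs(rootfs):
    """Report which rootfs-loaded files of the DEFAULT entry lack a '.sig'.
    Assumption, generalised from the cboot log for extlinux.conf: once the
    security fuses are burned, cboot accepts a rootfs file only if '<file>.sig'
    validates; an entry without LINUX boots the signed kernel partition instead."""
    conf = os.path.join(rootfs, "boot/extlinux/extlinux.conf")
    with open(conf) as fh:
        default, entries = parse_extlinux(fh.read())
    entry = entries.get(default, {})
    missing = [p for p in (entry.get("LINUX"), entry.get("INITRD"))
               if p and not os.path.isfile(rootfs + p + ".sig")]
    return {"default": default, "conf_signed": os.path.isfile(conf + ".sig"),
            "loads_from_rootfs": "LINUX" in entry, "missing_sig": missing}

def demo():
    """Throwaway rootfs in which only /boot/Image has been signed."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "boot/extlinux"))
    open(os.path.join(root, "boot/extlinux/extlinux.conf"), "w").write(SAMPLE_CONF)
    for name in ("Image", "Image.sig", "initrd"):
        open(os.path.join(root, "boot", name), "w").close()
    return check_rootfs(root)  # missing_sig == ['/boot/initrd']
```

Run against a real Linux_for_Tegra rootfs directory, check_rootfs flags the files flash.sh's signing step has not produced a ".sig" for, which is the condition under which the log above aborts loading from the rootfs.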