UEFI Secure Boot fails flashing

Hello,
I am trying to set up UEFI secure boot (without fuse secure boot, just for testing) but the flashing always fails at a very late state. I am using L4T 36.4 on a Jetson AGX Orin Devkit.
I attached the logs.

I am executing this command:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --uefi-keys uefi_keys/uefi_keys2.conf jetson-agx-orin-devkit internal

I have set up the key config file, executed the sudo chmod 644 uefi_keys/_out/*.auth command and also sudo tools/gen_uefi_default_keys_dts.sh uefi_keys/uefi_keys.conf before.
I have placed the resulting UefiDefaultSecurityKeys.dtbo in the /bootloader folder and removed there the existing file that had the same name. Not sure if the last step was necessary, but I tried with and without that step.

Before, I also tried to flash using flash.sh which resulted in errors during the boot up of the Jetson AGX Orin Devkit.

sudo ROOTFS_ENC=1 ./flash.sh --uefi-keys ~/Projects/secureboot/uefi_keys/uefi_keys.conf -i ~/Projects/secureboot/jetson-public-srcs/Linux_for_Tegra/source/jetson-optee-srcs/optee/samples/hwkey-agent/host/tool/gen_ekb/disk_enc.key jetson-agx-orin-devkit internal

I flashed using this command but when I boot there are errors:
ReadEncryptedImage: Failed to read data from partition
OpteeDecryptImage: Failed to read data
ReadAndroidStyleKernelPartition: OpteeDecryptImage failed
Failed to boot recovery: 0 partition

Any help is highly appreciated.

log1.txt (289.8 KB)

Hi,
If the device cannot be flashed/booted, please refer to the page to get uart log from the device:
Jetson/General debug - eLinux.org
And get logs of host PC and Jetson device for reference. If you are using custom board, you can compare uart log of developer kit and custom board to get more information.
Also please check FAQs:
Jetson AGX Orin FAQ
If possible, we would suggest following the quick start in the developer guide to re-flash the system:
Quick Start — NVIDIA Jetson Linux Developer Guide 1 documentation
And see if the issue still persists on a clean-flashed system.
Thanks!

hello andib,

it looks like you’re enabling UEFI SecureBoot + Disk encryption.
let’s narrow down the issue: for instance, does it work with only ROOTFS_ENC=1?

thank you for your reply JerryChang.
Yes, that was my plan.
When I do only disk encryption, it boots, and using the command lsblk I can see that there is an encrypted partition.
However, if I combine it with --uefi-keys or if I do it without the disk encryption, I get errors as described above during booting.
When I only try uefi keys, I get errors like boot\initrd failed image verification, failed to authenticate \boot\initrd, unable to boot via extlinux during the boot of the device.

hello andib,

FYI, we’ve verified UEFI Secureboot + Disk encryption with r36.4 on AGX-Orin.
here’re steps for your reference,

  1. Follow document steps to generate PK, KEK, db keys.
  2. Create UEFI keys config file
  3. Generate UefiDefaultSecurityKeys.dtbo
  4. Generate eks_t234.img with below command:
    Modify below two keys in example.sh
    auth_t234.key --> "d9f7b49e3b6264985f1326f541bb43c9"
    sym2_t234.key --> "d9f7b49e3b6264985f1326f541bb43c9"
    $ python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key -in_sym_key2 sym2_t234.key -in_auth_key auth_t234.key -out eks_t234.img
  5. Copy eks_t234.img to $OUT/Linux_for_Tegra/bootloader
  6. Flash:
    $ sudo ROOTFS_ENC=1 ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf -i sym2_t234.key jetson-agx-orin-devkit internal

Hi JerryChang,

thank you for your detailed answer and the time you took to try that yourself, I highly appreciate that.

Unfortunately, I am still getting the same errors.
I created the uefi keys and the config:

(base) andi@andi-ssd:~/Projects/jetson-project/Jetson_Linux_R36.4.0_aarch64/Linux_for_Tegra/uefi_keys$ ls
db_1.crt  db_2.crt  KEK.crt  PK.crt  UefiDefaultSecurityKeys.dtbo
db_1.esl  db_2.esl  KEK.esl  PK.esl  UefiDefaultSecurityKeys.dts
db_1.key  db_2.key  KEK.key  PK.key  uefi_keys.conf
(base) andi@andi-ssd:~/Projects/jetson-project/Jetson_Linux_R36.4.0_aarch64/Linux_for_Tegra/uefi_keys$ cat uefi_keys.conf 
UEFI_DB_1_KEY_FILE=db_1.key;  # UEFI payload signing key
UEFI_DB_1_CERT_FILE=db_1.crt; # UEFI payload signing key certificate

UEFI_DEFAULT_PK_ESL=PK.esl
UEFI_DEFAULT_KEK_ESL_0=KEK.esl

UEFI_DEFAULT_DB_ESL_0=db_1.esl
UEFI_DEFAULT_DB_ESL_1=db_2.esl
(base) andi@andi-ssd:~/Projects/jetson-project/Jetson_Linux_R36.4.0_aarch64/Linux_for_Tegra/uefi_keys$ 

I executed the script:

sudo tools/gen_uefi_keys_dts.sh uefi_keys/uefi_keys.conf

I also generated eks_t234.img and replaced it in the bootloader folder as you described.

Is there any other step that you might have done? For example, what should I do with the UefiDefaultSecurityKeys.dtbo file? I also replaced the same file in the bootloader with my generated one, but that didn’t help.
Also, there is the script gen_uefi_default_keys_dts.sh in the /tools folder, which would create some more data as I have read in other posts, for example an _out folder and some .auth files. Is that maybe the file I should use or did I use the correct one?

If any steps are missing or I should do something else, please let me know.

Just to verify, I tried out the burning of the fuses using --test option, which does NOT burn the fuses. That means there is no secure boot enabled. I just wanted to try the burning first without actually burning. After that, I wanted to test UEFI boot and disk encryption, but there I am stuck.
I added the error that is shown on my screen during booting.
I would highly appreciate every further help.
Btw, is there a reason why the sym2 key and the auth key are the same? Furthermore, why did you not use the disk_enc key as described in the disk encryption section?
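A quick way to sanity-check the uefi_keys directory and config listed in this post before flashing is to parse the config, confirm every referenced file exists next to it, and verify that each .esl file is a well-formed EFI_SIGNATURE_LIST of X.509 type. The following is an added example written for this thread; it is not part of NVIDIA's tools or of any post above. It assumes the config format shown in the post (KEY=value with an optional trailing semicolon and # comment), the EFI_SIGNATURE_LIST layout from the UEFI specification, and treats the entries present in the posted config as the minimum set to expect (an assumption of the example). The files it builds in a temporary directory are placeholders, not real keys or certificates.

```python
import struct
import tempfile
import uuid
from pathlib import Path

# EFI_CERT_X509_GUID from the UEFI specification; cert-to-efi-sig-list emits
# one EFI_SIGNATURE_LIST of this type per certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian).
ESL_HEADER = struct.Struct("<16sIII")
# Entries present in the config posted in the thread (assumed minimum set).
EXPECTED_ENTRIES = ("UEFI_DB_1_KEY_FILE", "UEFI_DB_1_CERT_FILE",
                    "UEFI_DEFAULT_PK_ESL", "UEFI_DEFAULT_KEK_ESL_0",
                    "UEFI_DEFAULT_DB_ESL_0")


def parse_uefi_keys_conf(text):
    """Parse `KEY=value;  # comment` lines (the format shown in the thread)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        key, sep, val = line.partition("=")
        if not sep or not key.strip() or not val.strip():
            raise ValueError(f"unparseable config line: {raw!r}")
        conf[key.strip()] = val.strip()
    return conf


def parse_esl(data):
    """Walk a chain of EFI_SIGNATURE_LISTs; return [(type_guid, entry_count)]."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid_le, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize out of range")
        body = list_size - ESL_HEADER.size - hdr_size
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the cert.
        if sig_size <= 16 or body % sig_size:
            raise ValueError("signature area does not divide into SignatureSize entries")
        lists.append((uuid.UUID(bytes_le=guid_le), body // sig_size))
        off += list_size
    return lists


def check_uefi_keys(conf_path):
    """Return {'entries': {conf_key: cert_count}, 'problems': [str]} for a config."""
    conf_path = Path(conf_path)
    conf = parse_uefi_keys_conf(conf_path.read_text())
    problems, entries = [], {}
    for name in EXPECTED_ENTRIES:
        if name not in conf:
            problems.append(f"missing entry {name}")
    for key, val in conf.items():
        f = conf_path.parent / val  # paths are taken relative to the config file
        if not f.is_file():
            problems.append(f"{key}: {val} not found next to the config")
            continue
        if not (key.endswith("_ESL") or "_ESL_" in key):
            continue  # .key/.crt files: existence is all this check looks at
        try:
            lists = parse_esl(f.read_bytes())
        except ValueError as err:
            problems.append(f"{key}: {err}")
            continue
        if any(g != EFI_CERT_X509_GUID for g, _ in lists):
            problems.append(f"{key}: contains a non-X.509 signature list")
        entries[key] = sum(n for _, n in lists)
    return {"entries": entries, "problems": problems}


def build_x509_esl(cert_der, owner=uuid.UUID(int=0)):
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (as cert-to-efi-sig-list does)."""
    sig_size = 16 + len(cert_der)
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


# Constructed fixtures: the config from the thread plus placeholder files.
CONF_TEXT = """UEFI_DB_1_KEY_FILE=db_1.key;  # UEFI payload signing key
UEFI_DB_1_CERT_FILE=db_1.crt; # UEFI payload signing key certificate
UEFI_DEFAULT_PK_ESL=PK.esl
UEFI_DEFAULT_KEK_ESL_0=KEK.esl
UEFI_DEFAULT_DB_ESL_0=db_1.esl
UEFI_DEFAULT_DB_ESL_1=db_2.esl
"""
FAKE_DER = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate


def demo():
    """Recreate the thread's directory listing in a temp dir and check it."""
    d = Path(tempfile.mkdtemp())
    for stem in ("db_1", "db_2", "KEK", "PK"):
        (d / f"{stem}.key").write_bytes(b"placeholder")
        (d / f"{stem}.crt").write_bytes(b"placeholder")
    for name in ("PK.esl", "KEK.esl", "db_1.esl"):
        (d / name).write_bytes(build_x509_esl(FAKE_DER))
    # db_2.esl is deliberately truncated so the check has something to report.
    (d / "db_2.esl").write_bytes(build_x509_esl(FAKE_DER)[:20])
    (d / "uefi_keys.conf").write_text(CONF_TEXT)
    return check_uefi_keys(d / "uefi_keys.conf")


if __name__ == "__main__":
    print(demo())
```

Run `check_uefi_keys("uefi_keys/uefi_keys.conf")` against a real directory; a non-empty `problems` list points at a missing or malformed input before gen_uefi_keys_dts.sh or flash.sh consume it. The check says nothing about whether the .key and .crt pairs actually match, only that the files and ESL structures are present and well-formed.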

I made some small progress, but the problem is not completely solved:

I found this post and added --uefi-enc to my command.

sudo ROOTFS_ENC=1 ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf -i ~/Projects/jetson-project/public_sources/Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key --uefi-enc ~/Projects/jetson-project/public_sources/Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb/sym_t234.key jetson-agx-orin-devkit internal

Now it says that secure boot is enabled, but some kernel panic is happening because it failed to decrypt the disk.

I added the updated pictures of the screen.


hello andib,

there are 4 magic bytes at the beginning of the EKS image, they are: “EEKB”, if these 4 bytes are wrong, you will see “eks image not correct”.
for example,

 hexdump -C -n 4 -s 0x34 eks_t234.img
 00000034 45 45 4b 42 |EEKB|

BTW, please refer to Topic 313695 for fail to unlock the encrypted dev failure.
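The hexdump check in this reply can be scripted so it is run automatically on eks_t234.img before it is copied into the bootloader folder. The block below is an added example for this thread, not code from any post or from NVIDIA; it relies only on the two facts stated above (the magic bytes "EEKB" sit at offset 0x34) and uses constructed placeholder images, since no real EKS content is on the page.

```python
import sys

EKS_MAGIC = b"EEKB"      # the 4 magic bytes named in the reply above
EKS_MAGIC_OFFSET = 0x34  # offset the reply's hexdump command inspects


def check_eks_magic(data):
    """Return (ok, message) for the raw bytes of an eks_t234.img."""
    end = EKS_MAGIC_OFFSET + len(EKS_MAGIC)
    if len(data) < end:
        return False, f"image is only {len(data)} bytes, shorter than 0x{end:x}"
    found = data[EKS_MAGIC_OFFSET:end]
    if found != EKS_MAGIC:
        return False, f"expected {EKS_MAGIC!r} at 0x{EKS_MAGIC_OFFSET:x}, found {found!r}"
    return True, "ok"


def hexdump_window(data, offset=EKS_MAGIC_OFFSET, length=4):
    """Render one line in the style of `hexdump -C -n 4 -s 0x34`."""
    chunk = data[offset:offset + length]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hex_part}  |{ascii_part}|"


# Constructed sample images (placeholder header bytes, not real EKS content).
GOOD_IMAGE = bytes(EKS_MAGIC_OFFSET) + EKS_MAGIC + bytes(16)
BAD_IMAGE = bytes(EKS_MAGIC_OFFSET) + bytes(4) + bytes(16)


def main(argv):
    # With a path argument, check that file; otherwise check the good sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else GOOD_IMAGE
    ok, msg = check_eks_magic(data)
    print(hexdump_window(data))
    print("EKS magic:", msg)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A passing magic check only means the image header is intact; it does not tell you that the keys wrapped inside match the ones used for flashing, which is what the "fail to unlock the encrypted dev" failure referenced above is about.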

Hi JerryChang,

I just made it work finally! :)
Yesterday I downloaded all the sources again and tried it in a new way and then there was the last problem with the EKB image that you pointed out.

Then I tried it again today in the morning by just adding --uefi-enc to my previous setup, where I also did the rest of my configurations and it worked.

Thank you so much for your help!
