UEFI Secure Boot remains in Standard Mode and does not enforce signature verification after enabling custom keys

tuan100220 · October 10, 2025, 3:48am

Description:
I have enabled UEFI Secure Boot on my Jetson Xavier platform and successfully provisioned my own PK, KEK, and db keys using the `fflash.sh --uefi-keys option.
The system boots normally, and efivar shows that SecureBoot is enabled (Value: 01) and SetupMode is disabled (`Value:Value: 00).
However, the firmware still reports “Secure Boot Mode: Standard Mode” and “WARNING: Test Key detected” in the UEFI log.

Even when booting unsigned images (not si

Additionally, the UEFI setup menu does not allow switching from Standard Mode to Custom Mode.
The option appears grCustom Mode.

Steps to Reproduce:

Generate PK, KEK, and db keys using OpenSSL.

Create uefi_keys.conf and flash using:

sudo ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf <target> mmcblk0p1

Boot the device and verify Secure Boot status:

efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot
efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode
efi-readvar

Secure Boot is Enabled, Setup Mode is Disabled, and custom PK/KEK/db certificates appear correctly.
Attempt to boot with unsigned boot.img or kernel — system still boots successfully.
UEFI setup menu shows Secure Boot Mode <Standard Mode> and the warning:
```
** WARNING: Test key detected **
```

Expected Behavior:
After provisioning custom PK/KEK/db keys and switching out of Setup Mode, the firmware should enter Custom Mode and enforce signature verification — booting should fail for unsigned or untrusted images.

Actual Behavior:

Secure Boot remains in Standard Mode.
Warning “Test key detected” appears even with custom keys.
Unsigned images still boot successfully (no verification failure).
Cannot manually switch to Custom Mode in the UEFI configuration interface.

Additional Information:

Platform: Jetson Xavier
JetPack / L4T version: (e.g., JetPack 5.1.3)
Flash command used:
sudo ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf <target> mmcblk0p1
Verified efivars:
```
SecureBoot = 01
SetupMode = 00
```
PK, KEK, and db entries visible under /sys/firmware/efi/efivars/

tuan100220 · October 10, 2025, 4:03am

This is log debug :
admin@tegra-ubuntu:~$ sudo mokutil --sb-state
SecureBoot enabled
admin@tegra-ubuntu:~$ sudo efi-readvar
Variable PK, length 837
PK: List 0, type X509
Signature 0, size 809, owner 9f8d71f3-106e-4764-93df-dc425301f36b
Subject:
CN=my Platform Key
Issuer:
CN=my Platform Key
Variable KEK, length 845
KEK: List 0, type X509
Signature 0, size 817, owner e122486c-daa3-4f28-8529-6e0ef334eba8
Subject:
CN=my Key Exchange Key
Issuer:
CN=my Key Exchange Key
Variable db, length 1730
db: List 0, type X509
Signature 0, size 829, owner b523ef53-bb0a-4856-9302-4f214be45f99
Subject:
CN=my Signature Database key
Issuer:
CN=my Signature Database key
db: List 1, type X509
Signature 0, size 845, owner 54d5aa02-1184-4cfd-948e-63ae51bf324e
Subject:
CN=my another Signature Database key
Issuer:
CN=my another Signature Database key
Variable dbx has no entries
Variable MokList has no entries
admin@tegra-ubuntu:~$ sudo hexdump -C /sys/firmware/efi/efivars/SetupMode-*
00000000 06 00 00 00 00 |…|
00000005
admin@tegra-ubuntu:~$ sudo hexdump -C /sys/firmware/efi/efivars/SecureBoot-*
00000000 06 00 00 00 01 |…|
00000005
admin@tegra-ubuntu:~$

JerryChang · October 13, 2025, 5:28am

hello tuan100220,

it does not check/verify the signature if OemKeyValid and SecurityMode are not burned.
please see-also Topic 337248 for reference.

tuan100220 · October 13, 2025, 6:11am

Hi,

I want to test UEFI Secure Boot on Xavier NX. To modify or set the OemKeyValid and SecurityMode flags, do I have to burn the eFuses, or is there a way to adjust them temporarily for testing without permanently writing to fuses?

Thanks!

JerryChang · October 13, 2025, 7:40am

hello tuan100220,

that’s not possible, fuse burning operations are high-risk because they cannot be reversed.

tuan100220 · October 13, 2025, 7:54am

Thank you, I understand the issue now. I will look into how to burn the eFuses.

JerryChang · October 13, 2025, 8:03am

hello tuan100220,

please refer to developer guide for the SecureBoot chapter.
BTW, you may see-also Topic 158361 for the steps we’ve fused/flashed Xavier NX developer kit, although it’s tested on JetPack-4.4

tuan100220 · October 13, 2025, 8:07am

yes. thanks

system · November 5, 2025, 5:27am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do we test UEFI secure boot on Jetson Xavier NX in development environment Jetson Xavier NX security	2	590	April 27, 2023
Verify signauture of UEFI Firmware - UEFI Platform Vendor Key Feature Jetson AGX Orin security	7	225	September 22, 2025
Enabling UEFI Secureboot JP 5.1 L4T 35.2.1 Jetson AGX Xavier security , nvbugs	4	1665	March 29, 2023
Boot signed UEFI bootloader on a system with no fuses burnt Jetson Orin NX security , uefi	9	245	February 24, 2025
BSP 35.6.2 does not seem to boot properly when using UEFI secure boot Jetson AGX Xavier boot , security , nvbugs	10	197	September 24, 2025
Jetson Orin AGX Boot fail after UEFI Secureboot flash 36.3 (Devkit) Jetson AGX Orin security	6	370	June 3, 2024
Xavier NX Boot error Jetson Xavier NX boot	12	468	May 27, 2024
UEFI Secure Boot fails flashing Jetson AGX Orin security	9	536	December 18, 2024
Orin NX UEFI can't enroll keys Jetson Orin NX security	12	895	February 29, 2024
UEFI Secureboot JP 5.1.1 L4T 35.3.1 Jetson AGX Xavier security	23	2347	May 17, 2023

UEFI Secure Boot remains in Standard Mode and does not enforce signature verification after enabling custom keys

Related topics