UEFI Secureboot file Not Found messages, signing FDT dtb

Hello,

I have set up my build system to enable UEFI SecureBoot. During the boot process the system boots into the OS; however, I see messages about files “Not Found”, below:

ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
OpenAndReadUntrustedFileToBuffer: Failed to open \boot\my_custom.dtb.sig: Not Found
ExtLinuxBoot: Failed to authenticate boot\extlinux\extlinux.conf (Not Found)

Confirming extlinux.conf exists; this file is also in Linux_for_Tegra/bootloader:

$ cat /boot/extlinux/extlinux.conf
TIMEOUT 2
DEFAULT primary

MENU TITLE L4T boot options

LABEL primary
MENU LABEL primary kernel
LINUX /boot/Image
FDT /boot/my_custom.dtb
INITRD /boot/initrd
APPEND ${cbootargs} root=/dev/nvme0n1p1 quiet rw rootwait rootfstype=ext4 mminit_loglevel=4 console=ttyTCU0,115200 firmware_class.path=/etc/firmwar
OVERLAYS /boot/tegra234-p3768-camera-seeed-j401-duo-sl-overlay.dtbo

UEFI Secure boot is configured using the UefiDefaultSecurityKeys.dtbo method from the documentation. Flashing using Linux_for_Tegra/tools/kernel_flash/l4t_initrd_flash.sh

I am using a custom.dtb that I’m pretty sure isn’t getting signed during the process. Is this related?

So two questions:
Why can't it find extlinux.conf?
How do I sign an FDT dtb and use it with the UefiDefaultSecurityKeys.dtbo method?

L4T version 36.3, Jetson Orin NX 8GB

Thank you,

*** Please note that this reply is generated by LLM automatically ***

I’ll provide a comprehensive answer to your questions.

Background

You have set up your build system to enable UEFI Secure Boot on your Jetson Orin NX device. During the boot process, the system boots into the OS, but you see messages about files not found. You are using a custom Device Tree Binary (DTB) file, which you suspect is not getting signed during the process.

Issue 1: “Not Found” messages

The messages you see during boot are likely related to the UEFI Secure Boot configuration. Specifically, the messages indicate that the system is unable to find certain files, such as boot/mycustomdtb.sig, boot/extlinux/extlinux.conf, and others.

These files are required by the UEFI Secure Boot process to authenticate the boot process. The extlinux.conf file is used by the ExtLinuxBoot module to configure the boot process, while the mycustomdtb.sig file is the signed version of your custom DTB file.

Issue 2: Signing a custom DTB file

To sign a custom DTB file, you need to use the mkbootimg tool, which is part of the Linux for Tegra (L4T) toolkit. The mkbootimg tool takes your custom DTB file as input and generates a signed version of the file, which can be used with the UEFI Secure Boot process.

To sign your custom DTB file, follow these steps:

  1. Make sure you have the mkbootimg tool installed on your system.
  2. Create a new file called boot/mycustomdtb.sig using the mkbootimg tool. For example:
mkbootimg --dtb boot/mycustomdtb --output boot/mycustomdtb.sig

This will generate a signed version of your custom DTB file.

Using the signed DTB file with UEFI Secure Boot

To use the signed DTB file with UEFI Secure Boot, you need to update the UefiDefaultSecurityKeys.dtb file to include the signed DTB file.

Here’s an example of how to update the UefiDefaultSecurityKeys.dtb file:

dtc -I dtb -O dtb -o UefiDefaultSecurityKeys.dtb UefiDefaultSecurityKeys.dts

This will update the UefiDefaultSecurityKeys.dtb file to include the signed DTB file.

Comparison with other Jetson devices

The process of signing a custom DTB file and using it with UEFI Secure Boot is similar across different Jetson devices, including the Jetson Orin NX, Jetson Orin Nano, and Jetson AGX Orin series.

However, the specific commands and files used may vary depending on the device and the L4T version being used. It’s always a good idea to consult the documentation for your specific device and L4T version for more information.

Conclusion

In summary, the “Not Found” messages you see during boot are likely related to the UEFI Secure Boot configuration, and the fact that your custom DTB file is not being signed during the process. To fix this issue, you need to sign your custom DTB file using the mkbootimg tool and update the UefiDefaultSecurityKeys.dtb file to include the signed DTB file.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

Sorry mr robot, this isn’t helpful.

I managed to remove the file “Not found” messages. My line of thinking is that these are probably from the actual signing process, not the boot process.

To solve this, I created sigs for both /boot/my_custom.dtb and /boot/tegra234-p3768-camera-seeed-j401-duo-sl-overlay.dtbo, and put them in root_fs/boot/ before signing / UefiDefaultSecurityKeys.dtbo generation.

DTB creation / signing example:

$ dtc -I dts -O dtb -o root_fs/boot/my_custom.dtb my_custom.dts

$ openssl cms -sign -signer Linux_for_Tegra/uefi_keys/db_1.crt -inkey Linux_for_Tegra/uefi_keys/db_1.key -binary -in root_fs/boot/my_custom.dtb -outform der -out root_fs/boot/my_custom.dtb.sig

Both .dtb and .dtb.sig are in the root_fs/boot/ directory. Now when generating UefiDefaultSecurityKeys.dtbo at flash time the signatures are picked up and used to authenticate the files.

At least that's what I think is happening.

Howeverrrr, if I modify/tamper with my_custom.dtb on the device I do get an error but the device still boots?

Normal DTB boot:

ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
...

Tegra login:

Tampered DTB boot:

ESC to enter Setup.
F11 to enter Boot Manager Menu.
Enter to continue boot.
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled
L4TLauncher: Attempting Direct Boot
OpenAndReadFileToBuffer: \boot\my_custom.dtb failed signature verification: Security Violation
ExtLinuxBoot: Failed to authenticate boot\extlinux\extlinux.conf (Security Violation)

...

Tegra login:

Is the FDT not considered important enough to stop booting the device?

Note I tampered with extlinux.conf and the device failed to boot as expected.
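As an added example (not part of the original post), the script below reproduces the signing step from the post above for any DTB or DTBO and then runs the same tamper test on the host: it verifies the detached CMS signature against the db certificate and checks that a modified copy is rejected. It is constructed to run offline: a throwaway self-signed key and certificate stand in for Linux_for_Tegra/uefi_keys/db_1.key and db_1.crt, and a small constructed binary stands in for my_custom.dtb, so dtc is not required. The function names (make_db_key, sign_dtb, verify_dtb, dtb_tamper_check) are my own, not part of L4T.

```shell
#!/bin/sh
# Added example, not from the original thread or from L4T.
# Signs a file with a detached DER CMS signature (same openssl options the
# post uses), verifies it against the db certificate, and shows that a
# tampered copy fails verification.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DB_KEY="$WORK/db_1.key"   # stand-in for Linux_for_Tegra/uefi_keys/db_1.key
DB_CRT="$WORK/db_1.crt"   # stand-in for Linux_for_Tegra/uefi_keys/db_1.crt

# Constructed throwaway db key pair. On a real system the db key is the one
# referenced from uefi_keys.conf and must never leave the signing host.
make_db_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed db key" \
        -keyout "$DB_KEY" -out "$DB_CRT" 2>/dev/null
}

# Sign <file>, writing <file>.sig next to it (works for .dtb and .dtbo alike).
sign_dtb() {
    openssl cms -sign -binary -signer "$DB_CRT" -inkey "$DB_KEY" \
        -in "$1" -outform der -out "$1.sig"
}

# Verify <file> against <file>.sig; the signer chain must end at the db cert.
# Exit status 0 = genuine, non-zero = the host-side "Security Violation".
verify_dtb() {
    openssl cms -verify -binary -inform der -in "$1.sig" -content "$1" \
        -CAfile "$DB_CRT" -out /dev/null 2>/dev/null
}

# Whole experiment: prints "ok" when the untouched file verifies and a
# tampered copy (with the original .sig kept beside it) is rejected.
dtb_tamper_check() {
    dtb="$WORK/my_custom.dtb"
    # Constructed stand-in payload; a real DTB starts with magic d00dfeed.
    printf '\320\015\376\355constructed-dtb-payload' > "$dtb"
    sign_dtb "$dtb"
    verify_dtb "$dtb" || { echo "genuine-failed"; return 1; }

    cp "$dtb" "$WORK/tampered.dtb"
    cp "$dtb.sig" "$WORK/tampered.dtb.sig"
    printf 'X' >> "$WORK/tampered.dtb"      # any change breaks the digest
    if verify_dtb "$WORK/tampered.dtb"; then
        echo "tamper-accepted"
        return 1
    fi
    echo "ok"
}

make_db_key
dtb_tamper_check
```

Run it with sh. verify_dtb returning non-zero for the tampered copy is the host-side equivalent of the "failed signature verification: Security Violation" line in the log; whether the firmware then halts or continues booting without that DTB is a separate policy question, and the script only shows that the signature check itself distinguishes the two files.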

hello able_ttiw,

May I double-check your device authorization types?
For instance,
did you have bootloader secure boot enabled, such as PKC/SBK?
Or have you enabled only UEFI secure boot?

Hi,

I have burnt PK, SBK and OEM_K1. Security mode is not yet set until I'm sure I won't need to burn any more fuses. Does not setting security mode have any other effects?

<genericfuse MagicId="0x45535546" version="1.0.0"> 
  <fuse name="PublicKeyHash"    size="64" value="0x…"/> 
  <fuse name="SecureBootKey"    size="32" value="0x…"/> 
  <fuse name="OemK1"                  size="32" value="0x…"/> 
  <fuse name="BootSecurityInfo" size="4"  value="0x3e9"/> 
  <fuse name="SecurityMode"     size="4"  value="0x0"/> 
</genericfuse>

Command used to flash is:

./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
  -c tools/kernel_flash/flash_l4t_t234_nvme.xml -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
  --showlogs --uefi-keys uefi_keys/uefi_keys.conf --network usb0 -u ../SecureBoot/rsa3k.pem -v ../SecureBoot/SBK.txt my_custom internal

I do think that when I tamper with my_custom.dtb it's not loading and the system continues to boot without it.

hello able_ttiw,

It's because you have bootloader secure boot enabled.

The overlays that are specified at flash time (by the OVERLAY_DTB_FILE variable in the flash config) are stored in the QSPI, and because of this we wanted the default DTB and overlays to be located in the same place (i.e. on the QSPI).

Thank you,

Yes, I have SecureBoot enabled. My starting questions related to the “Not Found” errors due to SecureBoot; I believe this has been solved by signing my_custom.dtb and the overlay DTBO. So all okay here.

I tried testing what would happen when tampering with signed files. When I tampered with my_custom.dtb the device still booted. It did give a warning, but still booted.

I believe that my_custom.dtb may not get loaded if it failed the security check, I will need to test this at some point.

OpenAndReadFileToBuffer: \boot\my_custom.dtb failed signature verification: Security Violation

hello able_ttiw,

I assume this is because you've copied the dtb file to the target to load it individually.
Could you please try a full flash of the target so that the device tree is loaded from QSPI?

I've marked the solution to my original question. Thank you and have a nice day.