Hi,
I’ve some question.
With the Jetpack 5.1 version i try to flash a Jetson Xavier NX with disk encryption and UEFI secureboot enabled.
A question stuck in my head, where is gen_ekb in this version ? Does i have to follow another method to flash with UEFI secureboot and disk encryption enable ?
For UEFI, how do i say to use my generated uefi keys . The parameter --uefi-keys {target}/uefi_keys.conf seams to still using default keys.
At boot i’ve got multiple error messages says :
“EnrollFromDefaultKeysApp: Skipped - USER_MODE”
“OpenReadFileToBuffer: boot\extlinux\extlinux.conf (Unsupported)”
“ProcessExtLinuxConfig:sds Failed to Authenticate boot\extlinux\extlinux.conf (Unsupported)”
“L4TLaucnher: Unable to process extlinux config: Unsupported”
If someone can help me
Thank’s in advance
hello romain.lesne,
you may see-also developer guide, Secure Boot, and also UEFI Secureboot.
please download public sources packages, [Driver Package (BSP) Sources] via https://developer.nvidia.com/embedded/jetson-linux-r3531.
please extract op-tee package, and you’ll see script file, gen_ekb.py
.
for example, $public_sources/r35.3.1/Linux_for_Tegra/source/public/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py
it’s EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key, and another one is the LUKS key for disk encryption support.
LUKS disk encryption support with a specific key. you should execute the script file, gen_ekb.py
to generate an eks image. also, in the developer guide, Tool for EKB Generation that sym2.key is equivalent to ekb.key
you may also dig into Disk Encryption for further details.
Hello JerryChang,
I found the optee folder with gen_ekb and i read lot of doc but I’ve another question.
My keys are created and fused but when i flash with this keys and reboot, the /dev/mmcblk0p2 cannot unlock with key. Board say: No key available with this passphrase - “Fail to unlock the encrypted dev”
What does it mean and can i enable disk encryption without UEFI ?
Next subject, i flash my board with my eks image but something went wrong…
[0002.735] I> RSA PSS signature check: OK
[0002.754] I> RSA PSS signature check: OK
[0002.756] I> EKB detected (length: 0x410) @ VA:0x52709400
[0002.757] I> Setting EKB blob info to OPTEE dtb finished.
▒▒NOTICE: BL31: v2.6(release):6363e7382
NOTICE: BL31: Built : 15:09:29, Jan 24 2023
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.19 (gcc version 9.3.0 (Buildroot 2020.08)) #2 Tue Jan 24 23:20:42 UTC 2023 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
E/TC:0 0 ekb_extraction_process:227 Bad parameter: eks image not correct
E/TC:0 0 jetson_user_key_pta_init:801 jetson_user_key_pta_init: Failed (ffff0006).
E/TC:0 0 call_initcalls:43 Initcall __text_start + 0x000c3120 failed
I/TC: Primary CPU switching to normal world boot
▒▒
messageerreur.txt (113.9 KB)
Thank’s
Hi @romain.lesne ,
The error:
May be fixed by adding the generated ekb key to the /bootloader directory. You must replace the eks_t194.img
with your generated ekb key.
Best,
JDiego Delgado
Embedded SW Engineer at RidgeRun
Contact us: support@ridgerun.com
Developers wiki: https://developer.ridgerun.com/
Website: www.ridgerun.com
Hi jdiegodelgado,
Thank’s for your reply but it’s already what i do.
I’ve already do all this method on previous version of jetpack (4.5) but my method don’t work with this last jetpack. Some changes in this version maybe
I’m stuck with this error but i write the correct key and generate the eks image with gen_ekb.py like i do previously…
If you have other idea
Hi,
I have the same issue, when I generate eks.img with gen_ekb.py and replace bootloader/eks_t194.img but I have
E/TC:0 0 ekb_extraction_process:227 Bad parameter: eks image not correct
Even if I generate custom key for uefi , at boot I see warning you use test key ? Do you have any idea why ? flash.sh with uefi-keys parameter change key ?
Thank you so much .
Hi JulienMoinard,
With some test i did, i conclude same issue.
Someone have a solve or an idea i can follow ?
Thank you so much !
hello romain.lesne,
let’s separate these two, they’re independent. UEFI secureboot and disk encryption.
please see-also Topic 238756 for reference.
besides,
may I know what’s your steps in detail, had you include ROOTFS_ENC
to your flash command-line to generate and flash the encrypted rootfs.
Hello JerryChang,
For explanation, my board is already fuse with odmfuse and works well with encryption with previous version of jetson.
I generate ekb_t194.img with gen_ekb.py and place it in bootloader folder
sudo python3 /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/gen_ekb.py -kek2_key /tmp/keys/key2.key -fv /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/fv_ekb -in_sym_key /tmp/keys/user.key -in_sym_key2 /tmp/keys/disk.key -out /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/eks_t194.img
This is the fv_ekb content : bad66eb4484983684b992fe54a648bb8
There is photon.conf in cti/xavier-nx/photon/ :
#!/bin/bash
source "${LDK_DIR}/p3668.cti-base.common";
DTB_FILE=tegra194-xavier-nx-cti-NGX003.dtb;
disk_enc_enable=1;
EMMC_CFG=flash_l4t_t194_spi_emmc_p3668_enc_rfs.xml;
EMMCSIZE=17179869184;
ext_target_board=cti-xavier-nx-ngx003-00;
I use “flash_l4t_t194_spi_emmc_p3668_enc_rfs.xml” cfg file in my config.
Next i flash with this command :
./flash.sh -R /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/rootfs -i /tmp/keys/disk.key -u /tmp/keys/rsa.key -v /tmp/keys/sbk.hex --user_key /tmp/keys/user.hex /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/cti/xavier-nx/photon mmcblk0p1
I’ve already do this in previous version (4.5) and it’s work. What i’ve forgot
ROOTFS_ENC not work, I use disk_enc_enable=1; in photon.conf instead
Here are the console logs when flashing :
log_flash.txt (114.3 KB)
If you see something to tell me
Thank’s a lot
hello romain.lesne,
it is ROOTFS_ENC=1
to enable disk encryption.
would like to double confirm what’s the storage of your Xavier NX using.
for example,
is it with internal eMMC, or, it’s using external NVME.
or… are you going to enable disk encryption to external media, such as NVME?
hello JerryChang,
i double confirm that with eMMC storage.
i try with ROOTFS_ENC=1 but it’s not work…
please see-also Topic 218685 for the steps.
I test some change with ROOTFS_ENC but still not work i have same issue.
What do you means ? Where i add this ? In front of flash command ? Or in the photon.conf ?
After boot, the screen say
nothing to read on input
ERROR: fail to unlock the encrypted dev /dev/mmcblk0p2
And next i’ve a kernel panic
hello romain.lesne,
ROOTFS_ENC=1
should be added in the beginning of flash command. however, this is doing the same by using disk_enc_enable=1;
in flash configuration file.
as you can see, taking the board_config as an example, jetson-xavier-nx-devkit.conf
# Disk encryption support:
elif [[ "${ROOTFS_AB}" == "" && "${ROOTFS_ENC}" == 1 ]]; then
disk_enc_enable=1;
EMMC_CFG=flash_l4t_t194_spi_sd_p3668_enc_rfs.xml;
it’s error reported which failed to unlock the encrypted dev.
since it’s Encrypted Binary Blob (EKB) file to include the disk encryption key, please check you’ve flash eks.img onto the EKS partition of the device.
Hello,
Thank you for your help I use disk_enc_enable=1 too because variable ROOTFS_ENC have not effect like in the past when I start encryption with your help 2 years ago.
./flash.sh -R /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/rootfs -i /tmp/keys/disk.key -u /tmp/keys/rsa.key -v /tmp/keys/sbk.hex --user_key /tmp/keys/user.hex /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/cti/xavier-nx/photon mmcblk0p1
On my side, I have the same issue I generate with the last available gen_ekb.py the bootloader/eks_t194.img (before it was bootloader/eks.img ??)
What is the path of eks image ? bootloader/eks.img or bootloader/eks_t194.img ?
You suggest that we need to ensure that eks.img need to be flashed in EKS partition of the device but the flash.sh command do that for us if we replace the bootloader/eks.img ? or bootloard/eks_t194.img ?
Thank you.
Julien.
hello JulienMoinard,
it’s eks_t194.img
for Xavier series.
had you enable Jetson security? is no, you may running partition flash commands to update this individually.
for example, $ sudo ./flash.sh -r -k eks jetson-xavier-nx-devkit mmcblk0p1
Hello JerryChang,
had you enable Jetson security?
I don’t know Jetson security, you talk about odmfuse and production mode and fuse ?
Best regards
Julien.
sudo ./flash.sh -r -k eks -u /tmp/keys/rsa.key -v /tmp/keys/sbk.hex --user_key /tmp/keys/user.hex -i /tmp/keys/disk.key /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/cti/xavier-nx/photon/photon mmcblk0p1
When I flash only EKS I got :
Error: Return value 22
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml
Failed to flash/read t186ref.
Please find log below :
root@ubuntu:/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra# sudo ./flash.sh -r -k eks -u /tmp/keys/rsa.key -v /tmp/keys/sbk.hex --user_key /tmp/keys/user.hex -i /tmp/keys/disk.key /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/cti/xavier-nx/photon/photon mmcblk0p1
###############################################################################
# L4T BSP Information:
# R35 , REVISION: 2.1
# User release: 0.0
###############################################################################
Change device boot from mmcblk0p1 to internal
# Target Board Information:
# Name: cti-xavier-nx-ngx003-00, Board Family: t186ref, SoC: Tegra 194,
# OpMode: production, Boot Authentication: SBKPKC,
# Disk encryption: enabled ,
###############################################################################
copying soft_fuses(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-soft-fuses-l4t.cfg)... done.
./tegraflash.py --chip 0x19 --applet "/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod.bin" --skipuid --soft_fuses tegra194-mb1-soft-fuses-l4t.cfg --bins "mb2_applet nvtboot_applet_t194.bin" --cmd "dump eeprom boardinfo cvm.bin;reboot recovery" --key "/tmp/keys/rsa.key" --encrypt_key "/tmp/keys/sbk.hex"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0099 ] Generating RCM messages
[ 0.0141 ] tegrasign_v3.py --file /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod.bin --key /tmp/keys/sbk.hex --offset 4096
[ 0.0144 ] Key is a SBK key
[ 0.0144 ] Key Size is 16 bytes
[ 0.0357 ] tegrahost_v2 --chip 0x19 0 --magicid MB1B --appendsigheader /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt.bin zerosbk
[ 0.0376 ] Header already present for /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt.bin
[ 0.0462 ] tegrasign_v3.py --key /tmp/keys/rsa.key --getmode mode.txt
[ 0.0479 ] Key size is 256 bytes
[ 0.0512 ] tegrasign_v3.py --file /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin --key /tmp/keys/rsa.key --length 1136 --getmontgomeryvalues montgomery.bin --offset 2960 --pubkeyhash pub_key.key
[ 0.0522 ] Key size is 256 bytes
[ 0.0707 ] Saving pkc public key in pub_key.key
[ 0.0712 ] tegrahost_v2 --chip 0x19 0 --pubkeyhash pub_key.key --setmontgomeryvalues montgomery.bin --updatesigheader /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.sig oem-rsa
[ 0.0787 ] tegrabct_v2 --chip 0x19 0 --sfuse tegra194-mb1-soft-fuses-l4t.cfg.pdf sfuse.bin
[ 0.0819 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x19 0 --sfuses sfuse.bin --download rcm /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin 0 0
[ 0.0828 ] RCM 0 is saved as rcm_0.rcm
[ 0.0854 ] RCM 1 is saved as rcm_1.rcm
[ 0.0856 ] RCM 2 is saved as rcm_2.rcm
[ 0.0857 ] List of rcm files are saved in rcm_list.xml
[ 0.0857 ]
[ 0.0857 ] Signing RCM messages
[ 0.0895 ] tegrasign_v3.py --key /tmp/keys/rsa.key --list rcm_list.xml --getmontgomeryvalues montgomery.bin --pubkeyhash pub_key.key
[ 0.0907 ] Key size is 256 bytes
[ 0.1376 ] Saving pkc public key in pub_key.key
[ 0.1364 ] Copying signature to RCM mesages
[ 0.1393 ] tegrarcm_v2 --chip 0x19 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.1410 ] Boot Rom communication
[ 0.1439 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid
[ 0.1446 ] RCM version 0X190001
[ 0.1487 ] Boot Rom communication completed
[ 2.1943 ] tegrarcm_v2 --isapplet
[ 2.1967 ] Applet version 01.00.0000
[ 2.2367 ] tegrarcm_v2 --ismb2
[ 2.2774 ] tegrahost_v2 --chip 0x19 --align nvtboot_applet_t194_aligned.bin
[ 2.2783 ] header_magic: 50000ea
[ 2.2831 ] tegrasign_v3.py --key /tmp/keys/sbk.hex --list nvtboot_applet_t194_aligned.bin_list.xml
[ 2.2836 ] Key is a SBK key
[ 2.2836 ] Key Size is 16 bytes
[ 2.2943 ] tegrahost_v2 --chip 0x19 0 --updatesigheader nvtboot_applet_t194_aligned.bin.encrypt nvtboot_applet_t194_aligned.bin.hash zerosbk
[ 2.2997 ] tegrahost_v2 --chip 0x19 --align nvtboot_applet_t194.bin_aligned.encrypt
[ 2.3011 ] header_magic: 1b7f5d74
[ 2.3034 ] tegrahost_v2 --appendsigheader nvtboot_applet_t194.bin_aligned.encrypt oem-rsa-sbk --chip 0x19 0 --magicid PLDT
[ 2.3049 ] adding BCH for nvtboot_applet_t194.bin_aligned.encrypt
[ 2.3114 ] tegrasign_v3.py --key /tmp/keys/rsa.key --list nvtboot_applet_t194.bin_aligned_sigheader.encrypt_list.xml --pubkeyhash pub_key.key
[ 2.3129 ] Key size is 256 bytes
[ 2.3297 ] Saving pkc public key in pub_key.key
[ 2.3317 ] tegrahost_v2 --chip 0x19 0 --updatesigheader nvtboot_applet_t194.bin_aligned_sigheader.encrypt.signed nvtboot_applet_t194.bin_aligned_sigheader.encrypt.sig oem-rsa --pubkeyhash pub_key.key
[ 2.3385 ] tegrarcm_v2 --download mb2 nvtboot_applet_t194.bin_sigheader.encrypt.signed
[ 2.3397 ] Applet version 01.00.0000
[ 2.3780 ] Sending mb2
[ 2.3780 ] [................................................] 100%
[ 2.4425 ] tegrarcm_v2 --boot recovery
[ 2.4433 ] Applet version 01.00.0000
[ 3.5039 ] tegrarcm_v2 --isapplet
[ 3.5439 ] tegrarcm_v2 --ismb2
[ 3.5447 ] MB2 Applet version 01.00.0000
[ 3.5841 ] tegrarcm_v2 --ismb2
[ 3.5857 ] MB2 Applet version 01.00.0000
[ 3.6252 ] Retrieving board information
[ 3.6284 ] tegrarcm_v2 --oem platformdetails chip chip_info.bin
[ 3.6292 ] MB2 Applet version 01.00.0000
[ 3.7105 ] Saved platform info in chip_info.bin
[ 3.7339 ] Chip minor revision: 2
[ 3.7340 ] Bootrom revision: 0xf
[ 3.7341 ] Ram code: 0x0
[ 3.7342 ] Chip sku: 0xde
[ 3.7342 ] Chip Sample: non es
[ 3.7494 ] Retrieving EEPROM data
[ 3.7496 ] tegrarcm_v2 --oem platformdetails eeprom cvm /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/cvm.bin
[ 3.7511 ] MB2 Applet version 01.00.0000
[ 3.8248 ] Saved platform info in /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/cvm.bin
[ 3.9048 ] Rebooting to recovery mode
[ 3.9071 ] tegrarcm_v2 --ismb2
[ 3.9078 ] MB2 Applet version 01.00.0000
[ 3.9440 ] Rebooting to recovery mode
[ 3.9457 ] tegrarcm_v2 --reboot recovery
[ 3.9470 ] MB2 Applet version 01.00.0000
Board ID(3668) version(200) sku(0001) revision(G.0)
lz4c installed at /usr/bin/lz4c
Compressing /local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/tegra194-a02-bpmp-p3668-a00.dtb ...
NVDISP+UEFI in bootloader/nvdisp-init.bin ..
Using UUID 95741d73-4fa9-4fdf-8414-307353f5556d for mounting root APP partition.
Using UUID 526e787b-8f14-411d-8dea-ccf3a7805578 for mounting root APP_enc partition.
Using UUID 047dbdc4-d825-4dc1-a8aa-94a06736969f for mounting boot APP partition.
copying bctfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-memcfg-p3668-0001-a00.cfg)... done.
copying bctfile1(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-memcfg-sw-override.cfg)... done.
copying minratchet_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-ratchet-p3668.cfg)... done.
copying device_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-bct-device-qspi-p3668.cfg)... done.
copying misc_cold_boot_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-l4t.cfg)... done.
copying misc_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-flash.cfg)... done.
copying pinmux_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-xavier-nx-cti-mb1-pinmux-p3668-a01.cfg)... done.
copying gpioint_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-gpioint-p3668-0001-a00.cfg)... done.
copying pmic_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-pmic-p3668-0001-a00.cfg)... done.
copying pmc_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-padvoltage-p3668-a01.cfg)... done.
copying prod_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-prod-p3668-0001-a00.cfg)... done.
copying scr_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini-p3668.cfg)... done.
copying scr_cold_boot_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini-p3668.cfg)... done.
copying bootrom_config(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-reset-p3668-0001-a00.cfg)... done.
copying dev_params(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-br-bct-qspi-l4t.cfg)... done.
copying dev_params_b(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-br-bct_b-qspi-l4t.cfg)... done.
Skip generating encrypted UDA partition
Existing bootloader(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/nvtboot_cpu_t194.bin) reused.
copying initrd(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/l4t_initrd.img)... done.
prepare_luks_initrd: Begin to copy binaries into initrd
36188 blocs
51595 blocs
prepare_luks_initrd: Finish copying binaries into initrd
done.
bl is uefi
Making Boot image... done.
Not signing of boot.img
Existing sosfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod.bin) reused.
Existing tegraboot(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/nvtboot_t194.bin) reused.
Existing cpu_bootloader(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/nvtboot_cpu_t194.bin) reused.
Existing mb2blfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/nvtboot_recovery_t194.bin) reused.
Existing mtspreboot(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/preboot_c10_prod_cr.bin) reused.
Existing mcepreboot(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mce_c10_prod_cr.bin) reused.
Existing mtsproper(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mts_c10_prod_cr.bin) reused.
Existing mb1file(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/mb1_t194_prod.bin) reused.
Existing bpffile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/bpmp-2_t194.bin) reused.
Existing bpfdtbfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/tegra194-a02-bpmp-p3668-a00_lz4.dtb) reused.
Existing scefile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/camera-rtcpu-sce.img) reused.
Existing camerafw(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/camera-rtcpu-t194-rce.img) reused.
Existing apefile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/adsp-fw.bin) reused.
Existing spefile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/spe_t194.bin) reused.
Existing wb0boot(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/warmboot_t194_prod.bin) reused.
Existing tosfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/tos-optee_t194.img) reused.
Existing eksfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/eks_t194.img) reused.
copying soft_fuses(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-soft-fuses-l4t.cfg)... done.
copying dtbfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/kernel/dtb/tegra194-xavier-nx-cti-NGX003.dtb)... done.
Copying nv_boot_control.conf to rootfs
Reusing existing system_boot.img & system_root_encrypted.img...
done.
Not signing of kernel-dtb
Existing tbcfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/nvdisp-init.bin) reused.
Skip generating EFI system partition image.
copying tbcdtbfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/kernel/dtb/tegra194-xavier-nx-cti-NGX003.dtb)... done.
copying cfgfile(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/t186ref/cfg/flash_l4t_t194_spi_emmc_p3668_enc_rfs.xml) to flash.xml... done.
done.
Existing flasher(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/nvtboot_recovery_cpu_t194.bin) reused.
Existing flashapp(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/bootloader/tegraflash.py) reused.
*** Updating [eks] with eks_t194.img ***
copying overlay_dtb(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/kernel/dtb/L4TConfiguration.dtbo)... done.
copying overlay_dtb(/local/dev/photon-5.1/nvidia_sdk/JetPack_5.1_Linux_JETSON/Linux_for_Tegra/kernel/dtb/tegra194-p3668-p3509-overlay.dtbo)... done.
./tegraflash.py --bl nvtboot_recovery_cpu_t194.bin --bldtb tegra194-xavier-nx-cti-NGX003.dtb --chip 0x19 --applet mb1_t194_prod.bin --sdram_config tegra194-mb1-bct-memcfg-p3668-0001-a00.cfg,tegra194-memcfg-sw-override.cfg --minratchet_config tegra194-mb1-bct-ratchet-p3668.cfg --device_config tegra19x-mb1-bct-device-qspi-p3668.cfg --misc_cold_boot_config tegra194-mb1-bct-misc-l4t.cfg --misc_config tegra194-mb1-bct-misc-flash.cfg --pinmux_config tegra19x-xavier-nx-cti-mb1-pinmux-p3668-a01.cfg --gpioint_config tegra194-mb1-bct-gpioint-p3668-0001-a00.cfg --pmic_config tegra194-mb1-bct-pmic-p3668-0001-a00.cfg --pmc_config tegra19x-mb1-padvoltage-p3668-a01.cfg --prod_config tegra19x-mb1-prod-p3668-0001-a00.cfg --scr_config tegra194-mb1-bct-scr-cbb-mini-p3668.cfg --scr_cold_boot_config tegra194-mb1-bct-scr-cbb-mini-p3668.cfg --br_cmd_config tegra194-mb1-bct-reset-p3668-0001-a00.cfg --dev_params tegra194-br-bct-qspi-l4t.cfg,tegra194-br-bct_b-qspi-l4t.cfg --soft_fuses tegra194-mb1-soft-fuses-l4t.cfg --cfg flash.xml --bin "mb2_bootloader nvtboot_recovery_t194.bin; mts_preboot preboot_c10_prod_cr.bin; mts_mce mce_c10_prod_cr.bin; mts_proper mts_c10_prod_cr.bin; bpmp_fw bpmp-2_t194.bin; bpmp_fw_dtb tegra194-a02-bpmp-p3668-a00_lz4.dtb; spe_fw spe_t194.bin; tos tos-optee_t194.img; eks eks_t194.img; bootloader_dtb tegra194-xavier-nx-cti-NGX003.dtb" --odmdata 0xB8190000 --overlay_dtb L4TConfiguration.dtbo,tegra194-p3668-p3509-overlay.dtbo,, --bldtb tegra194-xavier-nx-cti-NGX003.dtb --cmd "signwrite eks eks_t194.img; reboot" --key "/tmp/keys/rsa.key" --bct_backup --boot_chain A
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0158 ] tegrasign_v3.py --key /tmp/keys/rsa.key --getmode mode.txt
[ 0.0168 ] Key size is 256 bytes
[ 0.0157 ] header_magic: 40000
[ 0.0181 ] tegrahost_v2 --chip 0x19 --align 1_eks_t194_aligned.img
[ 0.0209 ] tegrahost_v2 --chip 0x19 0 --magicid --appendsigheader 1_eks_t194_aligned.img oem-rsa
[ 0.0216 ] adding BCH for 1_eks_t194_aligned.img
[ 0.0250 ] tegrasign_v3.py --key /tmp/keys/rsa.key --list 1_eks_t194_aligned_sigheader.img_list.xml --pubkeyhash pub_key.key
[ 0.0262 ] Key size is 256 bytes
[ 0.0449 ] Saving pkc public key in pub_key.key
[ 0.0463 ] tegrahost_v2 --chip 0x19 0 --pubkeyhash pub_key.key --updatesigheader 1_eks_t194_aligned_sigheader.img.signed 1_eks_t194_aligned_sigheader.img.sig oem-rsa
[ 0.0478 ] Generating RCM messages
[ 0.0489 ] tegrahost_v2 --chip 0x19 0 --magicid MB1B --appendsigheader mb1_t194_prod.bin zerosbk
[ 0.0496 ] Header already present for mb1_t194_prod.bin
[ 0.0613 ] tegrasign_v3.py --key /tmp/keys/rsa.key --getmode mode.txt
[ 0.0625 ] Key size is 256 bytes
[ 0.0653 ] tegrasign_v3.py --file mb1_t194_prod_sigheader.bin --key /tmp/keys/rsa.key --length 1136 --getmontgomeryvalues montgomery.bin --offset 2960 --pubkeyhash pub_key.key
[ 0.0665 ] Key size is 256 bytes
[ 0.0857 ] Saving pkc public key in pub_key.key
[ 0.0871 ] tegrahost_v2 --chip 0x19 0 --pubkeyhash pub_key.key --setmontgomeryvalues montgomery.bin --updatesigheader mb1_t194_prod_sigheader.bin mb1_t194_prod_sigheader.sig oem-rsa
[ 0.0941 ] tegrabct_v2 --chip 0x19 0 --sfuse tegra194-mb1-soft-fuses-l4t.cfg sfuse.bin
[ 0.0981 ] tegrabct_v2 --chip 0x19 0 --ratchet_blob ratchet_blob.bin --minratchet tegra194-mb1-bct-ratchet-p3668.cfg
[ 0.0994 ] FwIndex: 1, MinRatchetLevel: 0
[ 0.0997 ] FwIndex: 2, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 3, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 4, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 5, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 6, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 7, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 11, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 12, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 13, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 14, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 15, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 16, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 17, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 18, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 19, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 30, MinRatchetLevel: 0
[ 0.0998 ] FwIndex: 31, MinRatchetLevel: 0
[ 0.0998 ]
[ 0.1022 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x19 0 --sfuses sfuse.bin --download rcm mb1_t194_prod_sigheader.bin 0 0
[ 0.1044 ] RCM 0 is saved as rcm_0.rcm
[ 0.1055 ] RCM 1 is saved as rcm_1.rcm
[ 0.1056 ] RCM 2 is saved as rcm_2.rcm
[ 0.1057 ] List of rcm files are saved in rcm_list.xml
[ 0.1057 ]
[ 0.1057 ] Signing RCM messages
[ 0.1098 ] tegrasign_v3.py --key /tmp/keys/rsa.key --list rcm_list.xml --getmontgomeryvalues montgomery.bin --pubkeyhash pub_key.key
[ 0.1109 ] Key size is 256 bytes
[ 0.1540 ] Saving pkc public key in pub_key.key
[ 0.1523 ] Copying signature to RCM mesages
[ 0.1556 ] tegrarcm_v2 --chip 0x19 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.1577 ] Boot Rom communication
[ 0.1595 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml
[ 0.1602 ] BR_CID: 0xd8021911647c05c4080000000bff80c0
[ 0.1610 ] RCM version 0X190001
[ 0.1662 ] Bootrom returned error 22
[ 0.2052 ] Boot Rom communication failed
[ 0.2052 ]
Error: Return value 22
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml
Failed to flash/read t186ref.
hello JulienMoinard,
is this board fused before? you don’t have to assign PKC, SBK, KEK… keys if this device has not fused.
please share test results by running flash script with -k eks
to perform partition flash.