Will not boot after enabling Security Boot (Jetson AGX Xavier)

@JerryChang I’m leaning towards that I have the default Jetson AGX Xavier DevKit. I did not know there where customize carrier boards.

So where do I go from here. You identified a possible issue, but solution or course of action…

hello dcapers44,

you should assign correct board spec to generate a fuse blob.
may I know the TNSPEC of your Xavier platform?
i.e. # cat /etc/nv_boot_control.conf

dcapers@NUC-Ubuntu-18:~/nvidia/Linux_for_Tegra$ cat rootfs/etc/nv_boot_control.conf 
TNSPEC 2888-400-0006-H.0-1-2-jetson-agx-xavier-devkit-mmcblk0p1
TEGRA_CHIPID 0x19
TEGRA_OTA_BOOT_DEVICE /dev/mmcblk0boot0
TEGRA_OTA_GPT_DEVICE /dev/mmcblk0boot1

hello dcapers44,

it looks strange to report an error for loading device tree blob.
here’s one more thing may need your help for confirmation,
could you please replace the board name as jetson-xavier
for example,
(1) $ sudo BOARDID=2888 FAB=400 BOARDSKU=0006 BOARDREV=H.0 ./flash.sh --no-flash -u RSA_Key.pem -v SBK.txt --user_key User_Key.txt jetson-xavier mmcblk0p1
(2) $ cd bootloader
(3) $ sudo bash ./flashcmd.txt

@JerryChang I’ve tried the suggested steps from your previous post. The Jetson is still freezes upon booting up…

dcapers@NUC-Ubuntu-18:~/nvidia/Linux_for_Tegra$ cd bootloader/
dcapers@NUC-Ubuntu-18:~/nvidia/Linux_for_Tegra/bootloader$ sudo bash ./flashcmd.txt
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0110 ] Parsing partition layout
[   0.0121 ] tegraparser_v2 --pt secureflash.xml.tmp
[   0.0140 ] 
[   0.0141 ] Boot Rom communication
[   0.0152 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
[   0.0162 ] BR_CID: 0xd8021911647d15030c00000013ff0100
[   0.0171 ] Boot Rom communication completed
[   1.0622 ] 
[   2.0680 ] tegrarcm_v2 --isapplet
[   2.0719 ] Applet version 01.00.0000
[   2.0912 ] 
[   2.0913 ] Sending BCTs
[   2.0925 ] tegrarcm_v2 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1.bct_sigheader.encrypt.signed --download bct_mem mem_rcm.bct_sigheader.encrypt.signed
[   2.0937 ] Applet version 01.00.0000
[   2.1302 ] Sending bct_bootrom
[   2.1310 ] [................................................] 100%
[   2.1335 ] Sending bct_mb1
[   2.1371 ] [................................................] 100%
[   2.1417 ] Sending bct_mem
[   2.1886 ] [................................................] 100%
[   2.2717 ] 
[   2.2719 ] Generating blob
[   2.2774 ] tegrahost_v2 --chip 0x19 --generateblob blob.xml blob.bin
[   2.2804 ] number of images in blob are 11
[   2.2827 ] blobsize is 6381592
[   2.2839 ] Added binary blob_nvtboot_recovery_cpu_t194.bin_sigheader.encrypt.signed of size 260032
[   2.2961 ] Added binary blob_nvtboot_recovery_t194.bin_sigheader.encrypt.signed of size 130928
[   2.2983 ] Added binary blob_preboot_c10_prod_cr_sigheader.bin.encrypt.signed of size 24016
[   2.3031 ] Added binary blob_mce_c10_prod_cr_sigheader.bin.encrypt.signed of size 143200
[   2.3069 ] Added binary blob_mts_c10_prod_cr_sigheader.bin.encrypt.signed of size 3430416
[   2.3084 ] Added binary blob_bpmp_t194_sigheader.bin.encrypt.signed of size 856352
[   2.3120 ] Added binary blob_tegra194-a02-bpmp-p2888-a04_sigheader.dtb.encrypt.signed of size 746752
[   2.3135 ] Added binary blob_spe_t194_sigheader.bin.encrypt.signed of size 94960
[   2.3146 ] Added binary blob_tos-trusty_t194_sigheader.img.encrypt.signed of size 402368
[   2.3159 ] Added binary blob_eks_sigheader.img.encrypt.signed of size 5136
[   2.3171 ] Added binary blob_tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt.signed of size 287248
[   2.3176 ] 
[   2.3177 ] Sending bootloader and pre-requisite binaries
[   2.3192 ] tegrarcm_v2 --download blob blob.bin
[   2.3206 ] Applet version 01.00.0000
[   2.3361 ] Sending blob
[   2.3363 ] [................................................] 100%
[   3.2338 ] 
[   3.2374 ] tegrarcm_v2 --boot recovery
[   3.2405 ] Applet version 01.00.0000
[   3.2647 ] 
[   4.2701 ] tegrarcm_v2 --isapplet
[   4.9535 ] 
[   4.9577 ] tegrarcm_v2 --ismb2
[   4.9801 ] 
[   4.9847 ] tegradevflash_v2 --iscpubl
[   4.9889 ] Bootloader version 01.00.0000
[   5.0055 ] Bootloader version 01.00.0000
[   5.0056 ] 
[   5.0057 ] Retrieving storage infomation
[   5.0101 ] tegrarcm_v2 --oem platformdetails storage storage_info.bin
[   5.0137 ] Applet is not running on device. Continue with Bootloader
[   5.0330 ] 
[   5.0373 ] tegradevflash_v2 --oem platformdetails storage storage_info.bin
[   5.0416 ] Bootloader version 01.00.0000
[   5.0454 ] Saved platform info in storage_info.bin
[   5.0502 ] 
[   5.0504 ] Flashing the device
[   5.0541 ] tegraparser_v2 --storageinfo storage_info.bin --generategpt --pt secureflash.xml.bin
[   5.0600 ] 
[   5.0645 ] tegradevflash_v2 --pt secureflash.xml.bin --create
[   5.0679 ] Bootloader version 01.00.0000
[   5.0709 ] Erasing sdmmc_boot: 3 ......... [Done]
[   6.1935 ] Writing partition secondary_gpt with gpt_secondary_0_3.bin
[   6.1961 ] [................................................] 100%

[   6.2273 ] Erasing sdmmc_user: 3 ......... [Done]
[   6.9776 ] Writing partition master_boot_record with mbr_1_3.bin
[   6.9797 ] [................................................] 100%
[   6.9814 ] Writing partition primary_gpt with gpt_primary_1_3.bin
[   6.9871 ] [................................................] 100%
[   6.9887 ] Writing partition secondary_gpt with gpt_secondary_1_3.bin
[   7.0088 ] [................................................] 100%

[   7.0285 ] Writing partition mb1 with mb1_t194_prod_sigheader.bin.encrypt.signed
[   7.0308 ] [................................................] 100%
[   7.0400 ] Writing partition mb1_b with mb1_t194_prod_sigheader.bin.encrypt.signed
[   7.1481 ] [................................................] 100%
[   7.1573 ] Writing partition spe-fw with spe_t194_sigheader.bin.encrypt.signed
[   7.1829 ] [................................................] 100%
[   7.1870 ] Writing partition spe-fw_b with spe_t194_sigheader.bin.encrypt.signed
[   7.2061 ] [................................................] 100%
[   7.2101 ] Writing partition mb2 with nvtboot_t194_sigheader.bin.encrypt.signed
[   7.2305 ] [................................................] 100%
[   7.2361 ] Writing partition mb2_b with nvtboot_t194_sigheader.bin.encrypt.signed
[   7.2600 ] [................................................] 100%
[   7.2660 ] Writing partition mts-preboot with preboot_c10_prod_cr_sigheader.bin.encrypt.signed
[   7.2895 ] [................................................] 100%
[   7.2905 ] Writing partition mts-preboot_b with preboot_c10_prod_cr_sigheader.bin.encrypt.signed
[   7.3106 ] [................................................] 100%
[   7.3117 ] Writing partition SMD with slot_metadata.bin
[   7.3305 ] [................................................] 100%
[   7.3316 ] Writing partition SMD_b with slot_metadata.bin
[   7.3456 ] [................................................] 100%
[   7.3466 ] Writing partition VER_b with emmc_bootblob_ver.txt
[   7.3603 ] [................................................] 100%
[   7.3618 ] Writing partition VER with emmc_bootblob_ver.txt
[   7.3744 ] [................................................] 100%
[   7.3759 ] Writing partition master_boot_record with mbr_1_3.bin
[   7.3889 ] [................................................] 100%
[   7.3900 ] Writing partition APP with system.img
[   7.3972 ] [................................................] 100%
[ 251.5356 ] Writing partition mts-mce with mce_c10_prod_cr_sigheader.bin.encrypt.signed
[ 251.5634 ] [................................................] 100%
[ 251.5676 ] Writing partition mts-mce_b with mce_c10_prod_cr_sigheader.bin.encrypt.signed
[ 251.5881 ] [................................................] 100%
[ 251.5927 ] Writing partition mts-proper with mts_c10_prod_cr_sigheader.bin.encrypt.signed
[ 251.6123 ] [................................................] 100%
[ 251.7613 ] Writing partition mts-proper_b with mts_c10_prod_cr_sigheader.bin.encrypt.signed
[ 251.7820 ] [................................................] 100%
[ 251.9332 ] Writing partition cpu-bootloader with cboot_t194_sigheader.bin.encrypt.signed
[ 251.9574 ] [................................................] 100%
[ 251.9720 ] Writing partition cpu-bootloader_b with cboot_t194_sigheader.bin.encrypt.signed
[ 251.9931 ] [................................................] 100%
[ 252.0073 ] Writing partition bootloader-dtb with tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt.signed
[ 252.0296 ] [................................................] 100%
[ 252.0369 ] Writing partition bootloader-dtb_b with tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt.signed
[ 252.0586 ] [................................................] 100%
[ 252.0667 ] Writing partition secure-os with tos-trusty_t194_sigheader.img.encrypt.signed
[ 252.0872 ] [................................................] 100%
[ 252.0997 ] Writing partition secure-os_b with tos-trusty_t194_sigheader.img.encrypt.signed
[ 252.1208 ] [................................................] 100%
[ 252.1330 ] Writing partition eks with eks_sigheader.img.encrypt.signed
[ 252.1538 ] [................................................] 100%
[ 252.1555 ] Writing partition eks_b with eks_sigheader.img.encrypt.signed
[ 252.1741 ] [................................................] 100%
[ 252.1755 ] Writing partition bpmp-fw with bpmp_t194_sigheader.bin.encrypt.signed
[ 252.1951 ] [................................................] 100%
[ 252.2215 ] Writing partition bpmp-fw_b with bpmp_t194_sigheader.bin.encrypt.signed
[ 252.2458 ] [................................................] 100%
[ 252.2778 ] Writing partition bpmp-fw-dtb with tegra194-a02-bpmp-p2888-a04_sigheader.dtb.encrypt.signed
[ 252.3033 ] [................................................] 100%
[ 252.3275 ] Writing partition bpmp-fw-dtb_b with tegra194-a02-bpmp-p2888-a04_sigheader.dtb.encrypt.signed
[ 252.3511 ] [................................................] 100%
[ 252.3745 ] Writing partition xusb-fw with xusb_sil_rel_fw
[ 252.3962 ] [................................................] 100%
[ 252.4019 ] Writing partition xusb-fw_b with xusb_sil_rel_fw
[ 252.4079 ] [................................................] 100%
[ 252.4122 ] Writing partition rce-fw with camera-rtcpu-rce_sigheader.img.encrypt.signed
[ 252.4204 ] [................................................] 100%
[ 252.4301 ] Writing partition rce-fw_b with camera-rtcpu-rce_sigheader.img.encrypt.signed
[ 252.4506 ] [................................................] 100%
[ 252.4584 ] Writing partition adsp-fw with adsp-fw_sigheader.bin.encrypt.signed
[ 252.4778 ] [................................................] 100%
[ 252.4807 ] Writing partition adsp-fw_b with adsp-fw_sigheader.bin.encrypt.signed
[ 252.5003 ] [................................................] 100%
[ 252.5031 ] Writing partition sc7 with warmboot_t194_prod_sigheader.bin.encrypt.signed
[ 252.5230 ] [................................................] 100%
[ 252.5254 ] Writing partition sc7_b with warmboot_t194_prod_sigheader.bin.encrypt.signed
[ 252.5454 ] [................................................] 100%
[ 252.5478 ] Writing partition BMP with bmp.blob
[ 252.5666 ] [................................................] 100%
[ 252.5729 ] Writing partition BMP_b with bmp.blob
[ 252.5919 ] [................................................] 100%
[ 252.5983 ] Writing partition recovery with recovery_sigheader.img.encrypt.signed
[ 252.6178 ] [................................................] 100%
[ 254.8962 ] Writing partition recovery-dtb with tegra194-p2888-0001-p2822-0000.dtb.rec
[ 254.9107 ] [................................................] 100%
[ 254.9201 ] Writing partition kernel-bootctrl with kernel_bootctrl.bin
[ 254.9399 ] [................................................] 100%
[ 254.9422 ] Writing partition kernel-bootctrl_b with kernel_bootctrl.bin
[ 254.9542 ] [................................................] 100%
[ 254.9560 ] Writing partition kernel with boot_sigheader.img.encrypt.signed
[ 254.9685 ] [................................................] 100%
[ 256.8463 ] Writing partition kernel_b with boot_sigheader.img.encrypt.signed
[ 256.8575 ] [................................................] 100%
[ 258.7332 ] Writing partition kernel-dtb with kernel_tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt.signed
[ 258.7506 ] [................................................] 100%
[ 258.7592 ] Writing partition kernel-dtb_b with kernel_tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt.signed
[ 258.7802 ] [................................................] 100%
[ 258.8063 ] 
[ 258.8103 ] tegradevflash_v2 --write BCT br_bct_BR.bct
[ 258.8137 ] Bootloader version 01.00.0000
[ 258.8169 ] Writing partition BCT with br_bct_BR.bct
[ 258.8181 ] [................................................] 100%
[ 258.8740 ] 
[ 258.8829 ] tegradevflash_v2 --write MB1_BCT mb1_cold_boot_bct_MB1.bct_sigheader.encrypt.signed
[ 258.8864 ] Bootloader version 01.00.0000
[ 258.8897 ] Writing partition MB1_BCT with mb1_cold_boot_bct_MB1.bct_sigheader.encrypt.signed
[ 258.8914 ] [................................................] 100%
[ 258.9095 ] 
[ 258.9117 ] tegradevflash_v2 --write MB1_BCT_b mb1_cold_boot_bct_MB1.bct_sigheader.encrypt.signed
[ 258.9137 ] Bootloader version 01.00.0000
[ 258.9164 ] Writing partition MB1_BCT_b with mb1_cold_boot_bct_MB1.bct_sigheader.encrypt.signed
[ 258.9184 ] [................................................] 100%
[ 258.9379 ] 
[ 258.9461 ] tegradevflash_v2 --write MEM_BCT mem_coldboot_sigheader.bct.signed
[ 258.9492 ] Bootloader version 01.00.0000
[ 258.9522 ] Writing partition MEM_BCT with mem_coldboot_sigheader.bct.signed
[ 258.9541 ] [................................................] 100%
[ 258.9710 ] 
[ 258.9750 ] tegradevflash_v2 --write MEM_BCT_b mem_coldboot_sigheader.bct.signed
[ 258.9786 ] Bootloader version 01.00.0000
[ 258.9817 ] Writing partition MEM_BCT_b with mem_coldboot_sigheader.bct.signed
[ 258.9837 ] [................................................] 100%
[ 259.0013 ] 
[ 259.0014 ] Flashing completed

[ 259.0015 ] Coldbooting the device
[ 259.0031 ] tegrarcm_v2 --ismb2
[ 259.0272 ] 
[ 259.0289 ] tegradevflash_v2 --reboot coldboot
[ 259.0304 ] Bootloader version 01.00.0000
[ 259.0488 ] 

@JerryChang Any more suggestions? Is there something wrong with my Jetson AGX Xavier that I can’t enable secure boot?

hello dcapers44,

are you using the combination as r32.4.3 SecureBoot package + r32.5 JetPack release?

if yes,
could you please replace secureBoot package for verification,
there’s R32.5 secureBoot package via L4T | NVIDIA Developer page, this somehow did not present in the download center…

@JerryChang I am using the following:

Secure Boot - secureboot_R32.5.0_aarch64.tbz2
L4T - Tegra186_Linux_R32.5.0_aarch64.tbz2

hello dcapers44,

FYI,
we have verified with l4t-r32.5.1 JetPack release + r32.5 secureBoot package on Xavier-32GB fused device.
here’re commands to flash the board.
the flash process is complete and this device is able to boot-up.
for example,
$ sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 ./flash.sh --no-flash -u rsa_priv.pem -v sbk.key jetson-xavier mmcblk0p1
$ sudo bash ./flashcmd.txt

since you’re having error when loading and extracting kernel-dtb after validation,

[0009.649] E> fdt_open_into fail (FDT_ERR_BADMAGIC)                             
[0009.649] E> Error (727449637) extracting the kernel DTB

there’s a failure, FDT_ERR_BADMAGIC. which seems the kernel-dtb’s magic number is wrong.
suspect the kernel-dtb image didn’t be signed/encrypted properly.
could you please review your commands, assigned keys, and these process should based-on r32.5 packages.
thanks

@JerryChang I was able to boot my Jetson AG Xavier with the info you provided in your last post… Thank you.

sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 ./flash.sh --no-flash -u RSA_Key.pem -v SBK.txt jetson-xavier mmcblk0p1
sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 ./flash.sh --no-flash -u RSA_Key.pem -v SBK.txt jetson-xavier mmcblk0p1
sudo bash ./flashcmd.txt

Now I want to know why I can’t use user key, SBK, and PKC key-sign when flashing the Jetson? Is this something that I can do with my Jetson?

sudo BOARDID=2888 FAB=400 BOARDSKU=0004 BOARDREV=K.0 ./flash.sh --no-flash -u RSA_Key.pem -v SBK.txt --user_key User_Key.txt jetson-xavier mmcblk0p1

hello dcapers44,

suggest you may refer to developer guide, Preparing the User Key to prepare the user_key.

The user key is stored in the Encrypted keyblob (EKB) in encrypted form. The Secure Engine (SE) retrieves the user key from the EKB and uses it to decrypt the kernel image files.
Please make sure you use the same user_key in EKB generation and also flashing the device.
thanks

hello dcapers44,

moreover,
you have to first replace the eks.img in bootloader folder with the eks.img you built using your own user_key for image flashing.
please also note that key format is different used in eks.img generation and flash.sh.

for example,
if a key, ffeeddccbbaa99887766554433221101 is used to generate eks.img.
the corresponding key, 0xffeeddcc 0xbbaa9988 0x77665544 0x33221101 MUST be used as user_key in flash command.

please have confirmation and share the results.
thanks