Xavier NX Boot error

I get a startup error when using NVIDIA Jetson Linux 35.5.0

I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are disabled

ASSERT [FvbNorFlashStandaloneMm] /dvs/git/dirty/git-master_linux/out/nvidia/optee.t194-uefi/StandaloneMmOptee_RELEASE/edk2-nvidia/Silicon/NVIDIA/Drivers/FvbNorFlashDxe/FvbNorFlashStandaloneMm.c(868): ((BOOLEAN)(0==1))

At the same time, I used the eks.img generated by myself

hello easyzoom,

may I have more details about which security features you've enabled?

BTW,
since you’re now using r35.5.0, you may notice we’ve used a sample key for OEM_K1
please refer to example.sh for op-tee tarball,
for example,
echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key
please use this sample key if you’re not fusing the target for OEM_K1 fuse variable.

Hi JerryChang,
I am using Xavier NX, so I don’t need to use oem_k1.key.

Hi JerryChang,
The security policy I use is the default

hello easyzoom,

may I still have more details about which security features you've enabled?
for instance, PKC, SBK, Disk Encryption, etc. What's the combination you've enabled?

Hi JerryChang,
I have not enabled PKC, SBK, Disk Encryption, etc. Currently I only use eks.img and optee.

Hi JerryChang,
I suspect it is caused by UEFI Variable Protection. The article "Secure Boot — NVIDIA Jetson Linux Developer Guide documentation" mentions “UEFI variable protection can be independently enabled”. How can I use it?

hello easyzoom,

how did you generate the EKS image? did you follow the sample script, example.sh?
may I know your steps to update this binary file?
besides, are you using all the same keys within the script, or are you using some customized keys?

Hi JerryChang,
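I did not use the format in gen_ekb.py to generate uefi-key:

import codecs
import struct

def pack_key(f, tag):
    # Header: two little-endian 32-bit unsigned ints (tag, key length in bytes)
    fmt = "<II"
    with open(f, 'rb') as fd:
        # The key file holds the key as a hex string
        content = fd.read().strip()
        key = codecs.decode(content, 'hex')
        key_header = struct.pack(fmt, tag, len(key))
        # Blob = header followed by the raw key bytes
        key_blob = key_header + key
        return key_blob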

I added the uefi-key value directly to eks.img without using the pack_key function structure. I also modified the optee code to parse the uefi-key.

hello easyzoom,

you must generate the EKB according to example.sh, otherwise OP-TEE cannot decrypt the EKB correctly.
this will cause the UEFI auth key to not exist, and the boot will then fail.
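
The tag/length header that the quoted pack_key prepends, shown as an added example (not code from this thread, gen_ekb.py or OP-TEE): a checker that walks concatenated key records and rejects content where a raw key was appended without its header. The tag numbers, sample keys and function names are assumptions made for illustration.

```python
import struct

HEADER = struct.Struct("<II")  # tag, key length: the "<II" layout used by pack_key

# Hypothetical tag numbers; the real values are defined in gen_ekb.py.
TAG_DISK_KEY = 1
TAG_UEFI_AUTH_KEY = 2

# Constructed sample keys, not real secrets.
DISK_KEY_HEX = "00112233445566778899aabbccddeeff"
UEFI_KEY_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"


def pack_key_hex(hex_text, tag):
    """Same record layout as pack_key, but takes the hex string directly."""
    key = bytes.fromhex(hex_text.strip())
    return HEADER.pack(tag, len(key)) + key


def parse_key_blobs(content):
    """Walk tag/length/key records; raise ValueError on malformed content."""
    keys, offset = {}, 0
    while offset < len(content):
        if len(content) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        tag, length = HEADER.unpack_from(content, offset)
        offset += HEADER.size
        if length == 0 or length > len(content) - offset:
            raise ValueError(f"tag {tag:#x}: bad length {length}")
        if tag in keys:
            raise ValueError(f"duplicate tag {tag:#x}")
        keys[tag] = content[offset:offset + length]
        offset += length
    return keys


def demo():
    disk = pack_key_hex(DISK_KEY_HEX, TAG_DISK_KEY)
    good = disk + pack_key_hex(UEFI_KEY_HEX, TAG_UEFI_AUTH_KEY)
    bad = disk + bytes.fromhex(UEFI_KEY_HEX)  # raw key, no header
    try:
        parse_key_blobs(bad)
        bad_error = None
    except ValueError as exc:
        bad_error = str(exc)
    return parse_key_blobs(good), bad_error


if __name__ == "__main__":
    print(demo())
```

Without the header, the first eight bytes of the raw key are read as a tag and a length, so the record cannot be located by a reader that expects this layout.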

Hi JerryChang,
I found that the UEFI auth key must be set to “00000000000000000000000000000000” before it can boot. Can’t I change the UEFI auth key value?

hello easyzoom,

the UEFI variable protection feature is always enabled; you should provide a UEFI variable authentication key, otherwise UEFI will block booting.
you may try specifying auth_t234.key in the EKS image for confirmation.

please also see the developer guide,
https://docs.nvidia.com/jetson/archives/r35.5.0/DeveloperGuide/SD/Security/OpTee.html#tool-for-ekb-generation
