**EKB CMAC Failure on Nvidia Jetson Orin Nano Dev Board**

ByPiveral Hours Updated on

Issue Overview

Users of the Nvidia Jetson Orin Nano Dev board have reported encountering an EKB CMAC error during the boot process after fusing the device with specific keys. The error manifests as a failure to extract the EKB image, leading to boot failures.

Symptoms:

  • The error message indicates a mismatch in the EKB signature, specifically stating "EKB signature mismatch when using #0 EKB_RK" and "Tried all EKB_RKs but still can’t extract the EKB image."
  • The device fails to boot normally, switching to a normal world boot after the error.

Context:

  • The issue occurs after fusing the Orin Nano with RSA-3k PublicKeyHash and OEM keys (OemK1 and OemK2).
  • Users have attempted to regenerate the EKS image following instructions from the nv-optee README but continue to encounter the CMAC failure.

Hardware and Software Specifications:

  • Device: Nvidia Jetson Orin Nano
  • Software: L4T 35.5.0, OP-TEE version 3.22
  • Fused with: RSA-3k PublicKeyHash, OemK1, and OemK2

Frequency:

The issue appears consistently among users who have followed similar procedures for fusing and generating EKS images.

Impact:

The inability to boot due to this error significantly hampers user experience and functionality, preventing access to the device for development or deployment purposes.

Possible Causes

  • Hardware Incompatibilities or Defects: Incorrectly fused keys or missing fuse variables can lead to extraction failures.

  • Software Bugs or Conflicts: Ambiguities in documentation regarding key generation and flashing processes may result in incorrect configurations.

  • Configuration Errors: Failure to set necessary flags or parameters during key generation can lead to mismatches in expected values.

  • Driver Issues: Outdated or incorrect drivers may not support the required functionalities for proper booting.

  • Environmental Factors: Power supply issues or temperature extremes could affect device performance but are less likely in this context.

  • User Errors or Misconfigurations: Incorrectly following instructions for key generation or flashing can lead to these errors, particularly if custom keys are used without proper verification.

Troubleshooting Steps, Solutions & Fixes

  1. Verify Fuse Variables:

    • Ensure that OemK1 and OemK2 are correctly fused. Check against odmfuse.xml for accuracy.
    • If necessary, re-fuse with known correct values.

  2. Regenerate EKS Image:

    • Follow these steps to regenerate the EKS image: 
      python ./gen_ekb.py \
    -chip t234 \
    -oem_k1_key ./oem_k1.key \
    -fv ./fv_ekb_t234 \
    -in_sym_key ./sym_t234.key \
    -in_sym_key2 ./sym2_t234.key \
    -in_auth_key ./auth_t234.key \
    -out ./eks_t234.img
    • Ensure that oem_k1.key matches the fused values.

  3. Set OEM Key to Zero for Testing:

    • If issues persist, try setting oem_k1.key to all zeros: 
      echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key

  4. Patch OP-TEE for Debugging:

    • Add debug statements in OP-TEE to print out values of FV and EKB CMAC during boot for verification against expected values.

  5. Check Fixed Vector (FV) Configuration:

    • Ensure that the FV used in key generation matches what is set in OP-TEE. This involves checking jetson_user_key_pta.c for consistency.

  6. Consult Documentation and Community Resources:

    • Review NVIDIA’s official documentation on L4T 35.5.0 for any updates or changes regarding EKS image generation.
    • Engage with community forums for shared experiences and solutions (e.g., similar discussions like Topic 284400).

  7. Driver Updates:

    • Ensure that all drivers are up-to-date and compatible with L4T 35.5.0.

  8. Testing on Different Hardware Configurations:

    • If possible, test with another Orin Nano device that has been successfully configured to isolate whether the issue is hardware-specific.

Recommended Approach

Multiple users have reported success by ensuring that both OemK1 and OemK2 are correctly fused with known values before regenerating the EKS image. This step should be prioritized if issues arise after initial attempts at resolution.

Unresolved Aspects

Further investigation may be needed into specific combinations of custom keys and their interaction with the fusing process, as well as any potential undocumented bugs within the current software version being used.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *