Secure Boot Failed on Jetson Orin Nano Dev Kit

Issue Overview

Users are experiencing secure boot failures on the Nvidia Jetson Orin Nano Developer Kit. The issue occurs during the boot process, with the system failing to properly initialize and boot into the operating system. Specific symptoms include:

• Error messages in the UART log indicating secure boot failure
• Failure to load and initialize OP-TEE (Trusted Execution Environment)
• UEFI firmware failing to boot properly
• System booting into old, unencrypted OS instead of newly flashed encrypted rootfs

The problem appears to be related to issues with key generation, EKS (Encrypted Key Blob) image creation, and flashing of secure boot components.

Possible Causes

1. Incorrect or missing cryptographic keys for secure boot
2. Improperly generated or signed EKS image
3. Misconfiguration of fuse settings
4. Incompatible or outdated firmware/software versions
5. Issues with UEFI variable authentication
6. Problems with fTPM (firmware Trusted Platform Module) initialization
7. Errors in the flashing process or incorrect flash configuration

Troubleshooting Steps, Solutions & Fixes

1. Verify and regenerate cryptographic keys:

   • Ensure all required keys (PKC, SBK, OEMK1, etc.) are correctly generated
   • Use the following commands to generate necessary keys:

     openssl ecparam -name secp521r1 -genkey -noout -out ecp521.pem
     openssl rand -hex 32 > SBK.key
     openssl rand -hex 32 > K1.key
     

2. Properly generate the EKS image:

   • Use the correct example.sh script from the matching BSP version
   • Include all necessary keys and certificates in the EKS generation process
   • Run the following command to generate the EKS image:

     python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
             -fv fv_ekb_t234 \
             -in_sym_key sym_t234.key \
             -in_sym_key2 sym2_t234.key \
             -in_auth_key auth_t234.key \
             -out eks_t234.img
     

3. Verify fuse configuration:

   • Double-check the odmfuse.xml file for correct hash, OEMK1, and SBK values
   • Ensure fuse settings match the keys used in the EKS generation process

4. Update to the latest BSP version:

   • Download and install the latest Jetson Linux BSP (Board Support Package)
   • Ensure all components (bootloader, UEFI, OP-TEE) are up-to-date

5. Configure UEFI variable authentication:

   • Include the UEFI variable authentication key in the EKS image
   • Refer to the OP-TEE source files for correct EKS image creation, specifically the gen_ekb tool

6. Generate and include fTPM files:

   • Create necessary fTPM files using the following commands:

     echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert
     openssl rand -hex 32 > ftpm_eps_seed_file
     openssl genrsa -out ftpm_rsa_ek_priv.pem 2048
     openssl rsa -in ftpm_rsa_ek_priv.pem -pubout -out ftpm_rsa_ek_pub.pem
     openssl req -new -x509 -key ftpm_rsa_ek_priv.pem -out ftpm_rsa_ek_cert.pem -days 365 -subj "/CN=fTPM RSA EK Cert"
     openssl x509 -in ftpm_rsa_ek_cert.pem -outform der -out ftpm_rsa_ek_cert.der
     openssl ecparam -name prime256v1 -genkey -noout -out ftpm_ec_ek_priv.pem
     openssl ec -in ftpm_ec_ek_priv.pem -pubout -out ftpm_ec_ek_pub.pem
     openssl req -new -x509 -key ftpm_ec_ek_priv.pem -out ftpm_ec_ek_cert.pem -days 365 -subj "/CN=fTPM EC EK Cert"
     openssl x509 -in ftpm_ec_ek_cert.pem -outform der -out ftpm_ec_ek_cert.der
     

7. Perform a clean flash of the system:

   • Use the following command to flash the system, including the newly generated EKS image:

     sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -u ecp521.pem -v SBK.key --uefi-enc gen_ekb/sym_t234.key -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit-nvme internal
     

8. Verify EKS image update:

   • Check that the eks_t234_sigheader.img.encrypt file is correctly generated and placed in the $OUT/Linux_for_Tegra/tools/kernel_flash/images/ directory

9. If issues persist, try flashing without disk encryption:

   • Modify the flash command to exclude encryption options and verify if the basic secure boot process works

10. Monitor UART logs during boot:

    • Analyze the UART output for specific error messages or failure points
    • Look for indications of OP-TEE initialization failures or UEFI boot issues

If problems continue after trying these steps, consider reaching out to Nvidia support for further assistance, as there may be hardware-specific issues or more complex software interactions at play.