Secure Boot signing error #1170

hesmar · 2023-02-10T08:54:21Z

hesmar
Feb 10, 2023

Hi, I have an issue with getting secure boot to work. Maybe someone can help? I am using a Jetson Nano production module and I am on kirkstone-l4t-32.7.x.

I created a new PKC using the following command:

openssl genrsa -out rsa_priv.pem 2048

Then I added the key to the TEGRA_SIGNING_ARGS variable:

TEGRA_SIGNING_ARGS = "-u <PATH_TO_KEY>"

Somehow, compilation fails on building/signing the bup payload. It says that the key format is invalid:

ERROR: u-boot-bup-payload-1.0-r0 do_deploy: ExecutionError('/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/temp/run.do_deploy.70401', 1, None, None)
ERROR: Logfile of failure stored in: /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/temp/log.do_deploy.70401
Log data follows:
| DEBUG: Executing python function extend_recipe_sysroot
| NOTE: Direct dependencies are ['/src/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra-bootfiles_32.7.3.bb:do_populate_sysroot', '/src/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra-redundant-boot-rollback_32.7.3.bb:do_populate_sysroot', '/src/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra210-flashtools-native_32.7.3.bb:do_populate_sysroot', 'virtual:native:/src/layers/meta/recipes-core/coreutils/coreutils_9.0.bb:do_populate_sysroot', 'virtual:native:/src/layers/meta/recipes-kernel/dtc/dtc_1.6.1.bb:do_populate_sysroot']
| NOTE: Installed into sysroot: ['tegra-bootfiles', 'tegra-redundant-boot-rollback', 'tegra210-flashtools-native', 'coreutils-native', 'dtc-native', 'glibc', 'gcc-runtime', 'tegra-helper-scripts-native', 'python3-native', 'flex-native', 'tegra-flashvars', 'mender-custom-flash-layout', 'gettext-minimal-native', 'libtool-native', 'attr-native', 'texinfo-dummy-native', 'xz-native', 'linux-libc-headers', 'libgcc', 'readline-native', 'libnsl2-native', 'util-linux-libuuid-native', 'ncurses-native', 'zlib-native', 'libffi-native', 'bzip2-native', 'libtirpc-native', 'openssl-native', 'gdbm-native', 'sqlite3-native', 'm4-native', 'perl-native', 'gnu-config-native', 'make-native']
| NOTE: Skipping as already exists in sysroot: []
| DEBUG: sed -e 's:^[^/]*/:/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/recipe-sysroot-native/:g' /build/tmp/sysroots-components/x86_64/python3-native/fixmepath /build/tmp/sysroots-components/x86_64/libtool-native/fixmepath /build/tmp/sysroots-components/x86_64/ncurses-native/fixmepath /build/tmp/sysroots-components/x86_64/openssl-native/fixmepath /build/tmp/sysroots-components/x86_64/perl-native/fixmepath /build/tmp/sysroots-components/x86_64/gnu-config-native/fixmepath | xargs sed -i -e 's:FIXMESTAGINGDIRTARGET:/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/recipe-sysroot:g; s:FIXMESTAGINGDIRHOST:/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/recipe-sysroot-native:g' -e 's:FIXME_PSEUDO_SYSROOT:/build/tmp/sysroots-components/x86_64/pseudo-native:g' -e 's:FIXME_HOSTTOOLS_DIR:/build/tmp/hosttools:g' -e 's:FIXME_PKGDATA_DIR:/build/tmp/pkgdata/jetson-nano-emmc-3dvl-ecm-avt:g' -e 's:FIXME_PSEUDO_LOCALSTATEDIR:/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/pseudo/:g' -e 's:FIXME_LOGFIFO:/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/temp/fifo.70401:g'
| DEBUG: Python function extend_recipe_sysroot finished
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| Board ID(3448) version(200) SKU(0002) revision() from environment
| ./tegraflash.py --cfg flash.xml --bl cboot.bin --bct jetson-nano-emmc-3dvl-ecm-avt.cfg --odmdata 0xA4000 --bldtb tegra210-p3448-0002-3dvl-ecm-camera-avt.dtb  --applet nvtboot_recovery.bin    --cmd "sign"  --chip 0x21 --key /src/.secure_files/secure-boot-signing-key.pem
| Welcome to Tegra Flash
| version 1.0.0
| Type ? or help for help and q or quit to exit
| Use ! to execute system commands
| 
| [   0.0058 ] Using default ramcode: 0
| [   0.0058 ] Disable BPMP dtb trim, using default dtb
| [   0.0058 ]
| [   0.0077 ] tegrasign --getmode mode.txt --key /src/.secure_files/secure-boot-signing-key.pem
| [   0.0083 ] Invalid key format
| [   0.0086 ]
| Error: Return value 11
| Command tegrasign --getmode mode.txt --key /src/.secure_files/secure-boot-signing-key.pem
| cp: cannot stat 'signed/*': No such file or directory
| Signing with /src/.secure_files/secure-boot-signing-key.pem ...
| 
| signing images succeeded
| 
| mv: cannot stat '/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/boot.img.*': No such file or directory
| mv: cannot stat '/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/*.dtb*': No such file or directory
| mv: cannot stat '/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/*bct*': No such file or directory
| 
| Creating update payloads for Jetson-3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1 board ...
| ls: cannot access 'multi_signed/*/*.bct': No such file or directory
| Skipping non-existent files for: part_name=BCT; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/*.bct)
| ls: cannot access 'multi_signed/*/tegra210*.dtb.signed': No such file or directory
| Skipping non-existent files for: part_name=RP1; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/${kernel_dtb_base_t21x}*.dtb.${signed_ext})
| ls: cannot access 'multi_signed/*/tegra210*.dtb.signed': No such file or directory
| Skipping non-existent files for: part_name=DTB; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/${kernel_dtb_base_t21x}*.dtb.${signed_ext})
| ls: cannot access 'multi_signed/*/boot.img.signed': No such file or directory
| Skipping non-existent files for: part_name=LNX; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/"${kernel_image_base}".img.${signed_ext})
| creating bl_and_kernel payload
| 
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/nvtboot.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/nvtboot_cpu.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/cboot.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/warmboot.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/sc7entry-firmware.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/tos-mon-only.img.signed does not exist
| PARTITION INFO   : multi_signed/3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1/crc-flash.xml.bin PT 3273 0 3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1;multi_signed/3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1/jetson-nano-emmc-3dvl-ecm-avt_bootblob_ver.txt VER 3273 0 3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1;signed/nvtboot.bin.signed NVC 3273 0 common;signed/nvtboot_cpu.bin.signed TBC 3273 0 common;signed/cboot.bin.signed EBT 3273 0 common;signed/warmboot.bin.signed WB0 3273 0 common;signed/sc7entry-firmware.bin.signed BPF 3273 0 common;signed/tos-mon-only.img.signed TOS 3273 0 common;eks.img EKS 3273 0 common;bmp.blob BMP 3273 0 common
| Traceback (most recent call last):
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 659, in <module>
|     main(param)
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 652, in main
|     generate_BUP(arg)
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 175, in generate_BUP
|     payload_obj.fill_image(blob)
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 293, in fill_image
|     binary_handle = open(entry_info[0], 'rb')
| TypeError: expected str, bytes or os.PathLike object, not NoneType
| 
| FAILURE: bl_update_payload not created
| 
| Exiting...
| Board ID(3448) version(300) SKU(0002) revision() from environment
| ./tegraflash.py --cfg flash.xml --bl cboot.bin --bct jetson-nano-emmc-3dvl-ecm-avt.cfg --odmdata 0xA4000 --bldtb tegra210-p3448-0002-3dvl-ecm-camera-avt.dtb  --applet nvtboot_recovery.bin    --cmd "sign"  --chip 0x21 --key /src/.secure_files/secure-boot-signing-key.pem
| Welcome to Tegra Flash
| version 1.0.0
| Type ? or help for help and q or quit to exit
| Use ! to execute system commands
| 
| [   0.0052 ] Using default ramcode: 0
| [   0.0052 ] Disable BPMP dtb trim, using default dtb
| [   0.0052 ]
| [   0.0071 ] tegrasign --getmode mode.txt --key /src/.secure_files/secure-boot-signing-key.pem
| [   0.0077 ] Invalid key format
| [   0.0080 ]
| Error: Return value 11
| Command tegrasign --getmode mode.txt --key /src/.secure_files/secure-boot-signing-key.pem
| cp: cannot stat 'signed/*': No such file or directory
| Signing with /src/.secure_files/secure-boot-signing-key.pem ...
| 
| signing images succeeded
| 
| mv: cannot stat '/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/boot.img.*': No such file or directory
| mv: cannot stat '/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/*.dtb*': No such file or directory
| mv: cannot stat '/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/*bct*': No such file or directory
| 
| Creating update payloads for Jetson-3448-300-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1 board ...
| ls: cannot access 'multi_signed/*/*.bct': No such file or directory
| Skipping non-existent files for: part_name=BCT; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/*.bct)
| ls: cannot access 'multi_signed/*/tegra210*.dtb.signed': No such file or directory
| Skipping non-existent files for: part_name=RP1; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/${kernel_dtb_base_t21x}*.dtb.${signed_ext})
| ls: cannot access 'multi_signed/*/tegra210*.dtb.signed': No such file or directory
| Skipping non-existent files for: part_name=DTB; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/${kernel_dtb_base_t21x}*.dtb.${signed_ext})
| ls: cannot access 'multi_signed/*/boot.img.signed': No such file or directory
| Skipping non-existent files for: part_name=LNX; part_type=bl_and_kernel; part_spec=${_multi_bin_spec}; part_file=$(ls multi_signed/*/"${kernel_image_base}".img.${signed_ext})
| creating bl_and_kernel payload
| 
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/nvtboot.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/nvtboot_cpu.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/cboot.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/warmboot.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/sc7entry-firmware.bin.signed does not exist
| File /build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/signed/tos-mon-only.img.signed does not exist
| PARTITION INFO   : multi_signed/3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1/crc-flash.xml.bin PT 3273 0 3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1;multi_signed/3448-300-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1/crc-flash.xml.bin PT 3273 0 3448-300-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1;multi_signed/3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1/jetson-nano-emmc-3dvl-ecm-avt_bootblob_ver.txt VER 3273 0 3448-200-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1;multi_signed/3448-300-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1/jetson-nano-emmc-3dvl-ecm-avt_bootblob_ver.txt VER 3273 0 3448-300-0002--1-0-jetson-nano-emmc-3dvl-ecm-avt-mmcblk0p1;signed/nvtboot.bin.signed NVC 3273 0 common;signed/nvtboot_cpu.bin.signed TBC 3273 0 common;signed/cboot.bin.signed EBT 3273 0 common;signed/warmboot.bin.signed WB0 3273 0 common;signed/sc7entry-firmware.bin.signed BPF 3273 0 common;signed/tos-mon-only.img.signed TOS 3273 0 common;eks.img EKS 3273 0 common;bmp.blob BMP 3273 0 common
| Traceback (most recent call last):
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 659, in <module>
|     main(param)
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 652, in main
|     generate_BUP(arg)
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 175, in generate_BUP
|     payload_obj.fill_image(blob)
|   File "/build/tmp/work/jetson_nano_emmc_3dvl_ecm_avt-3dvl-linux/u-boot-bup-payload/1.0-r0/bup-payload/BUP_generator.py", line 293, in fill_image
|     binary_handle = open(entry_info[0], 'rb')
| TypeError: expected str, bytes or os.PathLike object, not NoneType
| 
| FAILURE: bl_update_payload not created
| 
| Exiting...
| WARNING: exit code 1 from a shell command.
NOTE: recipe u-boot-bup-payload-1.0-r0: task do_deploy: Failed
ERROR: Task (/src/layers/meta-tegra/recipes-bsp/u-boot/u-boot-bup-payload.bb:do_deploy) failed with exit code '1'

Do you have any idea what's wrong here?

madisongh · 2023-02-10T10:25:22Z

madisongh
Feb 10, 2023
Maintainer

This looks like the main cause of the problem:

| [   0.0077 ] tegrasign --getmode mode.txt --key /src/.secure_files/secure-boot-signing-key.pem
| [   0.0083 ] Invalid key format
| [   0.0086 ]
| Error: Return value 11

So first check that the PEM file you provided actually contains a valid RSA private key.

If it is, then check what version of OpenSSL you have on your host system. If it's OpenSSL 3.0 or later, note that the format of private key files changed from earlier versions of OpenSSL, and you'll have to use the -traditional flag on the openssl genrsa command to have it generate output in a form compatible with tegrasign.

1 reply

hesmar Feb 10, 2023
Author

Perfect, thanks a lot! Using the -traditional flag worked.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenEmbedded for Tegra

Secure Boot signing error #1170

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

OpenEmbedded for Tegra

Secure Boot signing error #1170

hesmar Feb 10, 2023

Replies: 1 comment · 1 reply

madisongh Feb 10, 2023 Maintainer

hesmar Feb 10, 2023 Author

hesmar
Feb 10, 2023

Replies: 1 comment 1 reply

madisongh
Feb 10, 2023
Maintainer

hesmar Feb 10, 2023
Author