Can I do an image-based update on a disk encrypted Jetson?

Details for my Tegra

# R35 (release), REVISION: 5.0, GCID: 35550185, BOARD: t186ref, EABI: aarch64, DATE: Tue Feb 20 04:46:31 UTC 2024

Distro details

Linux tegra-ubuntu 5.10.192-tegra #1 SMP PREEMPT Mon Feb 19 20:19:53 PST 2024 aarch64 aarch64 aarch64 GNU/Linux

I have a device I’d like to update in the future via a tarball of the root file system, but I’m going to be flashing it with encryption enabled, and then fetch the key from the luks-serv (if I’m getting that right) during boot.

I wanted to write a wrapper around this such that a public key signature verification (with a challenge) can allow the OTA to happen from within the mounted disk via a request for the encryption key or something of that sort.

Is there a C library that allows me to write such checks around the luks-serv so as to let me implement such logic?

Alternatively, can a virtual disk partition be encrypted via luks-serv?
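The challenge-response gate sketched in the question (a public key signature over a challenge authorizing a key release), as an added example in Go. This is my own illustrative code, not NVIDIA's luks-srv trusted application, OP-TEE, or any Jetson API; it runs in ordinary userspace with only the Go standard library. The names `KeyGate`, `releaseTag`, `challengeTTL`, the placeholder disk key and the 30-second expiry are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Domain-separation tag (hypothetical): a signature made for any other
// purpose cannot be replayed as a key-release authorization.
const releaseTag = "jetson-ota-key-release/v1\x00"

// How long an issued challenge stays valid (hypothetical value).
const challengeTTL = 30 * time.Second

// KeyGate is the device-side half of the exchange. It stands in for the
// component that would guard the disk key; it is NOT the Jetson luks-srv TA.
type KeyGate struct {
	updaterPub ed25519.PublicKey      // enrolled key of the party allowed to trigger the OTA
	pending    map[[32]byte]time.Time // outstanding nonces and their expiry
	diskKey    []byte                 // the secret being guarded (constructed placeholder)
}

func NewKeyGate(updaterPub ed25519.PublicKey, diskKey []byte) *KeyGate {
	return &KeyGate{
		updaterPub: updaterPub,
		pending:    make(map[[32]byte]time.Time),
		diskKey:    diskKey,
	}
}

// Challenge issues a fresh random nonce. Each nonce is single-use and expires.
func (g *KeyGate) Challenge() ([32]byte, error) {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nonce, err
	}
	g.pending[nonce] = time.Now().Add(challengeTTL)
	return nonce, nil
}

// releaseMessage is the exact byte string both sides sign and verify:
// tag || nonce, so the signature is bound to this challenge and this purpose.
func releaseMessage(nonce [32]byte) []byte {
	msg := make([]byte, 0, len(releaseTag)+len(nonce))
	msg = append(msg, releaseTag...)
	return append(msg, nonce[:]...)
}

// Release hands out the disk key only for a live, unused nonce whose
// signature verifies under the enrolled updater public key.
func (g *KeyGate) Release(nonce [32]byte, sig []byte) ([]byte, error) {
	expiry, ok := g.pending[nonce]
	if !ok {
		return nil, errors.New("unknown or already-used challenge")
	}
	delete(g.pending, nonce) // consume first: a failed attempt also burns the nonce
	if time.Now().After(expiry) {
		return nil, errors.New("challenge expired")
	}
	if len(sig) != ed25519.SignatureSize ||
		!ed25519.Verify(g.updaterPub, releaseMessage(nonce), sig) {
		return nil, errors.New("signature verification failed")
	}
	out := make([]byte, len(g.diskKey))
	copy(out, g.diskKey)
	return out, nil
}

// SignChallenge is the updater-side half: prove possession of the private
// key for this specific nonce. The private key never leaves the updater.
func SignChallenge(priv ed25519.PrivateKey, nonce [32]byte) []byte {
	return ed25519.Sign(priv, releaseMessage(nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand
	gate := NewKeyGate(pub, []byte("constructed-disk-key-placeholder"))

	nonce, _ := gate.Challenge()
	key, err := gate.Release(nonce, SignChallenge(priv, nonce))
	fmt.Printf("first release: key=%q err=%v\n", key, err)

	// Replaying the same signed challenge must fail.
	_, err = gate.Release(nonce, SignChallenge(priv, nonce))
	fmt.Printf("replay: err=%v\n", err)

	// A signature from a key that is not enrolled must fail.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	nonce2, _ := gate.Challenge()
	_, err = gate.Release(nonce2, SignChallenge(otherPriv, nonce2))
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The point of the exchange is that the update server never sends the disk key over the air and never learns it; it proves possession of a private key against a nonce the device chose, and the device decides whether to unlock. Two caveats apply to any real deployment of this pattern: the verifying half and the key it guards have to live where a compromised normal-world OS cannot read them (on Jetson that is the trusted application in OP-TEE, not a userspace daemon as here), and once a LUKS volume is open its plaintext is readable through the device-mapper node by anything running as root on the mounted rootfs, so a gate like this limits who can open the volume, not who can read it afterwards.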

hello sabhinav,

please refer to the developer guide, OTA Upgrades with Disk Encryption Enabled.

This is great! However, running this with the -i option leaves me vulnerable, in that I'll have to send my key OTA for an update, which isn't ideal for me. Is there a way to write software to request the key from OP-TEE or the like?

Thanks!

hello sabhinav,

no, -i is given to create an OTA payload package on your host.