Can not flash clone APP_ENC image

Hi everyone,
I used the feature Disk Encryption to encrypt the root file system.
And now I need to flash the existing rootfs from the NX board. I used the command

sudo ROOTFS_ENC=1 ./flash.sh -r -G app_enc.img -k APP_ENC jetson-xavier-nx-devkit-emmc mmcblk0p1

And flash

cp app_enc.img bootloader/system_root_encrypted.img
sudo ROOTFS_ENC=1 ./flash.sh -r -k APP_ENC jetson-xavier-nx-devkit-emmc mmcblk0p1

When I flashed it over, the NX cannot boot normally. The log is

hvc_sysfs: hypervisor is not present
[    6.804799] ALSA device list:
[    6.804905]   No soundcards found.
[    6.806131] Freeing unused kernel memory: 3968K
[    6.818040] Run /init as init process
WARNING: clock_disable: clk_power_ungate on gated domain 27 for gpcclk
Root device found: UUID=b4c2f670-3c0d-489a-80be-b309c530a96d
[    7.137969] tegra_cec 3960000.tegra_cec: Can't find physical address.
[    7.138144] tegra_cec 3960000.tegra_cec: tegra_cec_init Done.
[    7.221342] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
[    7.274966] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
[    8.614626] tegra-xusb 3610000.xhci: entering ELPG done
[    8.860531] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
[    8.860771] CPU: 5 PID: 1 Comm: bash Not tainted 5.10.104-tegra #1
[    8.860906] Hardware name: Unknown NVIDIA Jetson Xavier NX Developer Kit/NVIDIA Jetson Xavier NX Developer Kit, BIOS 3.1-32827747 03/19/2023
[    8.861161] Call trace:
[    8.861245]  dump_backtrace+0x0/0x1d0
[    8.861322]  show_stack+0x30/0x40
[    8.861395]  dump_stack+0xd8/0x138
[    8.861468]  panic+0x17c/0x384
[    8.861556]  do_exit+0xaa8/0xab0
[    8.861640]  do_group_exit+0x4c/0xb0
[    8.861715]  __arm64_sys_exit_group+0x28/0x30
[    8.861810]  el0_svc_common.constprop.0+0x80/0x1d0
[    8.861910]  do_el0_svc+0x38/0xb0
[    8.861984]  el0_svc+0x1c/0x30
[    8.862051]  el0_sync_handler+0xa8/0xb0
[    8.862131]  el0_sync+0x16c/0x180
[    8.862204] SMP: stopping secondary CPUs
[    8.862313] Kernel Offset: 0x2326486c0000 from 0xffff800010000000
[    8.862577] PHYS_OFFSET: 0xffffbd12c0000000
[    8.862879] CPU features: 0x8240002,03802a30
[    8.863180] Memory Limit: none
[    8.863752] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]---

So what do I need to do next?

Thank you,
Best Regards,
Ultwcz1997

hello ultwcz1997,

did you test clone/restore on the same board?
have you updated the EKS image, since user_key is specified in eks.img?
BTW, please gather the complete console logs for reference,
thanks

Hi, @JerryChang
did you test clone/restore on the same board?

No, because I worry about data loss.

had you update the EKS image since user_key is specified in eks.img.

I have tried to flash all partitions.
sudo ROOTFS_ENC=1 ./flash.sh -r jetson-xavier-nx-devkit-emmc mmcblk0p1, but it still boots successfully.

The whole console logs
console-log (56.6 KB)

Thank you.

since you’ve enabled Disk Encryption, you’ll also need to update eks.img, and give the --user_key option to specify the user_key on the flash command line.
for example,

Usage: sudo ./flash.sh [options] <target_board> <rootdev>
  Where,
        target board: Valid target board name.
        rootdev: Proper root device.

        -i <enc rfs key file>-- key for disk encryption support.

        --user_key <key_file>   User provided key file (16-byte) to encrypt user images,
                                like kernel, kernel-dtb and initrd.
                                If user_key is specified, SBK key (-v) has to be specified.
                                For now, user_key file must contain all 0's.

please refer to developer guide, Disk Encryption — Jetson Linux Developer Guide documentation.

Hi @JerryChang

Thanks for your reply,
I used option -i to generate image to flash Jetson device

sudo ROOTFS_ENC=1 ./flash.sh -i "./ekb.key" jetson-xavier-nx-devkit-emmc mmcblk0p1

But I can not use --user_key before, so what value should I set?

Thank you. ^_^

hello ultwcz1997,

may I double confirm the release version you’re working with?

FYI,
the option --user_key is only supported in JP-4 to encrypt/decrypt user images, such as kernel/kernel-dtb. however, this is removed in JP-5.
you cannot use the --user_key option in JP-5, or it may cause unexpected issues.

Hi
may I double confirm the release version you’re working with?

JetPack5.1.1

R35 (release), REVISION: 3.1, GCID: 32827747, BOARD: t186ref, EABI: aarch64, DATE: Sun Mar 19 15:19:21 UTC 2023

Hi @JerryChang
The same board can flash the clone image successfully, but when I changed to another board, it failed to boot.

Hi @JerryChang,
Now I don’t know how to reflash a cloned image with disk encryption.

Could you please give me some pieces of advice?

Thank you.

Hi @JerryChang,
I found a post in the forums:

Does this mean we can not flash an APP_ENC clone image from NX to another NX? Because ECID is unique.

ya, that’s correct.

Oh, it’s no good.

How to flash mass production with disk encryption?

it’s only possible for per-device flashing with disk encryption enabled.

Thank you for your reply.

So it can not clone images using -k APP_ENC with disk encryption enabled like -G APP with disk encryption disabled and flash another device.
