QOP
April 7, 2022, 9:24am
Hello there,
For the last few months we have been trying to enable disk encryption with no luck. We really need your help to figure out the issues. We have had the worst experience ever with your documentation.
We are using a Jetson AGX Xavier production board. We are trying to enable secure boot on our device. We followed these steps to achieve it.
In the beginning (keys generated following your guide),
we tried to use the "--noburn" and "--no-flash" commands to fuse and flash-sign, like this:
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 --auth SBKPKC -p -k rsa_priv.pem --KEK2 kek2.key -S sbk.key jetson-xavier
sudo tar -jxvf fuseblob.tbz2
cd bootloader
sudo ./fusecmd
and this command:
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./flash.sh --no-flash --sign -u rsa_priv.pem -v sbk.key --user_key usr_flash.key jetson-xavier mmcblk0p1
cd bootloader
sudo bash ./flashcmd.txt
They all show the error "Error: Return value 22".
I had no way to fix it, so I switched to a real fuse and flash, following these steps:
1. Set up L4T (I got everything I need, I guess)
2. Prepare the encryption keys
➜ ~ cat kek2.key
3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5
➜ ~ cat sbk.key
0xcxxxxxx3 0xdxxxxxx5 0x2xxxxxx1 0x4xxxxxx9
➜ ~ cat iv_hex_file
bad66eb4484983684b992fe54a648bb8
➜ ~ cat usr_eks.key
bxxxxxx5dxxxxxx2dxxxxxx0cxxxxxx2
➜ ~ cat usr_flash.key
0xbxxxxxx5 0xdxxxxxx2 0xdxxxxxx0 0xcxxxxxx2
➜ ~ cat ekb.key
dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1
3. Fuse device
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./odmfuse.sh -i 0x19 -p -k rsa_priv.pem --KEK2 kek2.key -S sbk.key jetson-xavier
4. Flash device
sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=k.0 CHIPREV=2 ./flash.sh -u rsa_priv.pem -v sbk.key --user_key usr_flash.key jetson-xavier mmcblk0p1
The above steps execute successfully but the device cannot boot; only the NVIDIA logo is shown on the screen.
Please help us to figure out this long-standing issue. Thanks in advance.
Here are the fuse logs:
fuse_log (80.4 KB)
Here are the flash logs
flash_log (112.1 KB)
hello QOP,
let's start from your step 1.
Had you fused your Xavier platform before?
The --auth option means the authentication type of your current board; it's there to let the script understand the details. So, you should use --auth NS if you're using a non-fused target.
And you should actually burn the device according to your step 3.
Could you please perform odmfuseread.sh to ensure the fuse variables.
thanks
QOP
April 8, 2022, 8:19am
Thanks, but when I continue to enable disk encryption, it always shows a blank screen with the NVIDIA logo.
I followed these steps to achieve it:
1. Generate the EKS blob and replace the existing eks.img:
sudo python3 gen_ekb.py -kek2_key kek2.key -fv iv_hex_file -in_sym_key usr_ekb.key -in_sym_key2 ekb.key -out eks.img
cp eks.img Linux_for_Tegra/bootloader/
2. I use the default partition table in bootloader/t186ref/cfg/flash_t194_sdmmc_enc_rfs.xml:
<partition name="APP" type="data">
  <allocation_policy> sequential </allocation_policy>
  <filesystem_type> basic </filesystem_type>
  <size> 419430400 </size>
  <file_system_attribute> 0 </file_system_attribute>
  <allocation_attribute> 0x8 </allocation_attribute>
  <align_boundary> 4096 </align_boundary>
  <percent_reserved> 0 </percent_reserved>
  <unique_guid> APPUUID </unique_guid>
  <filename> system_boot.img </filename>
  <description> **Required.** Contains the boot partition. This partition must be defined after
  `primary_gpt` so it can be accessed as the fixed known special device
  `/dev/mmcblk0p1`. </description>
</partition>
<partition name="APP_b" type="data">
  <allocation_policy> sequential </allocation_policy>
  <filesystem_type> basic </filesystem_type>
  <size> 419430400 </size>
  <file_system_attribute> 0 </file_system_attribute>
  <allocation_attribute> 0x8 </allocation_attribute>
  <align_boundary> 4096 </align_boundary>
  <percent_reserved> 0 </percent_reserved>
  <unique_guid> APPUUID_b </unique_guid>
  <filename> system_boot.img_b </filename>
  <description> **Required.** Contains the boot partition. This partition must be defined after
  `primary_gpt` so it can be accessed as the fixed known special device
  `/dev/mmcblk0p2`. </description>
</partition>
<partition name="APP_ENC" type="data" encrypted="true">
  <allocation_policy> sequential </allocation_policy>
  <filesystem_type> basic </filesystem_type>
  <size> APP_ENC_SIZE </size>
  <file_system_attribute> 0 </file_system_attribute>
  <allocation_attribute> 0x8 </allocation_attribute>
  <percent_reserved> 0 </percent_reserved>
  <align_boundary> 4096 </align_boundary>
  <unique_guid> APP_ENC_UUID </unique_guid>
  <filename> system_root_encrypted.img </filename>
  <description> **Required.** Contains the encrypted root partition("/"). </description>
</partition>
<partition name="APP_ENC_b" type="data" encrypted="true">
  <allocation_policy> sequential </allocation_policy>
  <filesystem_type> basic </filesystem_type>
  <size> APP_ENC_SIZE </size>
  <file_system_attribute> 0 </file_system_attribute>
  <allocation_attribute> 0x8 </allocation_attribute>
  <percent_reserved> 0 </percent_reserved>
  <align_boundary> 4096 </align_boundary>
  <unique_guid> APP_ENC_UUID_b </unique_guid>
  <filename> system_root_encrypted.img_b </filename>
  <description> **Required.** Contains the encrypted root partition("/"). </description>
</partition>
3. Update the board config file p2972-0000.conf.common; I just modified disk_enc_enable=1:
ODMDATA=0x9190000;
CHIPID=0x19;
EMMC_CFG=flash_t194_sdmmc.xml;
BOOTPARTSIZE=8388608;
EMMCSIZE=31276924928;
ITS_FILE=;
BPFDTB_FILE=tegra194-a01-bpmp-p2888-a01.dtb;
DTB_FILE=tegra194-p2888-0001-p2822-0000.dtb;
TBCDTB_FILE=tegra194-p2888-0001-p2822-0000.dtb;
ROOTFSSIZE=28GiB;
CMDLINE_ADD="console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 rootfstype=ext4";
target_board="t186ref";
...
rootfs_ab=0;
disk_enc_enable=1;
# Rootfs A/B:
if [[ "${ROOTFS_AB}" == 1 && "${ROOTFS_ENC}" == "" ]]; then
    rootfs_ab=1;
    EMMC_CFG=flash_t194_sdmmc_rootfs_ab.xml;
    ROOTFSSIZE=14GiB;
    SMDFILE="slot_metadata.bin.rootfsAB";
# Disk encryption support:
elif [[ "${ROOTFS_AB}" == "" && "${ROOTFS_ENC}" == 1 ]]; then
    disk_enc_enable=1;
    EMMC_CFG=flash_t194_sdmmc_enc_rfs.xml;
# Rootfs A/B + Disk encryption support:
elif [[ "${ROOTFS_AB}" == 1 && "${ROOTFS_ENC}" == 1 ]]; then
    rootfs_ab=1;
    disk_enc_enable=1;
    EMMC_CFG=flash_t194_sdmmc_enc_rootfs_ab.xml;
    ROOTFSSIZE=14GiB;
    SMDFILE="slot_metadata.bin.rootfsAB";
fi;
4. Run the flash script:
sudo ROOTFS_ENC=1 ./flash.sh --sign -u rsa_priv.pem -v sbk.key -i ekb.key --user_key usr_flash.key jetson-xavier mmcblk0p1
The above steps execute successfully but the device cannot boot; only the NVIDIA logo is shown on the screen.
I also tried to replace cboot as you said in the two topics "Black Screen after enable SecureBOOT and disk encryption" and "Will not boot after enabling Security Boot (Jetson AGX Xavier) - #58 by JerryChang",
but that doesn't seem to work and even just shows a black screen without the logo.
Please help us to figure out this long-standing issue. Thanks in advance.
hello QOP,
just for confirmation, are you able to enable secureBoot now?
Which JetPack release are you using? There's an issue with r32.5.1 when enabling disk encryption; please move to r32.6.1 or later to include the fixes.
QOP
April 8, 2022, 8:38am
thanks
Now I can enable secureBoot, and I use all these packages.
You mean the bug has been fixed in the later version.
That leaves me confused why I can't boot from the encrypted disk.
I also consulted this topic: Enabling disk encryption doesn't boot the device // Jetson Xavier NX // P3668-0001
and tried modifying the luks1 flash and the luks2 flash; all failed.
Oh, by the way, this is my info:
hello QOP,
could you please remove --sign in the command-line?
please also review the keys; the user_key is specified in eks.img.
according to the documentation (gen_ekb to generate eks.img), the sym.key is the user_key; Trusty retrieves the user_key from eks.img and loads the key into keyslot_14 for decryption. when flashing, please use the --user_key option to specify the user_key.
BTW,
please refer to Topic 208615 to check you've included these patches.
thanks
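The reply above asks to review the keys: the value in the file given to gen_ekb.py as -in_sym_key and the value given to flash.sh as --user_key must be the same key, but the two tools take different file layouts, as the key listings in the first post show (kek2.key, usr_eks.key and ekb.key as 32 hex characters; sbk.key and usr_flash.key as four 0x-prefixed 32-bit words). The following Python helper is an added example, not part of this thread or of L4T: it normalises both layouts to 16 raw bytes and checks them against each other. The assumed mapping between the layouts (each word is four big-endian bytes, concatenated in order) is the one the masked usr_eks.key / usr_flash.key pair in the first post exhibits; the sample key values are constructed.

```python
import re

# Every key file in the thread holds a 128-bit key (KEK2, SBK, user key).
KEY_BYTES = 16

HEX_RE = re.compile(r"[0-9a-fA-F]{32}")       # kek2.key / usr_eks.key / ekb.key layout
WORD_RE = re.compile(r"0x[0-9a-fA-F]{8}")     # one word of the sbk.key / usr_flash.key layout


def parse_key_file(text: str) -> bytes:
    """Normalise either key-file layout to 16 raw bytes.

    Assumption (matches the masked pair shown in the first post): the four-word
    layout is the hex string cut into 4-byte big-endian groups. Anything that is
    not exactly 128 bits in one of the two layouts is rejected, so a 256-bit key
    or a file with a missing word fails loudly instead of being fused or flashed.
    """
    tokens = text.split()
    if len(tokens) == 1 and HEX_RE.fullmatch(tokens[0]):
        return bytes.fromhex(tokens[0])
    if len(tokens) == 4 and all(WORD_RE.fullmatch(t) for t in tokens):
        return b"".join(int(t, 16).to_bytes(4, "big") for t in tokens)
    raise ValueError(f"unrecognised key file layout or wrong key size: {text!r}")


def to_word_format(key: bytes) -> str:
    """Layout used by the files passed to flash.sh -v / --user_key in the thread."""
    if len(key) != KEY_BYTES:
        raise ValueError("expected a 128-bit key")
    return " ".join("0x" + key[i:i + 4].hex() for i in range(0, KEY_BYTES, 4))


def to_hex_format(key: bytes) -> str:
    """Layout used by the files passed to gen_ekb.py (-kek2_key, -in_sym_key, ...)."""
    if len(key) != KEY_BYTES:
        raise ValueError("expected a 128-bit key")
    return key.hex()


def user_keys_match(eks_key_text: str, flash_key_text: str) -> bool:
    """The check the reply asks for: the key wrapped into eks.img (-in_sym_key)
    and the key handed to flash.sh --user_key must be the same 128-bit value,
    regardless of which layout each file uses."""
    return parse_key_file(eks_key_text) == parse_key_file(flash_key_text)


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    usr_eks = "b0000005d0000002d0000000c0000002"
    usr_flash = "0xb0000005 0xd0000002 0xd0000000 0xc0000002"
    print("user key consistent across gen_ekb.py and flash.sh:",
          user_keys_match(usr_eks, usr_flash))
    print("usr_eks.key rewritten in --user_key layout:",
          to_word_format(parse_key_file(usr_eks)))
```

Run it against the real key files (`parse_key_file(open("usr_eks.key").read())`) before fusing: a key that parses in both layouts but differs by one nibble is exactly the kind of mistake that produces a device stuck at the logo with no error message.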
QOP
April 8, 2022, 8:55am
OK, I will try. There is one thing I want to know: which should I use in disk_encryption_helper.func, "luks1" or "luks2"?
# Add the LUKS header
eval ${GEN_LUKS_PASS_CMD} | ${CRYPTSETUP_BIN} \
    --type luks1 \
    -c aes-cbc-essiv:sha256 \
    -s 128 \
    --uuid "${__rootfsuuid}" \
    luksFormat \
    ${loop_dev};
chkerr "Add LUKS header on ${__localsysfile} failed.";
please use luks1 to maintain backward compatibility, thanks
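The answer above settles on luks1. Before flashing, it is worth confirming what the encrypted image actually carries, since a header that does not match what the unlock path expects fails silently at boot. The following Python example is added here and is not from the thread or from L4T: it parses the LUKS1 binary header that cryptsetup writes at the start of the device and compares it with the parameters disk_encryption_helper.func passes (--type luks1, -c aes-cbc-essiv:sha256, -s 128). Field offsets follow the LUKS1 on-disk specification; the sample header and UUID are constructed for the test.

```python
import struct
from dataclasses import dataclass
from typing import List

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HDR_LEN = 592                 # fixed size of the LUKS1 phdr
KEYSLOT_ACTIVE = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD

# What the quoted disk_encryption_helper.func asks cryptsetup for.
EXPECTED_VERSION = 1
EXPECTED_CIPHER = "aes"
EXPECTED_MODE = "cbc-essiv:sha256"
EXPECTED_KEY_BYTES = 16             # -s 128


@dataclass
class LuksHeader:
    version: int
    cipher: str
    mode: str
    hash_spec: str
    payload_offset: int             # in 512-byte sectors
    key_bytes: int
    uuid: str
    active_keyslots: int


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(buf: bytes) -> LuksHeader:
    """Parse the first 592 bytes of a LUKS1 device/image (LUKS1 phdr layout)."""
    if len(buf) < LUKS1_HDR_LEN:
        raise ValueError("need at least 592 bytes of header")
    if buf[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not LUKS-formatted, or wrong offset")
    version = struct.unpack_from(">H", buf, 6)[0]
    if version != 1:
        # LUKS2 shares the magic but has a different (binary + JSON) layout.
        raise ValueError(f"LUKS version {version}: only the luks1 header is parsed here")
    cipher = _cstr(buf[8:40])
    mode = _cstr(buf[40:72])
    hash_spec = _cstr(buf[72:104])
    payload_offset, key_bytes = struct.unpack_from(">II", buf, 104)
    uuid = _cstr(buf[168:208])
    active = 0
    for slot in range(8):                      # 8 keyslots of 48 bytes from offset 208
        state = struct.unpack_from(">I", buf, 208 + 48 * slot)[0]
        if state == KEYSLOT_ACTIVE:
            active += 1
    return LuksHeader(version, cipher, mode, hash_spec, payload_offset, key_bytes, uuid, active)


def matches_helper_defaults(hdr: LuksHeader) -> List[str]:
    """Return a list of mismatches against the helper script's cryptsetup call (empty = OK)."""
    problems = []
    if hdr.cipher != EXPECTED_CIPHER:
        problems.append(f"cipher {hdr.cipher!r}, expected {EXPECTED_CIPHER!r}")
    if hdr.mode != EXPECTED_MODE:
        problems.append(f"mode {hdr.mode!r}, expected {EXPECTED_MODE!r}")
    if hdr.key_bytes != EXPECTED_KEY_BYTES:
        problems.append(f"key size {hdr.key_bytes * 8} bits, expected {EXPECTED_KEY_BYTES * 8}")
    if hdr.active_keyslots == 0:
        problems.append("no active keyslot: nothing can ever unlock this volume")
    return problems


def build_sample_header(cipher="aes", mode="cbc-essiv:sha256", key_bytes=16,
                        version=1, active_slots=1) -> bytes:
    """Constructed LUKS1 header for offline testing; not taken from a real device."""
    hdr = bytearray(LUKS1_HDR_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, version)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)
    hdr[168:204] = b"0f0a2c6e-4b9d-4a8e-8b1f-5d0c8e7a1b2c"   # constructed UUID
    for slot in range(8):
        state = KEYSLOT_ACTIVE if slot < active_slots else KEYSLOT_DISABLED
        struct.pack_into(">I", hdr, 208 + 48 * slot, state)
    return bytes(hdr)


if __name__ == "__main__":
    hdr = parse_luks_header(build_sample_header())
    print(hdr)
    print("mismatches vs disk_encryption_helper.func:", matches_helper_defaults(hdr) or "none")
```

On a real image, feed it the first 592 bytes of system_root_encrypted.img or of the APP_ENC partition (for example `open(path, "rb").read(592)`). A version-2 header is rejected outright, which is the right outcome here: the thread's unlock path is built for luks1. One caveat a practitioner should note: aes-cbc-essiv:sha256 with a 128-bit key is an older choice than current cryptsetup defaults (LUKS2 with aes-xts-plain64); the reply keeps luks1 only for backward compatibility.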
QOP
April 8, 2022, 10:22am
hello
I tried to use the command:
sudo ROOTFS_ENC=1 ./flash.sh -u rsa_priv.pem -v sbk.key -i ekb.key jetson-xavier mmcblk0p1
It can't boot and shows this:
Is the reason for the error that I don't use "user_key"?
By the way, why does flashing with disk encryption take so much time every time, almost 1.2 hours? Is that a normal condition?
And I am flashing following your suggestion "could you please remove --sign in the command-line?"
It can't boot, it just shows the NVIDIA logo.
QOP
April 11, 2022, 5:16am
hello JerryChang
I found the reason why I can't boot: I had changed the iv_hex_file rather than using your default value.
Now I can boot, but two new issues have arisen:
1. In what case can I modify the iv_hex_file to get an eks.img?
2. What is the passphrase to unlock crypt_root and crypt_UDA?
thanks
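The post above finds the cause: a changed iv_hex_file. The fixed vector (fv) given to gen_ekb.py is not a secret; it is a derivation input that the device side (Trusty, which holds its own copy of the fv) combines with the KEK2 fuse to derive the key that unwraps eks.img. Change it on the host only and the device derives a different key, the user key never comes out of eks.img, and the encrypted rootfs cannot be unlocked, which is exactly the hang at the logo with no error message. The following Python block is an added model of that failure, not gen_ekb.py or Trusty code: the blob layout, the 16-byte magic marker and the use of AES-128-ECB for derivation and AES-128-CBC for wrapping are assumptions made for the illustration, the real eks.img format is not reproduced, and the KEK2, user keys and IV are constructed. It shells out to the openssl CLI, which the L4T flashing tools also rely on, so openssl is assumed to be installed.

```python
import os
import subprocess

# iv_hex_file value shown in the first post (the L4T default fv).
DEFAULT_FV = bytes.fromhex("bad66eb4484983684b992fe54a648bb8")

# Model blob layout (an assumption for this illustration, not the real eks.img):
#   iv (16 bytes) || AES-128-CBC_EKB_EK( MAGIC(16) || sym_key(16) || sym_key2(16) )
MAGIC = b"EKB-MODEL-V1\0\0\0\0"   # 16 bytes, so the plaintext is block-aligned with -nopad
BLOCK = 16


def _openssl(args, data: bytes) -> bytes:
    """Run `openssl enc` on data from stdin and return stdout (assumes openssl is present)."""
    return subprocess.run(["openssl", "enc", *args], input=data,
                          capture_output=True, check=True).stdout


def derive_ekb_ek(kek2: bytes, fv: bytes) -> bytes:
    """Model of EKB_EK derivation: AES-128-ECB encrypt the fixed vector under KEK2.
    Host (gen_ekb.py) and device (Trusty) must start from the same KEK2 *and* the
    same fv to arrive at the same EKB_EK; the fv itself carries no secrecy."""
    if len(kek2) != BLOCK or len(fv) != BLOCK:
        raise ValueError("KEK2 and fv must both be 128 bits")
    return _openssl(["-aes-128-ecb", "-K", kek2.hex(), "-nopad"], fv)


def gen_ekb(kek2: bytes, fv: bytes, sym_key: bytes, sym_key2: bytes, iv: bytes = None) -> bytes:
    """Host side (what gen_ekb.py does in spirit): wrap the two user keys under EKB_EK."""
    if len(sym_key) != BLOCK or len(sym_key2) != BLOCK:
        raise ValueError("user keys must be 128 bits")
    iv = os.urandom(BLOCK) if iv is None else iv
    ek = derive_ekb_ek(kek2, fv)
    plaintext = MAGIC + sym_key + sym_key2
    ciphertext = _openssl(["-aes-128-cbc", "-K", ek.hex(), "-iv", iv.hex(), "-nopad"], plaintext)
    return iv + ciphertext


def unwrap_ekb(blob: bytes, kek2: bytes, fv_in_trusty: bytes):
    """Device side model: derive EKB_EK with Trusty's own fv and decrypt the blob.
    Returns (sym_key, sym_key2), or None when the magic is missing, i.e. the fv
    (or KEK2) used on the device did not match the one used to build the blob."""
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    ek = derive_ekb_ek(kek2, fv_in_trusty)
    plaintext = _openssl(["-d", "-aes-128-cbc", "-K", ek.hex(), "-iv", iv.hex(), "-nopad"], ciphertext)
    if plaintext[:BLOCK] != MAGIC:
        return None
    return plaintext[BLOCK:2 * BLOCK], plaintext[2 * BLOCK:3 * BLOCK]


if __name__ == "__main__":
    # Constructed values, not real keys.
    kek2 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    user_key = bytes.fromhex("b0000005d0000002d0000000c0000002")
    ekb_key = bytes.fromhex("d0000000000000000000000000000001")
    changed_fv = bytes.fromhex("00112233445566778899aabbccddeeff")

    blob = gen_ekb(kek2, changed_fv, user_key, ekb_key)        # host used a changed fv
    print("Trusty with its built-in fv unwraps:", unwrap_ekb(blob, kek2, DEFAULT_FV))  # None
    blob = gen_ekb(kek2, DEFAULT_FV, user_key, ekb_key)        # host used the same fv
    print("Trusty with matching fv unwraps:", unwrap_ekb(blob, kek2, DEFAULT_FV) is not None)
```

The point of the model is the failure mode: with -nopad there is no decryption error at all, only garbage where the keys should be, and without the magic check nothing would even notice. On the device the symptom is the same silence. So the answer to the post's first question, in the terms of this model, is that the fv may only change together with the copy the device firmware carries; changing the host-side file alone guarantees a mismatch. KEK2 remains the value that must stay secret.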
system
Closed
May 11, 2022, 5:59am
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.