Could you please try the nvmassflashgen script before you fuse another TX2-4GB? You should execute it in the offline method. Here are sample commands for your reference,
for example, BOARDID=3489 BOARDSKU=0888 FAB=300 FUSELEVEL=fuselevel_production ./nvmassflashgen.sh -u rsa_priv.pem -v sbk.key jetson-tx2-devkit-4gb mmcblk0p1
This will generate a mass-flash image tarball once complete, i.e. mfi_jetson-tx2-devkit-4gb_encrypt_signed.tbz2
You should extract this tbz2 file and execute nvmflash.sh to flash the target.
So, I use a command like this and can flash and boot!
But when I run the same command with ROOTFS_ENC=1 set, it fails.
Making system_boot.img...
populating bootfs from /home/mharr418/Documents/enc_rootfs_inv/unpack20/Linux_for_Tegra/rootfs/boot ... done.
populating /extlinux/extlinux.conf ... done.
Sync'ing system_boot.img ... done.
Converting RAW image to Sparse image... done.
system_boot.img built successfully.
Making system_root_encrypted.img...
ERROR: build_enc_root_fsimg: ECID is null .
Is this due to the failed fuse burning? Why, then, does setting the SBK key work when not using ROOTFS_ENC?
Here is the command with ROOTFS_ENC=1. (When I remove this global from my command, the script works.)
I am about ready to move on to the new SOM to test; I cannot see any issues here, and I think it is something in the fuse burning that is causing all these errors.
Remember, the final goal is also to have the rootfs encrypted (ROOTFS_ENC=1).
Booting with PKCSBK and odm_production mode is good, but if I add ROOTFS_ENC=1 to my command,
I get this on my screen:
I will now always set FUSELEVEL=fuselevel_production since we had issues reading this before, but I still want to read the ECID from the board, so I will go to flash.sh and comment these lines out:
#fuselevel is read wrong currently, will test on future boards
#if [ "${fuselevel}" = "" ]; then
    get_fuse_level fuselevel hwchipid bootauth;
    # fuselevel_unknown or empty will be handled as fuselevel_production
    if [ "${fuselevel}" = "fuselevel_unknown" ] || [ "${fuselevel}" = "" ]; then
        fuselevel="fuselevel_production";
    fi;
    echo "SHOWING FUSELEVEL"
    echo "${fuselevel}"
    echo "${ECID}"
#else
#    # can not "--skipuid" when function get_fuse_level is skipped.
#    SKIPUID="";
#fi;
Other than this, the intended process on 32.6.1 works well. I will be using it on my TX2.
FYI,
you'll need to create eks.img to enable disk encryption on a fused TX2 platform.
There's a script file, example.sh; it uses all zeros and runs gen_ekb.py to generate eks.img.
For example, $L4T_Sources/r32.6.1/Linux_for_Tegra/source/public/atf_and_trusty/trusty/app/nvidia-sample/hwkey-agent/CA_sample/tool/gen_ekb/example.sh
If necessary, replace those keys and create eks.img. After that, please overwrite Linux_for_Tegra/bootloader/eks.img with the generated file.
Because partition update is disabled on a fused device, you need to update the eks partition by fully flashing the target.
For example, $ sudo ROOTFS_ENC=1 ./flash.sh -u pkc.key -v sbk.key jetson-tx2 mmcblk0p1
Once the system boots up, please run the mount command to check your file system.
There will be a "crypt" keyword if the process is complete.
For example,
$ mount
/dev/mapper/crypt_root on / type ext4 (rw,relatime,data=ordered)
We verified disk encryption with a device fused with SBKPKC and KEK2 added.
So, how about running example.sh and replacing KEK2 with yours to create eks.img? $L4T_Sources/r32.6.1/Linux_for_Tegra/source/public/atf_and_trusty/trusty/app/nvidia-sample/hwkey-agent/CA_sample/tool/gen_ekb/example.sh
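As an added example (not NVIDIA's code and not part of this thread), the pre-flight check below ties together the two failure modes discussed above: the "ECID is null" error from build_enc_root_fsimg and the need for a generated eks.img in Linux_for_Tegra/bootloader before a full flash with ROOTFS_ENC=1. The function name, its arguments and the sample files created in the usage block are assumptions; it does not call flash.sh itself.

```shell
#!/bin/sh
# Added example, not NVIDIA's code. Run these checks before
#   sudo ROOTFS_ENC=1 ./flash.sh -u pkc.key -v sbk.key jetson-tx2 mmcblk0p1
# so that a fused TX2 fails fast with a clear message instead of
# halfway through building system_root_encrypted.img.
#
# enc_flash_preflight <ecid> <fuselevel> <Linux_for_Tegra dir> <pkc.key> <sbk.key>
# Returns 0 when every check passes, 1 otherwise (one line per problem).
enc_flash_preflight() {
    ecid=$1; fuselevel=$2; l4t=$3; pkc=$4; sbk=$5
    rc=0
    # build_enc_root_fsimg needs the board's ECID; an empty value is the
    # "ERROR: build_enc_root_fsimg: ECID is null" seen in the thread.
    if [ -z "$ecid" ]; then
        echo "preflight: ECID is empty (fuse read failed, or get_fuse_level skipped?)"
        rc=1
    fi
    # flash.sh maps fuselevel_unknown/empty to fuselevel_production; on a fused
    # board require it to be set explicitly so nothing is guessed.
    case "$fuselevel" in
        fuselevel_production) ;;
        *) echo "preflight: FUSELEVEL must be fuselevel_production (got '${fuselevel:-<empty>}')"
           rc=1 ;;
    esac
    # eks.img (from gen_ekb.py) must already be in bootloader/, because a
    # fused device does not accept a later partition update of eks.
    if [ ! -s "$l4t/bootloader/eks.img" ]; then
        echo "preflight: $l4t/bootloader/eks.img missing or empty (run gen_ekb.py first)"
        rc=1
    fi
    for k in "$pkc" "$sbk"; do
        [ -s "$k" ] || { echo "preflight: key file '$k' missing or empty"; rc=1; }
    done
    return $rc
}

# Usage with a constructed, throw-away Linux_for_Tegra layout (assumed values):
if [ "${PREFLIGHT_DEMO:-0}" = 1 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/bootloader"
    printf 'eks' > "$demo/bootloader/eks.img"
    printf 'k' > "$demo/pkc.key"; printf 'k' > "$demo/sbk.key"
    enc_flash_preflight "0x0123456789abcdef" fuselevel_production "$demo" \
        "$demo/pkc.key" "$demo/sbk.key" && echo "preflight OK"
    rm -rf "$demo"
fi
```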