Custom keys for Orin NX disk encryption

Hello,
I’m using an Orin NX 16GB on an Orin Nano carrier board with no fuses burnt. The goal was to enable disk encryption for more security, but unfortunately it doesn’t work with custom keys.
Here is the working method from here:
1. Untar all sources to the working dir
2. Generate images for QSPI:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
3. Generate the key:
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
4. Generate images for external storage device:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
5. Flash images into the both storage devices:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
After that the board boots and the disk is encrypted, but the key used here is the test key, so it doesn’t suit my needs.
And this is my method, which I read from here:
1. Untar all sources to the working dir
2. Untar nvidia-jetson-optee-source
3. Generate a new eks image for the keys with the updated example.sh
Contents are:

#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
echo "00000000000000000000000000000000" > sym2_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -out eks_t194.img

# [T234 example]
# Fill your OEM_K1 fuse key value
echo "telegasrazbega777" > oem_k1.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "aad66eb4484983684b992fe54a648bb8" > fv_ekb_t234

# Generate user-defined symmetric key files
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key    # kernel/kernel-dtb encryption key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key   # disk encryption key
#echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
#echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert    # Not used

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -fv fv_ekb_t234 \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_device_id device_id.cert \
        -out eks_t234.img

After that I execute the script:

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
./example.sh

4. Copy the new eks image and key to Linux_for_Tegra/bootloader and Linux_for_Tegra respectively

cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./ekb.key
rm ./bootloader/eks.img
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img ./bootloader/eks.img
rm ./bootloader/eks_t234.img
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img ./bootloader/eks_t234.img

5. Generate images for external storage device:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
6. Generate images for QSPI:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
7. Generate images for external storage device:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
8. Flash images into the both storage devices:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

But unfortunately it has no effect, and on boot the UART log shows ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
Could you please tell me what I am doing wrong, or what the proper way to enable disk encryption with custom keys is?
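A pre-flight check for the key files that feed gen_ekb.py, added here as an example; it is not from this thread or from NVIDIA's tooling. The example.sh above writes sym_t234.key with `openssl rand -hex 32` (64 hex digits) and sym2_t234.key with `-hex 16` (32 hex digits, the LUKS key), and the T194 branch writes its root key as 32 hex zeros, so gen_ekb.py is being fed hex strings of fixed lengths. The checker rejects any file that is not a single hex string of the expected length, which is cheaper to find out on the host than at the "fail to unlock" stage on the target. Two things in it are assumptions the thread does not state: that oem_k1.key holds 64 hex digits (a 256-bit fuse value) and that an unfused board's OEM_K1 reads as all zeros.

```shell
#!/bin/sh
# Added example: validate gen_ekb.py input key files before building eks_t234.img.
# Not part of the thread or of NVIDIA's tooling.

# check_hex_key FILE NDIGITS
# Returns 0 when FILE contains exactly NDIGITS hex digits. Surrounding
# whitespace, such as the newline that `echo` appends, is ignored.
check_hex_key() {
    file=$1
    want=$2
    if [ ! -r "$file" ]; then
        echo "$file: missing or unreadable" >&2
        return 1
    fi
    key=$(tr -d '[:space:]' < "$file")
    case $key in
        '' | *[!0-9a-fA-F]*)
            echo "$file: not a hex string" >&2
            return 1 ;;
    esac
    if [ "${#key}" -ne "$want" ]; then
        echo "$file: ${#key} hex digits, expected $want" >&2
        return 1
    fi
    return 0
}

# check_ekb_inputs DIR
# Checks the three T234 key files that example.sh writes into DIR.
# sym_t234.key: 64 digits (openssl rand -hex 32); sym2_t234.key: 32 digits
# (openssl rand -hex 16). The 64-digit length for oem_k1.key is an
# assumption (256-bit fuse), not something the thread states.
check_ekb_inputs() {
    dir=$1
    rc=0
    check_hex_key "$dir/oem_k1.key"    64 || rc=1
    check_hex_key "$dir/sym_t234.key"  64 || rc=1
    check_hex_key "$dir/sym2_t234.key" 32 || rc=1
    return $rc
}

# make_sample_dir good|bad
# Writes constructed sample key files into a fresh temp dir and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    case $1 in
        good)
            # Assumed value for an unfused board: the OEM_K1 fuse reads as all zeros.
            printf '%064d\n' 0 > "$d/oem_k1.key"
            # Constructed stand-in for `openssl rand -hex 32` output.
            printf '%s\n' "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" > "$d/sym_t234.key"
            # The test key the thread flashes with.
            printf '%s\n' "f0e0d0c0b0a001020304050607080900" > "$d/sym2_t234.key"
            ;;
        bad)
            # ASCII text rather than hex digits.
            printf '%s\n' "telegasrazbega777" > "$d/oem_k1.key"
            # Right alphabet, wrong length: 32 digits where 64 are expected.
            printf '%s\n' "00000000000000000000000000000000" > "$d/sym_t234.key"
            # sym2_t234.key is deliberately never written (missing file case).
            ;;
    esac
    printf '%s\n' "$d"
}

# Stand-alone usage: sh check_keys.sh source/public/optee/samples/hwkey-agent/host/tool/gen_ekb
if [ -n "$1" ]; then
    check_ekb_inputs "$1" && echo "key files look well formed"
fi
```

Run it against the gen_ekb directory before copying eks_t234.img into bootloader/; every failing file is reported on stderr and the exit status is non-zero if any of the three is malformed.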

Hi,

Disk encryption can only be enabled on a device that has been fused:
https://docs.nvidia.com/jetson/archives/r35.4.1/DeveloperGuide/text/SD/Security/SecureBoot.html

That’s incorrect. Disk encryption can be enabled without secure boot.

hello alex.iakov1337,

for working with customized keys, you’ll need to update the EKS image with your own keys.
may I know all the customized keys you’re using?

basically, you should follow the steps below to flash the target with disk encryption.
FYI, EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.

here are the steps for your reference.
assume you’re only using a customized sym2 key file.
(1) Modify optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh to use a non-zero key,
i.e. $ echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key, to generate a new eks image.

(2) since it’s Orin NX, you’ll need to generate a new sign/encrypt file, i.e. eks_t234_sigheader.img.encrypt
please copy sym2_t234.key and the generated eks_t234.img to… $OUT/Linux_for_Tegra/bootloader/eks_t234.img
by executing the flash script locally, $ sudo ./flash.sh --no-flash -r -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1

note, the -r option skips building system.img and reuses the existing one.
this may fail if you have not run this flash command line before.

(3) Copy sign/encrypt binary to initrd image folder.
$ cp $OUT/Linux_for_Tegra/bootloader/eks_t234_sigheader.img.encrypt $OUT/Linux_for_Tegra/tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt

(4) Run the command below to update the EKS partition individually for your Orin NX.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

Hi JerryChang, step 2 always fails with Reusing existing system.img... file does not exist. Also eks_t234_sigheader.img.encrypt doesn’t update.
Logs here - generate_image.log (18.1 KB)
When trying to flash the new EKS I get another error, and it is constant - flash_error.log (3.6 KB)
Could you point out what I am doing wrong? Attaching commands here (assuming sym2_t234.key has value b7a15a781ab258bae33a93069b1186ad):

cd $SCRIPT_DIR/Linux_for_Tegra
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./sym2_t234.key
rm ./bootloader/eks_t234.img
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img ./bootloader/eks_t234.img

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
#sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
sudo ./flash.sh --no-flash -r -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1
cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

P.S. I’ve tried to flash without regenerating eks_t234_sigheader.img.encrypt and using the test key. All works fine, so it’s not a cable problem; somehow one command broke the whole flashing process.

P.P.S. execution of $ sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1 (without -r) still gives this error

So, it turns out that this process is sensitive to build order. I’ve managed to flash the new EKS image and the new system on my Jetson. Here are my commands:

./example.sh

cd $SCRIPT_DIR/Linux_for_Tegra


cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./sym2_t234.key
rm ./bootloader/eks_t234.img
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img ./bootloader/eks_t234.img

sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --netwo>
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

After that you need to put the Jetson in RM again and execute sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only. The Jetson successfully boots and the disk is encrypted.

But there is one thing I doubt: when the Jetson is booting it gives WARNING: Test key is in use. Is it normal @JerryChang?

And another thing: there is always 59Gb of encrypted space; is there a way to fill the whole disk during the flashing process and encrypt it?


hello alex.iakov1337,

it’s reported by UEFI. you may refer to the public sources,
for example, https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/BdsDxe/BdsEntry.c
this is a normal message since UEFI Secure Boot has not been enabled.

you may review the xml file to revise the partition size.
for instance, please refer to the UDA partition’s size in the disk encryption configuration,
i.e. the flash configuration file flash_t234_qspi_sd_enc_rootfs_ab.xml.

        <partition name="UDA" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
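A sanity check for a partition layout, added here as an example; it is not from this thread or from the flashing tools. It sums the <size> values, which the fragment above gives in bytes, and compares the total with the capacity Linux reports in 512-byte sectors via /sys/block/<dev>/size, so an oversized layout is caught before tegraparser_v2 runs. The sample layout is a constructed, cut-down fragment: only the UDA entry mirrors the one quoted above, the APP_ENC size and the 250069680-sector capacity (about 119.2 GiB) are made-up values, and the check assumes every partition states a numeric size rather than a placeholder that the flash scripts substitute later.

```shell
#!/bin/sh
# Added example: check that the <size> entries of a flash-layout XML fit the
# target device. Not part of the thread or of NVIDIA's flashing tools.

# partition_total FILE
# Prints the sum, in bytes, of every "<size> N </size>" element in FILE.
# Shell arithmetic is used instead of awk so totals above 2^31 stay exact.
partition_total() {
    total=0
    for n in $(sed -n 's/.*<size> *\([0-9][0-9]*\) *<\/size>.*/\1/p' "$1"); do
        total=$((total + n))
    done
    printf '%s\n' "$total"
}

# fits_device FILE SECTORS
# Returns 0 when the layout total does not exceed SECTORS * 512 bytes
# (SECTORS is what `cat /sys/block/nvme0n1/size` prints).
fits_device() {
    total=$(partition_total "$1")
    capacity=$(( $2 * 512 ))
    if [ "$total" -gt "$capacity" ]; then
        echo "layout needs $total bytes, device has $capacity" >&2
        return 1
    fi
    return 0
}

# write_sample_layout
# Writes a constructed, cut-down layout to a temp file and prints its path.
# Only the UDA entry mirrors the thread; the APP_ENC size is illustrative.
write_sample_layout() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<partition_layout>
    <device type="nvme" instance="0">
        <partition name="APP_ENC" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 62277025792 </size>
        </partition>
        <partition name="UDA" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
        </partition>
    </device>
</partition_layout>
EOF
    printf '%s\n' "$f"
}

# Stand-alone usage: sh layout_check.sh flash.xml "$(cat /sys/block/nvme0n1/size)"
if [ $# -eq 2 ]; then
    fits_device "$1" "$2" && echo "layout fits"
fi
```

The sample layout sums to 62696456192 bytes, which fits a 250069680-sector device and does not fit a 100000000-sector one; the same two functions can be pointed at the real flash_l4t_t234_nvme_rootfs_enc.xml after an edit to the UDA or APP size.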

hi JerryChang,
Unfortunately, I have made no progress in extending the rootfs size on my nvme. This is the lsblk && cat /sys/block/nvme0n1/size output with the flashing commands, without edits in flash_l4t_t234_nvme_rootfs_enc.xml:
When trying to use another number:

        <partition name="UDA" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 819430400 </size>

Flashing process gives an error:

Error: Could not stat device /dev/mmcblk0 - No such file or directory.
Flash failure

My goal is to extend the rootfs size to the disk size (my disk is 119.2GB; I want to make crypt_root approximately this size).

hello alex.iakov1337,

please check $OUT/Linux_for_Tegra$ vim tools/kernel_flash/README_initrd_flash.txt for samples.
you may also see Workflow 10, which adds -S <APP-size> to specify the rootfs size.

When I’m trying to specify the rootfs size with:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 -S 50GiB jetson-orin-nano-devkit external

It gives an error:

[   4.9803 ] End sector for APP_ENC, expected at: 122159070, actual: 0
Error: Return value 4
Command tegraparser_v2 --generategpt --pt flash.xml.bin
Error: /home/user/Desktop/Linux_for_Tegra/bootloader/signed/flash.idx is not found
Error: failed to relocate images to /home/user/Desktop/Linux_for_Tegra/tools/kernel_flash/images

And when flashing:

[   3.5350 ] End sector for APP_ENC, expected at: 122159070, actual: 0
Error: Return value 4
Command tegraparser_v2 --generategpt --pt flash.xml.bin
Cleaning up...

Do you know what could be the reason?

UPD: no results. I think my problem is off topic, so I am closing it.

you may create a new topic to follow up on this.
