Hello,
I’m using an Orin NX 16GB on an Orin Nano carrier board with no fuses burnt. The goal was to enable disk encryption for more security, but unfortunately it doesn’t work with custom keys.
Here is the working method from here:
1. Untar all sources to working dir
2. Generate images for QSPI: $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
3. Generate the key: $ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
4. Generate images for external storage device: $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
5. Flash images into the both storage devices: $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
After that the board boots and the disk is encrypted, but the key used here is a test key, so it doesn’t suit my wishes.
And this is my method that I read from here:
1. Untar all sources to working dir
2. Untar nvidia-jetson-optee-source
3. Generate a new eks image for the keys with the updated example.sh
Contents are:
#!/bin/bash
# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key
# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194
# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
echo "00000000000000000000000000000000" > sym2_t194.key
python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
    -fv fv_ekb_t194 \
    -in_sym_key sym_t194.key \
    -in_sym_key2 sym2_t194.key \
    -out eks_t194.img
# [T234 example]
# Fill your OEM_K1 fuse key value
echo "telegasrazbega777" > oem_k1.key
# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "aad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
# Generate user-defined symmetric key files
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key # kernel/kernel-dtb encryption key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key # disk encryption key
#echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
#echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert # Not used
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
    -fv fv_ekb_t234 \
    -in_sym_key sym_t234.key \
    -in_sym_key2 sym2_t234.key \
    -in_device_id device_id.cert \
    -out eks_t234.img
After that I execute the script:
cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
./example.sh
4. Copy the new eks image and the key to Linux_for_Tegra/bootloader and Linux_for_Tegra respectively
But unfortunately it has no effect, and on boot the UART log shows ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
Could you please advise what I am doing wrong, or what the proper way is to enable disk encryption with custom keys?
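The following is an added example, not part of the thread and not NVIDIA's tooling: a small POSIX sh check for the four key files that the posted example.sh feeds to gen_ekb.py, run before generating eks_t234.img. The sizes for sym_t234.key (32 bytes) and sym2_t234.key (16 bytes) follow from the openssl rand -hex 32 / -hex 16 lines in the posted script; the 32-byte size for oem_k1.key and the 16-byte size for fv_ekb_t234 are assumed here, and the function names check_hex_key / check_ekb_inputs are the example's own.

```shell
#!/bin/sh
# Added example (not NVIDIA's code): validate gen_ekb.py inputs before
# building a new eks_t234.img. A key file that is not hex, or has the
# wrong length, produces an EKB that OP-TEE cannot use at boot.

# check_hex_key FILE BYTES
# Returns 0 if the first line of FILE is exactly BYTES bytes of hex
# (2*BYTES hex characters, trailing newline ignored), 1 otherwise.
check_hex_key() {
    file=$1
    want=$(( $2 * 2 ))
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # echo "..." > file leaves a trailing newline; strip it, keep the rest
    value=$(head -n 1 "$file" | tr -d '\r\n')
    case "$value" in
        *[!0-9A-Fa-f]*|"") echo "not hex: $file" >&2; return 1 ;;
    esac
    [ ${#value} -eq "$want" ] || {
        echo "wrong length: $file has ${#value} hex chars, want $want" >&2
        return 1
    }
    return 0
}

# check_ekb_inputs DIR
# Checks all four T234 inputs in DIR. Assumed sizes: oem_k1.key 32 bytes,
# fv_ekb_t234 16 bytes, sym_t234.key 32 bytes (kernel key),
# sym2_t234.key 16 bytes (LUKS key). Reports every failure, returns 0
# only when all pass.
check_ekb_inputs() {
    dir=$1
    rc=0
    check_hex_key "$dir/oem_k1.key" 32 || rc=1
    check_hex_key "$dir/fv_ekb_t234" 16 || rc=1
    check_hex_key "$dir/sym_t234.key" 32 || rc=1
    check_hex_key "$dir/sym2_t234.key" 16 || rc=1
    return $rc
}

# Usage from the gen_ekb directory, guarding the gen_ekb.py call:
#   check_ekb_inputs . && python3 gen_ekb.py -chip t234 ...
```

A plain-text OEM_K1 value such as the one in the posted script is rejected by the "not hex" branch, which is the kind of input error the flashing tools do not report themselves.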
for working with customized keys, you’ll need to update the EKS image with your own keys.
may I know all the customized keys you’re using?
basically, you should follow the steps below to flash the target with disk encryption.
FYI, EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.
here’re steps for your reference.
assume you’re only using a customized sym2 key file.
(1) Modify the optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh for using non-zero key.
i.e. $ echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key to generate new eks image.
(2) since it’s Orin NX, you’ll need to generate a new sign/encrypt file, i.e. eks_t234_sigheader.img.encrypt
please copy sym2_t234.key and generated eks_t234.img to… $OUT/Linux_for_Tegra/bootloader/eks_t234.img
by executing the flash script locally, $ sudo ./flash.sh --no-flash -r -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1
note, the -r option skips building system.img and reuses the existing one.
this may fail if you have not run this flash command line before.
(4) run the command below to update the EKS partition individually for your Orin NX. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
Hi JerryChang, step 2 always fails with Reusing existing system.img... file does not exist. Also eks_t234_sigheader.img.encrypt doesn’t get updated.
Logs here - generate_image.log (18.1 KB)
When trying to flash new EKS I get another error and it is constant - flash_error.log (3.6 KB)
Could you point out what I am doing wrong? Attaching the commands here (assuming sym2_t234.key has the value b7a15a781ab258bae33a93069b1186ad):
P.S. I’ve tried to flash without regenerating eks_t234_sigheader.img.encrypt, using the test key. All works fine, so it’s not a cable problem; somehow one command broke the whole flashing process.
P.P.S. execution of $ sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1 (without -r) still gives this error
So, it turns out that this process is sensitive to build order. I’ve managed to flash the new EKS image and a new system on my Jetson. Here are my commands:
After that you need to put jetson in RM again and execute sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only. Jetson successfully boots and disk is encrypted.
But there is one thing I doubt: when the Jetson is booting it gives WARNING: Test key is in use. Is this normal, @JerryChang?
And another thing: there is always 59Gb of encrypted space. Is there a way to fill the whole disk during the flashing process and encrypt it?
you may review the xml file to revise the partition size.
for instance, please refer to the UDA partition’s size in the disk encryption configuration; it’s the flash configuration file flash_t234_qspi_sd_enc_rootfs_ab.xml.
hi JerryChang,
Unfortunately, I have no progress in extending the rootfs size on my nvme. This is the lsblk && cat /sys/block/nvme0n1/size output with the flashing commands, without edits to flash_l4t_t234_nvme_rootfs_enc.xml
please check $OUT/Linux_for_Tegra$ vim tools/kernel_flash/README_initrd_flash.txt for samples.
you may also see Workflow 10, which adds -S <APP-size> to specify the rootfs size.
[ 4.9803 ] End sector for APP_ENC, expected at: 122159070, actual: 0
Error: Return value 4
Command tegraparser_v2 --generategpt --pt flash.xml.bin
Error: /home/user/Desktop/Linux_for_Tegra/bootloader/signed/flash.idx is not found
Error: failed to relocate images to /home/user/Desktop/Linux_for_Tegra/tools/kernel_flash/images
And when flashing:
[ 3.5350 ] End sector for APP_ENC, expected at: 122159070, actual: 0
Error: Return value 4
Command tegraparser_v2 --generategpt --pt flash.xml.bin
Cleaning up...
Do you know what could be the reason?
UPD: no results. I think my problem is out of topic, so I am closing it.