Data encryption on AGX Jetson Orin

I can’t get a grip on how to make disk encryption work. I have a Jetson NX Orin 64GB and I use a 1 TB NVMe and an Auvidea X230D board and JetPack 5.1.1 or 5.1.2 (whichever is best).
I would like to use disk encryption on the NVMe (alternatively on a partition in the internal storage). How should I do it? I couldn’t manage to make it work with what I found in the documentation.
Thanks in advance.

Hello @michele.marchiani,

How is everything going?

May we ask, what have you tried so far?

So we can maybe review other possible options or the process you followed.

regards,
Andrew

Hi michele.marchiani,

Since you are using the custom carrier board, are you using the custom BSP package released from your vendor?

Are you booting from NVMe SSD?

Have you referred to the following instruction to enable disk-encryption for your NVMe SSD?

I have tried this lately:

a. create default key
$ echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key

b. create internal
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-agx-orin-devkit internal

c. create external
(you may specify 461373440 for num_sectors in <base BSP>/tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml)
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -S 100GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-agx-orin-devkit external

d. flash both
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

But it gets stuck at point d in ‘Waiting for target to boot-up’.
I tried following the README_initrd_flash.txt with no luck.

Thanks in advance.

Yes I’m using the custom BSP package. I have no trouble flashing it both from emmc and nvme without using disk encryption, the problems start when I try to use it.
Which ‘following instruction’?

Hello @michele.marchiani,

Thanks for getting back and sharing the details of the process you are currently following.

First we would suggest following this NVIDIA Documentation on how to enable disk encryption. There are a couple extra steps in there you might be missing. For instance, modifying the config file used to flash to set encrypted attribute of APP_ENC to true.

Please let us know once you verify if all the steps are being completed. If you still have issues, we could dig a bit deeper into the issue.

In the meantime, you could share your boot logs so we can review them.

regards,
Andrew

Sorry for missing the link.
Disk Encryption — Jetson Linux Developer Guide documentation (nvidia.com)

You may also refer to the following thread to enable disk encryption, which has been verified from us.
Disk Encryption on Orin NX NVMe Not working - #22 by JerryChang

Please check the serial console log at this moment.

Why do you use the board config of AGX Orin for your Orin NX module?
Which module you are using…?

Please also share the result of the following command on your board for further check.

$ cat /etc/nv_boot_control.conf

Oh sorry. We are using an AGX Orin.

This is the result of `cat /etc/nv_boot_control.conf`:

```
TNSPEC 3701-500-0004-L.0-1-1-auvidea-agx-orin-
COMPATIBLE_SPEC 3701--0004--1--auvidea-agx-orin-
TEGRA_LEGACY_UPDATE false
TEGRA_BOOT_STORAGE mmcblk0
TEGRA_EMMC_ONLY false
TEGRA_CHIPID 0x23
TEGRA_OTA_BOOT_DEVICE /dev/mtdblock0
TEGRA_OTA_GPT_DEVICE /dev/mtdblock0
```
I am now working on activating serial console log.

complete_try.txt (42.5 KB)
This is the boot logs from all the commands I posted earlier where at the end it doesn’t boot and gets stuck at ‘Waiting for target to boot-up’.

after_boot_try.txt (56.9 KB)

It then boots and produces this log but only after the flash process stops.

Please let me know if this is the type of log you were asking. I’ll keep trying following the guides you gave me but I still find it hard to follow them. I do not know exactly what operation and commands to execute.

Thanks again for your help,
Michele

I’ve moved your topic to the correct category for AGX Orin.

It seems you boot up stuck in UEFI.

And it enters into recovery kernel.

Can you simply try to enable disk-encryption for internal eMMC with the following command? (remove NVMe SSD first)

$ sudo ROOTFS_ENC=1 ./flash.sh jetson-agx-orin-devkit mmcblk0p1

I tried this command, the flash process worked but then the Jetson fails to boot (it doesn’t even reach the white NVIDIA boot page). Here’s the boot log. Thank you again for your help.
boot_logs.txt (85.4 KB)

[   13.137066] ERROR: fail to unlock the encrypted dev /dev/mmcblk0p2.
[   13.146770] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00

It seems it failed to unlock the encrypted partition, so there’s a kernel panic.

Okay, you also have to specify the key during flash as follows:

$ sudo ROOTFS_ENC=1 ./flash.sh jetson-agx-orin-devkit -i "./disk_enc.key" mmcblk0p1

You can refer to Disk Encryption — NVIDIA Jetson Linux Developer Guide 1 documentation for detailed steps for this.
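After flashing with ROOTFS_ENC=1 and the -i key file as above, the question that remains is whether the booted system really runs from the unlocked encrypted partition rather than from a plain one. The following is an added example, not code from the thread or from NVIDIA's BSP: it parses an lsblk listing and checks that "/" is mounted from a dm-crypt mapping. It assumes util-linux lsblk with the PKNAME column; the mapper name crypt_root and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): confirm on the booted Jetson that "/"
# is mounted from a dm-crypt mapping (the encrypted APP partition unlocked at
# boot) and not straight from the plain partition. Assumes util-linux lsblk
# with the PKNAME column; the mapper name crypt_root is a constructed sample.

# Takes a raw lsblk listing (columns NAME TYPE MOUNTPOINT PKNAME, no header).
# Prints "<mapper> on <parent>" and returns 0 when "/" is a crypt device,
# 1 when "/" is on a plain partition, 2 when no "/" mount is listed.
root_is_encrypted() {
    printf '%s\n' "$1" | awk '
        $3 == "/" { rootname = $1; roottype = $2; parent = $4 }
        END {
            if (roottype == "")       exit 2
            if (roottype != "crypt")  exit 1
            printf "%s on %s\n", rootname, parent
            exit 0
        }'
}

# Constructed listings in the shape of: lsblk -rn -o NAME,TYPE,MOUNTPOINT,PKNAME
# (empty columns print as nothing, so only the root line is parsed by position).
ENCRYPTED_SAMPLE='mmcblk0 disk
mmcblk0p1 part  mmcblk0
mmcblk0p2 part  mmcblk0
crypt_root crypt / mmcblk0p2'

PLAIN_SAMPLE='mmcblk0 disk
mmcblk0p1 part / mmcblk0
mmcblk0p2 part  mmcblk0'

NO_ROOT_SAMPLE='nvme0n1 disk
nvme0n1p1 part  nvme0n1'

# Live check; meaningful only on the target. The status is captured with
# "|| status=$?" so the script also behaves under "set -e".
if command -v lsblk >/dev/null 2>&1; then
    status=0
    root_is_encrypted "$(lsblk -rn -o NAME,TYPE,MOUNTPOINT,PKNAME 2>/dev/null)" \
        || status=$?
    case $status in
        0) echo "OK: root filesystem is on a dm-crypt mapping" ;;
        1) echo "WARNING: root filesystem is on a plain, unencrypted partition" ;;
        *) echo "WARNING: no / mount found in lsblk output" ;;
    esac
fi
```

A "WARNING" on a board that was flashed with encryption means the rootfs came up from the plain partition (or from the recovery kernel), which is the situation behind the "fail to unlock the encrypted dev" panic quoted earlier in this thread.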

The documentation refers to the OP-TEE library but following the link in OP-TEE: Open Portable Trusted Execution Environment — Jetson Linux Developer Guide documentation I cannot find the file referenced in the flashing Jetson Orin section, for example $ cd optee/samples/hwkey-agent/host/tool/gen_ekb/ . Where can I download the right library to use custom key?
Using this line: $ sudo ROOTFS_ENC=1 ./flash.sh jetson-agx-orin-devkit -i "./disk_enc.key" mmcblk0p1 we managed to make it work secured. The next step would be to use a custom key, how can we accomplish that?
Again thanks for your help.

There should be a script (example.sh) under optee/samples/hwkey-agent/host/tool/gen_ekb/ available to be used to generate the EKS image.

You can refer to atf_and_optee_README.txt for detailed steps.