Disk Encryption: fail to unlock the encrypted dev /dev/nvme0n1p2


I’m using a Jetson Orin Nano Devkit with JetPack SDK 5.1.2 and BSP 35.4.1. An Ubuntu 20.04 Linux host. OpTee from https://developer.nvidia.com/embedded/l4t/r35_release_v1.0/sources/public_sources.tbz2. Samsung 960 Pro NVME. There is no SDCard plugged in during this entire process.

I am trying to get disk encryption working with the default/test fuse keys with the OpTee image generated by example.sh on an NVME before I then get it working with custom keys with secure boot enabled. Everything appears to correctly flash, but I am left with a Jetson that boots to NVME with a blinking cursor followed by a black screen and then it restarts and repeats. I’ve copied the commands and the output below.

For some reason it can’t decrypt /dev/nvme0n1p2 but I believe I am using the correct keys, images and commands and everything completes successfully.

sudo systemctl stop udisks2
sudo -s echo -1 > /sys/module/usbcore/parameters/autosuspend
apt-get install cryptsetup
mkdir tmp
cd tmp
wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/jetson_linux_r35.4.1_aarch64.tbz2
tar xvf jetson_linux_r35.4.1_aarch64.tbz2
wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2
sudo tar xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs/
tar xvf public_sources.tbz2
cd Linux_for_Tegra/source/public/
tar xvf nvidia-jetson-optee-source.tbz2
cd ./optee/samples/hwkey-agent/host/tool/gen_ekb/
cd ../../../../../../../../../Linux_for_Tegra/
mv bootloader/eks_t234.img bootloader/eks_t234.img.bak
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img bootloader/eks_t234.img
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key sym2_t234.key
sudo ./apply_binaries.sh
# Modify NUM_SECTORS in ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml
# Put Jetson Orin Nano Devkit into recovery mode and plug it in
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
# Unplug Jetson Orin Nano Devkit into recovery mode and plug it in
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 60GiB --external-only --append --network usb0 jetson-orin-nano-devkit external
# Unplug Jetson Orin Nano Devkit into recovery mode and plug it in
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only





Don’t replace bootloader/eks_t234.img if you want to use an unfused system.
