Disk Encryption for AGX Orin with prompt asking for passphrase

I have Use Case for AGX Orin Developer Kit, where I do not implement Secured Boot, only need Full Disk Encryption on the flash device (mmcblk0p1). I need the system upon boot up, displays a prompt asking user to enter passphrase to decrypt the file system and continue the boot process. Similar concept as in BitLocker for Windows or LUKS in Ubuntu desktop machine. I am using Jetson Linux R35.X and follows Disk Encryption instruction to flash to Orin using the default ekb.key file:

The disk encryption key in the EKB partition:

This key is defined in example.sh too to generate the EKS image

$ echo “f0e0d0c0b0a001020304050607080900” > ekb.key
$ sudo ROOTFS_ENC=1 ./flash.sh -i “./ekb.key”

As the system boot up, it automatically decrypted the filesystem and finish the boot up process. I verified that the file system is decrypted and mapped. However, how do I remove the automatic decryption process and intercept it with a prompt for passphrase.
Thank you for your help.

hello james.dinh,

this is not supported at the moment.

Thank you Jerry for your reply. I tried to find a way to implement that solution myself. I extracted the initrd image and view the init script, which handle the decryption of the disk. Here is the code snippet:

Unlock the encrypted dev

nvluks-srv-app -u -c “${crypt_disk_uuid}” | LD_LIBRARY_PATH=“/lib/cryptsetup”
/sbin/cryptsetup luksOpen “${enc_dev}” “${enc_dm_name}”;

Look like the nvluks-srv-app take the input of disk uuid and generate the passpharse for the luksOpen command. Would you point where I can find the source code for the nvluks-srv-app executable. If I would implement the use case of intercepting the boot sequence to ask for passphrase, is the init script in initrd the script I need to modify?

hello james.dinh,

you may visit L4T page, jetson-linux-r3541 to download [Driver Package (BSP) Sources] package.
please extract atf_src.tbz2 and nvidia-jetson-optee-source.tbz2 sources, and you’ll see luks-srv samples.
for instance, $public_sources/atf_and_optee/optee/samples/luks-srv/README

(1) luks_srv_ca.c it doesn’t “generate” the unique passphrase, it sends the request to luks TA, TA generates the passphrase. If you go along the code path, you’ll find actually luks TA doesn’t generate the passphrase as well because it doesn’t know the disk encryption key, the jetson user key PTA finally does the key generation,
i.e. invoke_jetson_user_key_pta

(2) you may using the command gunzip -c l4t_initrd.img | cpio -id to extract the initrd image, you’ll find a script named “init” in it.