Disk encryption jetson orin nano

I have read a lot of disk-encryption-related topics in the forums and tried different steps, but it gets stuck at a black screen after showing boot.

I’m not able to provide UART log at the moment, only console log available.

I use the optee ./sample.sh to generate sym2_t234.key, remove eks_t234.img from bootloader, and copy the newly generated one from optee into bootloader.

step 1
sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" cti/orin-nano/boson-orin/fsm-imx678-2cam mmcblk0p1
log1.log (21.0 KB)

step 2
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0
log2.log (181.3 KB)

step 3
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam external
log3.log (141.4 KB)

step 4
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
log4.log (40.5 KB)

Hi @mrcloud,

This should be posted in the Jetson forums. I will move it so the Jetson team has visibility.


please refer to the topic below also,

Hi Jerry,

So actually optee is not required? Generate random sym, sym2, eks_t234.img?
Just randomly generate ekb.key?

hello mrcloud,

these user keys are specified in the EKS image, i.e. eks_t234.img.
for instance, there is an op-tee example, optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh, to generate the EKS image.
during boot-up, a trusted service (OP-TEE OS) retrieves the user keys from eks_t234.img and loads the keys into keyslots for decryption.
please see also the developer guide, Encrypted Keyblob Generation and Device Provisioning.

EKB (Encrypted Binary Blob) stores two keys: one is the kernel encryption key (sym_key_file), and the other is the LUKS key (sym2_key_file) for disk encryption support.
for LUKS disk encryption support with a specific key, you should execute the script file gen_ekb.py to generate an image. also, the OP-TEE section of the developer guide, [Tool for EKB Generation], states that sym2.key is equivalent to ekb.key.

Hi Jerry,

I would like to double-confirm the steps of using an openssl-generated key with gen_ekb to flash.

after generating sym2_t234.key and eks_t234.img:

  1. copy sym2_t234.key

  2. remove the existing eks_t234.img and replace it with the new eks_t234.img in bootloader.

  3. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

log1.log (181.1 KB)

  4. sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

log2.log (130.6 KB)

  5. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

but at step 5, I am facing some errors.
log3.log (7.5 KB)

hello mrcloud,

it looks like the EKS image did not update correctly.
according to the log file, i.e. log1.log (181.1 KB), recap as below.

Existing eksfile(/home/cf/Downloads/flash8/Linux_for_Tegra/bootloader/eks_t234.img) reused.

[  16.9515 ] Copying eks_t234_sigheader.img.encrypt to /home/cf/Downloads/flash8/Linux_for_Tegra/bootloader/signed
[  16.9523 ] Signed file: /home/cf/Downloads/flash8/Linux_for_Tegra/bootloader/signed/eks_t234_sigheader.img.encrypt

Copying /home/cf/Downloads/flash8/Linux_for_Tegra/bootloader/signed/eks_t234_sigheader.img.encrypt  /home/cf/Downloads/flash8/Linux_for_Tegra/tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt

could you please refer to Topic 270934 for the two-step approach: create an image with flash.sh, then run l4t_initrd_flash.sh for the EKS partition update.

I think @mrcloud has a point. Can you please establish a step-by-step guide for a perfect disk encryption on any device …

Hi Jerry,

I’m still not successful.

Steps as below:

  1. only generate sym2_t234 with openssl random

  2. cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./sym2_t234.key

  3. rm ./bootloader/eks_t234.img

  4. cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img ./bootloader/eks_t234.img

  5. sudo ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1
    log1.log (21.4 KB)

  6. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam internal
    log2.log (179.9 KB)

  7. sudo cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt

  8. sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam external
    log3.log (140.6 KB)

  9. sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
    log4.log (12.6 KB)

During device boot, there is an error “Could not detect network connection”.

hello mrcloud,

please re-run steps (4), (5), (7) and (9), and share the UART logs for reference.
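The log line "Existing eksfile(...) reused" above is the symptom of a stale EKB being picked up. The following pre-flight check, an added example and not part of NVIDIA's tooling or this thread, verifies before the l4t_initrd_flash.sh steps that bootloader/eks_t234.img is the freshly generated EKB, that the key passed with -i is the same sym2_t234.key the EKB was built from, and that the staged eks_t234_sigheader.img.encrypt under tools/kernel_flash/images/internal is newer than that EKB. It assumes $1 is the Linux_for_Tegra directory and $2 is the gen_ekb output directory.

```shell
#!/usr/bin/env bash
# Pre-flight check for the EKS/LUKS key staging described in the thread.
# Assumed layout: $1 = Linux_for_Tegra, $2 = gen_ekb output dir (both assumptions).
set -u

sha() { sha256sum "$1" | cut -d' ' -f1; }

check_eks_staging() {
  l4t="$1"; gen="$2"; rc=0
  new_eks="$gen/eks_t234.img"                      # freshly generated EKB
  bl_eks="$l4t/bootloader/eks_t234.img"            # copy flash.sh will sign
  staged="$l4t/tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt"
  key_for_flash="$l4t/sym2_t234.key"               # file passed with -i
  key_from_gen="$gen/sym2_t234.key"                # key the EKB was built from

  # 1. bootloader/eks_t234.img must be byte-identical to the new EKB,
  #    otherwise flash.sh reports "Existing eksfile ... reused".
  if [ ! -f "$bl_eks" ] || [ "$(sha "$bl_eks")" != "$(sha "$new_eks")" ]; then
    echo "FAIL: bootloader/eks_t234.img is not the newly generated EKB" >&2; rc=1
  fi
  # 2. the LUKS key given to l4t_initrd_flash.sh must match the EKB's sym2 key.
  if [ ! -f "$key_for_flash" ] || ! cmp -s "$key_for_flash" "$key_from_gen"; then
    echo "FAIL: sym2_t234.key passed with -i differs from the EKB's sym2 key" >&2; rc=1
  fi
  # 3. the key file is expected to be a single line of hex digits.
  if ! grep -Eq '^[0-9a-fA-F]+$' "$key_for_flash" 2>/dev/null; then
    echo "FAIL: sym2_t234.key is not a plain hex string" >&2; rc=1
  fi
  # 4. the signed/encrypted EKS image staged for the initrd flash must be
  #    newer than the EKB it was produced from (i.e. re-signed after the copy).
  if [ ! -f "$staged" ] || [ "$staged" -ot "$bl_eks" ]; then
    echo "FAIL: staged EKS image missing or older than bootloader/eks_t234.img" >&2; rc=1
  fi
  return $rc
}
```

Run it from Linux_for_Tegra as `check_eks_staging . ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb` before step 6; any FAIL line means the flash would carry a stale EKB or a mismatched LUKS key.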

