Disk Encryption of External sda in Jetson AGX Xavier (RS32.7.1 js4.6.1)

Hello,
I have another question about luks_key. How can I confirm which passphrase was generated, or whether both were generated, and whether this passphrase can be used to unlock the encrypted disk? Also I want to know where I can get the ECID.


Thanks

If possible, can you add "--showlogs" to your flash command to show the log and put it here?

Also, I think for the first attempt you did, it probably is encrypted. However, it seems Cboot cannot boot from the sda, so it does not unlock partition /dev/sda2. You can check this by using the command:

sudo lsblk

to see if the file system on /dev/sda2 is a LUKS file system.

In case you want to continue to boot from mmcblk0p1 and want to unlock /dev/sda2, you can follow the instructions in the section "To modify initrd to unlock additional encrypted file systems" to unlock it upon boot.
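As an added check (example code, not from this thread or from NVIDIA's tools) for the lsblk step above, this classifies a partition from "lsblk -P" output so that "LUKS but not unlocked by Cboot" can be told apart from "not encrypted at all"; the sample device list and the crypt_root mapper name are constructed.

```shell
#!/bin/sh
# Added example: classify a partition as not-luks / locked / unlocked from
# `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` output. A LUKS partition
# that Cboot/initrd did not open has FSTYPE crypto_LUKS but no crypt child.
# Usage: luks_state sda2            (queries lsblk on a real device)
#        luks_state sda2 "$text"    (parses captured lsblk -P output)
luks_state() {
    part="$1"
    out="${2:-$(lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT)}"
    printf '%s\n' "$out" | awk -v p="$part" '
        {
            # Split one KEY="value" ... line into kv[KEY] = value
            split("", kv); line = $0
            while (match(line, /[A-Z]+="[^"]*"/)) {
                pair = substr(line, RSTART, RLENGTH)
                eq = index(pair, "=")
                kv[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            # The partition itself carries a LUKS header...
            if (kv["NAME"] == p && kv["FSTYPE"] == "crypto_LUKS") luks = 1
            # ...and an opened container appears as a TYPE="crypt" child of it
            if (kv["PKNAME"] == p && kv["TYPE"] == "crypt") open = 1
        }
        END {
            if (!luks) { print "not-luks"; exit 2 }
            if (!open) { print "locked";   exit 1 }
            print "unlocked"; exit 0
        }'
}

# Constructed sample: eMMC root plus an external sda flashed with ROOTFS_ENC=1,
# where the APP_ENC partition (sda2) was never unlocked at boot.
SAMPLE_LOCKED='NAME="mmcblk0p1" PKNAME="mmcblk0" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT=""
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""'

# Same disk after the initrd opened sda2 (constructed mapper name crypt_root).
SAMPLE_UNLOCKED="$SAMPLE_LOCKED
NAME=\"crypt_root\" PKNAME=\"sda2\" TYPE=\"crypt\" FSTYPE=\"ext4\" MOUNTPOINT=\"/\""

for p in sda1 sda2; do
    state=$(luks_state "$p" "$SAMPLE_LOCKED") || :   # non-zero unless unlocked
    echo "$p before unlock: $state"                   # not-luks / locked
done
state=$(luks_state sda2 "$SAMPLE_UNLOCKED") || :
echo "sda2 after unlock: $state"                      # unlocked
```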

Hi,
I'm very sorry to get back to you only now. Thank you very much for your help.
I made some other attempts; below are my steps.
First, I followed this guide:


Command run:

sudo ROOTFS_ENC=1 ./nvsdkmanager_flash.sh -u rsa_priv.pem -v sbk.key --storage sda1

and this is my log:
encryptlog (141.5 KB)
This is my environment (30G sda).

And where is the section "To modify initrd to unlock additional encrypted file systems" to unlock it upon boot?

Can you look here:

To modify initrd to unlock additional encrypted file systems

https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3261/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/bootloader_disk_encryption.html#wwpID0E0IE0HA

The content was mistakenly removed for 32.7.1.

Hello, I tried another command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u rsa_priv.pem -v sbk.key -k eks --external-device sda1   -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB  --erase-all --network usb0  --showlogs jetson-xavier external

and the flash_l4t_nvme_rootfs_enc.xml shows the following:
flash_l4t_nvme_rootfs_enc.xml (9.1 KB)
Is there anything here I need to change?

Or do I need to use bootloader/t186ref/cfg/flash_t194_sdmmc_enc_rfs.xml?

And I really wonder about the password that is used for decrypting the internal disk. How can I get the password?


And to encrypt the external disk, do I need the "-k eks" option?
Thank you

Please follow the comments in Disk Encryption of External sda in Jetson AGX Xavier (RS32.7.1 js4.6.1) - #10 by lhoang

to modify the initrd on the device to unlock the encrypted file system.

The passphrases are generated by the device programmatically upon boot.

This command is ok

These two commands are correct.

sudo ROOTFS_ENC=1 ./nvsdkmanager_flash.sh -u rsa_priv.pem -v sbk.key

Then after this you need to modify the initrd to unlock the encrypted file system.

Hello, thank you so much for your reply.
But as you said:

The passphrase are generated by the device programmatically upon boot
does it mean I can't get the passphrase as a plain key?
However, as I see in the two guides:



Can I get the passphrase from the script, or will I not be able to open the LUKS disk if I unmount it?
Thank you

You can try to retrieve the password during flashing time. The keys are generated by the functions build_enc_fsimg() and build_enc_root_fsimg() in Linux_for_Tegra/tools/disk_encryption/disk_encryption_helper.func. In particular, the passwords are generated by running this code snippet in the disk_encryption_helper.func file: eval ${GEN_LUKS_PASS_CMD}

I think you can modify the script slightly to save the passwords into a file if you want. Note that each time you flash with the ROOTFS_ENC=1 option there will be two keys generated: one for the APP_ENC partition and one for the UDA partition.

Sorry for replying so late; the flashing is so slow,
and the error shows at the end. I don't know why.
I replaced the sda (30G) with an sda (500G),
and this is my command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u rsa_priv.pem -v sbk.key --external-device sda1   -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 35GiB  --erase-all --network usb0  --showlogs jetson-xavier external

This is my flash_l4t_nvme_rootfs_enc.xml:
flash_l4t_nvme_rootfs_enc.xml (9.1 KB)

The error is here:

Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:0::2
8388608
[ 0]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /mnt/external/flash.idx
Number of lines is 15
max_index=14
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, 39929e91afe4085ea4f73bbbc31e32558c076d3c
Writing primary_gpt partition with gpt_primary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/mnt/external/gpt_primary_9_0.bin of=/dev/sda bs=1 skip=0  seek=512 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0.0435301 s, 388 kB/s
Writing primary_gpt partition done
Error: The backup GPT table is corrupt, but the primary appears OK, so that will be used.
Warning: Not all of the space available to /dev/sda appears to be used, you can fix the GPT to use all of the space (an extra 347627567 blocks) or continue with the current setting? 
Writing secondary_gpt partition with gpt_secondary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/mnt/external/gpt_secondary_9_0.bin of=/dev/sda bs=1 skip=0  seek=322122530304 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0.0317244 s, 533 kB/s
Writing secondary_gpt partition done
Fix/Ignore? Fix                                                           
Error: The backup GPT table is not at the end of the disk, as it should be.  Fix, by moving the backup to the end (and removing the old backup)?
Warning: Not all of the space available to /dev/sda appears to be used, you can fix the GPT to use all of the space (an extra 347627567 blocks) or continue with the current setting? 
Fix/Ignore? Fix                                                           
Model: Samsung Portable SSD T5 (scsi)
Disk /dev/sda: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name               Flags
 1      20.5kB  419MB   419MB   ext4         APP                msftdata
 2      419MB   38.7GB  38.2GB               APP_ENC            msftdata
 3      38.7GB  38.7GB  66.1MB               recovery           msftdata
 4      38.7GB  38.7GB  524kB                recovery-dtb       msftdata
 5      38.7GB  38.7GB  65.5kB               kernel-bootctrl    msftdata
 6      38.7GB  38.7GB  65.5kB               kernel-bootctrl_b  msftdata
 7      38.7GB  38.8GB  83.9MB               kernel             msftdata
 8      38.8GB  38.9GB  83.9MB               kernel_b           msftdata
 9      38.9GB  38.9GB  524kB                kernel-dtb         msftdata
10      38.9GB  38.9GB  524kB                kernel-dtb_b       msftdata
11      38.9GB  39.2GB  315MB                RECROOTFS          msftdata
12      39.2GB  322GB   283GB                UDA                msftdata

[ 2]: l4t_flash_from_kernel: Expanding last partition to fill the storage device
[ 2]: l4t_flash_from_kernel: Successfully create gpt for external device
[ 2]: l4t_flash_from_kernel: Starting to flash to external device
Active index file is /mnt/external/flash.idx
Number of lines is 15
max_index=14
writing item=0, 9:0:master_boot_record, 0, 512, mbr_9_0.bin, 512, fixed-<reserved>-0, 694898d1c345bdb31b377790ed7fc0b0db184bf7
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, 39929e91afe4085ea4f73bbbc31e32558c076d3c
writing item=2, 9:0:APP, 20480, 419430400, , , fixed-<reserved>-1, 
Formatting APP partition /dev/sda1 ...
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 409600 1k blocks and 102400 inodes
Filesystem UUID: b8486d89-68ea-47ba-8dc5-3f02b398a248
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done 

Formatting APP parition done
Formatting APP partition /dev/sda1 ...
tar --xattrs -xpf /mnt/external/system_boot.img  --checkpoint=10000 --warning=no-timestamp --numeric-owner  -C  /tmp/ci-mgqpmzQHXc
writing item=3, 9:0:APP_ENC, 419450880, 38235275264, system_root_encrypted.img_ext, 6063895200, fixed-<reserved>-2, 
Writing APP_ENC partition with system_root_encrypted.img_ext
Get size of partition through connection.
blkdiscard /dev/sda2
blkdiscard: /dev/sda2: BLKDISCARD ioctl failed: Operation not supported
Cannot erase using blkdiscard. Write zero to partition /dev/sda2
dd if=/dev/zero of=/dev/sda2
38235102208 bytes (38 GB, 36 GiB) copied, 12676 s, 3.0 MB/s
dd: writing to '/dev/sda2': No space left on device
74678273+0 records in
74678272+0 records out
38235275264 bytes (38 GB, 36 GiB) copied, 12676.1 s, 3.0 MB/s
[ 12689]: l4t_flash_from_kernel: ERROR simg2img not found! To install - please run: "sudo apt-get install 	simg2img" or "sudo apt-get install android-tools-fsutils"
[ 12689]: l4t_flash_from_kernel: Error: /mnt/internal/flash.idx is not found
[ 12689]: l4t_flash_from_kernel: The device size indicated in the partition layout xml is smaller than the actual size. This utility will try to fix the GPT.
[ 12689]: l4t_flash_from_kernel: Error flashing qspi
[ 12689]: l4t_flash_from_kernel: Error flashing external device
Cleaning up...

Why does it show I have no space? Where do I need to modify?
Thank you

Do you have to use a USB drive for disk encryption? Because USB does not support the fast erase command, unlike an SSD, it will take quite a long time to fully erase a partition before it can start writing the data.

Thanks for your reply.
I did use a USB drive, if that affects my flashing.
At the moment I tried changing -S 35G to -S 8G and installed simg2img, but it still failed:

Formatting APP parition done
Formatting APP partition /dev/sda1 ...
tar --xattrs -xpf /mnt/external/system_boot.img  --checkpoint=10000 --warning=no-timestamp --numeric-owner  -C  /tmp/ci-foUKJ5tzhD
writing item=3, 9:0:APP_ENC, 419450880, 8170504192, system_root_encrypted.img_ext, 5392061680, fixed-<reserved>-2, 
Writing APP_ENC partition with system_root_encrypted.img_ext
Get size of partition through connection.
blkdiscard /dev/sda2
blkdiscard: /dev/sda2: BLKDISCARD ioctl failed: Operation not supported
Cannot erase using blkdiscard. Write zero to partition /dev/sda2
dd if=/dev/zero of=/dev/sda2
8169992192 bytes (8.2 GB, 7.6 GiB) copied, 2720 s, 3.0 MB/s
dd: writing to '/dev/sda2': No space left on device
15958017+0 records in
15958016+0 records out
8170504192 bytes (8.2 GB, 7.6 GiB) copied, 2720.18 s, 3.0 MB/s
[ 2733]: l4t_flash_from_kernel: Error: /mnt/internal/flash.idx is not found
[ 2733]: l4t_flash_from_kernel: The device size indicated in the partition layout xml is smaller than the actual size. This utility will try to fix the GPT.
[ 2733]: l4t_flash_from_kernel: ERROR simg2img not found! To install - please run: "sudo apt-get install 	simg2img" or "sudo apt-get install android-tools-fsutils"
[ 2733]: l4t_flash_from_kernel: Error flashing qspi
[ 2733]: l4t_flash_from_kernel: Error flashing external device
Cleaning up...

The error means you have to install simg2img into the Linux_for_Tegra/rootfs folder.
You can find its source code here:

You can manually build the aarch64 version of it and put the simg2img binary into Linux_for_Tegra/rootfs/bin

Or you can download simg2img from Release build for aarch64 · anhmiuhv/android-simg2img · GitHub and put it into Linux_for_Tegra/rootfs/bin as well

Thanks,
I used step 2: downloaded it and ran sudo cp simg2img Linux_for_Tegra/rootfs/bin

to install simg2img, and ran the command again,
but it seems something is wrong and needs to be solved first:

Formatting APP parition done
Formatting APP partition /dev/sda1 ...
tar --xattrs -xpf /mnt/external/system_boot.img  --checkpoint=10000 --warning=no-timestamp --numeric-owner  -C  /tmp/ci-GeAbSX7IF1
writing item=3, 9:0:APP_ENC, 419450880, 8170504192, system_root_encrypted.img_ext, 5392172224, fixed-<reserved>-2, 
Writing APP_ENC partition with system_root_encrypted.img_ext
Get size of partition through connection.
blkdiscard /dev/sda2
blkdiscard: /dev/sda2: BLKDISCARD ioctl failed: Operation not supported
Cannot erase using blkdiscard. Write zero to partition /dev/sda2
dd if=/dev/zero of=/dev/sda2
8168994816 bytes (8.2 GB, 7.6 GiB) copied, 2729 s, 3.0 MB/s
dd: writing to '/dev/sda2': No space left on device
15958017+0 records in
15958016+0 records out
8170504192 bytes (8.2 GB, 7.6 GiB) copied, 2729.52 s, 3.0 MB/s
simg2img /mnt/external/system_root_encrypted.img_ext /dev/sda2
/mnt/l4t_flash_from_kernel.sh: line 665: /bin/simg2img: Permission denied
[ 2742]: l4t_flash_from_kernel: The device size indicated in the partition layout xml is smaller than the actual size. This utility will try to fix the GPT.
[ 2742]: l4t_flash_from_kernel: simg2img /mnt/external/system_root_encrypted.img_ext /dev/sda2 failed
[ 2742]: l4t_flash_from_kernel: Error: /mnt/internal/flash.idx is not found
[ 2742]: l4t_flash_from_kernel: Error flashing qspi
[ 2742]: l4t_flash_from_kernel: Error flashing external device
Cleaning up...

thanks

I think you need to add execute permission to the simg2img binary:

sudo chmod +x simg2img

Also, there is a minor bug in this version that is fixed in JetPack 5.0. You can fix it by modifying this code snippet in Linux_for_Tegra/tools/kernel_flash/l4t_flash_from_kernel.sh from

function is_spi_flash
{
	if [ ! -f "${FLASH_INDEX_FILE}" ];then
		print_at_end "Error: ${FLASH_INDEX_FILE} is not found"
		exit 1
	fi

to

function is_spi_flash
{
	if [ ! -f "${FLASH_INDEX_FILE}" ];then
		print_at_end "Error: ${FLASH_INDEX_FILE} is not found"
		return 1
	fi

exit 1 should be return 1.

Also looking back, I think you should run these two commands:

sudo ROOTFS_ENC=1 ./nvsdkmanager_flash.sh -u rsa_priv.pem -v sbk.key

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u rsa_priv.pem -v sbk.key -k eks --external-device sda1   -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB --network usb0  --showlogs jetson-xavier external

The second command should not have the "--erase-all" option.
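An added illustration (example code, not NVIDIA's l4t_flash_from_kernel.sh) of why the exit-versus-return fix above matters for an --external-only flash, where /mnt/internal/flash.idx does not exist: print_at_end is a stand-in for the L4T helper of the same name, and the index paths used are constructed and nonexistent.

```shell
#!/bin/sh
# Added example: with `exit 1` a missing index file terminates the whole
# calling script (the flash aborts); with `return 1` the caller can skip the
# QSPI step and continue with the external device.
print_at_end() { printf '%s\n' "$*" >&2; }   # stand-in for the L4T helper

# Buggy form from the thread: `exit` leaves the calling shell, not just
# this function.
is_spi_flash_buggy() {
    FLASH_INDEX_FILE="$1"
    if [ ! -f "${FLASH_INDEX_FILE}" ]; then
        print_at_end "Error: ${FLASH_INDEX_FILE} is not found"
        exit 1
    fi
    return 0
}

# Fixed form: the missing file becomes a status the caller can test.
is_spi_flash_fixed() {
    FLASH_INDEX_FILE="$1"
    if [ ! -f "${FLASH_INDEX_FILE}" ]; then
        print_at_end "Error: ${FLASH_INDEX_FILE} is not found"
        return 1
    fi
    return 0
}

# Simulates the flow: run the given is_spi_flash variant against an index
# path, then the external-device step. Returns 0 if the external step was
# reached, 1 if the check killed the flow. A subshell isolates any `exit`.
external_only_flow() {
    fn="$1"; idx="$2"
    steps=$(
        if "$fn" "$idx" 2>/dev/null; then echo qspi; else echo skip-qspi; fi
        echo external
    ) || :
    case "$steps" in
        *external*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo with a constructed, nonexistent index path (host has no /mnt/internal)
if external_only_flow is_spi_flash_fixed /nonexistent/flash.idx; then
    echo "return 1: flash continues to the external device"
fi
if ! external_only_flow is_spi_flash_buggy /nonexistent/flash.idx; then
    echo "exit 1: whole flash aborted"
fi
```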