Disk Encryption of External sda in Jetson AGX Xavier (R32.7.1, JetPack 4.6.1)

Hello lhoang,
I notice that if someone gets the UUID and the ECID, maybe he can get the password by using "gen_luks_passphrase.py", can he? Does the initrd_flash have some options like "./flash.sh -i ekb" to enhance security?
Thank you.

I tried flashing with this command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 30GiB --network  eth0:192.168.2.3/24:192.168.2.2 --showlogs jetson-agx-xavier-devkit external

It flashes successfully, but the device reboots again and again.
My flash log and debug log are attached below.
Thank you.

Yes, that is correct. However, the security requirement of disk encryption is that if you lose the storage to someone, that person should not be able to access the data on the storage. The assumption is that because the person does not have access to the device, they can't possibly know the ECID.

Our disk encryption implementation does not have such an option.

Is it possible for you to reflash the eMMC also? It might be because of a version mismatch between the eMMC and the one flashed to the external NVMe SSD.

sudo ./flash.sh jetson-agx-xavier-devkit mmcblk0p1

Thank you.
Here is something I forgot to say: I once changed the file "p2972-0000.conf.common", setting "disk_enc_enable=1;", and when I used your command "sudo ./flash.sh jetson-agx-xavier-devkit mmcblk0p1" some errors came back:

done.
populating kernel to rootfs… done.
populating initrd to rootfs… done.
populating kernel_tegra194-p2888-0001-p2822-0000.dtb to rootfs… done.
Making APPFILE…
Error: file system size has to be 512 bytes allign.
Error: failed to generate images
Cleaning up…

Do I not need to change the parameter?

Hello, I have reflashed the eMMC but it still reboots.

Hi,
Does it also fail if you connect an NVMe SSD to the Xavier developer kit and encrypt it? I would like to know if the failure is specific to the custom board.

I checked your boot log:

NOTICE:  BL31: Built : 08:55:29, Feb 19 2022
ipc-unittest-main: 1519: Welcome to IPC unittest!!!
ipc-unittest-main: 1531: waiting forever
ipc-unittest-srv: 329: Init unittest services!!!
hwkey-agent: 41: hwkey-agent is running!!
hwkey-agent: 347: key_mgnt_processing .......
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 400: key_mgnt_processing: failed (-7)
hwkey-agent: 45: main: Failed to verify or extract EKB (-7).
exit called, thread 0xffffffffea8a4d58, name trusty_app_2_92b92883-f96a-4177
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete

It seems like Trusty is not running properly. I am wondering how you are generating your EKB partition. Note that the implementation of the gen_ekb.py script is different in 32.6.1 and 32.7.1, so you have to regenerate the EKB partition for the corresponding version. You cannot use one for both.

A successful Trusty TA log looks similar to this. Disk encryption requires the Trusty TA to run successfully first:

[0063.910] I> EKB detected (length: 0x410) @ VA:0x526fb600
NOTICE:  BL31: v1.3(release):b5eeb33
NOTICE:  BL31: Built : 20:42:11, Apr 12 2022
ipc-unittest-main: 1519: Welcome to IPC unittest!!!
ipc-unittest-main: 1531: waiting forever
ipc-unittest-srv: 329: Init unittest services!!!
hwkey-agent: 41: hwkey-agent is running!!
hwkey-agent: 347: key_mgnt_processing .......
hwkey-agent: 255: Setting EKB key 0 to slot 14
hwkey-agent: 178: Init hweky-agent services!!
luks-srv: 40: luks-srv is running!!
luks-srv: 157: Init luks-srv IPC services!!
platform_bootstrap_epilog: trusty bootstrap complete

Sorry for replying so late.
I am using 32.7.1 all the time. First I generated the ekb.img for encrypting the Xavier developer kit's internal storage with "fv_key, ekb_key, usr_flashing_key, kek2_key", then I used that environment to flash the custom board's internal storage and decrypt the external without changing the EKB partition. Did I need to remove the old eks.img?
I have one question: is the EKB partition different between external and internal? So can I use flash.sh "-i, --user_key" to encrypt the internal and initrd_flash with nothing to encrypt the external?
Thank you.

This is what you should do:
First, regenerate ekb.img using the gen_ekb.py script from https://developer.nvidia.com/embedded/l4t/r32_release_v7.1/sources/t186/public_sources.tbz2

Second, place that ekb.img image into the bootloader/ folder and rename it to eks.img so that it will be flashed to the eks partition.

Reflash the board's internal storage using flash.sh and make sure Trusty can run properly.

The EKB partition is only used from the internal eMMC of the Xavier, so don't worry about duplicating it on the external storage.

After Trusty works, you can use initrd flash with the --external-only option to flash the root filesystem to external storage, like here:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 30GiB --network  eth0:192.168.2.3/24:192.168.2.2 --showlogs jetson-agx-xavier-devkit external

Hello,
If I don't encrypt the internal storage, should I generate the eks.img? I just encrypt the external NVMe, as example 1 in "README_initrd_flash.txt" describes.

You will have to generate the eks.img if you want to use a custom key for disk encryption on internal or external storage, or if you have kek2 fused for your board, or if you use the kernel encryption feature.

Also, for this command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -p "-i <disk_encryption_key> --user_key <user_key>" --external-only -S 30GiB --network  eth0:192.168.2.3/24:192.168.2.2 --showlogs jetson-agx-xavier-devkit external

You can use the -p option to add "-i" (the disk encryption key) and "--user_key" if you want.

Hello,
If I don't fuse the kek2, it means I can generate the eks.img using a kek2_key which contains all "0"s, doesn't it? And I want to know how the default eks.img was generated.

Hello,
I changed the eks.img. Now Trusty can run, but it still can't boot.
Here is the log (attached: debug_external_fail_log1).

Command run:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 30GiB --network eth0:192.168.2.3/24:192.168.2.2 --showlogs jetson-agx-xavier-devkit external

***************************************
*                                     *
*  Step 3: Start the flashing process *
*                                     *
***************************************
Waiting for device to expose ssh .....................Run command: flash on 192.168.2.3
Cleaning up...

I confirmed with another engineer that for unfused kek2 you can set it to zero.

For the flashing problem: for some reason, sshd is missing a library, so it cannot set up the SSH server for flashing:

/bin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory

Do you use a special rootfs? Because you said you had flashed successfully before, I am not sure why this appears now. Anyway, if you still want to use this rootfs, you can edit tools/kernel_flash/l4t_initrd_flash_internal.sh to add libkeyutils.so.1 here:

generate_flash_initrd()
{
	local dev_instance="$1"

	pushd "${working_dir}"

	abootimg -x "${BOOTLOADER_DIR}/recovery.img"

	mkdir -p "${working_dir}/initrd"

	pushd "${working_dir}/initrd"

	gunzip -c "${working_dir}/initrd.img" | cpio -i

	cp "${INITRDDIR_L4T_DIR}/"*.sh "${working_dir}/initrd/bin"
	cp "${ROOTFS_DIR}/usr/sbin/flash_erase" "${working_dir}/initrd/usr/sbin"
	cp "${ROOTFS_DIR}/usr/sbin/mtd_debug" "${working_dir}/initrd/usr/sbin"
	cp "${ROOTFS_DIR}/usr/bin/sort" "${working_dir}/initrd/usr/bin"
	cp "${ROOTFS_DIR}/sbin/blkdiscard" "${working_dir}/initrd/sbin"
	cp "${ROOTFS_DIR}/sbin/partprobe" "${working_dir}/initrd/sbin"
	cp "${ROOTFS_DIR}/bin/mktemp" "${working_dir}/initrd/bin"
	cp "${ROOTFS_DIR}/lib/aarch64-linux-gnu/libsmartcols.so.1" "${working_dir}/initrd/lib/aarch64-linux-gnu"
	# Add the below line to the function
	cp "${ROOTFS_DIR}/lib/aarch64-linux-gnu/libkeyutils.so.1" "${working_dir}/initrd/lib/aarch64-linux-gnu"
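Putting the two diagnoses from lhoang's posts above (the Trusty hwkey-agent EKB failure, and sshd in the flashing initrd missing a shared library) into a small log triage script, as an added example that is not part of NVIDIA's tooling: it classifies a Jetson boot or flash log from the hwkey-agent/luks-srv lines and the shared-library error, and emits the cp line for generate_flash_initrd() in the form used above. The sample log lines are the ones quoted in this thread; the function and variable names are my own.

```python
# Added example (not NVIDIA's code): triage a Jetson boot/flash log for the two
# failure signatures discussed in this thread. Sample lines are copied from the posts.
import re

EKB_FAIL = re.compile(r"hwkey-agent: \d+: .*(EKB_CMAC verification is not match|Failed to verify or extract EKB)")
EKB_OK = re.compile(r"hwkey-agent: \d+: Setting EKB key \d+ to slot \d+")
LUKS_READY = re.compile(r"luks-srv: \d+: Init luks-srv IPC services")
MISSING_LIB = re.compile(r"(\S+): error while loading shared libraries: (\S+): cannot open shared object file")

def triage(log: str) -> dict:
    """Return the Trusty EKB state, whether luks-srv finished its init, and missing libs."""
    state = {"ekb": "unknown", "luks_srv_ready": False, "missing_libs": []}
    for line in log.splitlines():
        if EKB_FAIL.search(line):
            state["ekb"] = "failed"  # a failure is final; a later key-set line cannot undo it
        elif EKB_OK.search(line) and state["ekb"] != "failed":
            state["ekb"] = "ok"
        # "luks-srv is running!!" is printed even after hwkey-agent failed, so only the
        # "Init luks-srv IPC services" line is treated as luks-srv actually being usable.
        if LUKS_READY.search(line):
            state["luks_srv_ready"] = True
        m = MISSING_LIB.search(line)
        if m and (m.group(1), m.group(2)) not in state["missing_libs"]:
            state["missing_libs"].append((m.group(1), m.group(2)))
    return state

def initrd_fix_lines(state: dict, libdir: str = "lib/aarch64-linux-gnu") -> list:
    """cp lines to add to generate_flash_initrd() for each missing library, in the
    same form as the libkeyutils.so.1 fix quoted in the thread."""
    return [f'cp "${{ROOTFS_DIR}}/{libdir}/{lib}" "${{working_dir}}/initrd/{libdir}"'
            for _, lib in state["missing_libs"]]

# Log excerpts quoted in this thread (failing Trusty boot, good Trusty boot, sshd error).
FAILING_TRUSTY_LOG = """\
hwkey-agent: 347: key_mgnt_processing .......
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 400: key_mgnt_processing: failed (-7)
hwkey-agent: 45: main: Failed to verify or extract EKB (-7).
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete
"""
GOOD_TRUSTY_LOG = """\
hwkey-agent: 347: key_mgnt_processing .......
hwkey-agent: 255: Setting EKB key 0 to slot 14
hwkey-agent: 178: Init hweky-agent services!!
luks-srv: 40: luks-srv is running!!
luks-srv: 157: Init luks-srv IPC services!!
"""
SSHD_LOG = "/bin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory\n"
```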

Hello, thank you so much.
Now I can successfully boot the encrypted external SSD.
I am curious about what the difference is between encrypted external and encrypted internal storage. When I finish flashing the encrypted external SSD and then boot, it seems I don't need to modify the initrd to unlock additional encrypted file systems. They are all mounted under mapper.

For example, if you have encryption on both external and internal storage, booting into one device only unlocks the encrypted partitions on that device but not the other. In such a case, you will need to modify the initrd to unlock them.

Hello,
When I use ./flash.sh I can use "-r" to flash using the existing system.img in ./bootloader, which was generated from a special rootfs. However, when I use ./l4t_initrd_flash.sh, I can't use the system.img even through the "--flash-only" command.
Here I want to know if anything can be provided to help me use the special system.img to flash external storage.
Thank you.