Disk Encryption on Jetson Orin Nano Without Secure Boot or UEFI Secure Boot

Hello,

I am using a Jetson Orin Nano (custom board) with JetPack 5.1.2. My goal is to enable disk encryption on the device without enabling Secure Boot or UEFI Secure Boot, as I need to maintain the ability to perform OTA updates.

From my understanding, the OEM key is relevant for disk encryption. I have not fused my device yet but plan to fuse it with the OEM key.

Could you please provide guidance on the following:

How can I enable disk encryption on the Jetson Orin Nano without enabling Secure Boot or UEFI Secure Boot?
Will enabling only disk encryption allow me to continue performing OTA updates?
Are there specific steps or documentation available for this process?

Here are the steps:
(I'm using the correct public_sources.tbz2.)

  1. OemKey generated and saved in fuse.xml:
     echo '<genericfuse MagicId="0x45535546" version="1.0.0">' > fuse.xml
     echo "<fuse name=\"OemK1\" size=\"32\" value=\"$(cat OemK1.key)\"/>" >> fuse.xml
     echo '</genericfuse>' >> fuse.xml

  2. sudo ./odmfuse.sh --test -i 0x23 -X fuse.xml jetson-orin-nano-devkit

  3. Key files:
     echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
     echo "010203040506070809a0b0c0d0e0f001" > sym_t234.key
     echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key

  4. rm bootloader/eks_t234.img

  5. python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py -chip t234 -oem_k1_key OemK1.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img

     (hexdump -C -n 4 -s 0x24 bootloader/eks_t234.img: the 4 magic bytes in the beginning of the EKS image are EEKB)

  6. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal

  7. sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml -S 30GiB --external-only --append --network usb0 jetson-orin-nano-devkit external (num of sec is correct)

  8. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

In the boot log I end up with "ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2" for ROOTFS_ENC=1 and "ERROR: fail to unlock the encrypted dev /dev/nvme0n1p3" for ROOTFS_AB=1 and ROOTFS_ENC=1.

Any help is highly appreciated.
Thank you for your assistance!
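The commands above fail silently in two places that are easy to miss: the shell quoting around the fuse.xml lines, and the key file lengths that gen_ekb.py and odmfuse.sh expect. The POSIX shell helper below is an added example, not NVIDIA's tooling and not part of this thread. It checks each key file for the byte length its slot implies (OemK1 fills a size="32" fuse, so 32 bytes; fv_ekb_t234, sym_t234.key and sym2_t234.key are 16-byte values as written in the post), writes fuse.xml with the XML attributes quoted so the shell leaves them intact and the closing tag present, and reads the 4 bytes at offset 0x24 of the EKS image that the post inspects with hexdump. The file names and the no-0x-prefix key format are assumptions taken from the commands in the post; check the Fuse Specification for the exact value format odmfuse.sh expects before burning anything.

```shell
#!/bin/sh
# Added example, not NVIDIA's code. Assumes each key file holds one line of
# hex digits without a 0x prefix (the style used by the echo commands above).

# check_hex_key FILE NBYTES: succeed only if FILE holds exactly NBYTES bytes
# of hex (2 hex digits per byte), with no stray characters.
check_hex_key() {
    file=$1
    nbytes=$2
    [ -r "$file" ] || { echo "missing key file: $file" >&2; return 1; }
    key=$(tr -d '[:space:]' < "$file")
    case "$key" in
        *[!0-9a-fA-F]*) echo "$file: non-hex characters" >&2; return 1 ;;
    esac
    if [ "${#key}" -ne $((nbytes * 2)) ]; then
        echo "$file: expected $nbytes bytes ($((nbytes * 2)) hex digits), got ${#key} digits" >&2
        return 1
    fi
    return 0
}

# check_all_keys: the lengths implied by the commands in the post
# (OemK1 -> size="32" fuse; fv/sym/sym2 -> 16-byte values).
check_all_keys() {
    check_hex_key OemK1.key 32 &&
    check_hex_key fv_ekb_t234 16 &&
    check_hex_key sym_t234.key 16 &&
    check_hex_key sym2_t234.key 16
}

# write_fuse_xml OEMK1_FILE OUT: write a genericfuse document carrying OemK1.
# Single quotes keep the XML attribute quotes out of the shell's hands, and
# the closing </genericfuse> tag is always emitted.
write_fuse_xml() {
    oemfile=$1
    out=$2
    check_hex_key "$oemfile" 32 || return 1
    key=$(tr -d '[:space:]' < "$oemfile")
    {
        echo '<genericfuse MagicId="0x45535546" version="1.0.0">'
        printf '  <fuse name="OemK1" size="32" value="%s"/>\n' "$key"
        echo '</genericfuse>'
    } > "$out"
}

# eks_magic IMG: print the 4 bytes at offset 0x24 (36 decimal), which the
# post reports as "EEKB" for a freshly generated eks_t234.img.
eks_magic() {
    dd if="$1" bs=1 skip=36 count=4 2>/dev/null
}

# Usage on a host with the key files in the current directory:
#   check_all_keys && write_fuse_xml OemK1.key fuse.xml
#   eks_magic bootloader/eks_t234.img
```

Run check_all_keys before both odmfuse.sh and gen_ekb.py: if the OemK1 file that went into fuse.xml and the one passed as -oem_k1_key differ in length or content, the EKS image will not match the fused key and the rootfs cannot be unlocked at boot, which is exactly the symptom this thread ends on.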

Hi ahmed.lassoued,

Please refer to Disk Encryption — Jetson Linux Developer Guide documentation (nvidia.com).

and refer to example.sh to generate the key.

Please share the full flash log when you run this command.

Thanks for your response.

I have tried using the default keys from example.sh (OEM Key, sym2_t234, etc.) and it worked. However, after burning the fuse with a randomly generated OEM Key and also randomly generating the sym2_t234 key, I ended up with the same error: fail to unlock the encrypted dev /dev/nvme0n1p3.

Here are the full flash log and boot log for your reference:

flash_1-1_0_20240729-113811.log (38.5 KB)

BootLog.txt (89.1 KB)

Any assistance to resolve this issue would be highly appreciated.

Thank you!

It seems you hit a similar issue as SecureBoot and Encrypted RootFs - Jetson & Embedded Systems / Jetson Orin Nano - NVIDIA Developer Forums.
Please check if it could help in your case.

I followed the exact same steps, and everything works when using the default keys from example.sh. It also works when I use the default oem_k1.key, sym_t234, and fv_ekb_t234, while randomly generating the sym2_t234.key.

However, it doesn’t work when I use my own oem_k1 key, with which I’ve already burned the fuse.

It seems not the expected result to me.

You have to use your own oem_k1 key (the one used to burn the fuse) to create the key for disk encryption.
The default key should not work with your fused board.
Maybe you used the default oem_k1 key to burn the fuse…!?
