Disk encryption on Jetson Orin Nano

Hi,

I am having trouble initrd flashing an encripted rootfs for ADVANTECH '‘mic-711on’, which is a Orin Nano product. JetPack 5.1.1, L4T 35.4.1.

Steps to reproduce

sudo tools/l4t_flash_prerequisites.sh
sudo ./apply_binaries.sh

python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py -chip t234 -oem_k2_key kek_optee.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img

echo "00000000000000000000000000000000" > ekb.key

*Currently I don’t use fusing, only nvme encryption.

3. Flashing procedure step-by-step (according to official documentation):

# Generate images for QSPI
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

# Generate images for external storage device
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

# Flash images into the both storage devices
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Output error

[ 3.3910 ] tegrahost_v2 --chip 0x23 0 --align uefi_jetson_with_dtb_aligned.bin
[ 3.3938 ] tegrahost_v2 --chip 0x23 0 --magicid CPBL --ratchet_blob ratchet_blob.bin --appendsigheader uefi_jetson_with_dtb_aligned.bin zerosbk
[ 3.3949 ] adding BCH for uefi_jetson_with_dtb_aligned.bin
[ 3.5132 ] tegrasign_v3.py --key None --list uefi_jetson_with_dtb_aligned_sigheader.bin_list.xml --pubkeyhash pub_key.key --sha sha512
[ 3.5134 ] Assuming zero filled SBK key
[ 3.5248 ] Warning: pub_key.key is not found
[ 3.5242 ] tegrahost_v2 --chip 0x23 0 --updatesigheader uefi_jetson_with_dtb_aligned_sigheader.bin.encrypt uefi_jetson_with_dtb_aligned_sigheader.bin.hash zerosbk
[ 3.5373 ] Copying enc/signed file in /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed
[ 3.5375 ] Copying br bct for multi chains
[ 3.5377 ] Signed BCT for boot chain A is copied to /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed/br_bct_BR.bct

[ 3.5379 ] Signed BCT for boot chain B is copied to /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed/br_bct_b_BR.bct

[ 3.5405 ] Copying uefi_jetson_with_dtb_sigheader.bin.encrypt to /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed
[ 3.5437 ] Signed file: /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed/uefi_jetson_with_dtb_sigheader.bin.encrypt
[ 3.5470 ] tegraparser_v2 --pt flash.xml.bin --generateflashindex /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed/flash.xml.tmp flash.idx
[ 3.5485 ] File system_root_encrypted.img_ext open failed
Error: Return value 19
Command tegraparser_v2 --pt flash.xml.bin --generateflashindex /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed/flash.xml.tmp flash.idx
Error: /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/signed/flash.idx is not found
Error: failed to relocate images to /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/tools/kernel_flash/images

This seems to indicate a failure in generating:

system_root_encrypted.img_ext

However I did not happen to find out how it is created.

Kind Regards

Hi pawel.c,

It seems you are using the custom carrier board with JP5.1.1.

Please refer to the following steps to enable disk-encryption on your board.

a. create default key
$ echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key

b. create internal
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

c. create external
(you may specify 461373440 for num_sectors in <base BSP>/tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml)
$ sudo  ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -S 100GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

d. flash both
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

What’s the physical size of your NVMe SSD in use?
What’s the size you want to use for rootfs?
Please also check if there’s any error showed in every steps.

I am getting an Error in step c):

[ 1.0310 ] Retrieving EEPROM data
[ 1.0310 ] tegrarcm_v2 --oem platformdetails eeprom cvm /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/cvm.bin --chip 0x23 0
[ 1.0327 ] MB2 Applet version 01.00.0000
[ 1.0892 ] Saved platform info in /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/cvm.bin
[ 1.1231 ] tegrarcm_v2 --chip 0x23 0 --ismb2applet
[ 1.1246 ] MB2 Applet version 01.00.0000
[ 1.1831 ] tegrarcm_v2 --chip 0x23 0 --ismb2applet
[ 1.1847 ] MB2 Applet version 01.00.0000
[ 1.2413 ] Dumping customer Info
[ 1.2433 ] tegrarcm_v2 --chip 0x23 0 --oem dump bct tmp.bct
[ 1.2451 ] MB2 Applet version 01.00.0000
[ 1.3013 ] Saved bct in tmp.bct
[ 1.3098 ] tegrabct_v2 --brbct tmp.bct --chip 0x23 0 --custinfo /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/custinfo_out.bin
[ 1.3110 ] C[ 1.3114 ] ustomer data saved in /home/pawecza/test-MIC-711ON_8G_OrinNano_5.1.1_V1.0.0_SDK/bootloader/custinfo_out.bin successfully
[ 1.3115 ] Rebooting to recovery mode
[ 1.3129 ] tegrarcm_v2 --chip 0x23 0 --ismb2
[ 1.3747 ] tegrarcm_v2 --chip 0x23 0 --ismb2applet
[ 1.3762 ] MB2 Applet version 01.00.0000
[ 1.4333 ] Booting to recovery mode
[ 1.4352 ] tegrarcm_v2 --chip 0x23 0 --reboot recovery
[ 1.4368 ] MB2 Applet version 01.00.0000
Board ID(3767) version(300) sku(0003) revision(N.1)
Chip SKU(00:00:00:D5) ramcode(00:00:00:02) fuselevel(fuselevel_production) board_FAB(300)
emc_opt_disable_fuse:(0)
Error: missing cfgfile ().

I have the ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml in the right directory, I also changed the physical SSD size according to the config, it is around 120GiB, so the -S param should also be ok.

Do you have <Linux_for_Tegra>/jetson-orin-nano-devkit.conf in your BSP package?

The package provided by Advantech seemed to be incomplete. Downloading a fresh 35.4.1 flashing package for Orin worked fine with the official documentation.

There is one more problem i encountered during massflashing an encrypted drive, following this workflow:

Workflow 3: To massflash the backup image
Steps:

• Make sure you have only ONE device in recovery mode plugged in the host
• Run this command from the Linux_for_Tegra folder:
  $ sudo ./tools/backup_restore/l4t_backup_restore.sh -b -c
  Where are similar to the corresponding variables used
  in the flash.sh command. (See more details in the official documentation’s
  board name table).
• If this command completes successfully, an initrd flash image is stored in
  Linux_for_Tegra/tools/kernel_flash/images.
• Put the device in recovery mode again and generate a massflash package using backup image:
  $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --use-backup-image --no-flash --network usb0 --massflash mmcblk0p1
  Where is the highest possible number of devices to be flashed concurrently.
  are similar to the corresponding variables used
  in the flash.sh command. (See more details in the official documentation’s
  board name table).
• After generate the massflash image and environment, you can flash new device by putting the device into recovery mode:
  $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash --network usb0
  Alternatively, use the generated mfi_.tar.gz tarball. More
  detailed instruction can be found in the Initrd flash README.

I generate the massflash package but flashing using ‘–use-backup-image’ fails every time at the end of the script:
Writing APP_ENC partition done
writing item=18, 9:0:secondary_gpt, 128035659264, 16896, gpt_secondary_9_0.bin, 16896, fixed--0, 39cebea8ba4b425cf3602d21a69ae39a157145e6
[ 294]: l4t_flash_from_kernel: Successfully flash the external device
[ 294]: l4t_flash_from_kernel: /mnt/internal/flash.idx is not found. Skipping spi flashing
[ 294]: l4t_flash_from_kernel: Error: /mnt/internal/flash.idx is not found
[ 294]: l4t_flash_from_kernel: Error flashing qspi
Flash failure
Cleaning up…

Any ideas?

Thanks for your assistance
PC

But you should use the custom BSP package for custom carrier board.
Please double check with your vendor for the custom BSP package.

There’s no eMMC in Orin Nano so that this command would not work for your case.

Sure, I was just refering to the workflow from README.txt, this is the exact command I was using:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --use-backup-image --no-flash --network usb0 --massflash nvme0n1p1

Would it work if you don’t add --use-backup-image in this command?

Yes, we confirmed that it works without using backup image, but the result is a fresh, encripted rootfs, and we need to clone our software and its dependencies while mass flashing.

I believe this is a similar issue as described here:

However, having no massflash option in our case is unacceptable, has this issue been resolved in any JP version?

We only have a patch for now:

Thank you, I will test it shortly and give feedback in this thread.

I tried your approach,

Running:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --use-backup-image --no-flash --network usb0 --massflash 10 jetson-orin-nano-devkit nvme0n1

Succeeded, however the multiflashing command:

./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 2 --network usb0

still results in the SDK trying to find emmc:

Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:1::2
SSH ready
blockdev: cannot open /dev/mmcblk0boot0: No such file or directory
[ 0]: l4t_flash_from_kernel: Starting to flash to qspi
QSPI storage size: 67108864 bytes.
Erased 67108864 bytes from address 0x00000000 in flash
[ 179]: l4t_flash_from_kernel: Error: /mnt/internal/flash.idx is not found
[ 179]: l4t_flash_from_kernel: /mnt/internal/flash.idx is not found. Skipping spi flashing
[ 179]: l4t_flash_from_kernel: Error flashing qspi
Flash failure
Cleaning up...

Could you share the following 3 files after you run this command?

1. <Linux_for_Tegra>/tools/backup_restore/images/nvpartitionmap.txt
2. <Linux_for_Tegra>/tools/kernel_flash/images/internal/flash.idx
3. <Linux_for_Tegra>/tools/kernel_flash/images/external/flash.idx

nvpartitionmap.txt (1.8 KB)

Files:

2. <Linux_for_Tegra>/tools/kernel_flash/images/internal/flash.idx
3. <Linux_for_Tegra>/tools/kernel_flash/images/external/flash.idx

Were not generated at all after running the command.

So did you remember to add the -c option when you ran the backup/restore tool (l4t_backup_restore.sh)?
Put the log of that script here.

Please find the attached logs, I had used the -c flag before also:

nvflash_output.txt (102.7 KB)

Then what do you have there?

flash_idx_external.txt (2.0 KB)
flash_idx_internal.txt (7.6 KB)

Delete these two folders entirely, run the backup tool again, and show me the same stuff:

<Linux_for_Tegra>/tools/backup_restore/images/
<Linux_for_Tegra>/tools/kernel_flash/images/