Disk Encryption on Orin NX NVMe Not working

Thanks for the confirmation, @JerryChang. I did try locally with mixed results. Some attempts worked, so that’s a win.

Setup: Orin Nano carrier board, 2x Orin NX SoMs which I didn’t experiment with in the disk encryption setup; they were previously flashed without any security features with JP 5.1.2.

  1. Clean Linux_for_Tegra. Only your commands from above.
  • Orin SoM #1
    • flashed and booted successfully with encryption working.
  • Switched the SoM to Orin #2.
    • Ran only command 4.
    • Orin booted but hung with ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.

  2. Clean Linux_for_Tegra. Again only your commands.
  • Orin SoM #2
    • worked, booted successfully.
    • In the same environment, run all the commands again
    • Command 4 failed with Error: Could not stat device /dev/mmcblk0 - No such file or directory. This replicates every time you run the commands again.

  3. Clean Linux_for_Tegra. Again only your commands.
  • Switched back to Orin SoM #1
    • Booted, but in recovery mode from the 1st boot: L4TLauncher: Attempting Recovery Boot
    • Failed later with
[    7.494074] Root device found: initrd
modprobe: FATAL: Module r8168 not found in directory /lib/modules/5.10.120-tegra
[    7.496146] Mount initrd as rootfs and enter recovery mode
Finding OTA work dir on external storage devices
Checking whether device /dev/mmcblk?p1 exist
Device /dev/mmcblk?p1 does not exist
Checking whether device /dev/sd?1 exist
Device /dev/sd?1 does not exist
Checking whether device /dev/nvme?n1p1 exist
Looking for OTA work directory on the device(s): /dev/nvme0n1p1
mount /dev/nvme0n1p1 /mnt
[    7.520214] EXT4-fs (nvme0n1p1): mounted filesystem with ordered data mode. Opts: (null)
is_boot_only_partition /mnt
The mounted /dev/nvme0n1p1 is boot partition, try locating rootfs partition and mount it...
mount_rootfs_partition /dev/nvme0n1p1 /mnt
Found encrypted rootfs partition /dev/nvme0n1p2 through UUID(aa83d09a-41cb-4239-bebd-f682d7814032)
umount /mnt
unlock_encrypted_partition /dev/nvme0n1p2 dm_crypt_ota dm_crypt
is_luks_partition /dev/nvme0n1p2
is_unlocked /dev/nvme0n1p2 unlocked_device_name
get_uuid_for_luks_partition /dev/nvme0n1p2 luks_uuid
No key available with this passphrase.
Failed to unlock the LUKS partition /dev/nvme0n1p2(UUID=aa83d09a-41cb-4239-bebd-f682d7814032)
Failed to run "unlock_encrypted_partition /dev/nvme0n1p2 dm_crypt_ota dm_crypt"
Failed to run "moutn_rootfs_partition /dev/nvme0n1p1 /mnt"
Failed to run "mount_ota_work_partition /dev/nvme0n1p1 /mnt"
Finding OTA work dir on internal storage device
mount /dev/mmcblk0p1 /mnt
mount: /mnt: special device /dev/mmcblk0p1 does not exist.
Failed to mount /dev/mmcblk0p1 on the /mnt
Failed to run "mount_ota_work_partition /dev/mmcblk0p1 /mnt"
OTA work directory is not found on internal and external storage devices

  4. Clean Linux_for_Tegra. Again only your commands.
  • Orin SoM #1
    • Command 4 failed with Error: Could not stat device /dev/mmcblk0 - No such file or directory.
  • Switch to SoM #2
    • Run only command #4. Same error.

So it seems that the commands work…sometimes :-?. But sometimes fail even with a clean environment.
I’ll try to change to a custom key and add Secureboot to the setup, see how that goes.

Thanks for your help!

Hi @bingnvidia, Attempt 3 which I was referring to in that comment involved mixing the bootloader versions from a previous JetPack release with the external storage images built on JP 5.1.2. So a hacky solution, that’s why I mentioned it’s only an “FYI”.

@alex.iakov1337 See Disk Encryption — Jetson Linux Developer Guide documentation for custom keys. You have to create and update eks.img as well.

Thank you very much! Didn’t notice)
