Disk encryption on SD card without secure boot

Hi,

I’m having a problem with enabling disk encryption on a Jetson Orin Nano devkit with an SD card (256Gb) without enabling secure boot.

The build and flash process goes without errors, but the device can’t boot due to a kernel panic:

[    8.524256] tegra194-pcie 14160000.pcie: Detected iATU regions: 8 outbound, 2 inbound
[    8.716865] Kernel panic - not syncing:
[    8.716870] Attempted to kill init! exitcode=0x00007f00
[    8.716874] CPU: 3 PID: 1 Comm: bash Not tainted 5.15.148-tegra #1
[    8.716879] Hardware name: NVIDIA NVIDIA Jetson Orin Nano Developer Kit/Jetson, BIOS 36.4.0-gcid-37537400 09/13/2024
[    8.716881] Call trace:
[    8.716881]  dump_backtrace+0x0/0x1d0
[    8.716895]  show_stack+0x34/0x50
[    8.716899]  dump_stack_lvl+0x68/0x8c
[    8.716905]  dump_stack+0x18/0x3c
[    8.716906]  panic+0xc4/0x398
[    8.716912]  do_exit+0xa04/0xa30
[    8.716916]  do_group_exit+0x44/0xb0
[    8.716919]  __arm64_sys_exit_group+0x2c/0x30
[    8.716922]  invoke_syscall+0x5c/0x150
[    8.716927]  el0_svc_common.constprop.0+0x64/0x120
[    8.716930]  do_el0_svc+0x74/0xb0
[    8.716933]  el0_svc+0x28/0x90
[    8.716936]  el0t_64_sync_handler+0xac/0x130
[    8.716939]  el0t_64_sync+0x1a4/0x1a8

I’m using Jetson_Linux_R36.4.0 sources and rootfs.
I’ve followed the official guide as well as the steps from this topic, but the result is always the same: kernel panic.

Here are steps that I’m doing to build and flash:

  1. EXTRACT SOURCES
    Extract Linux_for_Tegra.
    Extract sample rootfs.
    Extract optee sources.

  2. GENERATE EKS

Go to optee/samples/hwkey-agent/host/tool/gen_ekb
Modify example.sh.

#!/bin/bash

# Copyright (c) 2023-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause

# [T234 example]
# Fill your OEM_K1 fuse key value
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key

# Generate user-defined symmetric key files
# A random generate key is recommended for production, and a specified key is recommended for testing
# For each key, there are reference examples for generating random key and specifying keys.
# openssl rand -rand /dev/urandom -hex 32 > sym_t234.key    # kernel/kernel-dtb encryption key
echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key   # disk encryption key
echo "00000000000000000000000000000000" > sym2_t234.key
# openssl rand -rand /dev/urandom -hex 16 > auth_t234.key   # uefi variables authentication key
echo "00000000000000000000000000000000" > auth_t234.key

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -in_ftpm_sn 00000000000000000000 \
        -in_ftpm_eps_seed ftpm_eps_seed_file \
        -in_ftpm_rsa_ek_cert ftpm_rsa_ek_cert.der \
        -in_ftpm_ec_ek_cert ftpm_ec_ek_cert.der \
        -in_sid_cert sid_cert.der \
        -in_ftpm_rsa_ek_csr ftpm_rsa_ek_csr.der \
        -in_ftpm_ec_ek_csr ftpm_ec_ek_csr.der \
        -out eks_t234.img

Generate EKS image.
Copy eks_t234.img and sym2_t234.key to Linux_for_Tegra dir.

cp ./eks_t234.img Linux_for_Tegra/bootloader
cp sym2_t234.key Linux_for_Tegra/

The eks image has this header.

hexdump -C -n 4 -s 0x34 eks_t234.img

00000034  45 45 4b 42                                       |EEKB|

  3. BUILD IMAGES

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs  --no-flash --external-device mmcblk0p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 16GiB --external-only --append --network usb0 jetson-orin-nano-devkit external

  4. FLASH

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs  --network usb0 --flash-only

flash_3-4_0_20250202-180923.log (69.2 KB)
bootlog.txt (66.1 KB)

The steps above were done on fresh sources.
The host machine running Ubuntu 22.04.

Could you please point me in the right direction?

It seems to me that initrd doesn’t try to decrypt rootfs, or EKS image is not flashed, but I have no evidence.

Appreciate any help.
Thanks.

Do you have anything connected on the PCIe C4 controller (m.2 key M slot) on your board?

The panic seems to have happened right after PCIe controller init, but there is no dump from the PCIe controller. I wonder if PCIe is really related to this crash.

I’m using development board without anything connected to it (except of UART).
The board works fine without disk encryption.
It only happens when I try to enable encryption.

Could you check if the error always happens after "tegra194-pcie 14160000.pcie:"? Or does it happen randomly?

hello iwallrite,

let’s check your EKS image as well,
there are 4 magic bytes at the beginning of the EKS image, they are: EEKB.
for instance,
$ hexdump -C -n 4 -s 0x34 eks_t234.img
00000034 45 45 4b 42 |EEKB|

Hi,

Please see my original post, I’ve checked the EKS, it’s like you provided.

hello iwallrite,

it doesn’t look like an EKS image related issue, although you mention it only happens when disk encryption is enabled.
please check if the error always happens after "tegra194-pcie 14160000.pcie:"? Or does it happen randomly?

I’ve checked 5 times, it always happens after “pcie” log like in my original post.

Is there a way to check that EKS image is flashed correctly and OP-TEE can find it?

hello iwallrite,

all right, it’s likely a kernel panic reported by PCIE, please double check you did not enable an unused node.

the quickest way is creating an EKS image with an incorrect encryption key.
here are example error logs for your reference.

E/TC:00 00 ekb_extraction_process:211 Bad parameter: eks image not correct
E/TC:00 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff0006).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x000f2848 failed
I/TC: Primary CPU switching to normal world boot

....

[   12.334014] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   12.343291] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00

I’m using default Linux and rootfs for both regular and build with encryption. No modifications.

Could it be related to the partition configuration file? I’m using sample file flash_l4t_t234_nvme_rootfs_enc.xml without modifications. Do I need to modify it for SD card? Description of APP partition concerns me:

**Required.** Contains the boot partition. This partition must be defined
              after `primary_GPT` so that it can be accessed as the fixed known special device
              `/dev/nvme0n1p1`.

Here is the full file content for reference:

<?xml version="1.0"?>

<!--
# SPDX-FileCopyrightText: Copyright (c) 2023 NVIDIA CORPORATION & AFFILIATES.
#                         All rights reserved.
# SPDX-License-Identifier: LicenseRef-NvidiaProprietary
#
# NVIDIA CORPORATION, its affiliates and licensors retain all intellectual
# property and proprietary rights in and to this material, related
# documentation and any modifications thereto. Any use, reproduction,
# disclosure or distribution of this material and related documentation
# without an express license agreement from NVIDIA CORPORATION or
# its affiliates is strictly prohibited.
-->

<!-- Nvidia Tegra Partition Layout Version 1.0.0 -->

<partition_layout version="01.00.0000">
    <device type="external" instance="0" sector_size="512" num_sectors="EXT_NUM_SECTORS" >
        <partition name="master_boot_record" type="protective_master_boot_record">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 512 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="primary_gpt" type="primary_gpt">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 19968 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="A_kernel" id="3" type="kernel">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 134217728 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> LNXFILE </filename>
        </partition>
        <partition name="A_kernel-dtb" type="kernel_dtb">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 786432 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> DTB_FILE </filename>
        </partition>
        <partition name="A_reserved_on_user" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 33161216 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="B_kernel" type="kernel">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 134217728 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> LNXFILE </filename>
        </partition>
        <partition name="B_kernel-dtb" type="kernel_dtb">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 786432 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> DTB_FILE </filename>
        </partition>
        <partition name="B_reserved_on_user" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 33161216 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="RECNAME" type="kernel">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> RECSIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> RECFILE </filename>
        </partition>
        <partition name="RECDTB-NAME" type="kernel_dtb">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 524288 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> RECDTB-FILE </filename>
        </partition>
        <partition name="esp" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 67108864 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> ESP_FILE </filename>
            <partition_type_guid> C12A7328-F81F-11D2-BA4B-00A0C93EC93B </partition_type_guid>
            <description> **Required.** EFI system partition with L4T Launcher. </description>
        </partition>
        <partition name="RECNAME_alt" type="kernel">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> RECSIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="RECDTB-NAME_alt" type="kernel_dtb">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 524288 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="esp_alt" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 67108864 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> **Required.** EFI system partition for fail-safe ESP update. </description>
        </partition>
        <partition name="UDA" type="data" encrypted="true" reencrypt="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 16384 </align_boundary>
            <filename> UDA_FILE </filename>
            <description> **Required.** This partition may be mounted and used to store user
              data. </description>
        </partition>
        <partition name="reserved" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 502792192 </size> <!-- Recalculate the size if RECSIZE changed -->
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> **Required.** Reserve space in case there is any partition change
              required in the future, for example, adding new partitions or increasing size
              of some partitions. </description>
        </partition>
        <partition name="APP" id="1" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 16384 </align_boundary>
            <percent_reserved> 0 </percent_reserved>
            <unique_guid> APPUUID </unique_guid>
            <filename> system_boot.img </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined
              after `primary_GPT` so that it can be accessed as the fixed known special device
              `/dev/nvme0n1p1`. </description>
        </partition>
        <partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 16384 </align_boundary>
            <percent_reserved> 0 </percent_reserved>
            <unique_guid> APP_ENC_UUID </unique_guid>
            <filename> system_root_encrypted.img_ext </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>
        <partition name="secondary_gpt" type="secondary_gpt">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 0xFFFFFFFFFFFFFFFF </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
    </device>
</partition_layout>

Here is the snippet from my boot log:

NOTICE:  BL31: Built : 21:01:44, Sep 12 2024
I/TC: 
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4.2 (gcc version 11.3.0 (Buildroot 2022.08)) #2 Fri Sep 13 04:10:17 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: Test OEM keys are being used. This is insecure for shipping products!
I/TC: fTPM ID is not enabled.
I/TC: ftpm-helper PTA: fTPM DT or EKB is not available. fTPM provisioning is not supported.
I/TC: Primary CPU switching to normal world boot

Does this mean that EKS is not flashed?

hello ValeriyI,

since you’re working on Orin Nano with an SD card,
it should be this flash configuration file, i.e. flash_l4t_t234_nvme_rootfs_enc.xml, to probe NVMe, which causes a kernel panic reported by PCIE.

please try using the flash script instead,
we’ve tested with the following to enable disk encryption on Orin Nano.
$ sudo ROOTFS_ENC=1 ./flash.sh -i ./sym2_t234.key jetson-orin-nano-devkit internal
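
Added example (not part of any post in this thread, and not NVIDIA's code): a small Python triage of the boot-log lines quoted above, separating the case where OP-TEE rejects the EKB from the case where init exits with no unlock attempt logged. The marker labels and function names are this example's own, and decoding `exitcode` assumes the kernel's usual wait-status layout.

```python
import re

# Patterns come from the log lines quoted in this thread; the labels are this example's own.
MARKERS = {
    "ekb_rejected": re.compile(r"ekb_extraction_process:\d+ .*eks image not correct"),
    "user_key_pta_failed": re.compile(r"jetson_user_key_pta_init: Failed \((\w+)\)"),
    "ekb_not_available": re.compile(r"fTPM DT or EKB is not available"),
    "unlock_failed": re.compile(r"fail to unlock the encrypted dev (\S+?)\.?$"),
}
EXITCODE = re.compile(r"Attempted to kill init! exitcode=(0x[0-9a-fA-F]+)")

def decode_exitcode(raw):
    """Assumed wait-status layout: bits 8-15 exit status, bits 0-6 signal."""
    return (raw >> 8) & 0xFF, raw & 0x7F

def triage(log_text):
    """Return {'markers': {label: detail}, 'init_exit': (status, signal) or None}."""
    out = {"markers": {}, "init_exit": None}
    for line in log_text.splitlines():
        line = line.rstrip()
        for label, rx in MARKERS.items():
            m = rx.search(line)
            if m:
                out["markers"][label] = m.group(1) if m.groups() else None
        m = EXITCODE.search(line)
        if m:
            out["init_exit"] = decode_exitcode(int(m.group(1), 16))
    return out

def verdict(f):
    """One-line reading of the findings, limited to what the log text itself shows."""
    if "ekb_rejected" in f["markers"] or "user_key_pta_failed" in f["markers"]:
        return "OP-TEE rejected the EKB"
    if "unlock_failed" in f["markers"]:
        return "initrd failed to unlock " + f["markers"]["unlock_failed"]
    if f["init_exit"]:
        return "init exited with status %d, no unlock attempt logged" % f["init_exit"][0]
    return "no known marker"

# Lines copied from the excerpts in this thread (original poster, then the reference failure).
POSTER_LOG = """\
I/TC: ftpm-helper PTA: fTPM DT or EKB is not available. fTPM provisioning is not supported.
[    8.716870] Attempted to kill init! exitcode=0x00007f00
"""
REFERENCE_LOG = """\
E/TC:00 00 ekb_extraction_process:211 Bad parameter: eks image not correct
E/TC:00 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff0006).
[   12.334014] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   12.343291] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
"""

if __name__ == "__main__":
    for name, text in (("poster", POSTER_LOG), ("reference", REFERENCE_LOG)):
        print(name, "->", verdict(triage(text)))
```

Status 127 is the value a POSIX shell returns for a command that was not found, so when PID 1 is a shell script the initrd's init script is the first place to look.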