Hi,
I’m having a problem with enabling disk encryption on a Jetson Orin Nano devkit with an SD card (256Gb) without enabling secure boot.
The build and flash process goes without errors, but the device can’t boot due to a kernel panic:
```
[ 8.524256] tegra194-pcie 14160000.pcie: Detected iATU regions: 8 outbound, 2 inbound
[ 8.716865] Kernel panic - not syncing:
[ 8.716870] Attempted to kill init! exitcode=0x00007f00
[ 8.716874] CPU: 3 PID: 1 Comm: bash Not tainted 5.15.148-tegra #1
[ 8.716879] Hardware name: NVIDIA NVIDIA Jetson Orin Nano Developer Kit/Jetson, BIOS 36.4.0-gcid-37537400 09/13/2024
[ 8.716881] Call trace:
[ 8.716881] dump_backtrace+0x0/0x1d0
[ 8.716895] show_stack+0x34/0x50
[ 8.716899] dump_stack_lvl+0x68/0x8c
[ 8.716905] dump_stack+0x18/0x3c
[ 8.716906] panic+0xc4/0x398
[ 8.716912] do_exit+0xa04/0xa30
[ 8.716916] do_group_exit+0x44/0xb0
[ 8.716919] __arm64_sys_exit_group+0x2c/0x30
[ 8.716922] invoke_syscall+0x5c/0x150
[ 8.716927] el0_svc_common.constprop.0+0x64/0x120
[ 8.716930] do_el0_svc+0x74/0xb0
[ 8.716933] el0_svc+0x28/0x90
[ 8.716936] el0t_64_sync_handler+0xac/0x130
[ 8.716939] el0t_64_sync+0x1a4/0x1a8
```
I’m using Jetson_Linux_R36.4.0 sources and rootfs.
I’ve followed the official guide as well as the steps from this topic, but the result is always the same - kernel panic.
Here are the steps that I’m doing to build and flash:
- EXTRACT SOURCES
Extract Linux_for_Tegra.
Extract sample rootfs.
Extract optee sources.
- GENERATE EKS
Go to optee/samples/hwkey-agent/host/tool/gen_ekb
Modify example.sh.
```bash
#!/bin/bash
# Copyright (c) 2023-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause

# [T234 example]
# Fill your OEM_K1 fuse key value
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key

# Generate user-defined symmetric key files
# A random generate key is recommended for production, and a specified key is recommended for testing
# For each key, there are reference examples for generating random key and specifying keys.
# openssl rand -rand /dev/urandom -hex 32 > sym_t234.key # kernel/kernel-dtb encryption key
echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key # disk encryption key
echo "00000000000000000000000000000000" > sym2_t234.key
# openssl rand -rand /dev/urandom -hex 16 > auth_t234.key # uefi variables authentication key
echo "00000000000000000000000000000000" > auth_t234.key

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
    -in_sym_key sym_t234.key \
    -in_sym_key2 sym2_t234.key \
    -in_auth_key auth_t234.key \
    -in_ftpm_sn 00000000000000000000 \
    -in_ftpm_eps_seed ftpm_eps_seed_file \
    -in_ftpm_rsa_ek_cert ftpm_rsa_ek_cert.der \
    -in_ftpm_ec_ek_cert ftpm_ec_ek_cert.der \
    -in_sid_cert sid_cert.der \
    -in_ftpm_rsa_ek_csr ftpm_rsa_ek_csr.der \
    -in_ftpm_ec_ek_csr ftpm_ec_ek_csr.der \
    -out eks_t234.img
```
Generate EKS image.
Copy eks_t234.img and sym2_t234.key to Linux_for_Tegra dir.
```
cp ./eks_t234.img Linux_for_Tegra/bootloader
cp sym2_t234.key Linux_for_Tegra/
```
The eks image has this header.
```
hexdump -C -n 4 -s 0x34 eks_t234.img
00000034 45 45 4b 42 |EEKB|
```
- BUILD IMAGES
```
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device mmcblk0p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 16GiB --external-only --append --network usb0 jetson-orin-nano-devkit external
```
- FLASH
```
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
```
flash_3-4_0_20250202-180923.log (69.2 KB)
bootlog.txt (66.1 KB)
The steps above were done on fresh sources.
The host machine is running Ubuntu 22.04.
Could you please point me in the right direction?
It seems to me that the initrd doesn’t try to decrypt the rootfs, or the EKS image is not flashed, but I have no evidence.
Appreciate any help.
Thanks.
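
A host-side preflight for the files the steps above produce, added here as an example (it is not part of the original post or of NVIDIA's tooling). It checks that the disk-encryption key is 32 hex characters, that the EKS image carries `EEKB` at offset 0x34, and that the copies staged under Linux_for_Tegra are byte-identical to the generated ones. The function names and the two directory arguments are assumptions; the key length, magic and offset are the ones shown in the post.

```bash
#!/bin/bash
# Added example: sanity checks before running l4t_initrd_flash.sh.
# Function names and directory arguments are hypothetical.

# check_hex_key FILE NCHARS: FILE must hold exactly NCHARS hex digits.
check_hex_key() {
    local file=$1 want=$2 key
    [ -r "$file" ] || { echo "missing: $file" >&2; return 1; }
    key=$(tr -d '\r\n' < "$file")
    if [ "${#key}" -ne "$want" ]; then
        echo "$file: expected $want hex chars, got ${#key}" >&2
        return 1
    fi
    case $key in
        *[!0-9a-fA-F]*) echo "$file: non-hex character" >&2; return 1 ;;
    esac
}

# check_eks_magic IMAGE: the 4 bytes at offset 0x34 (52) must read "EEKB".
check_eks_magic() {
    local img=$1 magic
    [ -r "$img" ] || { echo "missing: $img" >&2; return 1; }
    magic=$(dd if="$img" bs=1 skip=52 count=4 2>/dev/null | tr -d '\0')
    [ "$magic" = "EEKB" ] || { echo "$img: no EEKB magic at 0x34" >&2; return 1; }
}

# check_same GENERATED STAGED: the staged copy must match the generated file.
check_same() {
    cmp -s "$1" "$2" || { echo "$2 differs from $1" >&2; return 1; }
}

# preflight GEN_DIR L4T_DIR: run every check, non-zero if any of them fails.
# GEN_DIR is the gen_ekb directory, L4T_DIR is Linux_for_Tegra.
preflight() {
    local gen=$1 l4t=$2 rc=0
    check_hex_key "$gen/sym2_t234.key" 32 || rc=1
    check_same "$gen/sym2_t234.key" "$l4t/sym2_t234.key" || rc=1
    check_eks_magic "$gen/eks_t234.img" || rc=1
    check_same "$gen/eks_t234.img" "$l4t/bootloader/eks_t234.img" || rc=1
    return $rc
}
```

A passing `preflight` only shows that the host-side artifacts are well-formed and staged consistently; it says nothing about what was actually written to the device.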