Disk encryption: partition flashing

Hello,

I need to reflash an encrypted rootFS (APP + APP_EXT) on top of a plain rootFS (APP).
(The plain flash image includes customization by our OEM vendor.
And we as ODM install our own software and want to encrypt the file system.)

I made a mass flash image (mfi) and then tried to flash EKS, APP and APP_EXT as follows.

cd mfi_jetson-orin-nano-devkit
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --massflash 1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k APP --flash-only --external-only --massflash 1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k APP_EXT --flash-only --external-only --massflash 1

EKS flashing was successful.

But APP partition flashing failed with the following error message at the end of the flash log.

...
writing item=16, 9:0:APP, 1561624576, 419430400, , , fixed-<reserved>-1,
[ 1]: l4t_flash_from_kernel: APP paritiion /dev/nvme0n1p1 is not found !!!
[ 1]: l4t_flash_from_kernel: Failed to write to APP
[ 1]: l4t_flash_from_kernel: Error flashing external device
...

APP_EXT flashing is almost the same (nvme0n1p2 instead of p1).

I can flash all the NVMe partitions with the following command, but that breaks the OEM customization, e.g. enabling the mobile broadband modem.

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --external-only --massflash 1

Is it not possible to flash APP+APP_ENC on top of APP in the first place?
Or else, please advise how to make it possible.

For reference, I have put the flash.idx contents of the plain and encrypted images below.

plain root fs

tools/kernel_flash/images/external$ cat flash.idx
0, 9:0:master_boot_record, 0, 512, mbr_9_0.bin, 512, fixed-<reserved>-0, 694898d1c345bdb31b377790ed7fc0b0db184bf7
1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, e7525986793f7b2684b2d018ce0c29368b5f2da5
2, 9:0:A_kernel, 20480, 134217728, boot.img, 53506048, fixed-<reserved>-2, e305a30227e6aba5452885378981b1c6e27cb9b1
3, 9:0:A_kernel-dtb, 134238208, 786432, kernel_tegra234-p3768-0000+p3767-0003-nv.dtb, 243878, fixed-<reserved>-3, b20609fb7cac6eff90b9a2c3b715a21aad8df50e
4, 9:0:A_reserved_on_user, 135024640, 33161216, , , fixed-<reserved>-4,
5, 9:0:B_kernel, 168185856, 134217728, boot.img, 53506048, fixed-<reserved>-5, e305a30227e6aba5452885378981b1c6e27cb9b1
6, 9:0:B_kernel-dtb, 302403584, 786432, kernel_tegra234-p3768-0000+p3767-0003-nv.dtb, 243878, fixed-<reserved>-6, b20609fb7cac6eff90b9a2c3b715a21aad8df50e
7, 9:0:B_reserved_on_user, 303190016, 33161216, , , fixed-<reserved>-7,
8, 9:0:recovery, 336351232, 83886080, recovery.img, 58613760, fixed-<reserved>-8, 8d1be03933d86820381c1193a32270848550f22c
9, 9:0:recovery-dtb, 420237312, 524288, tegra234-p3768-0000+p3767-0003-nv.dtb.rec, 243878, fixed-<reserved>-9, b20609fb7cac6eff90b9a2c3b715a21aad8df50e
10, 9:0:esp, 420761600, 67108864, esp.img, 67108864, fixed-<reserved>-10, 04f7548551b99cc2181ab1e8b833c385418f31c4
11, 9:0:recovery_alt, 487870464, 83886080, , , fixed-<reserved>-11,
12, 9:0:recovery-dtb_alt, 571756544, 524288, , , fixed-<reserved>-12,
13, 9:0:esp_alt, 572280832, 67108864, , , fixed-<reserved>-13,
14, 9:0:UDA, 639401984, 419430400, , , fixed-<reserved>-14,
15, 9:0:reserved, 1058832384, 502792192, , , fixed-<reserved>-15,
16, 9:0:APP, 1561624576, 59641638912, , , expand-<reserved>-1,
17, 9:0:secondary_gpt, 61203267072, 16896, gpt_secondary_9_0.bin, 16896, fixed-<reserved>-0, e8ab4c8758426022783dedbb67545a1bef799aa7

encrypted fs image

tools/kernel_flash/images/external$ cat flash.idx
0, 9:0:master_boot_record, 0, 512, mbr_9_0.bin, 512, fixed-<reserved>-0, 694898d1c345bdb31b377790ed7fc0b0db184bf7
1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, dbf178c02729853c2c0b57055389762c3c7a0774
2, 9:0:A_kernel, 20480, 134217728, boot.img, 58304512, fixed-<reserved>-3, d08480e1e11c68731677d9a6ab56261e92663653
3, 9:0:A_kernel-dtb, 134238208, 786432, kernel_tegra234-p3768-0000+p3767-0003-nv.dtb, 244096, fixed-<reserved>-4, 8590cd4d2133ba10231c119aa62c4307d614826e
4, 9:0:A_reserved_on_user, 135024640, 33161216, , , fixed-<reserved>-5,
5, 9:0:B_kernel, 168185856, 134217728, boot.img, 58304512, fixed-<reserved>-6, d08480e1e11c68731677d9a6ab56261e92663653
6, 9:0:B_kernel-dtb, 302403584, 786432, kernel_tegra234-p3768-0000+p3767-0003-nv.dtb, 244096, fixed-<reserved>-7, 8590cd4d2133ba10231c119aa62c4307d614826e
7, 9:0:B_reserved_on_user, 303190016, 33161216, , , fixed-<reserved>-8,
8, 9:0:recovery, 336351232, 83886080, recovery.img, 62908416, fixed-<reserved>-9, f41b3cbda3d2293e58ee5cc671a0437a26afe369
9, 9:0:recovery-dtb, 420237312, 524288, tegra234-p3768-0000+p3767-0003-nv.dtb.rec, 244096, fixed-<reserved>-10, 8590cd4d2133ba10231c119aa62c4307d614826e
10, 9:0:esp, 420761600, 67108864, esp.img, 67108864, fixed-<reserved>-11, 42bdd25f65f10d982372d5fbcd8bda0b537c31c6
11, 9:0:recovery_alt, 487870464, 83886080, , , fixed-<reserved>-12,
12, 9:0:recovery-dtb_alt, 571756544, 524288, , , fixed-<reserved>-13,
13, 9:0:esp_alt, 572280832, 67108864, , , fixed-<reserved>-14,
14, 9:0:UDA, 639401984, 419430400, , , fixed-<reserved>-15,
15, 9:0:reserved, 1058832384, 502792192, , , fixed-<reserved>-16,
16, 9:0:APP, 1561624576, 419430400, , , fixed-<reserved>-1,
17, 9:0:APP_ENC, 1981054976, 235803770880, , , fixed-<reserved>-2,
18, 9:0:secondary_gpt, 240057392640, 16896, gpt_secondary_9_0.bin, 16896, fixed-<reserved>-0, 9be24f6b31ff808dc781c7309cd3091aee388b7f

Or should I rather try copying the files under the images/external folder from the ODM mfi to my disk encryption mfi and then flash the whole NVMe for disk encryption?

Actually I tried copying kernel_tegra234-p3768-0000+p3767-0003-nv.dtb from the ODM mfi to my mfi, but the OEM feature (e.g. mobile broadband) was not enabled.

I have listed the contents of images/external of the OEM mfi below.
I cannot tell which files I can copy and which I cannot. Please advise.

tools/kernel_flash/images/external$ ll
total 21810936
drwxr-xr-x 2 emi  emi         4096 11月  7 09:48 ./
drwxr-xr-x 4 root root        4096 10月 15 15:11 ../
-rw-r--r-- 1 emi  emi     53506048 10月 15 15:00 boot.img
-rw-r--r-- 1 emi  emi     67108864 10月 15 15:07 esp.img
-rw-r--r-- 1 emi  emi           57 10月 15 15:11 flash.cfg
-rw-r--r-- 1 emi  emi         1847 10月 15 15:08 flash.idx
-rw-r--r-- 1 emi  emi        16896 10月 15 15:07 gpt_primary_9_0.bin
-rw-r--r-- 1 emi  emi        16896 10月 15 15:07 gpt_secondary_9_0.bin
-rw-r--r-- 1 emi  emi       243878 10月 15 15:00 kernel_tegra234-p3768-0000+p3767-0003-nv.dtb
-rw-r--r-- 1 emi  emi          512 10月 15 15:07 mbr_9_0.bin
-rw-r--r-- 1 emi  emi     58613760 10月 15 15:00 recovery.img
-rw-r--r-- 1 root root 22154591172 11月  6 14:39 system.img
-rw-r--r-- 1 root root          53 11月  6 14:46 system.img.sha1sum
-rw-r--r-- 1 emi  emi       243878 10月 15 15:00 tegra234-p3768-0000+p3767-0003-nv.dtb.rec
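An added example, not code from the post or from NVIDIA's flash tooling: a small Python parser for the flash.idx format quoted above. It checks one layout for overlapping byte ranges and diffs two layouts by partition name, which makes the difference between the plain and the encrypted index (APP shrunk, APP_ENC added, secondary_gpt moved) explicit before a partial flash is attempted against a device that was partitioned with the other layout. The two sample inputs are the trailing rows of the two listings in the post; `Entry`, `parse_flash_idx`, `find_overlaps` and `diff_layouts` are names chosen for this example.

```python
"""Parse and compare L4T flash.idx layouts (example code for this thread, not NVIDIA's tool)."""
from dataclasses import dataclass
from typing import Optional

# Trailing rows of the plain-rootfs flash.idx as posted above.
PLAIN_IDX = """\
14, 9:0:UDA, 639401984, 419430400, , , fixed-<reserved>-14,
15, 9:0:reserved, 1058832384, 502792192, , , fixed-<reserved>-15,
16, 9:0:APP, 1561624576, 59641638912, , , expand-<reserved>-1,
17, 9:0:secondary_gpt, 61203267072, 16896, gpt_secondary_9_0.bin, 16896, fixed-<reserved>-0, e8ab4c8758426022783dedbb67545a1bef799aa7
"""

# Trailing rows of the encrypted-rootfs flash.idx as posted above.
ENC_IDX = """\
14, 9:0:UDA, 639401984, 419430400, , , fixed-<reserved>-15,
15, 9:0:reserved, 1058832384, 502792192, , , fixed-<reserved>-16,
16, 9:0:APP, 1561624576, 419430400, , , fixed-<reserved>-1,
17, 9:0:APP_ENC, 1981054976, 235803770880, , , fixed-<reserved>-2,
18, 9:0:secondary_gpt, 240057392640, 16896, gpt_secondary_9_0.bin, 16896, fixed-<reserved>-0, 9be24f6b31ff808dc781c7309cd3091aee388b7f
"""


@dataclass(frozen=True)
class Entry:
    index: int
    device: str                 # device id prefix used by the flash tool, e.g. "9:0"
    name: str                   # partition name as written to the GPT, e.g. "APP"
    start: int                  # byte offset of the partition on the device
    size: int                   # partition size in bytes
    image: str                  # image file written into it, "" if left empty
    image_size: Optional[int]   # size of that image file, None if no image
    alloc: str                  # "fixed-<reserved>-N" or "expand-<reserved>-N"
    sha1: str                   # sha1 of the image file, "" if none

    @property
    def end(self) -> int:
        return self.start + self.size


def parse_flash_idx(text: str) -> list[Entry]:
    """Parse lines of: index, dev:name, start, size, image, image size, alloc, sha1."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 8:
            raise ValueError(f"malformed flash.idx line: {line!r}")
        idx, dev_name, start, size, image, image_size, alloc, sha1 = fields[:8]
        device, _, name = dev_name.rpartition(":")   # "9:0:APP" -> "9:0", "APP"
        entries.append(Entry(int(idx), device, name, int(start), int(size), image,
                             int(image_size) if image_size else None, alloc, sha1))
    return entries


def find_overlaps(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (earlier, later) name pairs whose byte ranges overlap on the device."""
    ordered = sorted(entries, key=lambda e: e.start)
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:]) if a.end > b.start]


def diff_layouts(old: list[Entry], new: list[Entry]) -> dict[str, list[str]]:
    """Report partitions added, removed, or whose start/size changed between two layouts."""
    old_by = {e.name: e for e in old}
    new_by = {e.name: e for e in new}
    added = sorted(set(new_by) - set(old_by))
    removed = sorted(set(old_by) - set(new_by))
    changed = sorted(n for n in set(old_by) & set(new_by)
                     if (old_by[n].start, old_by[n].size) != (new_by[n].start, new_by[n].size))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    plain, enc = parse_flash_idx(PLAIN_IDX), parse_flash_idx(ENC_IDX)
    print("overlaps (plain):", find_overlaps(plain))
    print("overlaps (enc):  ", find_overlaps(enc))
    print("layout diff:", diff_layouts(plain, enc))
```

Run against the two listings it reports no overlaps within either layout, but a diff of APP_ENC added and APP and secondary_gpt changed; feeding it the full flash.idx of a target and of the image you intend to write with --flash-only gives the same check for the real layouts.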

hello akudo,

you may add the --external-device flag, and also the external xml file for testing.
for instance,
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -k APP --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --flash-only --network usb0 jetson-orin-nano-devkit external

however, the best approach is to compose the OEM settings into the image,
so that you may create an mfi package containing all the settings for image flashing.
please see also the Root File System section for reference.

Hello JerryChang

Thank you for your suggestion.

I tried as follows, but got the same result.

Linux_for_Tegra/mfi_jetson-orin-nano-devkit$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -k APP --external-device nvme0n1p1 -i ../sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --flash-only --network usb0 jetson-orin-nano-devkit external
writing item=16, 9:0:APP, 1561624576, 419430400, , , fixed-<reserved>-1,
[ 1]: l4t_flash_from_kernel: APP paritiion /dev/nvme0n1p1 is not found !!!
[ 1]: l4t_flash_from_kernel: Failed to write to APP
[ 1]: l4t_flash_from_kernel: Error flashing external device
Flash failure
Either the device cannot mount the NFS server on the host or a flash command has failed. Debug log saved to /tmp/tmp.srBxP62JXl. You can access the target's terminal through "sshpass -p root ssh root@fc00:1:1:0::2"
Cleaning up...

For the root FS, I cloned the APP partition using an external USB mass storage device after adding the ODM's kitting on top of the OEM image. The cloning procedure is as follows.

  • Connect the Orin Nano to the host by USB cable. Also connect the USB mass storage device to another USB port on the Orin Nano.
Host PC <-----> Orin Nano <-----> USB mass storage device
  • From the host PC, start the initrd and ssh to the Orin Nano as follows.
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --initrd jetson-orin-nano-devkit nvme0n1p1
ssh root@fc00:1:1:0::2
  • In the SSH terminal, mount the USB mass storage device and copy the p1 partition to a RAW image as follows.
mount /dev/sda1 /mnt
dd if=/dev/nvme0n1p1 of=/mnt/rootfs.img.raw status=progress bs=512
sync
umount /mnt
  • Disconnect the mass storage device from the Orin Nano and connect it to the host PC. Then copy the RAW file to somewhere on the host PC.
Host PC <-----> USB mass storage device
  • In the flashing home directory on the host PC, I moved the original rootfs aside and mounted the extracted RAW file as the new rootfs as follows.
cd nvidia/nvidia_sdk/JetPack_6.0_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
sudo mv rootfs rootfs_original
mkdir rootfs
sudo mount -o loop {path to the rootfs.img.raw} rootfs

This way, I think the OEM customization in the root FS is cloned completely, but I still cannot enable the modem. So I guess there are other partitions besides the root FS that include the OEM customization. What do you think?

hello akudo,

may I confirm which Jetpack public release version you’re working with?

could you please give it a try by adding some delay to l4t_initrd_flash.sh regarding the above failure.
for instance,

mkdir -p "${LINUX_BASE_DIR}/initrdlog/"
for devpath in "${devpaths[@]}"; do
...
        fi  
        instance=$((instance + 1))
+       sleep .5
done
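Review bot: the fixed `sleep .5` after `instance=$((instance + 1))` is a timing guess rather than a check; if the delay is meant to give the next device node time to appear before the following iteration uses it, a bounded poll on that condition (retry until it holds or a timeout expires) would make the workaround deterministic, and a comment on the `+` line should say what the half second is waiting for so the next reader does not remove it as dead time.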

I assume there's a specific device tree, right? it's the kernel-dtb partition that stores the device tree, which belongs to qspi.
besides, you may refer to Related Documentation for [Jetson Linux backup and restore tool].

Hello JerryChang

which Jetpack public release version you’re working with?

I am working on Jetpack 6.0.

adding some delay to l4t_initrd_flash.sh

I added the delay in l4t_initrd_flash.sh, but the result was the same.

it’s kernel-dtb partition for saving device tree, which belong to qspi.

I see. But I am not updating qspi side except EKS partition.
Could it be due to the EKS change?

hello akudo,

FYI,
there're OEM_K1/K2 to derive a root key which is itself used to sign and encrypt the EKB.
in r36.3.0 release version, it was using OEM_K2,
in r36.4.0 (the latest release version) they are both used to open the EKB.
furthermore,
OEM_K1 is the root of trust of the EKB, and it is used to derive the RPMB key too.
OEM_K2 is used to derive the PV encryption key. If you don't need to encrypt CPUBL with a PV key, you don't need to care about OEM_K2.

we've tested locally to confirm disk encryption is working.
please see also Topic 314134, comment #29 for your reference.

I copied the EKS partition (internal) and the APP, APP_EXT, UDA and primary/secondary GPT partitions (external) from my encrypted flash image creation environment to the OEM mfi. Then I modified flash.idx and flash.cfg in the OEM mfi external folder. I executed sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only in the mfi, and the device booted up OK with the encrypted root FS. => Still the modem is not enabled.

Later I got information from the OEM that I have to replace l4t_initrd.img under the bootloader/ folder with the one they are using. This sounds promising and I will try that. Thanks for all the advice anyway.
