Disk Encryption pass phrase

Hello,
I want to enable disk encryption on the Jetson AGX Orin with L4T 36.4.

It works with the default description, but I want to also enable the passphrase given by the user as you describe it here:

The input has two parts: the plain key file of the EKB key used for disk encryption, and an input string used to generate the passphrase. By default, the input string is the UUID of the encrypted disk. You can modify the script that generates the rootfs to let the user enter their own string. You must change the initrd accordingly to make it use the user-supplied string.

If I understand it correctly, it can be configured such that a user is prompted for a passphrase at the beginning, which is then used to decrypt the data instead of the automatic decryption.

I tried with the flag --generic-passphrase (assuming that this allows for using a passphrase), but no passphrase was prompted for at any point of the boot.

I flashed using the following command:

sudo ROOTFS_ENC=1 ./flash.sh -i ~/Projects/secureboot/jetson-public-srcs/Linux_for_Tegra/source/jetson-optee-srcs/optee/samples/hwkey-agent/host/tool/gen_ekb/disk_enc.key --generic-passphrase "diskencryption123" jetson-agx-orin-devkit internal

Is there a guide somewhere which describes how this is done or some reference implementation?

Thank you for your help!

Please see also Disk Encryption for AGX Orin with prompt asking for passphrase - #5 by JerryChang for reference.

Thank you, JerryChang, for pointing to the post. You mention that the init file needs to be changed. Is there a reference implementation or a guide on how this should be done?

Hello andib,

Please customize it yourself, since we do not support a prompt for a passphrase by default.
