I want to implement full disk encryption on Jetson AGX Xavier.
As mentioned in the disk encryption documentation, I am trying to create the two images system_boot.img and system_root_encrypted.img with the flash script without flashing the board:
$ sudo ROOTFS_ENC=1 ./flash.sh --no-flash -i "./sym2_t194.key" jetson-agx-xavier-devkit mmcblk0p1
I get an error saying: ERROR: build_enc_fsimg: ECID is null.
Attached is the log file from the flash script.
I generated the sym2_t194.key with the example.sh and gen_ekb.py files, following the steps below as mentioned in the forum:
The EKB stores two keys: one is the kernel encryption key, and the other is the LUKS key for disk encryption support.
For LUKS disk encryption support with a specific key, you need to re-generate the EKB blob with that key (the 2nd key is for LUKS).
The sym2.key is equivalent to the key.
I attached the example script to run gen_ekb.py. Note that gen_ekb.py needs to be from the same Jetpack / BSP version as the flashing script.
During the flash process, use the command below to supply the key: sudo ROOTFS_ENC=1 ./flash.sh -i "sym2.key"
(sym2.key == ekb.key)
Then the LUKS support modules will use the key to generate the per-device unique passphrase.
Both the Jetpack/BSP and the public sources are version 35.3.1.
I followed the same steps to create sym2_t194.key. Also, we are talking about internal memory, so workflow 10, which is referred to, will not be applicable to us.
It seems some setting or parameter is required to generate the ECID; could you please help with this? Currently we are using the following command to create the encrypted file system: sudo ROOTFS_ENC=1 ./flash.sh --no-flash -i "./sym2_t194.key" jetson-agx-xavier-devkit mmcblk0p1
Error
Making system_uda_encrypted.img…
ERROR: build_enc_fsimg: ECID is null .
The EKB (Encrypted Binary Blob) stores two keys: one is the kernel encryption key (sym_key_file), and the other is the LUKS key (sym2_key_file) for disk encryption support.
For LUKS disk encryption support with a specific key, you should execute the script file gen_ekb.py to generate an image. Also, in the developer guide, [Tool for EKB Generation], sym2.key is equivalent to ekb.key.
I followed the same steps, executing example.sh and gen_ekb.py to generate the image. After that, I replaced the existing eks_194.img in Linux_for_Tegra/bootloader with the newly generated image.
I used sym2_t194.key as ekb.key to build and flash the image onto the NVIDIA Jetson AGX Xavier development kit.
To do the flashing process:
sudo ROOTFS_ENC=1 ./flash.sh -i "./sym2_t194.key" jetson-agx-xavier-devkit mmcblk0p1
Still, while booting it leads to an error saying:
[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]
FYI, it looks like we're able to reproduce the same kernel panic failure by using non-zero disk encryption keys on l4t-r35.3.1 / AGX Xavier.
Let me arrange resources to check this internally.
We've double-checked this with a non-fused AGX Xavier;
it's verified that disk encryption works on AGX Xavier with non-zero keys.
I have verified a non-zero disk encryption key on AGX Xavier.
Here are the steps for your reference:
Modify optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh to use a non-zero key: echo "f0e0d0c0b0a001020304050607080900" > sym2_t194.key
Run ./example.sh
Copy generated sym2_t194.key and eks_t194.img to Linux_for_Tegra/bootloader
Had you assigned the KEK2 key?
If you're using a non-fused target, you may use echo "00000000000000000000000000000000" > kek2.key to create the eks image.
Please execute the script file odmfuseread.sh to determine whether your target is fused or not.
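The two replies above boil down to a small pre-flight check on the key files before gen_ekb.py / example.sh are run: sym2_t194.key must be a 16-byte (32 hex character) key that is not all zeros, and kek2.key must match the fuse state of the target (all zeros for a non-fused board, the real KEK2 value for a fused one). The script below is an added example, not NVIDIA's example.sh or any other code from this thread. It generates a random non-zero LUKS key, validates both key files, and then, only if the gen_ekb directory exists, runs example.sh and copies the outputs into Linux_for_Tegra/bootloader as the steps above describe. The directory paths, the FUSED variable (set it from what odmfuseread.sh reports) and the check that an unfused target needs an all-zero kek2.key are assumptions taken from the thread, not a documented NVIDIA interface. Note that the stock example.sh writes sym2_t194.key itself, so its echo line must be changed (as in the reply above) or removed before this script's generated key survives.

```sh
#!/bin/sh
# Added example: pre-flight checks for the EKB key files used by gen_ekb.py.
# Not NVIDIA's example.sh; paths and the FUSED flag are assumptions.
set -eu

ZERO_KEY=00000000000000000000000000000000

# Write a random, non-zero 16-byte key (32 hex chars, one line) to $1.
make_sym2_key() {
    key=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    # /dev/urandom producing all zeros is practically impossible, but the
    # EKB tooling treats a zero key as "no key", so refuse it explicitly.
    [ "$key" != "$ZERO_KEY" ] || return 1
    printf '%s\n' "$key" > "$1"
}

# Return 0 if file $1 holds exactly 32 hex chars and is not all zeros.
key_is_valid() {
    k=$(tr -d '\n\r ' < "$1")
    printf '%s' "$k" | grep -Eq '^[0-9a-fA-F]{32}$' || return 1
    [ "$k" != "$ZERO_KEY" ]
}

# $1 = 1 if odmfuseread.sh reported KEK2 as burned, 0 if not.
# $2 = path to kek2.key.  Assumption from the thread: a non-fused target
# must use an all-zero kek2.key; a fused target must use the real KEK2.
check_kek2() {
    k=$(tr -d '\n\r ' < "$2")
    if [ "$1" = "0" ]; then
        [ "$k" = "$ZERO_KEY" ]
    else
        key_is_valid "$2"
    fi
}

# Assumed locations; override via the environment to match your tree.
GEN_DIR=${GEN_DIR:-optee/samples/hwkey-agent/host/tool/gen_ekb}
BL_DIR=${BL_DIR:-Linux_for_Tegra/bootloader}
FUSED=${FUSED:-0}

# Only run the real tooling when the gen_ekb directory is actually present.
if [ -x "$GEN_DIR/example.sh" ]; then
    make_sym2_key "$GEN_DIR/sym2_t194.key"
    key_is_valid "$GEN_DIR/sym2_t194.key" || { echo "bad sym2_t194.key" >&2; exit 1; }
    check_kek2 "$FUSED" "$GEN_DIR/kek2.key" || { echo "kek2.key does not match FUSED=$FUSED" >&2; exit 1; }
    (cd "$GEN_DIR" && ./example.sh)
    # Same copy step as in the reply above: key and EKB image go to bootloader/.
    cp "$GEN_DIR/sym2_t194.key" "$GEN_DIR/eks_t194.img" "$BL_DIR/"
fi
```

Run it from the JetPack working directory with FUSED=0 or FUSED=1 according to the odmfuseread.sh result; a mismatch between kek2.key and the fuse state is reported before any image is generated, which is the case the last reply is probing for.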