Disk Encryption with OP-TEE

flash.log (4.0 KB)


I want to implement full disk encryption on Jetson AGX Xavier.

  • As mentioned in the Disk encryption documentation trying to create the two images system_boot.img and system_root_encrypted.img with the flash script without flashing the board:
    $ sudo ROOTFS_ENC=1 ./flash.sh --no-flash -i “./sym2_t194.key” jetson-agx-xavier-devkit mmcblk0p1

  • I am an error saying: ERROR: build_enc_fsimg: ECID is null .
    Attached the log file from the flash script

  • I genarated the sym2_t194.key by example.sh and gen_ekb.py files following the below steps as mentioned in forum:

The EKB stores two keys, one is the kernel encryption key, and another one is the LUKS key for disk encryption support.

For LUKS disk encryption support with a specific key.

  1. Need to re-generate EKB blob with the key ( the 2nd key is for LUKS)
  • The sym2.key is equivalent to the key.
    I attached the example script to run gen_ekb.py. Note that the gen_ekb.py need to be the same Jetpack / BSP version as the flashing script
  1. During the flash process, use the command below to support the key
    sudo ROOTFS_ENC=1 ./flash.sh -i “sym2.key”

(sym2.key == ekb.key)
Then the LUKS support modules will use the key to generate the per-device unique passphrase.

Both Jetpack/BSP and Public_source are of 35.3.1 version.


Welcome to the NVIDIA forums! This topic belongs in the Jetson forums.

I will move it over for you.

please see-also Topic 238756.

Hi JerryChang,

I followed the same steps to create sym2_t194.key and also We are talking about internal memory so workflow 10 which is refered will not be applicable to us.

It seems there is some settings or parameter required to generate ECID, could you please help on the same currently we are using the following command to create the encrypted file system
sudo ROOTFS_ENC=1 ./flash.sh --no-flash -i “./sym2_t194.key” jetson-agx-xavier-devkit mmcblk0p1

Making system_uda_encrypted.img…
ERROR: build_enc_fsimg: ECID is null .

flash.log (4.0 KB)

hello SriDivya,

please refer to developer guide, Disk Encryption — Jetson Linux Developer Guide documentation

Hi JerryChang,

I flashed the board with command: sudo ROOTFS_ENC=1 ./flash.sh -i “./sym2_t194.key” jetson-agx-xavier-devkit mmcblk0p1

While Booting it leads to Error saying:
[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]

Attached the complete logs
boot.log (89.8 KB)
flash.log (95.1 KB)

Jetpack/BSP 35.3.1 version and encrypting the content on internal eMMC.

Please guide me through the steps. Did i miss any step?


hello SriDivya,

EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.
LUKS disk encryption support with a specific key. you should execute the script file, gen_ekb.py to generate an image. also, in the developer guide, [Tool for EKB Generation] that sym2.key is equivalent to ekb.key

Hi JerryChang,

I followed the same steps, executing example.sh and gen_ekb.py to generate the image. After, I replaced the existing eks_194.img in Linux_for_Tegra/bootloader with the newly generated image.

I utilized sym2_t194.key as ekb.key to build and flash the image onto the NVIDIA Jetson AGX Xavier development kit.
To do the flashing process:
sudo ROOTFS_ENC=1 ./flash.sh -i “./sym2_t194.key” jetson-agx-xavier-devkit mmcblk0p1

Still, While Booting it leads to Error saying:
[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]

Attached the Booting logs:
boot.log (89.8 KB)


there’s failure…

[0030.194] I> Writing APP_ENC partition.
[0030.227] E> NV3P_SERVER: Could not write 1048576 bytes.

could you please check you’re actually using EMMC_CFG=flash_t194_sdmmc_enc_rfs.xml for flashing the target?

This Issue was fixed eariler.
Sorry for the confusion, copied two logs in the same file. later there was no issue in flashing the APP_ENC partition

Attached the correct logs
boot .log (81.4 KB)


hello SriDivya,

it looks we’re able to reproduce the same kernel panic failure by using non-zero disk encryption keys on l4t-r35.3.1/ AGX Xavier,
let me arrange resources to check this internally.

hello SriDivya,

we’ve double checked this with non-fuse AGX Xavier,
it’s verified disk encryption works on AGX Xavier with non-zero keys.
I have verified non-zero disk encryption key on AGX Xavier.
here’re steps for your reference,

  1. Modify the optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh for using non-zero key.
    echo "f0e0d0c0b0a001020304050607080900" > sym2_t194.key
  2. Run ./example.sh
  3. Copy generated sym2_t194.key and eks_t194.img to Linux_for_Tegra/bootloader
  4. Run flashing command, $ sudo ROOTFS_ENC=1 ./flash.sh -i “./sym2_t194.key” jetson-agx-xavier-devkit mmcblk0p1

had you assign KEK2 keys?
if you’re using a non-fuse target, you may using echo "00000000000000000000000000000000" > kek2.key to create eks image.
please execute the script file, odmfuseread.sh to determine whether your target fused or not.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.