Disk encryption

Hi!

I’m trying to flash an encrypted disk image to an external disk on xavier nx. I’m following the instructions in README_initrd_flash.txt but it fails when generating the encrypted image. This is the whole process (I include my scripts so that everything can be exactly reproduced).

  1. Get L4T/sample rootfs/secureboot:
#! /bin/bash

set -e

BSP=https://developer.nvidia.com/embedded/l4t/r32_release_v6.1/t186/jetson_linux_r32.6.1_aarch64.tbz2
SECURE_BOOT=https://developer.nvidia.com/embedded/l4t/r32_release_v6.1/t186/secureboot_r32.6.1_aarch64.tbz2
SAMPLE_ROOTFS=https://developer.nvidia.com/embedded/l4t/r32_release_v6.1/t186/tegra_linux_sample-root-filesystem_r32.6.1_aarch64.tbz2
SAMPLE_DIR=$PWD/sample/

prompt_confirm() {
  while true; do
    read -r -n 1 -p "${1:-Continue?} [y/n]: " REPLY
    case $REPLY in
      [yY]) echo ; return 0 ;;
      [nN]) echo ; return 1 ;;
      *) printf " \033[31m %s \n\033[0m" "invalid input"
    esac
  done
}

# Set sudo
read -s -p "[sudo] password for $USER: " sudoPW
echo "$sudoPW" | sudo -S printf "\e[32m[OK]\n"

# Create deploy directory
printf "Create sample directory...    "
mkdir -p "$SAMPLE_DIR"
if [ -n "$(ls -A "$SAMPLE_DIR")" ]; then
  prompt_confirm "Rootfs dir is non-empty, continuing will erase current contents" || exit 0
  echo "$sudoPW" | sudo -S rm -rf "$SAMPLE_DIR" && mkdir "$SAMPLE_DIR"
fi
printf "[OK]\n"

printf "\e[32mDownload L4T...       "
wget -qO- $BSP | sudo tar -jxpf - -C "$SAMPLE_DIR"
wget -qO- $SECURE_BOOT | sudo tar -jxpf - -C "$SAMPLE_DIR"
# The BSP was extracted as root, so removing the placeholder README needs sudo too
sudo rm -f "$SAMPLE_DIR"/Linux_for_Tegra/rootfs/README.txt
wget -qO- $SAMPLE_ROOTFS | sudo tar -jxpf - -C "$SAMPLE_DIR/Linux_for_Tegra/rootfs/"
printf "[OK]\n"

printf "\e[32mApply NVIDIA binaries...  "
echo "$sudoPW" | sudo -S rm -rf "$SAMPLE_DIR"/Linux_for_Tegra/rootfs/dev/random && echo "$sudoPW" | sudo -S rm -rf "$SAMPLE_DIR"/Linux_for_Tegra/rootfs/dev/urandom
cd "$SAMPLE_DIR"/Linux_for_Tegra && echo "$sudoPW" | sudo -S ./apply_binaries.sh
printf "[OK]\n"
cd ./sample/Linux_for_Tegra

(Instructions from README_initrd_flash.txt)

First step: Put the device into recovery mode, then generate a normal root
filesystem for the internal device:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash jetson-xavier internal

Second step: Put the device into recovery mode, then generate an encrypted
filesystem for the external device:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
            --external-device nvme0n1p1 \
            -S 8GiB -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml \
            --external-only --append jetson-xavier external

This step fails with the following output:

************************************
*                                  *
*  Step 1: Generate flash packages *
*                                  *
************************************
Create folder to store images to flash
Generate images to be flashed
BOOTDEV=external /home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/flash.sh --no-flash --sign --external-device -c "./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml" -S "8GiB"  jetson-xavier external

###############################################################################
# L4T BSP Information:
# R32 , REVISION: 6.1
###############################################################################
Change device boot from external to internal
Board ID() version() sku() revision()
Copy /home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/kernel/dtb/tegra194-p2888-0001-p2822-0000.dtb to /home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/kernel/dtb/tegra194-p2888-0001-p2822-0000.dtb.rec
Generated UUID deeddd1d-1795-4ae8-ae84-fb0b29afc017 for mounting root APP_ext partition.
Generated UUID 3674aa17-d22b-43b0-abf2-14e0c0191002 for mounting root APP_ext_enc partition.
Generated UUID fa5fda07-ea9e-4174-aac7-611822bc56ce for mounting boot APP_ext partition.
copying bctfile(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-memcfg-p2888.cfg)... done.
copying bctfile1(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-memcfg-sw-override.cfg)... done.
copying uphy_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-uphy-lane-p2888-0000-p2822-0000.cfg)... done.
copying minratchet_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-ratchet-p2888-0000-p2822-0000.cfg)... done.
copying device_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-bct-device-sdmmc.cfg)... done.
copying misc_cold_boot_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-l4t.cfg)... done.
copying misc_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-flash.cfg)... done.
copying pinmux_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-pinmux-p2888-0000-a04-p2822-0000-b01.cfg)... done.
copying gpioint_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-gpioint-p2888-0000-p2822-0000.cfg)... done.
copying pmic_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-pmic-p2888-0001-a01-p2822-0000.cfg)... done.
copying pmc_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-padvoltage-p2888-0000-a00-p2822-0000-a00.cfg)... done.
copying prod_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-prod-p2888-0000-p2822-0000.cfg)... done.
copying scr_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini.cfg)... done.
copying scr_cold_boot_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini.cfg)... done.
copying bootrom_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-reset-p2888-0000-p2822-0000.cfg)... done.
copying dev_params(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-br-bct-sdmmc.cfg)... done.
Generated UUID 7b670c12-bd3f-470a-984a-47b180e18e64 for mounting UDA_ext partition.
Making system_uda_encrypted.img_ext... 
ERROR: build_enc_fsimg: ECID is null .
Error: Failed to generate images for external device
Cleaning up...

Any pointers are appreciated! What I want to achieve is disk encryption at rest for an external disk. I’ve also referred to https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/bootloader_disk_encryption.html# but it is not very clear on the actual steps to be performed.

hello oscar.thorn,

could you please check again with the following procedure,
please put the device in recovery mode before running each of the steps below,
you may generate images with this command:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -S 8GiB --no-flash --massflash 1 jetson-xavier internal
after that, please flash with these commands:
$ cd mfi_jetson-xavier
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

Hi!

It does not seem to work.

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

starts and prints the initial few lines but then it just prints

Ongoing processes: 1746

Again and again. I had it running overnight and it still did not finish.

Maybe it was not properly in recovery mode, I tried again but now it fails with:

**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 0
~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier/bootloader ~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier
~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier
Finish creating flash environment 0.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier/temp_initrdflash/bootloader0 ~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier
./tegraflash.py --bl nvtboot_recovery_cpu_t194_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev  --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt  --bins "mb2_bootloader nvtboot_recovery_t194_sigheader.bin.encrypt; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt; bpmp_fw bpmp_t194_sigheader.bin.encrypt; bpmp_fw_dtb tegra194-a02-bpmp-p2888-a01_sigheader.dtb.encrypt; spe_fw spe_t194_sigheader.bin.encrypt; tlk tos-trusty_t194_sigheader.img.encrypt; eks eks_sigheader.img.encrypt; kernel boot0.img; kernel_dtb kernel_tegra194-p2888-0001-p2822-0000.dtb; bootloader_dtb tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt"    --instance 1-7
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0021 ] tegrarcm_v2 --instance 1-7 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0026 ] BR_CID: 0x88021911646cf5c92400000016008280
[   0.0081 ] Boot Rom communication completed
[   1.0282 ] 
[   2.0312 ] tegrarcm_v2 --instance 1-7 --isapplet
[   2.0317 ] Applet version 01.00.0000
[   2.0434 ] 
[   2.0434 ] Sending BCTs
[   2.0452 ] tegrarcm_v2 --instance 1-7 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
[   2.0457 ] Applet version 01.00.0000
[   2.0572 ] Sending bct_bootrom
[   2.0573 ] [................................................] 100%
[   2.0584 ] Sending bct_mb1
[   2.0634 ] [................................................] 100%
[   2.0668 ] Sending bct_mem
[   2.1240 ] [................................................] 100%
[   2.2411 ] 
Error: Return value 8
Command tegrarcm_v2 --instance 1-7 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
Cleaning up...

Okay, so if I change jetson-xavier to jetson-xavier-nx-devkit-emmc it seems to work. The only issue is that this boots from the internal emmc but I want to boot from the m2 ssd (and not use the emmc at all if possible).

And while it seems like the ssd gets encrypted there does not seem to be a way to mount it. The emmc gets auto mounted but not the ssd.

hello oscar.thorn,

have you changed the boot order to make it boot from ssd?

How do I do that?

hello oscar.thorn,

please refer to developer guide, Changing Boot Order with CBoot.
note, Xavier series doesn’t have u-boot.

Okay, but that’s not really a feasible solution, I can’t manually change the boot order on every single device we flash.

hello oscar.thorn,

you may be able to update the cboot sources by modifying linux_load.c to configure the boot order.
please download the Cboot Sources T194 via https://developer.nvidia.com/embedded/linux-tegra.
there’s also a readme file for environment setup of building the CBoot binary.

For anyone else wondering the proper commands for generating a massflash package for xavier nx ssd with disk encryption (no secure boot though):

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash jetson-xavier-nx-devkit-qspi internal
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -S 200GiB -c "$REPO_DIR"/resources/flash_l4t_nvme_rootfs_enc.xml --external-only --massflash 1 --append jetson-xavier-nx-devkit-emmc external

then from the massflash folder:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

Make sure to put the device into recovery mode before each step.

Edit: If you are using a custom rootfs make sure to install

cryptsetup-bin=2:2.0.2-1ubuntu1.2
cryptsetup=2:2.0.2-1ubuntu1.2
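The three commands above depend on the board being in recovery mode before each one runs; the wrapper below (an added example, not part of the original post or of the L4T tools) checks that via lsusb before every step. It assumes the host has lsusb, that a Jetson in recovery mode enumerates as an NVIDIA (vendor 0955) "APX" device, and that the massflash folder follows the mfi_<board> naming seen earlier in the thread.

```shell
#!/bin/sh
# Added example: run the massflash procedure from the thread, refusing to start a
# step until the Jetson is actually enumerated in recovery mode.
set -eu

# Return 0 if the lsusb listing passed in $1 contains a Tegra recovery-mode
# device. A normally booted Jetson also shows vendor 0955 (USB device mode),
# so the "APX" product string is required as well (assumption, see lead-in).
in_recovery_mode() {
  printf '%s\n' "$1" | grep -q 'ID 0955:[0-9a-f]\{4\} .*APX'
}

# Block until a recovery-mode device appears, re-checking every 2 seconds.
wait_for_recovery() {
  until in_recovery_mode "$(lsusb 2>/dev/null || true)"; do
    printf 'Waiting for a Jetson in recovery mode...\n' >&2
    sleep 2
  done
}

# Run one flashing step, applying the thread's rule: recovery mode before each step.
step() {
  wait_for_recovery
  "$@"
}

main() {
  L4T=${L4T:-$PWD}                  # Linux_for_Tegra directory
  ENC_XML=${ENC_XML:-./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml}
  SIZE=${SIZE:-200GiB}
  MFI_DIR=${MFI_DIR:-mfi_jetson-xavier-nx-devkit-emmc}   # assumed mfi_<board> name
  cd "$L4T"
  # Step 1: images for the internal (QSPI) device
  step sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
    jetson-xavier-nx-devkit-qspi internal
  # Step 2: encrypted rootfs image for the external NVMe, appended to the package
  step sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
    --external-device nvme0n1p1 -S "$SIZE" -c "$ENC_XML" \
    --external-only --massflash 1 --append jetson-xavier-nx-devkit-emmc external
  # Step 3: flash from the generated massflash folder
  cd "$MFI_DIR"
  step sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1
}

# Only flash when explicitly asked ("./wrapper.sh run"), so the helper
# functions can be sourced or checked on their own.
case "${1:-}" in run) main ;; esac
```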
