Disk encryption

oscar.thorn · February 2, 2022, 10:41am

Hi!

I’m trying to flash an encrypted disk image to an external disk on xavier nx. I’m following the instructions in README_initrd_flash.txt but it fails when generating the encrypted image. This is the whole process (I include my scripts so that everything can be exactly reproduced).

Get L4T/sample rootfs/secureboot:

#! /bin/bash

set -e

BSP=https://developer.nvidia.com/embedded/l4t/r32_release_v6.1/t186/jetson_linux_r32.6.1_aarch64.tbz2
SECURE_BOOT=https://developer.nvidia.com/embedded/l4t/r32_release_v6.1/t186/secureboot_r32.6.1_aarch64.tbz2
SAMPLE_ROOTFS=https://developer.nvidia.com/embedded/l4t/r32_release_v6.1/t186/tegra_linux_sample-root-filesystem_r32.6.1_aarch64.tbz2
SAMPLE_DIR=$PWD/sample/

prompt_confirm() {
  while true; do
    read -r -n 1 -p "${1:-Continue?} [y/n]: " REPLY
    case $REPLY in
      [yY]) echo ; return 0 ;;
      [nN]) echo ; return 1 ;;
      *) printf " \033[31m %s \n\033[0m" "invalid input"
    esac
  done
}

# Set sudo
read -s -p "[sudo] password for $USER: " sudoPW
echo "$sudoPW" | sudo -S printf "\e[32m[OK]\n"

# Create deploy directory
printf "Create sample directory...    "
mkdir -p "$SAMPLE_DIR"
if [ -n "$(ls -A "$SAMPLE_DIR")" ]; then
  prompt_confirm "Rootfs dir is non-empty, continuing will erase current contents" || exit 0
  echo "$sudoPW" | sudo -S rm -rf "$SAMPLE_DIR" && mkdir "$SAMPLE_DIR"
fi
printf "[OK]\n"

printf "\e[32mDownload L4T...       "
wget -qO- $BSP | sudo tar -jxpf - -C "$SAMPLE_DIR"
wget -qO- $SECURE_BOOT | sudo tar -jxpf - -C "$SAMPLE_DIR"
rm "$SAMPLE_DIR"/Linux_for_Tegra/rootfs/README.txt
wget -qO- $SAMPLE_ROOTFS | sudo tar -jxpf - -C "$SAMPLE_DIR/Linux_for_Tegra/rootfs/"
printf "[OK]\n"

printf "\e[32mApply NVIDIA binaries...  "
echo "$sudoPW" | sudo -S rm -rf "$SAMPLE_DIR"/Linux_for_Tegra/rootfs/dev/random && echo "$sudoPW" | sudo -S rm -rf "$SAMPLE_DIR"/Linux_for_Tegra/rootfs/dev/urandom
cd "$SAMPLE_DIR"/Linux_for_Tegra && echo "$sudoPW" | sudo -S ./apply_binaries.sh
printf "[OK]\n"

cd ./sample/Linux_for_Tegra

(Instructions from README_initrd_flash.txt)

First step: Put the device into recovery mode, then generate a normal root
filesystem for the internal device:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash jetson-xavier internal

Second step: Put the device into recovery mode, then generate an encrypted
filesystem for the external device:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
            --external-device nvme0n1p1 \
            -S 8GiB -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml \
            --external-only --append jetson-xavier external

This step fails with the following output:

************************************
*                                  *
*  Step 1: Generate flash packages *
*                                  *
************************************
Create folder to store images to flash
Generate images to be flashed
BOOTDEV=external /home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/flash.sh --no-flash --sign --external-device -c "./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml" -S "8GiB"  jetson-xavier external

###############################################################################
# L4T BSP Information:
# R32 , REVISION: 6.1
###############################################################################
Change device boot from external to internal
Board ID() version() sku() revision()
Copy /home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/kernel/dtb/tegra194-p2888-0001-p2822-0000.dtb to /home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/kernel/dtb/tegra194-p2888-0001-p2822-0000.dtb.rec
Generated UUID deeddd1d-1795-4ae8-ae84-fb0b29afc017 for mounting root APP_ext partition.
Generated UUID 3674aa17-d22b-43b0-abf2-14e0c0191002 for mounting root APP_ext_enc partition.
Generated UUID fa5fda07-ea9e-4174-aac7-611822bc56ce for mounting boot APP_ext partition.
copying bctfile(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-memcfg-p2888.cfg)... done.
copying bctfile1(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-memcfg-sw-override.cfg)... done.
copying uphy_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-uphy-lane-p2888-0000-p2822-0000.cfg)... done.
copying minratchet_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-ratchet-p2888-0000-p2822-0000.cfg)... done.
copying device_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-bct-device-sdmmc.cfg)... done.
copying misc_cold_boot_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-l4t.cfg)... done.
copying misc_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-flash.cfg)... done.
copying pinmux_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-pinmux-p2888-0000-a04-p2822-0000-b01.cfg)... done.
copying gpioint_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-gpioint-p2888-0000-p2822-0000.cfg)... done.
copying pmic_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-pmic-p2888-0001-a01-p2822-0000.cfg)... done.
copying pmc_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-padvoltage-p2888-0000-a00-p2822-0000-a00.cfg)... done.
copying prod_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-prod-p2888-0000-p2822-0000.cfg)... done.
copying scr_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini.cfg)... done.
copying scr_cold_boot_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini.cfg)... done.
copying bootrom_config(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-reset-p2888-0000-p2822-0000.cfg)... done.
copying dev_params(/home/oscar/projects/moon_deploy_unit/sample/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-br-bct-sdmmc.cfg)... done.
Generated UUID 7b670c12-bd3f-470a-984a-47b180e18e64 for mounting UDA_ext partition.
Making system_uda_encrypted.img_ext... 
ERROR: build_enc_fsimg: ECID is null .
Error: Failed to generate images for external device
Cleaning up...

Any pointers are appreciated! What I want to achieve is disk encryption at rest for an external disk. I’ve also refered to https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/bootloader_disk_encryption.html# but it is not very clear on the actual steps to be performed.

JerryChang · February 7, 2022, 8:05am

hello oscar.thorn,

could you please check again with following procedure,
please put device in recovery mode before running each of the below steps,
you may generate images with command:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -S 8GiB --no-flash --massflash 1 jetson-xavier internal
after that, please flash with commands:
$ cd mfi_jetson-xavier
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

oscar.thorn · February 8, 2022, 6:34am

Hi!

It does not seem to work.

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

starts and prints the initial few lines but then it just prints

Ongoing processes: 1746

Again and again. I had it running overnight and it still did not finish.

oscar.thorn · February 8, 2022, 6:41am

Maybe it was not properly in recovery mode, I tried again but now it fails with:

**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 0
~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier/bootloader ~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier
~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier
Finish creating flash environment 0.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier/temp_initrdflash/bootloader0 ~/projects/moon_deploy_unit/sample/Linux_for_Tegra/mfi_jetson-xavier
./tegraflash.py --bl nvtboot_recovery_cpu_t194_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev  --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt  --bins "mb2_bootloader nvtboot_recovery_t194_sigheader.bin.encrypt; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt; bpmp_fw bpmp_t194_sigheader.bin.encrypt; bpmp_fw_dtb tegra194-a02-bpmp-p2888-a01_sigheader.dtb.encrypt; spe_fw spe_t194_sigheader.bin.encrypt; tlk tos-trusty_t194_sigheader.img.encrypt; eks eks_sigheader.img.encrypt; kernel boot0.img; kernel_dtb kernel_tegra194-p2888-0001-p2822-0000.dtb; bootloader_dtb tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt"    --instance 1-7
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0021 ] tegrarcm_v2 --instance 1-7 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0026 ] BR_CID: 0x88021911646cf5c92400000016008280
[   0.0081 ] Boot Rom communication completed
[   1.0282 ] 
[   2.0312 ] tegrarcm_v2 --instance 1-7 --isapplet
[   2.0317 ] Applet version 01.00.0000
[   2.0434 ] 
[   2.0434 ] Sending BCTs
[   2.0452 ] tegrarcm_v2 --instance 1-7 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
[   2.0457 ] Applet version 01.00.0000
[   2.0572 ] Sending bct_bootrom
[   2.0573 ] [................................................] 100%
[   2.0584 ] Sending bct_mb1
[   2.0634 ] [................................................] 100%
[   2.0668 ] Sending bct_mem
[   2.1240 ] [................................................] 100%
[   2.2411 ] 
Error: Return value 8
Command tegrarcm_v2 --instance 1-7 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
Cleaning up...

oscar.thorn · February 8, 2022, 7:33am

Okey, so if I change jetson-xavierto jetson-xavier-nx-devkit-emmc it seems to work. The only issue is that this boots from the internal emmc but I want to boot from m2 ssd (and not use the emmc at all if possible).

oscar.thorn · February 8, 2022, 8:00am

And while it seems like to ssd gets encrypted there does not seem to be a way to mount it. The emmc gets auto mounted but not the ssd.

JerryChang · February 8, 2022, 8:40am

hello oscar.thorn,

had you changing the boot order to make it boot from ssd?

oscar.thorn · February 8, 2022, 9:00am

How do I do that?

JerryChang · February 8, 2022, 9:05am

hello oscar.thorn,

please refer to developer guide, Changing Boot Order with CBoot.
note, Xavier series doesn’t have u-boot.

oscar.thorn · February 8, 2022, 11:52am

Okey, but that’s not really a feasible solution, I can’t manually change the boot order on every single device we flash.

JerryChang · February 8, 2022, 5:06pm

hello oscar.thorn,

you may able to update cboot sources by modify linux_load.c to configure the boot order.
please download the Cboot Sources T194 via https://developer.nvidia.com/embedded/linux-tegra.
there’s also readme file for environment setup of building CBoot binary.

oscar.thorn · February 17, 2022, 10:07am

For anyone else wondering the proper commands for generating a massflash package for xavier nx ssd with disk encryption (no secure boot though):

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash jetson-xavier-nx-devkit-qspi internal

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -S 200GiB -c "$REPO_DIR"/resources/flash_l4t_nvme_rootfs_enc.xml --external-only --massflash 1 --append jetson-xavier-nx-devkit-emmc external

then from the massflash folder:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

Make sure to put the device into recovery mode before each step.

Edit: If you are using a custom rootfs make sure to install

cryptsetup-bin=2:2.0.2-1ubuntu1.2
cryptsetup=2:2.0.2-1ubuntu1.2

system · March 3, 2022, 10:08am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.