Hello there,
For the last few months we have been trying to enable disk encryption with no luck. We really need your help to figure out the issues. We have had the worst experience ever with your documentation.
We are using the Jetson Xavier NX production board (P3668-0001). Last week we successfully enabled secure boot on our device. We followed the following steps to achieve it.
- Install dependencies
sudo apt-get update
sudo apt-get install qemu-user-static libxml2-utils cryptsetup libftdi-dev openssh-server
- Set up L4T
mkdir ~/nvidia
cd ~/nvidia
#download l4t
wget https://developer.nvidia.com/embedded/l4t/r32_release_v5.1/r32_release_v5.1/t186/tegra186_linux_r32.5.1_aarch64.tbz2
# download rootfs
wget https://developer.nvidia.com/embedded/l4t/r32_release_v5.1/r32_release_v5.1/t186/tegra_linux_sample-root-filesystem_r32.5.1_aarch64.tbz2
# download secureboot packages
wget https://developer.nvidia.com/embedded/L4T/r32_Release_v5.0/T186/secureboot_R32.5.0_aarch64.tbz2
tar xf tegra186_linux_r32.5.1_aarch64.tbz2
tar xvjf secureboot_R32.5.0_aarch64.tbz2
cd ./Linux_for_Tegra/rootfs/
sudo tar xpf ../../tegra_linux_sample-root-filesystem_r32.5.1_aarch64.tbz2
cd ..
sudo ./apply_binaries.sh
- Generate keys using openssl
For example, openssl genrsa -out rsa_priv.pem 3072
- Fuse device
sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./odmfuse.sh -p -i 0x19 -k $XAVIER_KEYS/rsa_priv.pem --KEK2 $XAVIER_KEYS/KEK2 -S $XAVIER_KEYS/SBK jetson-xavier-nx-devkit-emmc
- Flash device
sudo BOARDID=3668 BOARDSKU=0001 BOARDREV=H.0 ./flash.sh --no-flash --sign -u $XAVIER_KEYS/rsa_priv.pem -v $XAVIER_KEYS/SBK jetson-xavier-nx-devkit-emmc mmcblk0p1
cd bootloader
sudo bash ./flashcmd.txt
The above steps successfully enabled the secure boot option and flashed the device. Now when we try to enable disk encryption, the device does not boot.
We followed the following steps on the same device.
- Used keys (generated using openssl)
➜ ~ cat $XAVIER_KEYS/KEK2
3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5
➜ ~ cat $XAVIER_KEYS/SBK
0xcxxxxxx3 0xdxxxxxx5 0x2xxxxxx1 0x4xxxxxx9
➜ ~ cat $XAVIER_KEYS/iv_hex_file
bad66eb4484983684b992fe54a648bb8
➜ ~ cat $XAVIER_KEYS/usr_eks.key
bxxxxxx5dxxxxxx2dxxxxxx0cxxxxxx2
➜ ~ cat $XAVIER_KEYS/usr_flash.key
0xbxxxxxx5 0xdxxxxxx2 0xdxxxxxx0 0xcxxxxxx2
➜ ~ cat $XAVIER_KEYS/ekb.key
dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1
- Generate the EKS blob and replace the existing eks.img
➜ ~ python3 gen_ekb.py -kek2_key $XAVIER_KEYS/KEK2 -fv $XAVIER_KEYS/iv_hex_file -in_sym_key $XAVIER_KEYS/usr_eks.key -in_sym_key2 $XAVIER_KEYS/ekb.key -out eks.img
➜ ~ cp eks.img ../../../../../../../../Linux_for_Tegra/bootloader/
- Update the partition table in bootloader/t186ref/cfg/flash_l4t_t194_spi_emmc_p3668.xml
<partition name="APP" type="data">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> 104857600 </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x8 </allocation_attribute>
<percent_reserved> 0 </percent_reserved>
<align_boundary> 4096 </align_boundary>
<unique_guid> APPUUID </unique_guid>
<filename> system_boot.img </filename>
<description> **Required.** Contains the boot partition. This partition must be defined
after `primary_GPT` so that it can be accessed as the fixed known special device
`/dev/mmcblk0p1`. </description>
</partition>
<partition name="APP_ENC" type="data" encrypted="true">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> APP_ENC_SIZE </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x8 </allocation_attribute>
<percent_reserved> 0 </percent_reserved>
<align_boundary> 4096 </align_boundary>
<unique_guid> APP_ENC_UUID </unique_guid>
<filename> system_root_encrypted.img </filename>
<description> **Required.** Contains the encrypted root partition("/"). </description>
</partition>
- Update the board config file jetson-xavier-nx-devkit-emmc.conf
source "${LDK_DIR}/p3668.conf.common";
disk_enc_enable=1;
EMMC_CFG=flash_l4t_t194_spi_emmc_p3668.xml;
EMMCSIZE=17179869184;
- Run the flash script
➜ ~ sudo ROOTFS_ENC=1 BOARDID=3668 BOARDSKU=0001 BOARDREV=H.0 ./flash.sh --sign -u $XAVIER_KEYS/rsa_priv.pem -v $XAVIER_KEYS/SBK -i $XAVIER_KEYS/ekb.key --user_key $XAVIER_KEYS/usr_flash.key jetson-xavier-nx-devkit-emmc mmcblk0p1
There is no error when flashing the device, but the device cannot boot after flashing. It always shows a blank screen with the NVIDIA logo.
Here are the console logs of the flash command:
Console log of flash with disk encryption command.txt (115.5 KB)
Here are the serial port boot logs:
Boot logs from serial port.txt (25.8 KB)
Please help us figure out this long-standing issue. Thanks in advance.
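A pre-flash sanity check over the inputs listed above, added here as an example (it is not part of the original post and not NVIDIA's tooling). The expected key shapes are assumptions read off the masked values in the post rather than a documented spec, and the file paths are the ones the post uses:

```shell
#!/bin/sh
# Pre-flash sanity check for the disk-encryption inputs listed in the post (added example, not NVIDIA's tooling).
# Expected shapes are assumptions read off the masked values shown above, not a documented spec:
# 32 hex chars for KEK2/IV/EKS keys, four 0x-prefixed 32-bit words for SBK and the user flash key.

# 32 hex characters: KEK2, iv_hex_file, usr_eks.key, ekb.key
check_hex32() { tr -d ' \n\r' 2>/dev/null < "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }

# four 0x-prefixed 32-bit words: SBK, usr_flash.key
check_words4() {
  tr -s ' \n\r\t' ' ' 2>/dev/null < "$1" | sed 's/^ //; s/ $//' \
    | grep -Eq '^(0x[0-9a-fA-F]{8} ){3}0x[0-9a-fA-F]{8}$'
}

# partition layout must declare APP_ENC as encrypted; board config must enable disk encryption;
# the regenerated eks.img must really be in Linux_for_Tegra/bootloader (the cp above used a long ../ path)
check_layout()     { grep -q 'name="APP_ENC" type="data" encrypted="true"' "$1"; }
check_board_conf() { grep -Eq '^disk_enc_enable=1;?$' "$1"; }
check_eks()        { [ -s "$1/bootloader/eks.img" ]; }

# KEYS = key directory ($XAVIER_KEYS), L4T = Linux_for_Tegra; prints each failure, returns 1 on any
preflight() {
  KEYS=$1; L4T=$2; rc=0
  for f in KEK2 iv_hex_file usr_eks.key ekb.key; do
    check_hex32 "$KEYS/$f" || { echo "bad 32-hex key file: $f"; rc=1; }
  done
  for f in SBK usr_flash.key; do
    check_words4 "$KEYS/$f" || { echo "bad 4-word key file: $f"; rc=1; }
  done
  check_layout "$L4T/bootloader/t186ref/cfg/flash_l4t_t194_spi_emmc_p3668.xml" \
    || { echo "APP_ENC is not marked encrypted in the layout"; rc=1; }
  check_board_conf "$L4T/jetson-xavier-nx-devkit-emmc.conf" \
    || { echo "disk_enc_enable=1 missing from board config"; rc=1; }
  check_eks "$L4T" || { echo "eks.img missing or empty in bootloader/"; rc=1; }
  return $rc
}

# Constructed sample tree with dummy values (not real keys) so the script runs stand-alone.
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/keys" "$d/l4t/bootloader/t186ref/cfg"
  for f in KEK2 iv_hex_file usr_eks.key ekb.key; do echo 00112233445566778899aabbccddeeff > "$d/keys/$f"; done
  for f in SBK usr_flash.key; do echo '0x00112233 0x44556677 0x8899aabb 0xccddeeff' > "$d/keys/$f"; done
  echo '<partition name="APP_ENC" type="data" encrypted="true">' \
    > "$d/l4t/bootloader/t186ref/cfg/flash_l4t_t194_spi_emmc_p3668.xml"
  printf 'source "${LDK_DIR}/p3668.conf.common";\ndisk_enc_enable=1;\n' > "$d/l4t/jetson-xavier-nx-devkit-emmc.conf"
  echo dummy-eks-blob > "$d/l4t/bootloader/eks.img"
  echo "$d"
}

S=$(make_sample); if preflight "$S/keys" "$S/l4t"; then echo "preflight OK"; else echo "preflight FAILED"; fi
```

Run it as `preflight "$XAVIER_KEYS" ~/nvidia/Linux_for_Tegra` before the final flash.sh invocation; a silent pass with an unbootable board afterwards points at the serial log rather than the inputs.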