I read the manual and followed all the instructions from this post
This is my series of commands that I use based on the above post, with the only difference being the target board is cti/orin-nx/hadron/base which is defined by the CTI BSP.
# Generate the keys
cd gen_ekb/
./example.sh
# Copy the keys into Linux_for_tegra
cd ../Linux_for_Tegra
cp ../gen_ekb/sym2_t234.key ./sym2_t234.key
rm ./bootloader/eks_t234.img
cp ../gen_ekb/eks_t234.img ./bootloader/eks_t234.img
# Generate a new sign/encrypt file (`eks_t234_sigheader.img.encrypt`)
sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" cti/orin-nx/hadron/base nvme0n1p1
# Generate images for QSPI
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 cti/orin-nx/hadron/base internal
# Generate images for external storage device
sudo cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nx/hadron/base external
# Flash the encrypted EKS
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
# Flash all images into both storage devices
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs --flash-only
The above failure is usually caused by an incorrect EKS image having been applied.
You may refer to jetson-linux-archive; please double-check you're using the same public release version.
Please review the steps as mentioned by example.sh to re-generate the EKS image,
for instance, $public_sources/r36.4.0/Linux_for_Tegra/source/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh
Please check you've updated the EKS image, eks_t234.img, accordingly. You may also see Topic 270934 for steps to update the EKS image.
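A pre-flash sanity check for the command sequence and the "incorrect EKS image" failure discussed above. This is an added example written for this thread, not part of the L4T BSP or of example.sh; the key sizes it assumes (32 bytes for OEM_K1 and the kernel key, 16 bytes for the disk-encryption and UEFI keys, all stored as hex) are taken from the example.sh posted above, and the demo inputs are constructed values, not real keys.

```shell
#!/bin/sh
# Added example: validate the gen_ekb key files and confirm that the eks_t234.img
# copied into bootloader/ (and tools/kernel_flash/images/internal/) is the freshly
# generated one. Assumed key sizes come from example.sh; demo inputs are constructed.
# check_key_hex FILE NBYTES: FILE must hold exactly 2*NBYTES hex digits
# (trailing newline tolerated). Prints a reason and returns 1 otherwise.
check_key_hex() {
    file=$1; want=$(($2 * 2))
    [ -r "$file" ] || { echo "missing key file: $file"; return 1; }
    hex=$(tr -d '\r\n' < "$file")
    [ ${#hex} -eq "$want" ] || { echo "$file: expected $want hex chars, got ${#hex}"; return 1; }
    case $hex in *[!0-9a-fA-F]*) echo "$file: non-hex characters"; return 1;; esac
}
# is_zero_key FILE: true when FILE holds the all-zero placeholder from example.sh.
# Acceptable as OEM_K1 for an unfused board, never as a production key.
is_zero_key() {
    case $(tr -d '\r\n' < "$1") in *[!0]*) return 1;; *) return 0;; esac
}
# check_ekb_inputs DIR: validate the four key files gen_ekb.py consumes.
check_ekb_inputs() {
    check_key_hex "$1/oem_k1.key" 32 && check_key_hex "$1/sym_t234.key" 32 &&
    check_key_hex "$1/sym2_t234.key" 16 && check_key_hex "$1/auth_t234.key" 16
}
# check_same_image SRC DST: the copied EKS image must be byte-identical to the
# one gen_ekb produced; a stale copy is the failure described in the thread.
check_same_image() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "missing image: $1 or $2"; return 1; }
    cmp -s "$1" "$2" && return 0
    echo "$2 differs from $1: stale EKS image?"; return 1
}
# make_demo_dir: constructed inputs (fixed hex strings, not real keys) in a temp dir.
make_demo_dir() {
    d=$(mktemp -d)
    echo 0000000000000000000000000000000000000000000000000000000000000000 > "$d/oem_k1.key"
    echo 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef > "$d/sym_t234.key"
    echo 0123456789abcdef0123456789abcdef > "$d/sym2_t234.key"
    echo fedcba9876543210fedcba9876543210 > "$d/auth_t234.key"
    printf 'EKS-IMAGE-NEW' > "$d/eks_t234.img"
    printf 'EKS-IMAGE-OLD' > "$d/eks_stale.img"
    echo "$d"
}
# Demo run on the constructed inputs; real use passes gen_ekb/ and the two copies.
D=$(make_demo_dir)
check_ekb_inputs "$D" && echo "key files OK"
is_zero_key "$D/oem_k1.key" && echo "note: oem_k1.key is the all-zero test value"
check_same_image "$D/eks_t234.img" "$D/eks_stale.img" || echo "stale copy detected"
```

For a real tree, run `check_ekb_inputs gen_ekb` and then `check_same_image gen_ekb/eks_t234.img Linux_for_Tegra/bootloader/eks_t234.img` (and the same against the copy under tools/kernel_flash/images/internal/) before the flash steps.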
I have gone through and updated my example.sh to use openssl to generate random keys. I only ran it once and am reusing the .key and .img files for all my attempts.
#!/bin/bash
# [T234 example]
# Fill your OEM_K1 fuse key value
openssl rand -rand /dev/urandom -hex 32 > oem_k1.key
# echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key
# Generate user-defined symmetric key files
# A randomly generated key is recommended for production, and a specified key is recommended for testing
# For each key, there are reference examples for generating random key and specifying keys.
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key # kernel/kernel-dtb encryption key
# echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key # disk encryption key
# echo "00000000000000000000000000000000" > sym2_t234.key
openssl rand -rand /dev/urandom -hex 16 > auth_t234.key # uefi variables authentication key
# echo "00000000000000000000000000000000" > auth_t234.key
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
-in_sym_key sym_t234.key \
-in_sym_key2 sym2_t234.key \
-in_auth_key auth_t234.key \
-out eks_t234.img
Oh! I didn’t realize that it’s a separate operation. Thanks for pointing that out.
I am struggling to find documentation about how to fuse the Jetson Orin. This document refers to a "Using the Fuse Burning Toolkit for T234". I can't find the document.
Is odmfuse.sh still the tool to use? Is OEM_K1 the only fuse needed for just Disk Encryption (no need for secure boot)?
You may enable disk encryption without SecureBoot (i.e. fuse burning).
Please be aware that fuse burning operations are high-risk because they cannot be reversed.
So,
please refer to example.sh and update only the keys you've applied to re-generate the EKS image.
OK. Thanks @JerryChang ! I think I understand now.
I can run a Jetson Orin with Disk Encryption enabled in two ways.
Fuse the board (and enable secure boot), then use the oem_k1.key used for fusing in example.sh and a custom sym2_t234.key to create an eks_t234.img and flash it using the steps above.
OR
Don't fuse the board (no secure boot), and use the default oem_k1.key ( 000... ) and a custom sym2_t234.key to create an eks_t234.img and flash it using the steps above.