Encountering Issue with Disk Encryption Setup on Jetson Orin NX 16GB

Hello fellow Jetson enthusiasts,

I am working on setting up disk encryption on my NVIDIA Jetson device and have run into an issue during the process. Below are the detailed steps I took. I hope someone can help me pinpoint where things might be going wrong or suggest what steps to take next.

  1. Stopped udisks2 services.
  2. Disabled USB autosuspend: echo -1 | sudo tee /sys/module/usbcore/parameters/autosuspend > /dev/null
  3. Disabled UFW (Uncomplicated Firewall).
  4. Installed necessary packages: dislocker, cryptsetup, libcryptsetup-dev, libcryptsetup12, cryptmount, overlayroot, qemu-user-static.
  5. Extracted public source into the source/ directory.
  6. Extracted optee package versions earlier than 5.1.2.
  7. Modified the sample.sh script to use openssl for generating sym2_t234.key for disk encryption.
  8. Executed the modified sample.sh script.
  9. Deleted existing eks_t234.img in the bootloader folder.
  10. Copied the newly generated eks_t234.img from sample.sh to the bootloader folder.
  11. Copied sym2_t234.key to the Linux_for_Tegra folder.
  12. Updated the rootfs size in Linux_for_Tegra/p3767.conf.common.
  13. Put my device into recovery mode.
  14. Ran sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" p3509-a02+p3767-0000 mmcblk0p1.
  15. Executed sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" p3509-a02+p3767-0000 internal.
  16. Copied ./bootloader/eks_t234_sigheader.img.encrypt to ./tools/kernel_flash/images/internal/.
  17. Ran sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --append --network usb0 p3509-a02+p3767-0000 external.
  18. Executed sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs.
  19. Re-entered recovery mode.
  20. Ran final flash command: sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only.

After completing these steps, I am unable to boot the device or there are encryption-related errors (please specify the exact error or issue if possible). Has anyone encountered similar issues, or does anyone see a potential misstep in the process that I might have overlooked?

Do I need to use the python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py -chip t234 -oem_k2_key kek_optee.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img command?

Any insights or suggestions would be greatly appreciated!

Thank you in advance

hello apa,

may I confirm the Jetpack release version you’re working with?
did you use the identical optee package versions?

BTW,
please see-also Topic 284400 to re-generate a new EKS image.

Hi Jerry,

I’ve been working with the 5.1.2 version provided by Advantech for the Orin NX 16G - MIC-713 + the public_sources package versions 5.1.2. As I mentioned in my last update, I successfully connected to the device via SSH after following the steps outlined. The successful connection required running the l4t_create_default_user.sh script and modifying the sudoer file to enhance access permissions for SSH connections. This was necessary because the device’s screen remains black upon booting, although it is powered on.

After reconfiguring and reflashing, the screen issue was resolved, and a warning about excessive permissions for the main user was displayed. I acknowledge this setup might be unconventional. Once connected, everything functions well, except that the PCI Express card on the board is not detected, prompting a need for a different approach.

Regarding your question about the eks_t234_sigheader.img.encrypt image: If it’s encrypted with the standard EKB key (f0e0d0c0b0a001020304050607080900), I can encrypt the device’s disk. However, altering the encryption process affects the image, leading to conflicts.

Here are the steps I followed to establish the SSH connection:

  1. Stopped the udisks2 services.
  2. Disabled USB autosuspend using: echo -1 | sudo tee /sys/module/usbcore/parameters/autosuspend > /dev/null.
  3. Disabled the UFW (Uncomplicated Firewall).
  4. Installed the following necessary packages: dislocker, cryptsetup, libcryptsetup-dev, libcryptsetup12, cryptmount, overlayroot, qemu-user-static.
  5. Extracted the public source into the source/ directory.
  6. Extracted optee package versions 5.1.2.
  7. Modified the sample.sh script to utilize openssl for generating sym2_t234.key for disk encryption.
  8. Executed the modified sample.sh script.
  9. Removed the existing eks_t234.img in the bootloader folder.
  10. Copied the newly generated eks_t234.img from sample.sh to the bootloader folder.
  11. Transferred sym2_t234.key to the Linux_for_Tegra folder.
  12. Updated the rootfs size in Linux_for_Tegra/p3767.conf.common.
  13. Used the new command: sudo tools/l4t_create_default_user.sh -u user -p password -a -n desktop --accept-license.
  14. Placed the device into recovery mode.
  15. Executed sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" p3509-a02+p3767-0000 internal.
  16. Ran sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" p3509-a02+p3767-0000 internal.
  17. Moved ./bootloader/eks_t234_sigheader.img.encrypt to ./tools/kernel_flash/images/internal/.
  18. Executed sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --append --network usb0 p3509-a02+p3767-0000 external.
  19. Ran the final flash command: sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only.

I would appreciate your input on whether a custom board can reliably use the eks_t234_sigheader.img.encrypt image under these conditions. Your advice on potentially resolving the PCI Express card detection issue would also be invaluable.

Best regards,

hello apa,

it does look like the EKS image with your customized key did not update correctly.

here’re a couple of suggestions.
(1) there are 4 magic bytes at the beginning of the EKS image, they are: “EEKB”; if these 4 bytes are wrong, you will see an "eks image not correct" failure.
hence,
please also have a check after your step-10 with… $ hexdump -C -n 4 -s 0x24 eks_t234.img

(2) the step-16,17 to sign/encrypt EKS image should be unnecessary for JP-5.1.2 now.
you may run l4t_initrd_flash to generate images for the external storage device, and assign keys to flash the target directly.
for instance,
$ echo "XXXXXX" > ekb.key
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

please also share the complete boot logs for reference,
thanks
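The hexdump check suggested above, turned into a pre-flight script that can be run after step 10 before flashing (an added example, not from this thread or from NVIDIA's tools). It assumes, as the post states, that the "EEKB" magic sits at offset 0x24, and it additionally confirms that the copy in the bootloader folder is byte-identical to the freshly generated image, which is the "image did not update correctly" failure the diagnosis points at. The function names and the sample images built in a temp directory are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for an EKS image before running flash.sh.
# Assumption (from the thread): the 4 magic bytes "EEKB" are at offset 0x24 (36).

# Return 0 if the file carries the "EEKB" magic at offset 0x24, 1 otherwise.
eks_magic_ok() {
    img="$1"
    [ -r "$img" ] || return 1
    magic=$(dd if="$img" bs=1 skip=36 count=4 2>/dev/null | tr -d '\0')
    [ "$magic" = "EEKB" ]
}

# Return 0 if the generated image and the bootloader copy are byte-identical,
# i.e. the copy step really replaced the stale eks_t234.img.
eks_copy_matches() {
    cmp -s "$1" "$2"
}

# Combined check: magic present in the generated image and bootloader copy current.
# Exit status 0 = ok, 1 = bad magic, 2 = stale/different bootloader copy.
eks_preflight() {
    gen="$1"; boot="$2"
    if ! eks_magic_ok "$gen"; then
        echo "FAIL: $gen lacks EEKB magic at 0x24" >&2
        return 1
    fi
    if ! eks_copy_matches "$gen" "$boot"; then
        echo "FAIL: $boot differs from $gen (stale copy?)" >&2
        return 2
    fi
    echo "OK: $boot carries EEKB magic and matches $gen"
}

# Constructed sample files so the script runs stand-alone (not real EKS blobs):
# 36 bytes of zero padding, then the 4 "magic" bytes, then a dummy payload.
make_sample() {
    { head -c 36 /dev/zero; printf '%s' "$2"; printf 'payload'; } > "$1"
}
tmpd=$(mktemp -d)
make_sample "$tmpd/eks_new.img" EEKB     # freshly generated image
cp "$tmpd/eks_new.img" "$tmpd/eks_boot.img"   # correctly copied to bootloader/
make_sample "$tmpd/eks_bad.img" XXXX     # image with wrong magic

eks_preflight "$tmpd/eks_new.img" "$tmpd/eks_boot.img"
```

On a real tree the call would be `eks_preflight path/to/generated/eks_t234.img Linux_for_Tegra/bootloader/eks_t234.img`.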

This is the result of hexdump -C -n 4 -s 0x24 eks_t234.img

00000024  45 45 4b 42      |EEKB|
00000028

Are you telling me to redo the ekb.key even if I do these steps:
  7. Executed the modified sample.sh script.
  8. Removed the existing eks_t234.img in the bootloader folder.
  9. Copied the newly generated eks_t234.img from sample.sh to the bootloader folder.
  10. Transferred sym2_t234.key to the Linux_for_Tegra folder.
Can you give me more precision on the necessary step to achieve disk encryption with a custom key?

If I follow your logic:

  1. Stopped the udisks2 services.
  2. Disabled USB autosuspend using: echo -1 | sudo tee /sys/module/usbcore/parameters/autosuspend > /dev/null.
  3. Disabled the UFW (Uncomplicated Firewall).
  4. Installed the following necessary packages: dislocker, cryptsetup, libcryptsetup-dev, libcryptsetup12, cryptmount, overlayroot, qemu-user-static.
  5. Extracted the public source into the source/ directory.
  6. Extracted optee package versions 5.1.2.
  7. Modified the sample.sh script to utilize openssl for generating sym2_t234.key for disk encryption.
  8. Executed the modified sample.sh script.
  9. Removed the existing eks_t234.img in the bootloader folder.
  10. Copied the newly generated eks_t234.img from sample.sh to the bootloader folder.
  11. Transferred sym2_t234.key to the Linux_for_Tegra folder.
  12. Updated the rootfs size in Linux_for_Tegra/p3767.conf.common.
  13. Used the new command: sudo tools/l4t_create_default_user.sh -u user -p password -a -n desktop --accept-license.
  14. Placed the device into recovery mode.
  15. Executed sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" p3509-a02+p3767-0000 internal.
  16. echo "XXXXXX" > ekb.key
  17. Executed sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --append --network usb0 p3509-a02+p3767-0000 external.
  18. Ran the final flash command: sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only.

So what is the point of using sample.sh?

hello apa,

first of all, we’ve checked disk encryption with a custom key worked normally.
you may see-also Topic 270934 for reference.

your steps look correct, please share the complete UART logs if there’s a booting failure.

Everything works fine now! Thanks for your support!

