Hi,
Do we have any default procedure that I can follow to encrypt the root filesystem on Jetson Orin Nano? I also understand that we have fTPM support; how can I enable fTPM? For fTPM to work, do we need to enable secure boot as well?
Thanks for sharing link. We are using devkit.
I understand that to enable just disk encryption we may need to enable LUKS/cryptsetup; do we also need fTPM and UEFI secure boot for disk encryption? Please correct me if my understanding is wrong.
Please refer to the developer guide, Disk Encryption section, for details.
You may also see $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt, [Workflow 10], for steps.
Here are sample steps to enable ROOTFS_ENC on Orin NX.
Note: please install the cryptsetup utility on your host machine; it is a necessary tool to create the encrypted rootfs for image flashing.
For instance: $ sudo apt-get install cryptsetup
Here are our test steps for your reference:
(1) Generate images for QSPI.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
(2) Generate the disk encryption key.
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
(3) Generate images for the external storage device.
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
(4) Flash the images into both storage devices.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
After that, you can run df -h for verification once flashing completes and the system has booted up.
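As an added example that is not from this thread or from NVIDIA's flashing tools, the helpers below cover two points around the steps above: producing an ekb.key from /dev/urandom instead of a fixed string, checking that the key has the same 32-hex-character form as the sample, and, after boot, checking that "/" actually sits on a dm-crypt device rather than a plain partition. The key length is assumed from the sample on the page, the lsblk column order is assumed, and the sample lsblk output (including the crypt_root mapper name) is constructed for the test.

```shell
#!/bin/sh
# Added example (not NVIDIA's code). Assumptions: a 16-byte key written as
# 32 hex characters, as in the sample on the page, and lsblk invoked as
# "lsblk -o NAME,TYPE,MOUNTPOINT" so that TYPE and MOUNTPOINT are the last
# two fields of each line (tree-drawing characters in NAME do not matter).

# Emit a 16-byte random key as 32 lowercase hex characters (no newline).
gen_ebk_key_unused() { :; }
gen_ekb_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the argument is exactly 32 hex characters, 1 otherwise.
validate_ekb_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Read lsblk text on stdin; return 0 only if the device mounted at "/"
# has TYPE "crypt" (a dm-crypt/LUKS mapping), 1 otherwise.
root_is_luks() {
    awk '$NF == "/" { found = 1; if ($(NF-1) == "crypt") ok = 1 }
         END { exit (found && ok) ? 0 : 1 }'
}

# Constructed sample output: encrypted root on NVMe behind a LUKS mapping.
ENC_SAMPLE='NAME              TYPE  MOUNTPOINT
nvme0n1           disk
├─nvme0n1p1       part
│ └─crypt_root    crypt /
└─nvme0n1p2       part  /boot'

# Constructed sample output: root mounted directly on a plain partition.
PLAIN_SAMPLE='NAME              TYPE  MOUNTPOINT
nvme0n1           disk
└─nvme0n1p1       part  /'

# Usage when run directly: write a fresh key, then check the live system.
if [ "${1:-}" = "--run" ]; then
    gen_ekb_key > ekb.key
    validate_ekb_key "$(cat ekb.key)" || { echo "bad key format"; exit 1; }
    lsblk -o NAME,TYPE,MOUNTPOINT | root_is_luks \
        && echo "root is on a crypt device" \
        || echo "WARNING: root is NOT on a crypt device"
fi
```

Pass the generated ekb.key to step (3) with -i exactly as the sample does; the live check is only meaningful on the Jetson after step (4) and a reboot.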