Encrypted File-system support on Jeston Orin-Nano JP 6.0

Robotics & Edge Computing Jetson & Embedded Systems Jetson Orin Nano
1

Hi,
Do we have any default procedure that I can follow to encrypt root-filesystem in jeston orin-nano? I also understand that we do have fTPM support, how can I enable fTPM? For fTPM to work do we need to enable secure boot as well?

Thanks in advance.
Vinayak

3

Hi vinayakk28,

Aer you using the devkit or custom board for Orin Nano?

Please refer to Security — NVIDIA Jetson Linux Developer Guide 1 documentation for the secure feature on Jetson with JP6.0(R36.3.0).

Disk-Encryption: Disk Encryption — NVIDIA Jetson Linux Developer Guide 1 documentation
Secureboot(PKC, SBK): Secure Boot — NVIDIA Jetson Linux Developer Guide 1 documentation
UEFI Secureboot: Secure Boot — NVIDIA Jetson Linux Developer Guide 1 documentation

4

Hi Kevin,

Thanks for sharing link. We are using devkit.
I understand that to enable just Disk encryption we may need to enable LUKS/cryptsetup, do we also need fTPM and uefi secureboot for Disk encryption? Please correct if my understanding is wrong.

5

Hi Kevin,

I am also seeing many forums about Disk encryption is not supported in Orin-Nano Dev-kit, is it correct?

Thanks.

6

hello vinayakk28,

please share your device setups,
for instance, is it internal eMMC, or external NVMe you would like to encrypted?

7

Hi,

We have external NVMe connected to dev-kit and we need to encrypt root file-system or an entire disk if possible.

Thanks.

8

hello vinayakk28,

please refer to developer guide, Disk Encryption section for details.
you may see-also… $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt of [Workflow 10] for steps.

here’re sample steps to enable ROOTFS_ENC on Orin NX.
note, please install cryptsetup utility to your host machine, it’s a necessary tool to create encrypted rootfs for image flashing.
for instance, $ sudo apt-get install cryptsetup

here’re our test steps for your reference,
(1) Generate images for QSPI.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
(2) Generate the disk encryption key.
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
(3) Generate images for external storage device.
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
(4) Flash images into the both storage devices.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

after that,
you may running with df -h for verification after flash complete and system booting up.

$ df -h
/dev/mapper/crypt_root 54G 5.6G 46G 12% /
/dev/mapper/crypt_UDA 374M 14K 350M 1% /mnt/crypt_UDA
/dev/nvme0n1p1 371M 97M 247M 29% /boot
2 Likes
9

Thank for your test steps. Following few other forum’s for reference I was able to enable disk-encryption with JP6.0 r36.3

Below was step I followed:

$ sudo apt-get install python3-cryptography python3-cffi-backend libxml2-utils
$ sudo apt-get install cryptsetup python3-pycryptodome python3-crypto

tar -xvf Jetson_Linux_R36.3.0_aarch64.tbz2 && sudo tar -xvf Tegra_Linux_Sample-Root-Filesystem_R36.3.0_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/ cd Linux_for_Tegra/ && sudo ./apply_binaries.sh

In op-tee source package folder

(1) $ edit vim ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh to edit sym2_t234.key as following. Comment openssl and uncomment echo command
(2) $ echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
(3) $ ./example.sh
(4) $ cp eks_t234.img Linux_for_Tegra/bootloader/.
(5) $ cp sym2_t234.key Linux_for_Tegra/.

In JetPack-6.0 image folder

	1. $ cd Linux_for_Tegra
	2. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \
        --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
        --no-flash jetson-orin-nano-devkit internal
	3. $ sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal  (optional)
	4. $ sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
	5. $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
6. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

o/p:

ubuntu@ubuntu-desktop:~$ df -h
Filesystem              Size  Used Avail Use% Mounted on
/dev/mapper/crypt_root   54G  6.7G   45G  14% /
/dev/mapper/crypt_UDA   356M   24K  329M   1% /mnt/crypt_UDA
tmpfs                   3.8G  120K  3.8G   1% /dev/shm
tmpfs                   1.5G   27M  1.5G   2% /run
tmpfs                   5.0M  4.0K  5.0M   1% /run/lock
/dev/nvme0n1p1          359M   75M  256M  23% /boot
tmpfs                   763M  112K  762M   1% /run/user/1000
1 Like
11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.