Encrypted File-system support on Jeston Orin-Nano JP 6.0

Hi,
Do we have any default procedure that I can follow to encrypt root-filesystem in jeston orin-nano? I also understand that we do have fTPM support, how can I enable fTPM? For fTPM to work do we need to enable secure boot as well?

Thanks in advance.
Vinayak

Hi vinayakk28,

Are you using the devkit or a custom board for Orin Nano?

Please refer to Security — NVIDIA Jetson Linux Developer Guide documentation for the secure feature on Jetson with JP6.0 (R36.3.0).

Disk-Encryption: Disk Encryption — NVIDIA Jetson Linux Developer Guide documentation
Secureboot (PKC, SBK): Secure Boot — NVIDIA Jetson Linux Developer Guide documentation
UEFI Secureboot: Secure Boot — NVIDIA Jetson Linux Developer Guide documentation

Hi Kevin,

Thanks for sharing the link. We are using the devkit.
I understand that to enable just disk encryption we may need to enable LUKS/cryptsetup; do we also need fTPM and UEFI secure boot for disk encryption? Please correct me if my understanding is wrong.

Hi Kevin,

I am also seeing many forum posts saying that disk encryption is not supported on the Orin-Nano dev-kit; is that correct?

Thanks.

hello vinayakk28,

please share your device setup,
for instance, is it the internal eMMC or an external NVMe that you would like to encrypt?

Hi,

We have an external NVMe connected to the dev-kit and we need to encrypt the root file-system, or the entire disk if possible.

Thanks.

hello vinayakk28,

please refer to the developer guide, Disk Encryption section, for details.
you may also see… $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt, [Workflow 10], for steps.

here’re sample steps to enable ROOTFS_ENC on Orin NX.
note, please install the cryptsetup utility on your host machine; it’s a necessary tool to create the encrypted rootfs for image flashing.
for instance, $ sudo apt-get install cryptsetup

here’re our test steps for your reference,
(1) Generate images for QSPI.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
(2) Generate the disk encryption key.
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
(3) Generate images for external storage device.
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
(4) Flash images into the both storage devices.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

after that,
you may run df -h for verification after the flash completes and the system boots up.

$ df -h
/dev/mapper/crypt_root 54G 5.6G 46G 12% /
/dev/mapper/crypt_UDA 374M 14K 350M 1% /mnt/crypt_UDA
/dev/nvme0n1p1 371M 97M 247M 29% /boot
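Two checks that go with the steps above, written as an added example (this is not code from the NVIDIA post or from the Jetson BSP): a key-file check for step (2), and a post-boot check that the mount points reported by `df -h` really sit on dm-crypt mapper devices rather than on the raw NVMe partition. The key-format check assumes the key has the same shape as the post's sample (32 hex characters, i.e. 16 bytes); confirm the expected length against the README_initrd_flash.txt shipped with your BSP. The `df` samples are constructed to match the layout shown in the post; `generate_ekb_key` uses `/dev/urandom` instead of a hand-typed constant. Note that in the post's own output `/boot` stays on the plain `/dev/nvme0n1p1` partition, so the check correctly reports it as PLAINTEXT.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA post. POSIX sh; runs on the host or on the board.

# generate_ekb_key OUTFILE
# Writes a random 16-byte key as 32 lowercase hex characters, the same shape as
# the post's sample key. Assumption: this is the length l4t_initrd_flash.sh -i expects.
generate_ekb_key() {
    outfile=$1
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$outfile"
    printf '\n' >> "$outfile"
    chmod 600 "$outfile"      # the key is the secret that unlocks the rootfs
}

# check_ekb_key_format KEYFILE
# Returns 0 if the first line holds exactly 32 hex characters, 1 otherwise.
check_ekb_key_format() {
    key=$(head -n 1 "$1" | tr -d '\r\n')
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;   # non-hex character present
    esac
    [ "${#key}" -eq 32 ]
}

# verify_encrypted_mounts DF_OUTPUT MOUNTPOINT...
# DF_OUTPUT is the text of `df` (live or captured). Returns 0 only if every listed
# mount point is backed by a /dev/mapper/crypt_* device; prints one line per mount.
verify_encrypted_mounts() {
    df_output=$1
    shift
    rc=0
    for mp in "$@"; do
        # In df output the first field is the source device, the last is the mount point.
        dev=$(printf '%s\n' "$df_output" | awk -v mp="$mp" '$NF == mp { print $1; exit }')
        case "$dev" in
            "")                   echo "NOT MOUNTED: $mp"; rc=1 ;;
            /dev/mapper/crypt_*)  echo "ENCRYPTED:   $mp on $dev" ;;
            *)                    echo "PLAINTEXT:   $mp on $dev"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the layout the post shows after a successful ROOTFS_ENC flash.
SAMPLE_DF_ENC='Filesystem              Size  Used Avail Use% Mounted on
/dev/mapper/crypt_root   54G  5.6G   46G  12% /
/dev/mapper/crypt_UDA   374M   14K  350M   1% /mnt/crypt_UDA
/dev/nvme0n1p1          371M   97M  247M  29% /boot'

# Constructed sample: a board flashed without ROOTFS_ENC, rootfs directly on the NVMe partition.
SAMPLE_DF_PLAIN='Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme0n1p1   54G  5.6G   46G  12% /'

# Live use on the booted board (uncomment there):
# verify_encrypted_mounts "$(df -h)" / /mnt/crypt_UDA
```

`verify_encrypted_mounts "$(df -h)" / /mnt/crypt_UDA` is the check to run once the board is up; a PLAINTEXT line for `/` means the rootfs image was flashed without `ROOTFS_ENC=1` or the wrong flash XML was used, and the disk holds the filesystem in the clear.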