i’m trying to use secure boot + encrypted filesystem on my board.
i started with using the latest 32.6.1 version, and burned the fuses, created the eks.img and flashed the board using:

sudo ./odmfuse.sh -p -i 0x19 -k ./rsa_priv.pem -S ./sbk.txt --KEK2 ./kek2_key.txt jetson-xavier-nx-devkit-emmc

python3 gen_ekb.py -kek2_key kek2_key.txt -fv fv_for_ekb_ek.txt -in_sym_key user_key_for_ekb.txt -in_sym_key2 disk_enc_key.txt -out eks.img

sudo ROOTFS_ENC=1 ./flash.sh -u ./rsa_priv.pem -v ./sbk.txt  -i ./disk_enc_key.txt --user_key ./user_key_for_flash.txt jetson-xavier-nx-devkit-emmc mmcblk0p1

everything worked and i was able to boot and run everything.

I then needed to revert to the 32.5.1 version and tried to do the same process on the same board.
at first the board didn’t boot, I applied the 0001-lib-tegrabl_auth-fix-a-bug-in-decrypting-buffer.patch patch to cboot, compiled and flashed again and the board did boot but i got the following error:

and after I press ok i got on boot:

[ TIME ] Timed out waiting for device .dev.mapper/crypt_UDA.
[DEPEND] Dependency failed for File System Check on /dev/mapper/crypt_UDA.

I tried flashing again without the 'ROOTFS_ENC=1 ’ and everything looked ok, so the problem is with the encrypted filesystem.

the partition config i used is basically ‘flash_l4t_t194_spi_emmc_p3668_enc_rootfs_ab.xml’ with the following changes:

        <partition name="APP" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 104857600 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APPUUID </unique_guid>
            <filename> system_boot.img </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined
              after `primary_GPT` so that it can be accessed as the fixed known special device
              `/dev/mmcblk0p1`. </description>
        </partition>
        <partition name="APP_ENC" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <percent_reserved> 0 </percent_reserved>
            <allocation_attribute> 0x8 </allocation_attribute>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID </unique_guid>
            <filename> system_root_encrypted.img </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>

        <partition name="UDA" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 167772160 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x808 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <filename> system_uda_encrypted.img </filename>
            <description> **Required.** Automatically takes all remaining space on the device except that
              occupied by the `secondary_gpt` partition. Allocation attribute must be set to 0x808.
              May be mounted and used to store user data. </description>
        </partition>

do I need to do anything else? are there any additional steps needed for version 32.5.1?
any help will be greatly appreciated.

hello user91887,

ideally, you should use the latest release package.
may I know what’s the actual use-case for reverting to previous release, r32.5.1?

there is already an existing working project running on 32.5.1 and they want to add an encrypted filesystem to it, but they don’t want the risk of changing to a newer version at this stage of the project.

hello user91887,

please check L4T Archive | NVIDIA Developer page for all release versions,
you should confirm you’re using linux-tegra-r3251 board support package.

yes, i double checked, i’m using the correct 32.5.1 bsp

hello user91887,

please check this see-also thread, Topic 177180.
you should apply the patch for the cboot sources, building cboot_t194.bin and updating cpu-bootloader partition.
the boot partition (“APP”) remains in an unencrypted format, so the bootloader can sill load kernel and device tree blob; the root partition (“APP_ENC”) would be encrypted.
please also review the xml file, i.e. flash_t194_sdmmc_enc_rfs.xml to examine the allocated size, you may modify it manually regards to your storage size.
thanks

I applied the patch (before that the boot didn’t even get to the nvidia logo).
as for the sizes in the xml file, in the 32.6.1 version there was already a flash_l4t_t194_spi_emmc_p3668_enc_rootfs_ab.xml file that i used, it doesn’t exist in the 32.5.1 version, so i started with the flash_l4t_t194_spi_emmc_p3668_rootfs_ab.xml file that was there and just changed the APP, APP_ENC, UDA partitions as I mentioned above.
are the sizes I used correct? I checked and the sizes are bigger than the bin files, is there a specific size that is required? the sizes in flash_t194_sdmmc_enc_rfs.xml that you mentioned are different than the ones in the emmc files (as for the sizes of the binaries, i’m currently using all the files downloaded from the nvidia site as is including the sample filesystem)

hello user91887,

I’ve check internally and there indeed some disk encryption bug fixes.
since you’ve test r32.6.1 and it works as expect, could you please OTA the target for moving to the latest release?
Over-The-Air (OTA) update will keep your user data.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.