I have been working extensively with the L4T script in an attempt to encrypt my drive using the Orin Nano from Advantech (MIC-713-ON). Based on the forum’s recommendation, I executed the following commands:
This successfully creates the image without flashing.
Subsequently, I generated a key using:
echo "f0e0d0c0b0a001020304050607080900" > ekb.key
However, I encountered an issue with the following command:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -p "-i ./ekb.key" -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_emc.xml --external-only --append --network usb0 p3509-a02+p3767-0000 external
I also attempted the command specified in the official documentation:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB p3509-a02+p3767-0000 external
The logs suggest that the image cannot be located.
I am keen to understand whether I might be overlooking key elements of this process. I’ve found the available documentation to be somewhat ambiguous regarding this procedure.
Would it be possible for someone to provide a comprehensive, step-by-step guide on this matter?
Are there any logs for reference? For example, may I know what failure you’ve seen?
BTW, please also read this Setup Preparation section.
You must have the necessary utility installed on your host machine, i.e. $ sudo apt-get install cryptsetup;
it’s the cryptsetup utility that creates the encrypted rootfs for image flashing.
I don’t have the log of this operation. Since I tried the step I showed you in the older post below… I can’t flash my drive. The NVMe M.2 is not recognized.
For the encryption process: do I just install the crypto setup and run the lt4.sh to encrypt my drive? Or do I have other steps to proceed with?
Can you certify that the commands I input in my first conversation are good commands?
And can you certify that the disk encryption works correctly with Orin NX and Orin Nano? The two machines are from Advantech: MIC-713-ON and MIC-713-OX.
Hi Jerry. I don’t have the error log for this event. But after I started this command, I got no response from the console for a long time, so I stopped the procedure. Can you tell me if the fuse can be activated by this command and, if that’s the case, how do I roll back from this procedure?
Right now I’m enabled to flash the drive. I formatted the drive (I have a clone of the first drive’s state just in case). I formatted the drive as ext4, but when I flash, /dev/nvme0n1 is not recognized. flash_1-4_0_20231030-160116.log (7.3 KB)
You can watch my log here
As mentioned, the board configuration p3509-a02+p3767-0000 is the developer kit of the Orin SOM on the Xavier NX carrier board.
When I google this… MIC-713-ON, it doesn’t look like a developer kit.
Since it might use a different board configuration, please also contact the vendor to confirm the correct flash command lines and the supported JetPack release version.
Assistance Needed with tegrafuse.sh Script and Encryption Procedure
Dear Jerry,
I hope this message finds you well. I’m reaching out for assistance concerning the encryption procedure we’ve initiated on our board.
Specifically, I’ve been attempting to locate the tegrafuse.sh script, which is essential for analyzing whether the fuses on the board have been activated post-encryption command. Regrettably, this script appears to be missing from my SDK.
For reference, I utilized the following command in my attempt to encrypt the drive:
However, this command froze and did not complete successfully. Unfortunately, I do not possess logs from this procedure. Subsequent to this operation, the nvme drive has become unrecognizable by the SDK’s flashing script.
On a related note, I can confirm that I’m able to flash external drives (such as SD cards and USB drives) using the MIC-713-ON device from Advantech. They have also confirmed that the board number provided is accurate for the execution of this script.
Given the circumstances, I’m keen to determine whether the fuses have been written to. Could you assist by guiding me to the location of the tegrafuse.sh script or suggesting steps to rectify this situation?
Can I test this procedure with the sda (external drive)?
Subsequent to this operation, the nvme drive has become unrecognizable by the SDK’s flashing script.
I booted from an SD card to see if I can see the NVMe, but I haven’t seen it since the operation I described to you in the conversation. Can you provide me guidance on how I can detect this drive again?
And another question (because I need precision in this type of procedure): can you confirm with me whether we need to create the .eks image and the key with the OPTEE example.sh?
I tried to find this tool with no success in my SDK.
It’s located in the kernel_flash/ folder.
If you’re using the JetPack release image, which can be downloaded via SDK Manager,
for instance, $OUT/Linux_for_Tegra/tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml
I finally found the XML template to encrypt the drive. After the commands are entered, it tells me the flash is successful, but when the computer boots … I see the first screen; after that the screen doesn’t shut down and it’s black.
These are the commands:
Generate images for QSPI:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
Generate the key:
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
Generate images for external storage device:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
Flash images into the both storage devices:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
I followed the exact steps you mentioned.
flash_1-3_0_20231106-124310.log (39.3 KB)
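
A host-side preflight check for the three points raised in this thread (cryptsetup installed, the contents of the key file, and the path of the flash config XML), as an added example that is not from any poster or from NVIDIA's tools. It assumes the key file should hold one line of exactly 32 hex digits, as the key shown in the thread does; all function names are hypothetical.

```shell
#!/bin/sh
# Preflight checks to run on the host before generating an encrypted rootfs image.
# Added example; the function names below are hypothetical, not part of L4T.
# Assumption: the key file is one line of 32 hex digits, like the key in this thread.
LC_ALL=C; export LC_ALL   # make the bracket ranges below byte-exact

# check_tool NAME: succeed if NAME is on PATH (the thread requires cryptsetup).
check_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing host utility: $1" >&2; return 1; }
}

# check_key FILE: succeed only if FILE holds exactly 32 hex digits on one line.
check_key() {
    [ -r "$1" ] || { echo "key file not readable: $1" >&2; return 1; }
    key=$(cat "$1")       # command substitution drops the trailing newline
    case "$key" in
        *[!0-9a-fA-F]*)   # catches typographic quotes, spaces and extra lines
            echo "non-hex characters in $1" >&2; return 1 ;;
    esac
    [ "${#key}" -eq 32 ] || { echo "expected 32 hex digits, got ${#key}" >&2; return 1; }
}

# check_config FILE: succeed if the flash config XML passed to -c exists.
check_config() {
    [ -f "$1" ] || { echo "flash config not found: $1" >&2; return 1; }
}

# preflight KEYFILE CONFIG: run every check, report all failures, return 1 if any failed.
preflight() {
    rc=0
    check_tool cryptsetup || rc=1
    check_key "$1" || rc=1
    check_config "$2" || rc=1
    return "$rc"
}

# Usage from the Linux_for_Tegra directory:
#   sh preflight.sh ./ekb.key ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```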