Encryption with the Orin NX and Orin Nano

Greetings,

I have been working extensively with the L4T script in an attempt to encrypt my drive using the Orin Nano from Advantech (MIC-713-ON). Based on the forum’s recommendation, I executed the following commands:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 p3509-a02+p3767-0000 internal

This successfully creates the image without flashing.

Subsequently, I generated a key using:
echo "f0e0d0c0b0a001020304050607080900" > ekb.key

However, I encountered an issue with the following command:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -p "-i ./ekb.key" -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_emc.xml --external-only --append --network usb0 p3509-a02+p3767-0000 external

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

I also attempted the command specified in the official documentation:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB \
  p3509-a02+p3767-0000 external

The logs suggest that the image cannot be located.

I am keen to understand whether I might be overlooking key elements of this process. I’ve found the available documentation to be somewhat ambiguous regarding this procedure.

Would it be possible for someone to provide a comprehensive, step-by-step guide on this matter?

Thank you in advance for your assistance.

hello apa,

are there any logs for reference? for example, may I know what failure you’ve seen.

BTW, please also read this Setup Preparation section.
you must have the necessary utility installed on your host machine, i.e. $ sudo apt-get install cryptsetup;
it’s the cryptsetup utility that creates the encrypted rootfs for image flashing.

I don’t have the log of this operation. Since I tried the steps I showed you in the older post below… I can’t flash my drive. The NVMe M.2 is not recognized.

For the encryption process: do I just install cryptsetup and run the L4T .sh script to encrypt my drive? Or are there other steps to follow?

Can you confirm for me that the commands I entered in my first message are the correct commands?
And can you confirm with me that disk encryption works correctly with the Orin NX and Orin Nano? The two machines are from Advantech: MIC-713-ON and MIC-713-OX.

Thanks in advance

may I know what error logs you’ve seen.

Hi Jerry. I don’t have the error log for this event. But after I started this command, I got no response from the console for a long time, so I stopped the procedure. Can you tell me if the fuses can be activated by this command and, if that is the case, how do I roll back from this procedure?

Here is my last log from when I tried to flash the drive.
flash_1-4_0_20231030-074457.log (28.7 KB)

hello apa,

may I double-confirm the platform you’re using.

this is the board configuration for Orin Nano on the Xavier NX carrier board.

besides,
is this related to ROOTFS_ENC=1 only?
are you able to flash the image correctly without disk encryption?

Right now I’m enabled to flash the drive. I formatted the drive (I made a clone of the first drive’s state just in case); I formatted the drive in ext4, but when I flash, /dev/nvme0n1 is not recognized.
flash_1-4_0_20231030-160116.log (7.3 KB)
You can watch my log here

hello apa,

as mentioned, the board configuration p3509-a02+p3767-0000 is the developer kit of the Orin SOM on the Xavier NX carrier board.
when I google this… MIC-713-ON doesn’t look like a developer kit.

since it might use a different board configuration, please also contact the vendor to confirm the correct flash command-lines, and also the supported JetPack release version.

Assistance Needed with tegrafuse.sh Script and Encryption Procedure

Dear Jerry,

I hope this message finds you well. I’m reaching out for assistance concerning the encryption procedure we’ve initiated on our board.

Specifically, I’ve been attempting to locate the tegrafuse.sh script, which is essential for analyzing whether the fuses on the board have been activated post-encryption command. Regrettably, this script appears to be missing from my SDK.

For reference, I utilized the following command in my attempt to encrypt the drive:

cd Linux_for_Tegra
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB \
  p3509-a02+p3767-0000

However, this command froze and did not complete successfully. Unfortunately, I do not possess logs from this procedure. Subsequent to this operation, the NVMe drive has become unrecognizable by the SDK’s flashing script.

On a related note, I can confirm that I’m able to flash external drives (such as SD cards and USB drives) using the MIC-713-ON device from Advantech. They have also confirmed that the board number provided is accurate for the execution of this script.

Given the circumstances, I’m keen to determine whether the fuses have been written to. Could you assist by guiding me to the location of the tegrafuse.sh script or suggesting steps to rectify this situation?

Your assistance is greatly appreciated.

Warm regards

we’ve tested again locally to confirm disk encryption is working.
here are our test steps for your reference,

  1. Generate images for QSPI:
    $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
  2. Generate the key:
    $ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
  3. Generate images for external storage device:
    $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
  4. Flash images into both storage devices:
    $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
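Most of the failures reported earlier in this thread happened on the host before any flashing took place (cryptsetup not installed, the encryption XML absent from the release, the key file malformed). The following pre-flight script is an added example written for this thread, not NVIDIA's or Advantech's code; it checks those prerequisites for the four steps above and validates or generates the ekb.key file. It assumes it is run from the Linux_for_Tegra directory (or that L4T_DIR points there), that the key format is the 32-hex-character (16-byte) form of the example key in step 2, and that the script and XML paths are the ones quoted in the steps; the function names are the example's own.

```shell
#!/bin/sh
# Added pre-flight checks for the disk-encryption flashing steps above.
# Example written for this thread, not NVIDIA's or Advantech's code.
# Assumptions: run from Linux_for_Tegra (or L4T_DIR set), and the script
# and XML paths are the ones quoted in the thread.

# Return 0 when the argument is exactly 32 hex characters (16 bytes), the
# format of the example key in the steps above; reject anything else.
is_hex_key() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Validate a key file: a single line, hex only, and not the value printed in
# the documentation, which every reader of the docs already knows.
check_key_file() {
    f="$1"
    [ -r "$f" ] || { echo "key file $f not readable" >&2; return 1; }
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -le 1 ] || { echo "$f must hold a single line" >&2; return 1; }
    k=$(tr -d '\r\n' < "$f")
    is_hex_key "$k" || { echo "$f is not 32 hex characters" >&2; return 1; }
    [ "$k" != "f0e0d0c0b0a001020304050607080900" ] ||
        { echo "$f still holds the documentation example key" >&2; return 1; }
    return 0
}

# Write a fresh random 16-byte key in the same format (hex plus newline),
# readable only by the owner, then validate it with check_key_file.
gen_key_file() {
    ( umask 077
      head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1" &&
      echo >> "$1" ) || return 1
    check_key_file "$1"
}

# Host prerequisites named in the thread: cryptsetup installed, the flash
# script reachable, and the T234 NVMe encryption XML present in the release.
# Takes the Linux_for_Tegra directory as an optional argument.
check_host() {
    d="${1:-${L4T_DIR:-.}}"
    rc=0
    command -v cryptsetup >/dev/null 2>&1 ||
        { echo "cryptsetup missing: sudo apt-get install cryptsetup" >&2; rc=1; }
    [ -x "$d/tools/kernel_flash/l4t_initrd_flash.sh" ] ||
        { echo "l4t_initrd_flash.sh not found under $d (run from Linux_for_Tegra)" >&2; rc=1; }
    [ -r "$d/tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml" ] ||
        { echo "flash_l4t_t234_nvme_rootfs_enc.xml not found under $d" >&2; rc=1; }
    return "$rc"
}

# Run the checks only when invoked directly with a key path, e.g.:
#   sh preflight.sh ./ekb.key
if [ "$#" -ge 1 ]; then
    check_host && check_key_file "$1" && echo "pre-flight OK"
fi
```

Run it once before step 3; a failing check_host is exactly the situation the later posts describe (the XML missing from an older release), and check_key_file refuses the documentation's sample key so a device never ships with a key that is public.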

Can I test this procedure with sda (an external drive)?
Subsequent to this operation, the nvme drive has become unrecognizable by the SDK’s flashing script.
I booted from an SD card to see if I could see the NVMe, but I haven’t seen it since the operation I described to you in the conversation. Can you provide me guidance on how I can detect this drive again?

When I try the second command it shows me the utility’s menu. The command is not executed:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

This is what it does when I enter this command:
illegal option.txt (5.0 KB)

I tried this command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -p "-i ./ekb.key" -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

second command.txt (6.6 KB)

None of these commands work flawlessly.

And another question (because I need precision in this type of procedure): can you confirm with me whether we need to create the .eks image and the key with the OPTEE example.sh?

I tried to find this tool with no success in my SDK.

this doesn’t look like a JetPack release image, i.e. MIC-713ON_8G_OrinNano_5.1.1_V1.0.1_SDK

I finally found out that I don’t have the flash_l4t_t234_nvme_rootfs_enc.xml file in my Linux for Tegra folder. Can you confirm with me whether that file is in the new version of Linux for Tegra?

Can someone show me a good XML configuration file for a 128 GB SSD drive that I need to encrypt?

please also check that you have the necessary utility installed on your host machine, i.e. $ sudo apt-get install cryptsetup

Hi Jerry. I can’t find flash_l4t_t234_nvme_rootfs_enc.xml in the L4T script folder.

Can you tell me if that XML has to be created by us, or if it’s an XML template that only exists in the early versions of Linux for Tegra?

hello apa,

it’s located in the kernel_flash/ folder if you’re using the JetPack release image, which can be downloaded via SDK Manager,
for instance, $OUT/Linux_for_Tegra/tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml

I finally found the XML template to encrypt the drive. After the commands are entered it tells me the flash is successful, but when the computer boots… I see the first screen; after that the screen doesn’t shut down and it’s black.
These are the commands:

  1. Generate images for QSPI:
    $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
  2. Generate the key:
    $ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
  3. Generate images for external storage device:
    $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
  4. Flash images into both storage devices:
    $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

I followed the exact steps you mentioned.
flash_1-3_0_20231106-124310.log (39.3 KB)


after that screen it goes black

please gather the bootloader logs for reference.
