Failing with custom keys for encrypting NVME on Jetson Orin Nano

I’m trying to flash an NVME with disk encryption, custom keys and image to the Jetson Nano Orin on the official development board. Using the default keys it is working with the steps below. But when trying with custom keys, the flashing in the last step fails, looking at the UART.

I went through the documentation over and over but don’t see what I’m missing. I also tried to read all related forum threads without success. I tried with fresh environments on real hardware on both Ubuntu 18.04 and 20.04 with the same results. I also tried on two different Jetson Nano Orin boards with the same results.

This workflow is successful with default keys.

sudo apt-get --yes install cryptsetup
sudo -s echo -1 > /sys/module/usbcore/parameters/autosuspend
sudo systemctl stop udisks2

wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/jetson_linux_r35.4.1_aarch64.tbz2
wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs

cd Linux_for_Tegra/
sudo ./apply_binaries.sh

# Connect Jetson Orin and put in RM
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

# Create key 
echo "f0e0d0c0b0a001020304050607080900" > ekb.key

# Reconnect Jetson in RM
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external 

# Reconnect Jetson in RM
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only 

This workflow with custom keys fails to unlock the encrypted device. Error message from UART is below.

sudo apt-get --yes install cryptsetup
pip install cryptography
pip install pycrypto

sudo -s echo -1 > /sys/module/usbcore/parameters/autosuspend
sudo systemctl stop udisks2

wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/jetson_linux_r35.4.1_aarch64.tbz2
wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs

wget https://developer.nvidia.com/embedded/l4t/r35_release_v1.0/sources/public_sources.tbz2
tar -xvf public_sources.tbz2
tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/

cd Linux_for_Tegra/
sudo ./apply_binaries.sh

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/

# Uncomment all the openssl rand lines and comment out the echo "...." > *.key lines underneath them to generate new keys
# Then create the new random keys
./example.sh

# Copy keys and img
cd ../../../../../../../../
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/*.key ./
rm ./bootloader/eks_t234.img
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img bootloader/eks_t234.img

# Plug in Jetson Orin and put in RM
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

# Reconnect Jetson in RM
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

# Reconnect Jetson in RM
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

This is the error message at the end of the last flashing step and also when trying to boot the Jetson Orin. Output from UART

[    9.859583] Run /init as init process
[    9.879927] Root device found: UUID=07f195e2-238d-4665-ae5a-e7039b7d90cb
[    9.944843] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
[    9.958275] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
[   10.313324] mmc1: SDHCI controller on 3400000.sdhci [3400000.sdhci] using ADMA 64-bit
[   13.824229] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   13.833283] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
[   13.843773] CPU: 3 PID: 1 Comm: bash Not tainted 5.10.120-tegra #1
[   13.851223] Hardware name: Unknown NVIDIA Orin Nano Developer Kit/NVIDIA Orin Nano Developer Kit, BIOS 4.1-33958178 08/01/2023
[   13.862943] Call trace:
[   13.865461]  dump_backtrace+0x0/0x1d0
[   13.869219]  show_stack+0x30/0x40
[   13.872630]  dump_stack+0xd8/0x138
[   13.876119]  panic+0x17c/0x384
[   13.879254]  do_exit+0xaa8/0xab0
[   13.882573]  do_group_exit+0x4c/0xb0
[   13.886241]  __arm64_sys_exit_group+0x28/0x30
[   13.890715]  el0_svc_common.constprop.0+0x80/0x1d0
[   13.895641]  do_el0_svc+0x38/0xb0
[   13.899045]  el0_svc+0x1c/0x30
[   13.902177]  el0_sync_handler+0xa8/0xb0
[   13.906128]  el0_sync+0x16c/0x180
[   13.909533] SMP: stopping secondary CPUs
[   13.913767] Kernel Offset: 0x3cfd1d260000 from 0xffff800010000000
[   13.920026] PHYS_OFFSET: 0xffffb12340000000
[   13.924322] CPU features: 0x08040006,4a80aa38
[   13.928797] Memory Limit: none
[   13.931934] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]---

Something is obviously wrong with key and image generation but I fail to find out how to fix it. Has anyone managed to do this successfully and can point me in the right direction?

Looks like an almost identical issue to me:

You got it to work without replacing the img-file? Is it still using a custom key for encryption?

From what I could read in the docs we should replace both the key and the img-file.

Does it work with only a custom key-file?

/S

No, I am working my way towards a custom key. That is the next step for me. I will be keeping an eye on this thread!


please refer to this topic also,

The example linked in your post is using the default key, the same as in my working example above:

echo "f0e0d0c0b0a001020304050607080900" > ekb.key

The question and problem was regarding a custom key. This does not solve the issue, or am I missing something?

you must update the EKS image since you’re using a customized key.
did you replace any keys within example.sh to generate a new eks_t234.img?
for instance, you should keep the others as default, such as oem_k1, fv, sym_t234, and only replace sym2_t234 with your customized key.

after that…
you should also try a partition flash only to update the EKS partition, A_eks.
since it’s a signed/encrypted binary file, you should use a two-step approach: create the image with flash.sh, then run l4t_initrd_flash.sh for a partition update.
for example,
(1) Run the flash script to create eks_t234_sigheader.img.encrypt.
$ sudo ./flash.sh --no-flash -r -k A_eks jetson-agx-orin-devkit mmcblk0p1
(2) Copy the signed/encrypted binary to… $OUT/Linux_for_Tegra/tools/kernel_flash/images/internal/
(3) Execute the command below to update the EKS partition for your Orin NX/Nano.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

I still don’t manage to get it to work.

Running the flash.sh script with modified device and destination yields an error.

Complete steps on host machine:

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs

tar -xvf public_sources.tbz2
tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/

cd Linux_for_Tegra/ && sudo ./apply_binaries.sh

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/

vim example.sh
# #############################
# Replace the last two zeros for "aa" 
# Before:  echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################

./example.sh
cd ../../../../../../../../
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./

sudo ./flash.sh --no-flash -r -k A_eks jetson-orin-nano-devkit internal

This is the error at the end

Existing sosfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/mb1_t234_prod.bin) reused.
Existing tegraboot(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/mb2_t234.bin) reused.
Existing cpu_bootloader(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/mb2_t234.bin) reused.
Existing mb2blfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/mb2_t234.bin) reused.
Existing xusbfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/xusb_t234_prod.bin) reused.
Existing dcefile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/display-t234-dce.bin) reused.
Existing nvdecfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/nvdec_t234_prod.fw) reused.
Existing psc_rf(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/psc_rf_t234_prod.bin) reused.
Existing mb2_rf(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/mb2rf_t234.bin) reused.
Existing mb1file(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/mb1_t234_prod.bin) reused.
Existing bpffile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/bpmp.bin) reused.
copying bpfdtbfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/t186ref/tegra234-bpmp-3701-0005-3737-0000.dtb)... done.
Existing scefile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/camera-rtcpu-sce.img) reused.
Existing camerafw(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/camera-rtcpu-t234-rce.img) reused.
Existing apefile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/adsp-fw.bin) reused.
Existing spefile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/spe_t234.bin) reused.
Existing wb0boot(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/sc7_t234_prod.bin) reused.
Existing tosfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/tos-optee_t234.img) reused.
Existing eksfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/bootloader/eks_t234.img) reused.
copying dtbfile(/home/ubuntu1804/nvidia_boot/Linux_for_Tegra/kernel/dtb/tegra234-p3701-0005-p3737-0000.dtb)... done.
Copying nv_boot_control.conf to rootfs
Reusing existing system.img...
file does not exist.

I’m trying to follow the guide at

hello stefankmfr0,

the failure is because you did not create a system image before.

please see also Flashing Script Usage.
it’s assumed you’ve run flash.sh before and are using the -r option to reuse the system.img on your local host.
besides, please do not revise the board name given to flash.sh; the idea is to use flash.sh to create a signed/encrypted binary file with the AGX Orin flavor.
the 2nd step, using l4t_initrd_flash.sh, is what actually flashes the Orin Nano.

hence…
please try again, removing the -r option to create the system image, and keep using AGX Orin to create the signed/encrypted EKS binary.
for example, $ sudo ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1

Thank you for the reply. But still no success. During boot after flashing it fails to unlock the encrypted device. See UART output below:

This is the process now. If you could please advise on this step by step it would be great.

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/

cd Linux_for_Tegra/ && sudo ./apply_binaries.sh

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh

# #############################
# Replace the last two zeros for "aa" 
# Before:  echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################

./example.sh
cd ../../../../../../../../
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./

# Attach the device to the host in RM mode
sudo ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1

# These dirs do not exist
mkdir tools/kernel_flash/images/ && mkdir tools/kernel_flash/images/internal
cp bootloader/eks_t234* tools/kernel_flash/images/internal

# Reattach the device to the host in RM mode
# Command below not working
#sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
# Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Output from UART:

[   10.387361] mmc1: SDHCI controller on 3400000.sdhci [3400000.sdhci] using ADMA 64-bit
[   13.374912] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   13.383968] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
[   13.394408] CPU: 3 PID: 1 Comm: bash Not tainted 5.10.120-tegra #1
[   13.401819] Hardware name: Unknown NVIDIA Orin Nano Developer Kit/NVIDIA Orin Nano Developer Kit, BIOS 4.1-33958178 08/01/2023
[   13.413571] Call trace:
[   13.416091]  dump_backtrace+0x0/0x1d0
[   13.419862]  show_stack+0x30/0x40
[   13.423269]  dump_stack+0xd8/0x138
[   13.426768]  panic+0x17c/0x384
[   13.429915]  do_exit+0xaa8/0xab0
[   13.433243]  do_group_exit+0x4c/0xb0
[   13.436917]  __arm64_sys_exit_group+0x28/0x30
[   13.441405]  el0_svc_common.constprop.0+0x80/0x1d0
[   13.446325]  do_el0_svc+0x38/0xb0
[   13.449733]  el0_svc+0x1c/0x30
[   13.452868]  el0_sync_handler+0xa8/0xb0
[   13.456800]  el0_sync+0x16c/0x180
[   13.460214] SMP: stopping secondary CPUs
[   13.464432] Kernel Offset: 0x4989a9c10000 from 0xffff800010000000
[   13.470690] PHYS_OFFSET: 0xffffeadc80000000
[   13.474984] CPU features: 0x08040006,4a80aa38
[   13.479455] Memory Limit: none
[   13.482592] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]---

hello stefankmfr0,

I see some unexpected failures.
(1) you should also copy the eks image.
(2) the images for Orin Nano are created after you execute l4t_initrd_flash.sh; the kernel_flash/images folder exists after you run the script.
(3) following up on the above, now you should have the kernel_flash/images folder created, right? the steps below assume you already have this image folder.

so,
let me share the steps to update the EKS image briefly.
(1) copy the key, sym2_t234.key, and the eks image, eks_t234.img, after running ./example.sh to overwrite the default file.
$ cp eks_t234.img $OUT/Linux_for_Tegra/bootloader/eks_t234.img
(2) Run the flash script to create eks_t234_sigheader.img.encrypt; you may need to give the board info if it asks for the module SKU.
$ sudo BOARDID=3701 BOARDSKU=0004 BOARDDEV=C.2 FAB=TS4 ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1
looking at the messages, it shall complete as follows.

...
[   0.2103 ] Copying eks_t234_sigheader.img.encrypt to /home/jerry/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_ORIN_TARGETS/Linux_for_Tegra/bootloader
[   0.2104 ] Signed file: /home/jerry/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_ORIN_TARGETS/Linux_for_Tegra/bootloader/eks_t234_sigheader.img.encrypt
*** eks_t234.img has been signed successfully. ***

(3) Copy this signed/encrypted binary.
$ cp $OUT/Linux_for_Tegra/bootloader/eks_t234_sigheader.img.encrypt $OUT/Linux_for_Tegra/tools/kernel_flash/images/internal/
(4) Execute the command below to update the EKS partition for your Orin NX/Nano.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

Maybe some progress but still a fail. Am I missing some steps or doing things in the wrong order?

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/
cd Linux_for_Tegra/ && sudo ./apply_binaries.sh

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh
# #############################
# Replace the last two zeros for "aa" 
# Before:  echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################

./example.sh
cd ../../../../../../../../
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./

rm bootloader/eks_t234.img
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img bootloader/eks_t234.img

# Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

sudo BOARDID=3701 BOARDSKU=0004 BOARDDEV=C.2 FAB=TS4 ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1

Output from flash.sh

[   0.0128 ] adding BCH for eks_t234_aligned.img
[   0.0138 ] tegrasign_v3.py --key None --list eks_t234_aligned_sigheader.img_list.xml --pubkeyhash pub_key.key --sha sha512
[   0.0140 ] Assuming zero filled SBK key
[   0.0150 ] Warning: pub_key.key is not found
[   0.0151 ] tegrahost_v2 --chip 0x23 0 --updatesigheader eks_t234_aligned_sigheader.img.encrypt eks_t234_aligned_sigheader.img.hash zerosbk
[   0.0158 ] Copying eks_t234_sigheader.img.encrypt to /home/stefan/nvidia_boot/Linux_for_Tegra/bootloader
[   0.0159 ] Signed file: /home/stefan/nvidia_boot/Linux_for_Tegra/bootloader/eks_t234_sigheader.img.encrypt
*** eks_t234.img has been signed successfully. ***

Then continue with the following:

sudo cp bootloader/eks_t234_sigheader.img.encrypt tools/kernel_flash/images/internal/

# Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs

The last step goes really fast and yields below output.
Output from terminal: terminal_output.txt (2.5 KB)
Output from UART: uart.txt (1.5 KB)

Seems like a failed cause here, but trying the following is not working either; it gives the same results as before:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

From UART: uart2.txt (1.6 KB)

Also tried different orders of commands and combining them with the -k A_eks command like

sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --network usb0 --flash-only --showlog

But never get it to work. Read through documentation and README_initrd_flash.txt. I can’t find a single example where someone got it to work.

hello stefankmfr0,

we’ve also checked that disk encryption with a custom key works normally.
please refer to the steps below.

In op-tee source package folder
(1) $ vim example.sh to edit sym2_t234.key as following.
(2) $ echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
(3) $ ./example.sh
(4) $ cp eks_t234.img $OUT/JetPack-5.1.2_AGX-Orin/Linux_for_Tegra/bootloader/.
(5) $ cp sym2_t234.key $OUT/JetPack-5.1.2_AGX-Orin/Linux_for_Tegra/.

In JetPack-5.1.2 image folder
(1) $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
(2) $ sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal
(3) $ sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
(4) $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
(5) $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Thank you but it still doesn’t work with the same outcome as before.

I’m using an Ubuntu 18.04 host machine (no VM) and new installation folders every time. Complete steps below. I even used a completely new NVME SSD this time but get the same result.

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/ && cd Linux_for_Tegra/ && sudo ./apply_binaries.sh 

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh
# #############################
# Replace the last two zeros for "aa" 
# Before:  echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################

./example.sh
cp eks_t234.img ~/nvidia_boot/Linux_for_Tegra/bootloader/.
cp sym2_t234.key ~/nvidia_boot/Linux_for_Tegra/.
cd ../../../../../../../../

# Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

# Reattach the device to the host in RM mode
sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal
sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

# Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Output from terminal in last step:
terminal-log.txt (39.3 KB)

Output from UART after flashing in the last step:
UART-log.txt (52.2 KB)

hello stefankmfr0,

please revise these two command lines by adding -p "-i sym2_t234.key" before --no-flash and try again.
for example,
internal:
# Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -p "-i sym2_t234.key" --no-flash --network usb0 jetson-orin-nano-devkit internal

and… external:
# Reattach the device to the host in RM mode
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-i sym2_t234.key" --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

Thanks for the support, tried running it again with your modifications but still the same outcome.

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/ && cd Linux_for_Tegra/ && sudo ./apply_binaries.sh 

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh
# #############################
# Replace the last two zeros for "aa" 
# Before:  echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################

./example.sh
cp eks_t234.img ~/nvidia_boot/Linux_for_Tegra/bootloader/.
cp sym2_t234.key ~/nvidia_boot/Linux_for_Tegra/.
cd ../../../../../../../../

# Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -p "-i sym2_t234.key" --no-flash --network usb0 jetson-orin-nano-devkit internal

# Reattach the device to the host in RM mode
sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal
sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

# Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-i sym2_t234.key" --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

terminal-log-2.txt (39.4 KB)
UART-log-2.txt (52.2 KB)

we may dig into why this happened… [ 13.488544] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
could you please share the complete UART logs starting from mb1; it’s the starting point of the bootloader logs.

Here are more comprehensive logs from all the steps.

#!/bin/bash
# 2023-11-03 

tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/ && cd Linux_for_Tegra/ && sudo ./apply_binaries.sh 

cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh
# #############################
# Replace the last two zeros for "aa" 
# Before:  echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################

./example.sh
cp eks_t234.img ~/nvidia_boot/Linux_for_Tegra/bootloader/.
cp sym2_t234.key ~/nvidia_boot/Linux_for_Tegra/.
cd ../../../../../../../../

# STEP 1. Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -p "-i sym2_t234.key" --no-flash --network usb0 jetson-orin-nano-devkit internal > terminal-step1.txt

# STEP 2. Reattach the device to the host in RM mode
sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal > terminal-step2.txt
sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

# STEP 3. Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-i sym2_t234.key" --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external > terminal-step3.txt

# STEP 4. Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only > terminal-step4.txt

terminal-step1.txt (177.5 KB)
terminal-step2.txt (20.3 KB)
terminal-step3.txt (137.7 KB)
terminal-step4.txt (40.0 KB)

This is the UART output while running step 4, the last command, from running the command until the Jetson device is rebooted, still with the pins shorted for Recovery mode and the USB cable still connected:
uart-flash.txt (162.7 KB)

This UART output is from rebooting the device with the pins for RM not shorted and the USB-C cable not connected to the host computer:
uart-boot-after-flash.txt (83.6 KB)

Did you setup SecureBoot and fuse the “f0e0d0c0b0a0010203040506070809aa” key on the board?

If so, can you let me know the steps you took so that I can repeat them on my board?

hello stefankmfr0,

here’re failures,
E/TC:06 00 ekb_extraction_process:211 Bad parameter: eks image not correct
E/TC:06 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff0006).
E/TC:06 00 call_initcalls:43 Initcall __text_start + 0x000f2848 failed

as chrisward9000 mentioned, have you enabled Jetson security by burning fuses?
note, KEK2 is used to encrypt the EKS image. for an un-fused board, we’re using a zero key for it.
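An added preflight check, written for this thread and not part of NVIDIA's tools or of any post above: it runs on the host before the flashing steps and verifies that the sym2_t234.key handed to l4t_initrd_flash.sh, the eks_t234.img copied into bootloader/, and the signed EKS image copied into tools/kernel_flash/images/internal/ are the ones ./example.sh and flash.sh -k A_eks produced, since a stale or mismatched EKS image is the failure the moderator points at. The directory layout follows the commands quoted in the thread; the fixture files it builds for self-testing are constructed stand-ins.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Default sym2 key written by example.sh (quoted earlier in the thread). A build
# that claims to use a custom key must not still carry this value.
DEFAULT_SYM2_KEY = "f0e0d0c0b0a001020304050607080900"
HEX_128BIT = re.compile(r"^[0-9a-f]{32}$")
SIGNED_EKS = "tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt"

def read_key(path):
    """Key as written by `echo "..." > sym2_t234.key`: drop the trailing newline."""
    return Path(path).read_text().strip().lower()

def validate_key(key):
    """Problems with a sym2_t234.key value; an empty list means the key is usable."""
    if not HEX_128BIT.match(key):
        return ["sym2 key must be 32 hex chars (128-bit AES), got %r" % key]
    if key == DEFAULT_SYM2_KEY:
        return ["sym2 key is still the default value from example.sh"]
    return []

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def preflight(l4t_dir, gen_ekb_dir):
    """Cross-check the files the flashing steps consume. l4t_dir is Linux_for_Tegra/
    (holds the copied sym2_t234.key, bootloader/ and tools/); gen_ekb_dir is the
    gen_ekb/ folder where ./example.sh wrote sym2_t234.key and eks_t234.img.
    Returns a list of problem strings; empty means the inputs agree."""
    l4t, gen = Path(l4t_dir), Path(gen_ekb_dir)
    problems = []

    # 1. The key handed to l4t_initrd_flash.sh (-i / -p "-i sym2_t234.key") must be
    #    the same key gen_ekb sealed into the EKS image.
    flash_key, gen_key = l4t / "sym2_t234.key", gen / "sym2_t234.key"
    missing = [str(p) for p in (flash_key, gen_key) if not p.is_file()]
    if missing:
        problems.append("missing key file(s): " + ", ".join(missing))
    else:
        problems += validate_key(read_key(flash_key))
        if read_key(flash_key) != read_key(gen_key):
            problems.append("Linux_for_Tegra/sym2_t234.key differs from gen_ekb/sym2_t234.key")

    # 2. bootloader/eks_t234.img must be the freshly generated blob, not the stock
    #    one shipped in the BSP; a stale EKS image is what the moderator points at.
    bl_eks, gen_eks = l4t / "bootloader" / "eks_t234.img", gen / "eks_t234.img"
    if not (bl_eks.is_file() and gen_eks.is_file()):
        problems.append("eks_t234.img missing in bootloader/ or gen_ekb/")
    elif sha256_file(bl_eks) != sha256_file(gen_eks):
        problems.append("bootloader/eks_t234.img is not the eks_t234.img produced by example.sh")

    # 3. The flash.sh -k A_eks output must be where the initrd flash picks it up.
    if not (l4t / SIGNED_EKS).is_file():
        problems.append("signed EKS image not found at " + SIGNED_EKS)
    return problems

def build_fixture(root, key, copy_eks=True, copy_signed=True):
    """Constructed stand-in for the thread's directory layout, used for self-testing."""
    l4t, gen = Path(root) / "Linux_for_Tegra", Path(root) / "gen_ekb"
    for d in (l4t / "bootloader", (l4t / SIGNED_EKS).parent, gen):
        d.mkdir(parents=True, exist_ok=True)
    (gen / "sym2_t234.key").write_text(key + "\n")
    (l4t / "sym2_t234.key").write_text(key + "\n")
    (gen / "eks_t234.img").write_bytes(b"constructed custom EKS blob")
    (l4t / "bootloader" / "eks_t234.img").write_bytes(
        b"constructed custom EKS blob" if copy_eks else b"constructed stock EKS blob")
    if copy_signed:
        (l4t / SIGNED_EKS).write_bytes(b"constructed signed EKS")
    return str(l4t), str(gen)

def self_check(key, copy_eks=True, copy_signed=True):
    """Run preflight() against a constructed fixture in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        return preflight(*build_fixture(tmp, key, copy_eks, copy_signed))

if __name__ == "__main__":
    # Custom key from the thread; expected to report no problems.
    print(self_check("f0e0d0c0b0a0010203040506070809aa"))
```

It cannot see whether the board is fused or which KEK2 the EKS image was encrypted with; that last point in the thread still has to be checked on the device.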