I’m trying to flash an NVMe with disk encryption, custom keys and a custom image to the Jetson Nano Orin on the official development board. Using the default keys it works with the steps below. But when trying with custom keys, the flashing in the last step fails, according to the UART output.
I went through the documentation over and over but don’t see what I’m missing. I also tried to read all related forum threads without success. I tried with fresh environments on real hardware on both Ubuntu 18.04 and 20.04 with the same results. I also tried on two different Jetson Nano Orin boards with the same results.
you must update the EKS image since you’re using a customized key.
did you replace any keys within example.sh to generate a new eks_t234.img?
for instance, you should keep the others as default, such as oem_k1, fv, sym_t234, and only replace sym2_t234 with your customized key.
after that…
you should also try a partition flash to update only the EKS partition, A_eks.
since it’s a signed/encrypted binary file, you need a two-step approach: create the image with flash.sh, then run l4t_initrd_flash.sh for a partition update.
for example,
(1) Run the flash script to create eks_t234_sigheader.img.encrypt.
$ sudo ./flash.sh --no-flash -r -k A_eks jetson-agx-orin-devkit mmcblk0p1
(2) Copy the signed/encrypted binary to… $OUT/Linux_for_Tegra/tools/kernel_flash/images/internal/
(3) Execute the command below to update the EKS partition on your Orin NX/Nano.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
the failure is because you did not create the system image before.
please see also Flashing Script Usage.
it’s assumed you’ve run flash.sh before, and are using the -r option to re-use the system.img on your local host.
besides, please do not revise the board name given to flash.sh; the idea is to use flash.sh to create a signed/encrypted binary file with the AGX Orin flavor.
the 2nd step is actually flashing the Orin Nano using l4t_initrd_flash.sh.
hence…
please try again, removing the -r option to create the system image, and keep using AGX Orin to create the signed/encrypted EKS binary.
for example,
$ sudo ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1
Thank you for the reply. But still no success. During boot after flashing, it fails to unlock the encrypted device. See the UART output below:
This is the process now. If you could advise on this step by step, it would be great.
tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/
cd Linux_for_Tegra/ && sudo ./apply_binaries.sh
cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh
# #############################
# Replace the last two zeros for "aa"
# Before: echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################
./example.sh
cd ../../../../../../../../
cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./
# Attach the device to the host in RM mode
sudo ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1
# These dirs do not exist
mkdir tools/kernel_flash/images/ && mkdir tools/kernel_flash/images/internal
cp bootloader/eks_t234* tools/kernel_flash/images/internal
# Reattach the device to the host in RM mode
# Command below not working
#sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
# Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
Output from UART:
[ 10.387361] mmc1: SDHCI controller on 3400000.sdhci [3400000.sdhci] using ADMA 64-bit
[ 13.374912] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[ 13.383968] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
[ 13.394408] CPU: 3 PID: 1 Comm: bash Not tainted 5.10.120-tegra #1
[ 13.401819] Hardware name: Unknown NVIDIA Orin Nano Developer Kit/NVIDIA Orin Nano Developer Kit, BIOS 4.1-33958178 08/01/2023
[ 13.413571] Call trace:
[ 13.416091] dump_backtrace+0x0/0x1d0
[ 13.419862] show_stack+0x30/0x40
[ 13.423269] dump_stack+0xd8/0x138
[ 13.426768] panic+0x17c/0x384
[ 13.429915] do_exit+0xaa8/0xab0
[ 13.433243] do_group_exit+0x4c/0xb0
[ 13.436917] __arm64_sys_exit_group+0x28/0x30
[ 13.441405] el0_svc_common.constprop.0+0x80/0x1d0
[ 13.446325] do_el0_svc+0x38/0xb0
[ 13.449733] el0_svc+0x1c/0x30
[ 13.452868] el0_sync_handler+0xa8/0xb0
[ 13.456800] el0_sync+0x16c/0x180
[ 13.460214] SMP: stopping secondary CPUs
[ 13.464432] Kernel Offset: 0x4989a9c10000 from 0xffff800010000000
[ 13.470690] PHYS_OFFSET: 0xffffeadc80000000
[ 13.474984] CPU features: 0x08040006,4a80aa38
[ 13.479455] Memory Limit: none
[ 13.482592] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ]---
I see some unexpected failures.
(1) you should also copy the eks image.
(2) images for Orin Nano should be created after you execute l4t_initrd_flash.sh; the kernel_flash/images folder exists after you run the script.
(3) following up on the above, now you should have the kernel_flash/images folder created, right? the steps below assume you already have this image folder.
so,
let me share the steps to update the EKS image briefly.
(1) copy the key, sym2_t234.key, and the eks image, eks_t234.img, after running ./example.sh to overwrite the default file.
$ cp eks_t234.img $OUT/Linux_for_Tegra/bootloader/eks_t234.img
(2) Run the flash script to create eks_t234_sigheader.img.encrypt; you may need to give the board info if it asks for the module SKU.
$ sudo BOARDID=3701 BOARDSKU=0004 BOARDDEV=C.2 FAB=TS4 ./flash.sh --no-flash -k A_eks jetson-agx-orin-devkit mmcblk0p1
seeing the messages, it should complete as follows.
...
[ 0.2103 ] Copying eks_t234_sigheader.img.encrypt to /home/jerry/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_ORIN_TARGETS/Linux_for_Tegra/bootloader
[ 0.2104 ] Signed file: /home/jerry/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_ORIN_TARGETS/Linux_for_Tegra/bootloader/eks_t234_sigheader.img.encrypt
*** eks_t234.img has been signed successfully. ***
(3) Copy this signed/encrypted binary.
$ cp $OUT/Linux_for_Tegra/bootloader/eks_t234_sigheader.img.encrypt $OUT/Linux_for_Tegra/tools/kernel_flash/images/internal/
(4) Execute the command below to update the EKS partition on your Orin NX/Nano.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
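A pre-flight check for the EKS update steps above, added here as an example (not part of L4T or of the steps posted in this thread). It assumes it is run from Linux_for_Tegra with the gen_ekb output directory as its argument, treats the sample key value that example.sh writes (quoted earlier in the thread) as the default to reject, and verifies that the key later passed via -i sym2_t234.key, the eks_t234.img that flash.sh signs, and the signed image staged for l4t_initrd_flash.sh all come from the same ./example.sh run before the --flash-only step is attempted.

```shell
#!/bin/sh
# Pre-flight check for the custom-key EKS update flow described above.
# Added example, not part of L4T: run it from Linux_for_Tegra before the
# final "l4t_initrd_flash.sh --flash-only" step, passing the gen_ekb
# output directory as the first argument.

# Sample value that example.sh writes to sym2_t234.key by default (quoted in
# the thread); a build that still carries it has not actually changed the key.
DEFAULT_SYM2="f0e0d0c0b0a001020304050607080900"

# $1 = path to sym2_t234.key. Returns 0 only for a non-default 128-bit
# key written as 32 hex digits, which is the form example.sh emits.
check_sym2_key() {
    [ -f "$1" ] || return 1
    key=$(tr -d ' \n\r' < "$1")
    case "$key" in
        *[!0-9a-fA-F]*|"") return 1 ;;      # non-hex characters or empty
    esac
    [ "${#key}" -eq 32 ] || return 1       # 16 bytes for AES-128
    [ "$key" != "$DEFAULT_SYM2" ] || return 1
    return 0
}

# $1, $2 = files. Returns 0 only if both exist and are byte-identical;
# comparing by content catches a stale default file with the right name.
same_content() {
    if [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 0
    fi
    return 1
}

# $1 = gen_ekb output dir (source/public/optee/samples/hwkey-agent/host/tool/gen_ekb).
# Checks that the key passed later via "-i sym2_t234.key", the EKS image that
# flash.sh signs, and the signed image staged for l4t_initrd_flash.sh all come
# from the same ./example.sh run.
preflight() {
    gen_ekb=$1
    check_sym2_key "$gen_ekb/sym2_t234.key" \
        || { echo "sym2_t234.key missing, malformed or still the default"; return 1; }
    same_content "$gen_ekb/sym2_t234.key" sym2_t234.key \
        || { echo "sym2_t234.key in Linux_for_Tegra differs from gen_ekb output"; return 1; }
    same_content "$gen_ekb/eks_t234.img" bootloader/eks_t234.img \
        || { echo "bootloader/eks_t234.img is not the regenerated EKS image"; return 1; }
    same_content bootloader/eks_t234_sigheader.img.encrypt \
                 tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt \
        || { echo "signed EKS image not staged in tools/kernel_flash/images/internal"; return 1; }
    echo "pre-flight OK"
}
```

Usage: `preflight source/public/optee/samples/hwkey-agent/host/tool/gen_ekb` from Linux_for_Tegra; a non-zero exit names the first artifact that does not match.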
Thank you, but it still doesn’t work, with the same outcome as before.
I’m using an Ubuntu 18.04 host machine (no VM) and new installation folders every time. Complete steps below. I even used a completely new NVMe SSD this time but get the same result.
tar -xvf jetson_linux_r35.4.1_aarch64.tbz2 && sudo tar -xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs && tar -xvf public_sources.tbz2 && tar -xvf Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2 -C Linux_for_Tegra/source/public/ && cd Linux_for_Tegra/ && sudo ./apply_binaries.sh
cd source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
vim example.sh
# #############################
# Replace the last two zeros for "aa"
# Before: echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
# After: echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
# #############################
./example.sh
cp eks_t234.img ~/nvidia_boot/Linux_for_Tegra/bootloader/.
cp sym2_t234.key ~/nvidia_boot/Linux_for_Tegra/.
cd ../../../../../../../../
# Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
# Reattach the device to the host in RM mode
sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal
sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
# Reattach the device to the host in RM mode
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
# Reattach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
please revise these two command lines to add -p "-i sym2_t234.key" before --no-flash and try again.
for example,
internal:
# Attach the device to the host in RM mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -p "-i sym2_t234.key" --no-flash --network usb0 jetson-orin-nano-devkit internal
and… external:
# Reattach the device to the host in RM mode
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-i sym2_t234.key" --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
we may dig into why this happened…
[ 13.488544] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
could you please share the complete UART logs starting from mb1; it’s the starting point of the bootloader logs.
This is the UART output while running step 4 (the last command), from running the command until the Jetson device is rebooted, still with the pins shorted for Recovery mode and the USB cable still connected: uart-flash.txt (162.7 KB)
This UART output is from rebooting the device with the RM pins not shorted and the USB-C cable not connected to the host computer: uart-boot-after-flash.txt (83.6 KB)
as chrisward9000 mentioned, had you enabled Jetson security by burning fuses?
note, KEK2 is used to encrypt the EKS image. for an un-fused board, we’re using the zero key for it.