Failing with custom keys for encrypting NVME on Jetson Orin Nano

No, I have not.
I didn’t realize this was necessary when following the guides and READMEs.

Is this the guide to follow?
https://docs.nvidia.com/jetson/archives/r35.1/DeveloperGuide/text/SD/Security/SecureBoot.html

Any pointers in do’s and don’ts I should know about?

Hi Jerry,

To use a custom key for sym2_t234.key, do I need to burn fuses?
The FV key and the other keys are the same as the defaults.

FYI, you don’t need to burn fuse, disk encryption still works without secureboot.

Hi Jerry,

I have tried the steps with stefankmfr0.
I am also facing the same error that he is facing over UART; comparing the UART logs shows the same error.

Either there is some step missing, or something somewhere went wrong.

There is no burning fuses enabled.
Use the custom key for sym2_t234.key in example.sh and generate eks_image.
Copy the eks_image over to the bootloader directory and sym2_t234.key to the Linux_for_Tegra directory.

  1. sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal

  2. sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

  3. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -p "-i sym2_t234.key" --no-flash --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam internal

  4. sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-i sym2_t234.key" --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam external

  5. sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

As mentioned in the previous comment #16, we’ve checked that disk encryption with a custom key worked normally.

hello stefankmfr0,

please see also Topic 271974, comment #8, and run hexdump to examine your EKS image.

Hi JerryChang,
Thank you for the reply. This week I’ve been sick and away from work so I did not have a chance to test this further.

But I’m a bit confused, since one comment says we should set up SecureBoot and fuse the board (chrisward9000):

Did you setup SecureBoot and fuse the “f0e0d0c0b0a0010203040506070809aa” key on the board?

And then (JerryChang):

FYI, you don’t need to burn fuse, disk encryption still works without secureboot.

I have not yet figured out if I need to burn a fuse to the Jetson and at what step to do it and what key to use…

hello stefankmfr0,

as you can see in comment #16, we’re testing disk encryption with a custom key based on a non-fused target.
you must provide the EKB key to the flash command through the -i option, for instance, -i ./sym2_t234.key

BTW,
we doubt the failure "eks image not correct" is due to incorrect bytes at the beginning of the EKS image.
They are "EEKB"; if these 4 bytes are wrong, you will also see such failures.
please do check your EKS image by running $ hexdump -C -n 4 -s 0x24 eks_t234.img for confirmation.
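
As an added example (not from this thread or from NVIDIA's tools), the following Python script performs the same inspection as the hexdump command above: it reads the 4 bytes at offset 0x24 of an EKS image and compares them with the "EEKB" marker quoted in the post. The offset and marker are the values given above; the sample image bytes are constructed here for illustration and are not a real EKS image.

```python
"""Check the 4-byte marker at offset 0x24 of an EKS image.

Added example, not NVIDIA code. The offset (0x24) and the expected
marker ("EEKB") are the values quoted in the thread; everything else
is an assumption made for illustration.
"""
import sys

EKS_MAGIC_OFFSET = 0x24   # same offset as `hexdump -s 0x24` in the thread
EKS_MAGIC = b"EEKB"       # expected bytes as quoted in the thread


def read_eks_magic(data: bytes) -> bytes:
    """Return the 4 bytes found at offset 0x24 (empty/short if the image is truncated)."""
    return data[EKS_MAGIC_OFFSET:EKS_MAGIC_OFFSET + len(EKS_MAGIC)]


def eks_magic_ok(data: bytes) -> bool:
    """True only if the full 4-byte marker is present and equals EEKB."""
    return read_eks_magic(data) == EKS_MAGIC


def hexdump_line(data: bytes, offset: int = EKS_MAGIC_OFFSET, count: int = 4) -> str:
    """Render the inspected bytes in a hexdump -C style line (approximation, not byte-exact)."""
    chunk = data[offset:offset + count]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hex_part:<48} |{ascii_part}|"


def check_eks_file(path: str) -> bool:
    """Read an EKS image from disk and report whether its marker is correct."""
    with open(path, "rb") as fh:
        data = fh.read()
    print(hexdump_line(data))
    ok = eks_magic_ok(data)
    print("EKS marker OK" if ok else "EKS marker WRONG (expected EEKB at 0x24)")
    return ok


# Constructed sample images (not real EKS images): a 0x24-byte header of
# zeros followed by the marker and some filler payload.
GOOD_IMAGE = b"\x00" * EKS_MAGIC_OFFSET + b"EEKB" + b"\x11" * 16
BAD_IMAGE = b"\x00" * EKS_MAGIC_OFFSET + b"EKBE" + b"\x11" * 16   # bytes swapped
SHORT_IMAGE = b"\x00" * 8                                          # truncated file

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(0 if check_eks_file(sys.argv[1]) else 1)
    for name, img in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE), ("short", SHORT_IMAGE)):
        print(name, hexdump_line(img), eks_magic_ok(img))
```

Run it with the path to the image (for example `python3 check_eks.py bootloader/eks_t234.img`, an assumed file name) to get a pass/fail exit status; with no argument it demonstrates the check on the constructed samples, including the truncated-file case, which is reported as a failure rather than raising an exception.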

hello stefankmfr0,

FYI, according to Topic 271974, disk encryption with a custom key works after re-installing the optee package.
