Hi,
I am trying to flash an external device (NVMe) with encryption. We are using the JetPack-5.0.2 release for this.
We want to be able to create a bootable external device in a similar way to “Workflow 11: Manually generate a bootable external storage device” of the <Linux_for_Tegra/tools/kernel_flash/>README_initrd_flash.txt README file.
The Jetson Xavier will act as the host PC and flash an NVMe that is attached to it by treating the NVMe as an external device. Workflow 11 (without encryption) works fine to achieve this, but we would like to be able to flash the NVMe with encryption support as well.
The workflow I am following is:
1. Create the encrypted images for the external NVMe device with one PC that has a Jetson AGX in recovery mode:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB --direct nvme0n1 jetson-xavier external
2. Compress the resulting JetPack environment.
3. Decompress the JetPack environment in the Jetson, which will be in charge of flashing the NVMe, then flash:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB --direct nvme0n1 jetson-xavier external
- As can be seen, the Jetson acts as a host computer by flashing the NVMe attached to it.
Problem:
When trying to flash the encrypted images I get this error:
Formatting APP parition done
Formatting APP partition /dev/nvme0n1p1 …
tar --xattrs -xpf /home/nvidia/Linux_for_Tegra/tools/kernel_flash/images/external/system_boot.img --checkpoint=10000 --warning=no-timestamp --numeric-owner -C /tmp/ci-jF0e5IDxtd
writing item=12, 9:0:APP_ENC, 1054384128, 8170504192, system_root_encrypted.img_ext, 2544928464, fixed--2,
Writing APP_ENC partition with system_root_encrypted.img_ext
Get size of partition through connection.
/home/nvidia/Linux_for_Tegra/tools/kernel_flash/images/l4t_flash_from_kernel.sh: line 626: [: p2: integer expression expected
blkdiscard: /dev/nvme0n1pp2: not a block device
Cannot erase using blkdiscard. Write zero to partition /dev/nvme0n1pp2
dd if=/dev/zero of=/dev/nvme0n1pp2
dd: failed to open ‘/dev/nvme0n1pp2’: Invalid argument
nvsimg2img /home/nvidia/Linux_for_Tegra/tools/kernel_flash/images/external/system_root_encrypted.img_ext /dev/nvme0n1p2
/home/nvidia/Linux_for_Tegra/tools/kernel_flash/images/l4t_flash_from_kernel.sh: line 679: /home/nvidia/Linux_for_Tegra/tools/kernel_flash/bin/nvsimg2img: cannot execute binary file: Exec format error
[ 16]: l4t_flash_from_kernel: The device size indicated in the partition layout xml is smaller than the actual size. This utility will try to fix the GPT.
[ 16]: l4t_flash_from_kernel: nvsimg2img /home/nvidia/Linux_for_Tegra/tools/kernel_flash/images/external/system_root_encrypted.img_ext /dev/nvme0n1p2 failed
[ 16]: l4t_flash_from_kernel: Error flashing external device
It does look like a typo in the flash script when constructing the name for the /dev/nvme0n1p2 device.
Questions
1. Is making an external bootable device with encryption supported?
2. If the answer to question 1 is yes, is there something in our workflow that we are doing wrong or is it a bug in the flash scripts?
Thanks,
Marisol