Full disk encryption

Hi All
I'm able to correctly flash an NVIDIA Jetson Orin™ NX 16GB module with the command:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
-c tools/kernel_flash/flash_l4t_external.xml -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
--showlogs --network usb0 p3509-a02+p3767-0000 internal

but when I try to flash the same device with an encrypted disk with the command:

echo "…omitted…" > ekb.key
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
-c tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -p "-i ekb.key -c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
--showlogs --network usb0 p3509-a02+p3767-0000 internal

it fails with:
[ 2.5577 ] tegraparser_v2 --pt flash.xml.bin --generateflashindex ./Deploy/install_scripts/Jetson/image/L4T/Linux_for_Tegra/bootloader/signed/flash.xml.tmp flash.idx
[ 2.5581 ] File system_root_encrypted.img_ext open failed
Error: Return value 19
Command tegraparser_v2 --pt flash.xml.bin --generateflashindex ./Deploy/install_scripts/Jetson/image/L4T/Linux_for_Tegra/bootloader/signed/flash.xml.tmp flash.idx
Error: ./Deploy/install_scripts/Jetson/image/L4T/Linux_for_Tegra/bootloader/signed/flash.idx is not found
Error: failed to relocate images to ./Deploy/install_scripts/Jetson/image/L4T/Linux_for_Tegra/tools/kernel_flash/images

Does anyone have any idea?

hello alessandro4,

have you referred to the Tool for EKB Generation section, and created a new eks image (with your own ekb key) for flashing to the target?
please check Topic 248137, comment #40; you may double-check the commands to generate eks.img.

FYI.
we've tested locally with l4t-r35.3.1, and disk encryption works normally.
even though it was tested with Xavier NX, the process should be the same.
please see-also Topic 248137 for reference,
thanks

Hi Jerry
I’ve read the topics and comments.
Unfortunately with the Orin it seems that the ./flash.sh hangs during
tegrarcm_v2 --chip 0x23 0 --oem platformdetails storage storage_info.bin

so I need to use l4t_initrd_flash.sh
and this seems not to create an encrypted image.

Do you know if disk encryption is supported on Orin?

Thank you
Alessandro

it looks like you're actually working with Orin NX. let me move this topic to the Orin NX division.

hello alessandro4,

flash.sh doesn't work with Orin NX. please execute l4t_initrd_flash.sh for flashing Orin NX.
since you've given the option -p "-i ekb.key", it'll pass the key to the target. and… you should have the eks.img which contains the same key you're using.

so,
have you run the gen_ekb.py python script to assign your keys and generate a new eks.img?

Hi Jerry,
thank you very much.
Some update:

  1. I’m using l4t_initrd_flash.sh
  2. the image was not created because the config used, p3509-a02+p3767-0000.conf, does not have the disk_enc_enable=1 flag enabled and doesn't check the ROOTFS_ENC env variable, so I've added it manually.
  3. Now the script procedure runs correctly and flashes the device, but the device doesn't boot… black screen :-(
  4. I think that now the flash_t234_qspi.xml is not valid for the encrypted disk. Do you know which config I need to use?

Actually I'm using these commands:

cp gen_ekb/*.img ${L4T_DIR}/bootloader
cd ${L4T_DIR}
echo "disk_enc_enable=1;" >> p3509-a02+p3767-0000.conf
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --erase-all --external-device nvme0n1p1 -S 100G \
-c tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -p "-i ${SCRIPT_DIR}/gen_ekb/sym2_t234.key -c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
--showlogs --network usb0 p3509-a02+p3767-0000 internal
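The two things the thread turns on (the board .conf must carry disk_enc_enable=1, and the eks.img built with gen_ekb.py must be in bootloader/ alongside the key passed via -p "-i ...") can be checked before spending a flash cycle. The pre-flight script below is an added example, not NVIDIA's or the poster's code; the file names and layout are assumptions taken from this thread, and the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added pre-flight check for an encrypted-rootfs flash with l4t_initrd_flash.sh.
# Assumptions (from the thread, not NVIDIA docs): the board config lives in
# <L4T_DIR>/<board>.conf, the EKB key is a separate file passed with -p "-i",
# and gen_ekb.py's output eks.img has been copied to <L4T_DIR>/bootloader/.

# conf_has_disk_enc <conf>: succeeds if the file sets disk_enc_enable=1,
# accepting the "disk_enc_enable=1;" form the poster appended with echo.
conf_has_disk_enc() {
    grep -Eq '^[[:space:]]*disk_enc_enable[[:space:]]*=[[:space:]]*1[[:space:]]*;?[[:space:]]*$' "$1"
}

# enc_flash_preflight <L4T_DIR> <board.conf> <ekb.key>: prints every failing
# check and returns the number of failures (0 means ready to flash).
enc_flash_preflight() {
    l4t_dir=$1; conf=$2; key=$3; fails=0
    if [ ! -f "$l4t_dir/$conf" ]; then
        echo "missing board config: $l4t_dir/$conf"; fails=$((fails + 1))
    elif ! conf_has_disk_enc "$l4t_dir/$conf"; then
        echo "$conf lacks disk_enc_enable=1: no system_root_encrypted.img will be built"
        fails=$((fails + 1))
    fi
    if [ ! -s "$key" ]; then
        echo "EKB key file missing or empty: $key"; fails=$((fails + 1))
    fi
    if [ ! -s "$l4t_dir/bootloader/eks.img" ]; then
        echo "eks.img not in $l4t_dir/bootloader: run gen_ekb.py and copy it there"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed demo: a scratch tree reproducing the thread's first attempt
# (config without the flag, no eks.img), then the corrected setup.
demo=$(mktemp -d)
mkdir -p "$demo/bootloader"
printf 'CHIPID=0x23;\n' > "$demo/p3509-a02+p3767-0000.conf"
enc_flash_preflight "$demo" p3509-a02+p3767-0000.conf "$demo/ekb.key" || echo "-> $? check(s) failed"
printf 'disk_enc_enable=1;\n' >> "$demo/p3509-a02+p3767-0000.conf"
printf 'constructed-placeholder-key\n' > "$demo/ekb.key"
printf 'constructed-placeholder-eks\n' > "$demo/bootloader/eks.img"
enc_flash_preflight "$demo" p3509-a02+p3767-0000.conf "$demo/ekb.key" && echo "-> ready to flash"
```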

as the r35.3.1 developer guide mentions (Security — Jetson Linux Developer Guide documentation), it looks like Jetson Orin NX only supports the SecureBoot feature.