Fused OrinNX: Disk Encryption Fail & Secure Boot (Usage Error vs ECID Null)

Hello,

I am working on a Jetson Orin NX 16GB module running L4T R36.4.3. The device is FUSED with PKC + SBK(Secure Boot is active).

Goal: I am trying to flash the device with Disk Encryption enabled (ROOTFS_ENC=1).

References Followed: I have been following the official NVIDIA documentation and RidgeRun guides regarding Disk Encryption and Secure Boot:

The Problem: Since the device is fused, signing and encryption operations seem to cause timing issues or generation failures during the standard flash process. I am facing two distinct blocking errors when attempting to flash using l4t_initrd_flash.sh.

Scenario 1: USB Write Timeout. When attempting to flash directly, the process starts but eventually fails during the transfer of large signed binaries (like mb1 or bct), likely due to the overhead on the fused device.

[ 0.0721 ] Sending mb1
[ 0.0727 ] ERROR: might be timeout in USB write.
Error: Return value 3

Scenario 2: Return Value 4 (Generation Error). In some attempts (especially when trying to generate images first), I encounter Error: Return value 4 during the GPT generation or signing phase involving tegraparser_v2 and tegrahost_v2.

[ 5.4257 ] End sector for APP_ENC, expected at: 119537630, actual: 0
Error: Return value 4
Command tegraparser_v2 --generategpt --pt flash.xml.bin

My Question: What is the recommended, reliable workflow to flash a Fused (PKC+SBK) Orin NX 16GB with Disk Encryption enabled? I am using it with an external NVMe.

Is there a specific parameter or a two-step approach (without running into the USB timeout) that handles the encryption keys (-i, -u, -v) correctly for a fused target?

I am using this script:

# Step 1: copy the disk-encryption key into the BSP tree
cp "$BSP_TOP/oem_keys/sym2_t234.key" "$BSP_TOP/Linux_for_Tegra/disk_enc.key"

# Step 2: generate the signed/encrypted images for internal storage (QSPI), no flashing yet
sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --odm-image-gen \
    --showlogs \
    --network usb0 \
    --no-flash \
    -u ../odm_keys/rsa3k.pem \
    -v ../odm_keys/sbk-32.key \
    --uefi-keys ../uefi_keys/uefi_keys.conf \
    -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
    jetson-orin-nano-devkit-super \
    internal

# Step 3: generate the encrypted rootfs images for the external NVMe, no flashing yet
sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
    ROOTFS_ENC=1 \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --mass-storage-only \
    --showlogs \
    --network usb0 \
    --no-flash \
    --external-device nvme0n1p1 \
    --external-only \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    -i "./disk_enc.key" \
    --uefi-keys ../uefi_keys/uefi_keys.conf \
    --uefi-enc ../oem_keys/sym_t234.key \
    jetson-orin-nano-devkit-super \
    internal

# Step 4: copy the signed EKS output into the image trees
sudo cp "${BSP_TOP}/oem_out/signed/"* tools/kernel_flash/images/internal/ekb_db
sudo cp "${BSP_TOP}/oem_out/signed/"* bootloader/

# Step 5: flash
sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
    ROOTFS_ENC=1 \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --external-device nvme0n1p1 \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    -i "./disk_enc.key" \
    -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
    --uefi-keys ../uefi_keys/uefi_keys.conf \
    --showlogs \
    --network usb0 \
    jetson-orin-nano-devkit-super \
    internal

and getting this error after a successful flash:

[ 13.149686] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[ 13.151574] Kernel panic - not syncing:
[ 13.151578] Attempted to kill init! exitcode=0x00007f00
[ 13.151581] CPU: 7 PID: 1 Comm: bash Not tainted 5.15.148-tegra #1
[ 13.151585] Hardware name: NVIDIA NVIDIA Jetson Orin NX Engineering Reference Developer Kit Super/Jetson, BIOS 36.4.3-gcid-38968081 01/08/2025

Thanks.

hello OswaldUK,

Bootloader secure boot ensures the root of trust can start from the BootROM.
Disk encryption creates a new, encrypted APP_ENC partition to protect the data it contains.

In short, once you've fused a target, you'll need to provide exactly the same keys when running the flash command line. Otherwise, it'll abort the flashing process.
according to the error logs,

this is because the extracted EKB has a mismatched user key, so it has failed to unlock APP_ENC.
Such a failure is usually due to the EKS image not being updated correctly. Please refer to Tool for EKB Generation to re-create the EKS image.

BTW,
we've tested again locally to confirm disk encryption is working.
Here are our test steps for your reference,
– Generate images for QSPI:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
– Generate the key:
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
– Generate images for external storage device:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
– Flash images into the both storage devices:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
– Verification after flash and booting up:

$ df -h
/dev/mapper/crypt_root 54G 5.6G 46G 12% /
/dev/mapper/crypt_UDA 374M 14K 350M 1% /mnt/crypt_UDA
/dev/nvme0n1p1 371M 97M 247M 29% /boot
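The "fail to unlock the encrypted dev" panic and the reply above both come down to one thing: the key file passed to `-i` when the encrypted rootfs image is generated must be the same key material that went into the EKB on the device. The following pre-flight check is an added example, not part of the L4T tools or of the poster's scripts. It validates that a key file is bare hex of the length used in the reply's example (32 hex digits, 16 bytes) with no CRLF, prefix or stray whitespace, and that two key files hold identical bytes. The pairing it checks (the file passed to `-i` against the file passed to `gen_ekb.py -in_sym_key2`) follows the poster's own script, which copies `sym2_t234.key` to `disk_enc.key`; that this is the key the EKB unlocks APP_ENC with is an assumption taken from that script, not something the page states. The sample files are constructed in a temp directory, using the example key from the reply above.

```python
"""Pre-flight check for the ROOTFS_ENC disk-encryption key (added example, not NVIDIA code)."""
import os
import re
import tempfile

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def load_hex_key(path, expect_bytes=None):
    """Return the key bytes from a hex key file, raising ValueError on any formatting defect."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.endswith(b"\r\n"):
        raise ValueError(f"{path}: CRLF line ending; the flash tools read the key as a hex string")
    text = raw.rstrip(b"\n")  # a single trailing newline, as `echo` produces, is acceptable
    if not text:
        raise ValueError(f"{path}: empty file")
    if b"\n" in text or b" " in text or b"\t" in text:
        raise ValueError(f"{path}: embedded whitespace or multiple lines")
    if text[:2].lower() == b"0x":
        raise ValueError(f"{path}: the example key on this page is bare hex digits, no 0x prefix")
    if not HEX_RE.match(text.decode("ascii", "replace")):
        raise ValueError(f"{path}: non-hex characters present")
    if len(text) % 2:
        raise ValueError(f"{path}: odd number of hex digits")
    key = bytes.fromhex(text.decode("ascii"))
    if expect_bytes is not None and len(key) != expect_bytes:
        raise ValueError(f"{path}: {len(key)} bytes, expected {expect_bytes}")
    return key


def disk_key_matches_ekb_input(disk_key_path, ekb_sym_key2_path, expect_bytes=16):
    """True when the -i key and the gen_ekb.py -in_sym_key2 input are byte-identical.

    Assumption (from the poster's script): the -in_sym_key2 file is the disk-encryption key.
    """
    return load_hex_key(disk_key_path, expect_bytes) == load_hex_key(ekb_sym_key2_path, expect_bytes)


def demo():
    """Constructed sample files: a matching pair, a CRLF-damaged copy and a different key."""
    d = tempfile.mkdtemp()
    example_key = b"f0e0d0c0b0a001020304050607080900\n"  # the key from the reply above, not a real one
    paths = {}
    for name, content in (
        ("sym2_t234.key", example_key),
        ("disk_enc.key", example_key),
        ("crlf.key", example_key.rstrip(b"\n") + b"\r\n"),
        ("other.key", b"00112233445566778899aabbccddeeff\n"),  # constructed, different key
    ):
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as f:
            f.write(content)
    results = {
        "same": disk_key_matches_ekb_input(paths["disk_enc.key"], paths["sym2_t234.key"]),
        "different": disk_key_matches_ekb_input(paths["other.key"], paths["sym2_t234.key"]),
    }
    try:
        load_hex_key(paths["crlf.key"], 16)
        results["crlf_rejected"] = False
    except ValueError:
        results["crlf_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Run it against the real `disk_enc.key` and `sym2_t234.key` before regenerating the EKS image; a CRLF or whitespace defect in either file produces an EKB and a LUKS image that were derived from different strings even though the files look identical in an editor.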

Thanks for the guidance.

Regarding the step "Flash images into both storage devices": When I use the --flash-only parameter here, I encounter a USB timeout (error 3).

I have re-generated the EKS image. I created this EKS image using the exact same keys that I used for burning the fuses and for fTPM. However, I still experience a Kernel Panic even after the flash reports “successful”.

I generated the .img file using the following command, as specified in the link you sent:

python3 gen_ekb.py -chip t234 \
    -oem_k1_key <oem_k1.key> \
    -in_sym_key <sym_t234.key> \
    -in_sym_key2 <sym2_t234.key> \
    -in_auth_key <auth_t234.key> \
    -out <eks_t234.img>

Consequently, the problem persists even though my key files are identical.

Is the EKS image related to the specific files generated during the fuse burning process? For example, I noticed a file created in the oem_out directory named: eks_0021-0000014acfc52d65.img.

There are 6 of these files, corresponding to the 6 Orin units on which I performed the fuse burning process. Do I need to use these specific files? Or is it acceptable to re-generate the EKS image file from scratch? Currently, even when I re-generate the EKS image (using the same keys), I am still getting a Kernel Panic.

hello OswaldUK,

By default it uses a unique passphrase which depends on the ECID (per device).
However, you may create encrypted images with a generic key (--generic-passphrase).
see-also Topic 291335 for reference.

Hello Jerry,

I followed the steps as specified in Topic 291335. I created the mfi package and extracted it from the tar file. Then I started the process of flashing the package to the Orin NX. However, I encountered the 'Return value 3, timeout USB' error again. I set the massflash parameter to 1 in the flash command because I am flashing only a single Orin for now: sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1.

How can I solve this problem? There is definitely no issue with the USB cable because I can flash fTPM to the Orin; this error only occurs while flashing disk encryption.

How can I fix this?

hello OswaldUK,

Aren't you able to re-flash a target with ROOTFS_ENC, and it reports "fail to unlock the encrypted dev"?

I followed your instructions to generate the massflash package with the --generic-passphrase option. The package generation was successful.

However, my issue is NOT about failing to unlock the device after booting. Right now My issue is that I cannot even finish the flashing process due to a USB communication error.

When I run the flash script inside the extracted massflash package (sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1), the process starts but fails at the very beginning (during MB1/BCT transfer) with the following error:

ERROR: might be timeout in USB write.
Error: Return value 3
Since l4t_initrd_flash.sh keeps failing with USB timeouts on my setup, is there a way to flash this “Generic Key” configuration to the QSPI (Bootloader) using the standard flash.sh tool instead?

hello OswaldUK,

since it’s a fused device, did you create massflash package with PKC/SBK keys?

Hello Jerry,

Yes, I used keys.

I use this script to create mass flash package:

sudo BOARDID=3767 FAB=301 BOARDSKU=0000 BOARDREV=G.1 CHIP_SKU="00:00:00:D3" RAMCODE=0 \
    ROOTFS_ENC=1 \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --no-flash \
    --showlogs \
    --network usb0 \
    --external-device nvme0n1p1 \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    --external-only \
    --append \
    -u "$RSA_KEY" \
    -v "$SBK_KEY" \
    -i "$DISK_KEY" \
    -p "--generic-passphrase" \
    --massflash 1 \
    jetson-orin-nano-devkit-super \
    external

hello OswaldUK,

that looks like an incomplete command line;
you should also have a massflash package created for internal storage as well.

let me give you an example..
– internal storage, QSPI.
$ sudo BOARDID=3767 BOARDSKU=0000 ./tools/kernel_flash/l4t_initrd_flash.sh -u PKC.key -v SBK.key --network usb0 -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash jetson-orin-nano-devkit internal
– external storage, NVME.
$ sudo BOARDID=3767 BOARDSKU=0000 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u PKC.key -v SBK.key --network usb0 --showlogs --no-flash --external-device nvme0n1p1 -S 16GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append -i Disk_Enc.key -p "--generic-passphrase" --massflash 1 jetson-orin-nano-devkit external

you should have a massflash (mfi_.tar.gz) package created. After extracting this package,
you should then put the Orin Nano DevKit into recovery mode and run the commands below to flash the images and enable disk encryption.
$ sudo tar xpfv mfi_<target-board>.tar.gz
$ cd mfi_<target-board>
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 1

BTW, you may see-also Topic 319101.
we've tested and confirmed that disk encryption + massflash on two devices is working on r36.4+ Orin Nano DevKit.

Hello Jerry,

I have completed the steps you mentioned.

During the final flashing process, it prints a log like this in between:

[ 0.7611 ] Info: Skip generating mem_bct because sdram_config is not defined
[ 0.7611 ] Copying signatures
[ 0.7615 ] tegrahost_v2 --chip 0x23 0 --partitionlayout readinfo_t234_min_prod.xml.bin --updatesig images_list_signed.xml --pubkeyhash pub_key.key
[ 0.7647 ] mb1_t234_prod_aligned_sigheader_encrypt.bin.signed filename is from images_list
[ 0.7649 ] psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed filename is from images_list
[ 0.7649 ] Boot Rom communication
[ 0.7651 ] tegrarcm_v2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
[ 0.7653 ] BR_CID: 0x89012344705DF6458000000002018280
[ 0.7660 ] Sending bct_br
[ 0.7660 ] Sending mb1
[ 0.7665 ] ERROR: might be timeout in USB write.
Error: Return value 3
Command tegrarcm_v2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
[ 0.7693 ] tegrarcm_v2 --chip 0x23 0 --ismb2applet

Afterward, the flashing process seems to continue, but at the very end, it gives a USB timeout error again. I think that when it tries to read the ECID during this process, it causes the Orin NX to exit recovery mode. Because of this, the flashing cannot be completed. How can I resolve this?

hello OswaldUK,

did you update the command line to match the same board spec?
For instance, are these your board SKUs? i.e. sudo BOARDID=3767 BOARDSKU=0000 ...

yes, I did. But same issue persists.

So what could be the possible solution here?

When I generate the EKS image with example.sh and look at the hexdump like this:

input:
hexdump -C -n 4 -s 0x24 eks_t234.img

output:
00000024  ac ee bb e3                                       |....|
00000028

but when I look 0x34:

input:
hexdump -C -n 4 -s 0x34 eks_t234.img

output:
00000034  45 45 4b 42                                       |EEKB|
00000038

Is this a true EKS image file? Even if I generate this image again, the result is the same: no magic bytes at 0x24, magic bytes at 0x34.

is this why I cannot enable disk encryption? What should I do to solve this problem??

hello OswaldUK,

FYI, we did test disk encryption with SBKPKC target, see-also.. Topic 314134 for the steps.

Hello JerryChang,

This is not a solution for my case. My fuse file is already like this:

<genericfuse MagicId="0x45535546" version="1.0.0">
  <fuse name="OdmInfo" size="4" value="0x21"/>
  <fuse name="OdmId" size="8" value="0x0000014BD5FD48C0"/>
  <fuse name="Kdk0" size="32" value="0x63b6d3cab65be8bdca7743b083114023246497ddc83ff24ac305da5befd317d7"/>
  <fuse name="OemK1" size="32" value="0x4fb38179d9ff6d5a33c1dbf5ac3a381a82f43a811fdce822d7350129de16b198"/>
  <fuse name="PublicKeyHash" size="64" value="0x83de2ecbea32ce0fe5f06a6911a097c07b11276b6eaf0995fb7aaeb11b66025fa74bf31c22c992d445d725c02e8972f65a0965d114ead3882ffc58415d8519e5"/>
  <fuse name="SecureBootKey" size="32" value="0x2a751444d1c1ccd8b49f9b57c2ca9590fa82378a5de621224616ab3c3a84c91a"/>
  <fuse name="BootSecurityInfo" size="4" value="0x1E9"/>
</genericfuse>

Is there anything wrong with this file?

hello OswaldUK,

since you're using OEM_K1, please also add PscOdmStatic. We recommend burning it to 0x60, which sets the purpose of:
- OEM_K1 to encryption (see also OEM_K1_PURPOSE=0x0)
- OEM_K2 to KDK (key derivation key) (see also OEM_K2_PURPOSE=0x6)
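Fuses are one-time programmable, so a fuse XML deserves a consistency check before it is burned. The script below is an added example, not an NVIDIA tool: it parses a genericfuse XML, verifies that every value is hex and fits within its declared size in bytes, and, following the reply above, flags a file that programs OemK1 without PscOdmStatic and can append the missing fuse with the recommended value 0x60. The sample XML is constructed with placeholder values and uses the same fuse names as the poster's file; the `size="4"` attribute for PscOdmStatic is an assumption modelled on the other 4-byte fuses on this page (OdmInfo, BootSecurityInfo), not something the page states.

```python
"""Consistency check for a genericfuse XML before burning (added example, not NVIDIA code)."""
import xml.etree.ElementTree as ET

# Constructed sample: same fuse names as the poster's file, placeholder key material.
SAMPLE_WITHOUT_PSC = """<genericfuse MagicId="0x45535546" version="1.0.0">
  <fuse name="OdmInfo" size="4" value="0x21"/>
  <fuse name="OdmId" size="8" value="0x0000000000000001"/>
  <fuse name="Kdk0" size="32" value="0x{k}"/>
  <fuse name="OemK1" size="32" value="0x{k}"/>
  <fuse name="PublicKeyHash" size="64" value="0x{h}"/>
  <fuse name="SecureBootKey" size="32" value="0x{k}"/>
  <fuse name="BootSecurityInfo" size="4" value="0x1E9"/>
</genericfuse>""".format(k="11" * 32, h="22" * 64)


def check_fuse_xml(xml_text):
    """Return a list of problems found; an empty list means the file passed every check."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "genericfuse" or root.get("MagicId") != "0x45535546":
        problems.append('root is not <genericfuse MagicId="0x45535546">')
    seen = set()
    for fuse in root.findall("fuse"):
        name, size, value = fuse.get("name"), fuse.get("size"), fuse.get("value")
        if name is None or size is None or value is None:
            problems.append("fuse element is missing name, size or value")
            continue
        if name in seen:
            problems.append(f"{name}: listed twice")
        seen.add(name)
        digits = value[2:] if value[:2].lower() == "0x" else value
        try:
            nbytes = int(size)
            int(digits, 16)  # raises on empty or non-hex values
        except ValueError:
            problems.append(f"{name}: size={size!r} value={value!r} not parseable")
            continue
        if len(digits) > 2 * nbytes:
            problems.append(f"{name}: {len(digits)} hex digits do not fit in size={nbytes} bytes")
    # The reply above: a file that programs OEM_K1 should also program PscOdmStatic
    # so that OEM_K1 (encryption) and OEM_K2 (KDK) get their purpose set.
    if "OemK1" in seen and "PscOdmStatic" not in seen:
        problems.append("OemK1 is programmed but PscOdmStatic is not; add it (0x60 per the reply above)")
    return problems


def add_psc_odm_static(xml_text, value="0x60"):
    """Return the XML with a PscOdmStatic fuse appended if absent (size=4 is an assumption)."""
    root = ET.fromstring(xml_text)
    if root.find("fuse[@name='PscOdmStatic']") is None:
        ET.SubElement(root, "fuse", name="PscOdmStatic", size="4", value=value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_fuse_xml(SAMPLE_WITHOUT_PSC))
    fixed = add_psc_odm_static(SAMPLE_WITHOUT_PSC)
    print("after: ", check_fuse_xml(fixed))
    print(fixed)
```

The length check catches the common copy-paste defect of a 32-byte key pasted into a 16-byte fuse, or a value with a stray character, which the check reports per fuse name so the offending line is easy to find before the irreversible burn.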

hello Jerry,

I've tried this. The flashing process finished successfully, and when the Orin NX tries to boot up, it boots to a shell screen. It is not using or mounting the NVMe. It always opens in the shell screen.

Any solutions?

could you please set up a serial console to gather bootloader logs for reference.

Hello Jerry,

here is the UART log:

uartLog_shell.txt (40.2 KB)