Fusing OemK1 for Disk Encryption

chinmaypen · December 5, 2024, 2:19am

Here are the steps I took to move to JP-6.1/r36.4.0.

Downloaded all of these sources and installed them into a new directory.

BSP_URL=https://developer.nvidia.com/downloads/embedded/l4t/r36_release_v4.0/release/jetson_linux_r36.4.0_aarch64.tbz2
ROOT_FS_URL=https://developer.nvidia.com/downloads/embedded/l4t/r36_release_v4.0/release/tegra_linux_sample-root-filesystem_r36.4.0_aarch64.tbz2
SOURCES_URL=https://developer.nvidia.com/downloads/embedded/l4t/r36_release_v4.0/sources/public_sources.tbz2
CTI_URL=https://connecttech.com/ftp/Drivers/CTI-L4T-ORIN-NX-NANO-36.4.0-V002.tgz

Ran the install.sh which intern run apply_binaries.sh
Created a new default user using l4t_create_default_user.sh
Extracted the new gen_ekb from sources for JP-6.1/r36.4.0.
Using the keys used and fused previously, I regenerated the ekb using

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img`

Copied the keys over

cd Linux_for_Tegra
cp ../gen_ekb/sym2_t234.key ./sym2_t234.key
rm ./bootloader/eks_t234.img
cp ../gen_ekb/eks_t234.img ./bootloader/eks_t234.img

Generated the encrypted images

sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" cti/orin-nx/hadron/base nvme0n1p1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 cti/orin-nx/hadron/base internal
sudo cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nx/hadron/base external

Flashed them in

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs --flash-only

we’ve test locally to confirm disk encryption is working.

I also have disk encryption working without fusing. I am seeing the issue when I fuse the OEM_K1 key using odmfuse.sh and then the encryption stopped working.

Topic		Replies	Views
Disk encryption not working (2) . AGX Orin but also Orin Nano - r35.5.0 Jetson Orin Nano security , nvbugs	17	929	April 1, 2024
Secure boot and Disk Encryption issues in l4t 35.3.1 and 35.5.0 Jetson AGX Orin security	10	60	August 27, 2024
Jetson Orin NX - board can't flash after partial fuse burn Jetson Orin NX security , nvbugs	53	291	September 24, 2024
Custom keys for Orin NX disk encryption Jetson Orin NX security	11	1448	September 25, 2023
Secure Boot for Orin NX Jetson Orin NX boot , security	30	2991	October 13, 2023
Secure boot failed with jetson nano orin Jetson Orin Nano security	18	153	August 16, 2024
Firmware with daisk encryption Jetson Orin NX security	8	266	April 15, 2024
Failure to unlock 'crypt_root' with fused module when ROOTFS_ENC=1 Jetson Xavier NX boot , kernel , security	18	1291	January 31, 2024
Disk Encryption on Orin NX NVMe Not working Jetson Orin NX reflash , security , nvbugs	24	2528	September 25, 2023
UEFI secureboot and disk encryption in 36.4 Jetson AGX Orin security	11	120	October 28, 2024

Fusing OemK1 for Disk Encryption

Related topics