Fusing OemK1 for Disk Encryption

I also tried (in desperation) to fuse the same key in OEMK2 as what I had flashed into OEMK1 just to see if that changed anything. But I’m still getting the same error. :(

hello chinmaypen,

please check you have the cryptsetup utility installed; it’s used to create the encrypted rootfs for image flashing.
for instance, $ sudo apt-get install cryptsetup.

Yup.

$ sudo apt-get install cryptsetup
[sudo] password for subnero:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
cryptsetup is already the newest version (2:2.4.3-1ubuntu1.2).
0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.

let’s try without flash.sh to generate the encrypted images.
here are the steps for your reference.

  1. Based on the sample script, edit your keys, such as the fused “oem_k1.key” and “sym2_t234.key”, from the r36.4.0 public release sources.
    for instance, $public_sources/r36.4.0/Linux_for_Tegra/source/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh

  2. Generate eks_t234.img from example.sh.

  3. Copy the created eks_t234.img to $OUT/Linux_for_Tegra/bootloader

  4. Generate QSPI. (note: this was tested on an SBKPKC device)
    $ sudo ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash -u ecp521_v3_0.pem -v sbk-256.key --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal

  5. Copy the encrypted EKS image:
    $ sudo cp ./bootloader/eks_t234_sigheader_encrypt.img.signed ./tools/kernel_flash/images/internal/.

  6. Generate external:
    $ sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -u ecp521_v3_0.pem -v sbk-256.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

  7. Flash image:
    $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u ecp521_v3_0.pem -v sbk-256.key --network usb0 --flash-only

@JerryChang

The steps I followed are exactly the same as what you list, except for 2 things.

  1. I call this tool to sign the EKS partition, which I don’t see in your steps.
    $ sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" cti/orin-nano/hadron/base nvme0n1p1

  2. I am using a board where I have ONLY fused the OEMK1 and OEMK2 fuses, while you seem to also have fused the SBK and other fuses.

Does that mean that for disk encryption to work WITH custom OEM keys one MUST ALSO have full Secure Boot setup?

@JerryChang I managed to get this to work.

What I needed was this.

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="OemK1" size="32" value="0xf3bedbff9cea44c05b08124e8242a71ec1871d55ef4841eb4e59a56b5f88fb2b"/>
    <fuse name="OemK2" size="32" value="0xf3bedbff9cea44c05b08124e8242a71ec1871d55ef4841eb4e59a56b5f88fb2b"/>
    <fuse name="BootSecurityInfo" size="4" value="0x200"/>
</genericfuse>

Without the ODM Key Valid flag set in BootSecurityInfo, it wasn’t working. Once I set that flag, it works.

Thank you for all your help @JerryChang!

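The fix above came down to one flag in the fuse blob. As an added example (not code from the thread or from NVIDIA's tools), the following Python builds a genericfuse XML in the same shape as the one posted and checks an existing blob for the two things that mattered here: OemK1/OemK2 values that match their declared size, and the ODM Key Valid bit (0x200, as given in the thread) present in BootSecurityInfo. The key value used in the test is a constructed placeholder.

```python
# Added example: generate/check a Jetson genericfuse XML for OEM key fusing.
# ODM_KEY_VALID is the BootSecurityInfo flag the thread found necessary (0x200);
# the MagicId and field sizes are copied from the XML posted in the thread.
import xml.etree.ElementTree as ET

FUSE_MAGIC = "0x45535546"
ODM_KEY_VALID = 0x200
KEY_BYTES = 32          # OemK1 / OemK2 "size" attribute in the posted XML


def _strip_hex(value):
    value = value.strip().lower()
    return value[2:] if value.startswith("0x") else value


def build_fuse_xml(oem_key_hex, boot_security_info=0):
    """Fuse the same key into OemK1 and OemK2 and force ODM Key Valid on."""
    key = _strip_hex(oem_key_hex)
    if len(key) != KEY_BYTES * 2 or any(c not in "0123456789abcdef" for c in key):
        raise ValueError("OEM key must be %d bytes of hex" % KEY_BYTES)
    info = boot_security_info | ODM_KEY_VALID
    root = ET.Element("genericfuse", MagicId=FUSE_MAGIC, version="1.0.0")
    for name in ("OemK1", "OemK2"):
        ET.SubElement(root, "fuse", name=name, size=str(KEY_BYTES), value="0x" + key)
    ET.SubElement(root, "fuse", name="BootSecurityInfo", size="4", value="0x%x" % info)
    return ET.tostring(root, encoding="unicode")


def check_fuse_xml(xml_text):
    """Return a list of problems; an empty list means the blob matches the working config."""
    problems = []
    root = ET.fromstring(xml_text)
    fuses = {f.get("name"): f for f in root.iter("fuse")}
    for name in ("OemK1", "OemK2"):
        fuse = fuses.get(name)
        if fuse is None:
            problems.append("%s missing" % name)
        elif len(_strip_hex(fuse.get("value", ""))) != int(fuse.get("size", "0")) * 2:
            problems.append("%s value length does not match size" % name)
    bsi = fuses.get("BootSecurityInfo")
    if bsi is None:
        problems.append("BootSecurityInfo missing")
    elif not int(bsi.get("value", "0"), 16) & ODM_KEY_VALID:
        problems.append("BootSecurityInfo lacks ODM Key Valid (0x200)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder key, not a real OEM key.
    blob = build_fuse_xml("11" * KEY_BYTES)
    print(blob)
    print("problems:", check_fuse_xml(blob))
```

Running check_fuse_xml over a blob that fuses only OemK1/OemK2 with BootSecurityInfo left at 0x0 reports the missing flag, which is the configuration that failed in the thread.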
