Having issues with encryption

I have a Clara AGX Xavier device, and for my organization I am trying to encrypt the eMMC storage.

I am having trouble understanding how to generate the eks image and use the ekb keys.

After extracting OP-TEE and looking at the gen_ekb folder and the example.sh, I am confused as to which of these things should be randomly generated, and which should be left as default.

# [T234 example]
# Fill your OEM_K2 fuse key value
echo "432646294a404e635266556a586e3272357538782f413f442a472d4b61506453" > oem_k2.key

# This is the default initial vector for EKB.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t234.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
echo "010203040506070809a0b0c0d0e0f001" > sym_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key

python3 gen_ekb.py -chip t234 -oem_k2_key oem_k2.key \
        -fv fv_ekb_t234 \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -out eks_t234.img

  • In this example, am I supposed to leave the oem_k2.key alone? Or am I supposed to generate that?
  • For fv_ekb_t234 am I supposed to leave this alone? Or am I supposed to randomly generate this?
  • sym_t234 and sym2_t234 are properly shown as randomly generated.

Also following the developer documentation, I am confused when it says “ekb.key” for using flash.sh.

For example, if I flash my jetson device using:

ROOTFS_ENC=1 ./flash.sh -i "ekb.key" jetson-agx-xavier-devkit mmcblk0p1

I am not clear on what value I am supposed to use for “ekb.key”. If I randomly generate fv_ekb_t234 and use this value here, when the device tries to POST I get an error and then a blank screen with a blinking cursor.

If I use sym2_t234.key, I get a little further, but then I get a kernel panic that says “no key available with this passphrase”.

Looking at the NVIDIA documentation:
https://docs.nvidia.com/jetson/archives/r35.4.1/DeveloperGuide/text/SD/Security/DiskEncryption.html#creating-an-encrypted-rootfs-on-the-host

It is not clear which files are which and what I am missing. I am hoping someone with more experience with the tool can help me.

Thank you!

hello wesley.stewart,

you’re referring to the incorrect example; it should be t194 for the Xavier series.
and… please treat those keys within example.sh as default keys for creating the EKS image.

FYI,
EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.
LUKS disk encryption support works with a specific key. you should execute the script file, gen_ekb.py, to generate an image. please also note, in the developer guide, [Tool for EKB Generation], that sym2.key is equivalent to ekb.key

Thanks for the reply! That clears up a lot. One more question, I think.

So when you say “default”, do you mean all of these should be randomly generated, preferably by a secure method such as openssl?

Following your advice, I am still getting the same error:

"No Key available with this passphrase"
ERROR: Failed to unlock the encrypted dev /dev/mmcblk0p2

For reference, this is what I ran:

#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the default initial vector for EKB.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -out eks_t194.img

I then copied the eks_t194.img to:
Linux_for_Tegra/bootloader

And lastly, I ran this:

ROOTFS_ENC=1 ./flash.sh -i "./sym2_t194.key" jetson-agx-xavier-devkit mmcblk0p1

This goes off and appears to work. Takes 4 or 5 minutes to fully run. Once the unit reboots, I get the above error.

hello wesley.stewart,

may I double confirm the Jetpack release version you’re now using?
please check the release tag, i.e. $ cat /etc/nv_tegra_release, for confirmation.
you should also confirm you’re using the same version of public_source package to create EKS image.

FYI,
as you can see, it’s by default using all-zero keys for the t194 series.
sym_t194.key is assigned by the --user_key option via the flash command line.
however, it turns out there’s an issue with --user_key, please see also Topic 248137 for more details…

hence,
please try using sym2_t194.key only and re-try for confirmation.

Thanks for the reply!

To make sure I understand, I should reverse the EKS image without the -in_sym_key, and only use the -in_sym_key2 ?

I’ll try in the morning and report versions once I’m next to the device again

hello wesley.stewart,

no, I meant you should use all zero for sym_t194.key to re-create EKS image.
for example,

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -out eks_t194.img

after that,
please update eks_t194.img, and use the following command line to re-flash AGX Xavier.
ROOTFS_ENC=1 ./flash.sh -i "./sym2_t194.key" jetson-agx-xavier-devkit mmcblk0p1
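As an added preflight check (not from this thread or from NVIDIA's tools), the POSIX shell script below validates a T194 key set before gen_ekb.py and flash.sh are run: every key file holds the expected number of hex digits (16-byte values, as the example.sh scripts write them), the LUKS key is not left at the all-zero default, and the file handed to flash.sh -i is the same key that was sealed into the EKS image as -in_sym_key2. Function names, the directory argument and the sample key values are assumptions made for this example.

```shell
#!/bin/sh
# Preflight checks for the EKS image / encrypted-rootfs flashing procedure.
# Assumption: each key file holds one line of hex, as example.sh writes it.

# check_hex_key FILE NHEX: succeed if FILE holds exactly NHEX hex digits.
check_hex_key() {
    f=$1; n=$2
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    v=$(head -n 1 "$f" | tr -d '\r\n')
    case "$v" in
        *[!0-9a-fA-F]*|'') echo "$f: not a hex string" >&2; return 1 ;;
    esac
    [ ${#v} -eq "$n" ] || { echo "$f: ${#v} hex digits, expected $n" >&2; return 1; }
}

# is_zero_key FILE: succeed if the key is all zeros (the unfused-board default).
is_zero_key() {
    v=$(head -n 1 "$1" | tr -d '\r\n')
    case "$v" in *[!0]*) return 1 ;; esac
    return 0
}

# same_key A B: succeed if both files carry the same key (case-insensitive hex).
same_key() {
    a=$(head -n 1 "$1" | tr -d '\r\n' | tr 'A-F' 'a-f')
    b=$(head -n 1 "$2" | tr -d '\r\n' | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

# preflight_t194 DIR FLASH_KEY: check the T194 key set in DIR and confirm that
# FLASH_KEY (the file passed to flash.sh -i) equals DIR/sym2_t194.key, the
# -in_sym_key2 input of gen_ekb.py; a different key cannot unlock the LUKS
# volume created at flash time.
preflight_t194() {
    d=$1; k=$2
    check_hex_key "$d/kek2.key" 32 &&
    check_hex_key "$d/fv_ekb_t194" 32 &&
    check_hex_key "$d/sym_t194.key" 32 &&
    check_hex_key "$d/sym2_t194.key" 32 || return 1
    if is_zero_key "$d/sym2_t194.key"; then
        echo "sym2_t194.key is all zeros; the LUKS key must be random" >&2; return 1
    fi
    same_key "$d/sym2_t194.key" "$k" ||
        { echo "flash.sh -i key differs from the -in_sym_key2 key" >&2; return 1; }
}

# Usage: sh preflight.sh <key-dir> <key-file-given-to-flash.sh-i>
if [ $# -eq 2 ]; then preflight_t194 "$1" "$2" && echo "preflight OK"; fi
```

Run it from the directory holding the gen_ekb inputs before copying eks_t194.img into Linux_for_Tegra/bootloader, so a key mix-up is caught on the host rather than after a multi-minute flash and reboot.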

Thanks for that. I am still having the same issue…

Here are my exact steps, in an attempt to be very verbose, to see if I am missing something…

#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the default initial vector for EKB.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -out eks_t194.img

I then push the two buttons on the Clara device to put it into forced recovery mode.

cp eks_t194.img ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_XAVIER_TARGETS/Linux_for_Tegra/bootloader

cp sym2_t194.key ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_XAVIER_TARGETS/Linux_for_Tegra/
cd ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_AGX_XAVIER_TARGETS/Linux_for_Tegra/
ROOTFS_ENC=1 ./flash.sh -i "./sym2_t194.key" jetson-agx-xavier-devkit mmcblk0p1

I also tried using “clara-agx-xavier-devkit” as well.

Image of terminal output of the device when booting

I think I got past this! Following a guide, I downloaded an older sources package.

Since this Xavier supports JetPack 5.1.2, I made sure to get the correct Driver Package (BSP) Sources

Also, since I realized (with your help from the previous post) that I was using an older version of the public_sources, I went ahead and randomly generated sym_t194.key again to give this a shot. And it was able to boot fine with this key randomly generated by openssl.

What exactly is this key used for? Is it more or less secure with sym_t194.key randomly generated versus all zeroes?

hello wesley.stewart,

thanks for confirmation.
please always keep using the same version (i.e. Jetpack-5.1.2/ l4t-r35.4.1) of public_source package to create EKS image.

this is the kernel encryption key. please see also the developer guide to assign the key with the --uefi-enc option.
for instance, Enabling UEFI Payload Encryption at Flashing Time.

This is very helpful, thank you!

From our discussion, I think I understand that for:
-u <pkc_keyfile>

I want to use the sym_t194.key here.

But do I need something for:
-v <sbk_keyfile>

Or
--uefi-enc user_encryption.key ?

Thank you for helping me navigate this.

hello wesley.stewart,

FYI,
you may refer to Secure Boot chapter.
it’s Public Key Cryptography (PKC) key, and Secure Boot Key (SBK), which prevents execution of unauthorized boot codes through the chain of trust.

you may also dig into OP-TEE section for Encrypted Keyblob Generation and Device Provisioning.
sym is the abbreviation of symmetric. so, sym_t194.key is a symmetric key used as an EKB fuse key (user encryption key).
please execute flash command with --uefi-enc sym_t194.key option to provide this key file.
