I have a Clara AGX Xavier device, and for my organization I am trying to encrypt the eMMC storage.
I am having trouble understanding how to generate the eks image and use the ekb keys.
After extracting the OS-TEE and looking at the gen_ekb folder and the example.sh, I am confused as to which of these things should be randomly generated, and which should be left as default.
# [T234 example]
# Fill your OEM_K2 fuse key value
echo "432646294a404e635266556a586e3272357538782f413f442a472d4b61506453" > oem_k2.key
# This is the default initial vector for EKB.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t234.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
echo "010203040506070809a0b0c0d0e0f001" > sym_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
python3 gen_ekb.py -chip t234 -oem_k2_key oem_k2.key \
-fv fv_ekb_t234 \
-in_sym_key sym_t234.key \
-in_sym_key2 sym2_t234.key \
-out eks_t234.img
- In this example, am I supposed to leave the oem_k2.key alone? Or am I supposed to generate that?
- For fv_ekb_t234 am I supposed to leave this alone? Or am I supposed to randomly generate this?
- sym_t234 and sym2_t234 are properly shown as being randomly generated.
Also following the developer documentation, I am confused when it says “ekb.key” for using flash.sh.
For example, if I flash my jetson device using:
ROOTFS_ENC=1 ./flash.sh -i "ekb.key" jetson-agx-xavier-devkit mmblk0p1
I am not clear on what value I am supposed to use for “ekb.key”. If I randomly generate fv_ekb_t234, and I use this value here, when the device tries to post, I get an error and then a blank screen with a blinking cursor.
If I use sym2_t234.key, I get a little further, but then I get a kernel panic that says “no key available with this passphrase”.
Looking at the NVIDIA documentation:
https://docs.nvidia.com/jetson/archives/r35.4.1/DeveloperGuide/text/SD/Security/DiskEncryption.html#creating-an-encrypted-rootfs-on-the-host
It is not clear on which files are which and what I am missing. I am hoping someone with some more experience with the tool can help me.
Thank you!
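One check that is useful before running gen_ekb.py is to confirm that each input file holds a single hex string of the size the tool expects, since a key file of the wrong length or with stray characters produces a bad EKS image without any obvious error. The script below is an added example, not part of the original post or of NVIDIA's gen_ekb tooling; the expected byte sizes (32 for OEM_K2, 16 for the initial vector and for each user symmetric key) are an assumption taken from the sample values in the example.sh excerpt above, and the file names match that excerpt.

```shell
#!/bin/sh
# Validate the EKB input key files used by the t234 example before running
# gen_ekb.py. Added example, not NVIDIA's code. Sizes assumed from the
# sample values: OEM_K2 = 32 bytes, EKB IV = 16 bytes, sym keys = 16 bytes.

# check_hex_key FILE EXPECTED_BYTES
# Returns 0 if FILE holds one line of hex encoding exactly EXPECTED_BYTES
# bytes (two hex characters per byte); prints a reason and returns 1 otherwise.
check_hex_key() {
    file=$1
    want=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Keep only the first line and drop any whitespace, including the newline
    # that 'echo' appends when the file is written as in example.sh.
    value=$(head -n 1 "$file" | tr -d '[:space:]')
    case "$value" in
        ''|*[!0-9A-Fa-f]*) echo "$file: not a hex string" >&2; return 1 ;;
    esac
    if [ $(( ${#value} % 2 )) -ne 0 ] || [ $(( ${#value} / 2 )) -ne "$want" ]; then
        echo "$file: expected $want bytes, got ${#value} hex characters" >&2
        return 1
    fi
    return 0
}

# check_ekb_inputs DIR
# Verifies the four inputs named in the t234 example live in DIR and have
# the assumed sizes. Returns 0 only if every file passes.
check_ekb_inputs() {
    dir=$1
    check_hex_key "$dir/oem_k2.key"    32 || return 1
    check_hex_key "$dir/fv_ekb_t234"   16 || return 1
    check_hex_key "$dir/sym_t234.key"  16 || return 1
    check_hex_key "$dir/sym2_t234.key" 16 || return 1
    return 0
}
```

Run `check_ekb_inputs .` from the gen_ekb directory; a non-zero exit with the printed reason tells you which file to regenerate before building eks_t234.img.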
