We have an Orin AGX that has an NVMe SSD attached to it.
We enabled rootfs A/B and disk encryption.
We can flash the Orin with the regular flash.sh w/o problems and can see that the expected eMMC partitions are encrypted via LUKS etc.
We also would like to
a) format
b) encrypt
c) decrypt and mount the SSD at boot time (at the same time the rootfs gets decrypted)
When flashing with flash.sh we were able to find out that ./bootloader/t186ref/cfg/flash_t234_qspi_sdmmc_enc_rootfs_ab.xml gets used to flash the Orin partitions.
Our idea was now to extend this file with the following:
in it (no need for e.g. boot and root partitions). But when we flash it like that, the UEFI seems to be configured to boot from the NVMe SSD, so we end up in the UEFI shell.
Is this expected? How do we have boot/root etc. on the internal eMMC and only one data partition on the NVMe SSD?
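For readers following steps a) to c) above, here is an added example (not from this thread or from NVIDIA's L4T scripts) of doing the three steps for an external data partition with the standard cryptsetup tooling. Everything about the target is an assumption: the partition node /dev/nvme0n1p1, the mapper name nvme_data, a root-only key file at /etc/nvme_data.key, the mountpoint /data, and that the image's init honours /etc/crypttab for the unlock at boot; the Jetson rootfs unlock path is not touched. The `is_luks_header` check only reads the six LUKS magic bytes, so it can be exercised offline on a plain file.

```shell
#!/bin/sh
# Added example: format, LUKS-encrypt and register for boot-time mounting
# a data partition on an NVMe SSD. All device names and paths below are
# assumptions for illustration, not values from the thread.
set -eu

DEV="${DEV:-/dev/nvme0n1p1}"            # assumed data partition on the SSD
MAPPER="${MAPPER:-nvme_data}"           # assumed /dev/mapper name
KEYFILE="${KEYFILE:-/etc/nvme_data.key}" # assumed key file on the (encrypted) rootfs
MOUNTPOINT="${MOUNTPOINT:-/data}"       # assumed mountpoint

# Return 0 if the first six bytes of $1 are the LUKS magic "LUKS\xba\xbe".
# Works on a block device or a plain file; needs only dd, od and tr.
is_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# One /etc/crypttab line: <name> <device> <keyfile> <options>
crypttab_line() {
    printf '%s %s %s luks\n' "$MAPPER" "$DEV" "$KEYFILE"
}

# One /etc/fstab line for the opened mapper device; nofail keeps a missing
# SSD from blocking the boot.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$MAPPER" "$MOUNTPOINT"
}

# a) + b): wipe old signatures, create a LUKS2 container keyed by KEYFILE,
# open it and put an ext4 filesystem on the mapped device.
format_and_encrypt() {
    [ -b "$DEV" ] || { echo "no block device at $DEV" >&2; return 1; }
    if [ ! -f "$KEYFILE" ]; then
        # 4096 random bytes, created with mode 0600 before anything is written.
        (umask 077; dd if=/dev/urandom of="$KEYFILE" bs=4096 count=1 status=none)
    fi
    wipefs -a "$DEV"
    cryptsetup luksFormat --type luks2 --batch-mode "$DEV" "$KEYFILE"
    cryptsetup open --key-file "$KEYFILE" "$DEV" "$MAPPER"
    mkfs.ext4 -q -L "$MAPPER" "/dev/mapper/$MAPPER"
    is_luks_header "$DEV" || { echo "LUKS header not found after format" >&2; return 1; }
}

# c): register the container and filesystem so they are unlocked and mounted
# at boot. Assumes the init/initrd of the image processes /etc/crypttab.
install_boot_entries() {
    grep -q "^$MAPPER " /etc/crypttab 2>/dev/null || crypttab_line >> /etc/crypttab
    grep -q " $MOUNTPOINT " /etc/fstab 2>/dev/null || fstab_line >> /etc/fstab
    mkdir -p "$MOUNTPOINT"
}

case "${1:-}" in
    format) format_and_encrypt ;;
    boot)   install_boot_entries ;;
    check)  is_luks_header "$DEV" && echo "LUKS header present on $DEV" ;;
    *)      echo "usage: $0 {format|boot|check}" >&2 ;;
esac
```

Run `format` once on the freshly partitioned SSD, then `boot` to write the crypttab/fstab entries, and `check` after a reboot to confirm the partition still carries a LUKS header. The key file lives on the rootfs, which in this setup is itself LUKS-encrypted, so it is only readable once the rootfs has been unlocked.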
You should set the environment variable ROOTFS_ENC=1 on the flash.sh command line to generate and flash disk-encryption-enabled rootfs/UDA partition images; please refer to How to Create an Encrypted Rootfs on the Host for details.
We are already setting ROOTFS_ENC; what's the difference to ENC_ROOTFS? My guess is that there is a typo in the docs, since ROOTFS_ENC works for us (when we flash the rootfs only).
You're correct, it's the ROOTFS_ENC variable that enables disk encryption support.
>> the stuff of a “regular” flash (boot/rootfs a/b/etc) on the internal storage
It's done with ROOTFS_ENC=1 on the flash.sh command line.
>> a data partition that gets decrypted on boot on external nvme-storage
You may see also Topic 217663 for using l4t_initrd_flash.sh to encrypt an external device.