How to flash the OS etc. to encrypted eMMC but also set up an encrypted NVMe SSD?

We have an Orin AGX that has an NVMe SSD attached to it.

We enabled rootfs a/b and disk encryption.

We can flash the Orin with the regular flash.sh w/o problems and can see that the expected eMMC partitions are encrypted via LUKS, etc.

We also would like to
a) format
b) encrypt
c) decrypt and mount the ssd at boot time (at the same time the rootfs gets decrypted)

When flashing with flash.sh we found that ./bootloader/t186ref/cfg/flash_t234_qspi_sdmmc_enc_rootfs_ab.xml gets used to flash the Orin partitions.

Our idea was now to extend this file with the following:

<device type="nvme" instance="0" sector_size="512" num_sectors="1000215216" >
    <partition name="NVME_SSD" type="data" encrypted="true">
        <allocation_policy> sequential </allocation_policy>
        <filesystem_type> basic </filesystem_type>
        <size> 998244352 </size>
        <file_system_attribute> 0 </file_system_attribute>
        <allocation_attribute> 8 </allocation_attribute>
        <percent_reserved> 0 </percent_reserved>
        <description> Stores sensor data </description>
    </partition>
    <partition name="secondary_gpt" type="secondary_gpt">
        <allocation_policy> sequential </allocation_policy>
        <filesystem_type> basic </filesystem_type>
        <size> 0xFFFFFFFFFFFFFFFF </size>
        <file_system_attribute> 0 </file_system_attribute>
        <allocation_attribute> 8 </allocation_attribute>
        <percent_reserved> 0 </percent_reserved>
    </partition>
</device>

inside the <partition_layout> that is already there.

Is this the way to do this or is there another, better way to flash the os to the emmc and initialize the nvme-ssd at the same time?

hello brootux,

you may refer to Topic 270934 to enable disk encryption.

we were able to flash the device with

export ROOTFS_AB=1
export ROOTFS_ENC=1
echo "[key]" > ./ekb.key
./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --no-flash -i ./ekb.key --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit internal
./flash.sh --no-flash -i ./ekb.key --uefi-keys uefi_keys/uefi_keys.conf jetson-agx-orin-devkit internal
cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --no-flash -i ./ekb.key --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append jetson-agx-orin-devkit external
./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

So the first call of l4t_initrd_flash.sh uses the “stock” L4T 34.5.1 bootloader/t186ref/cfg/flash_t234_qspi_sdmmc_enc_rootfs_ab.xml.

For the second call of l4t_initrd_flash.sh we adjusted ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml to have

<partition_layout version="01.00.0000">
    <!-- <device type="external" instance="0" sector_size="512" num_sectors="NUM_SECTORS" > -->
    <device type="external" instance="0" sector_size="512" num_sectors="1000215216" >
        <partition name="primary_gpt" type="primary_gpt">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 19968 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
        <partition name="NVME_SSD" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <!-- (1000215216 - 78) * 512 -> 39 sectors of primary-gpt, 39 sectors for secondary-gpt, 512 byte per sector) -->
            <size> 512110150656 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> Stores sensor data </description>
        </partition>
        <partition name="secondary_gpt" type="secondary_gpt">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 0xFFFFFFFFFFFFFFFF </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
        </partition>
    </device>
</partition_layout>

in it (no need for e.g. boot and root partitions). But when we flash it like that, the UEFI seems to be configured to boot from the NVMe SSD, so we end up in the UEFI shell.

Is this expected? How do we get boot/root etc. on the internal eMMC and only one data partition on the NVMe SSD?
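As an added worked example (not code from this thread and not part of NVIDIA's flashing tools), the following Python script reproduces the size arithmetic from the comment in the posted external-device layout and renders the same three-partition XML for any disk size, checking first that primary_gpt + data + secondary_gpt tile the disk exactly (a mis-sized data partition is the usual way such a hand-edited layout fails). The 39-sector GPT reservation, the 512-byte sector size and the 0xFFFFFFFFFFFFFFFF "all remaining" size are taken from the posted layout; the function names and the final parse-back check are my own additions.

```python
# Added example: derive the partition sizes for a flash_l4t_t234_nvme_*.xml
# style external-device layout and render the XML.  Constants below are read
# off the layout posted in the thread; nothing here is NVIDIA's own code.
import xml.etree.ElementTree as ET

GPT_SECTORS = 39                             # per GPT copy, from the posted primary_gpt size (19968 / 512)
SIZE_ALL_REMAINING = "0xFFFFFFFFFFFFFFFF"    # size value the layout uses for the trailing secondary_gpt


def external_layout_sizes(num_sectors: int, sector_size: int = 512) -> dict:
    """Byte sizes for primary_gpt, the data partition and secondary_gpt.

    The data partition gets (num_sectors - 2 * GPT_SECTORS) * sector_size,
    the arithmetic written in the comment of the posted XML.
    """
    if num_sectors <= 2 * GPT_SECTORS:
        raise ValueError("disk too small to hold two GPT copies")
    gpt_bytes = GPT_SECTORS * sector_size
    data_bytes = (num_sectors - 2 * GPT_SECTORS) * sector_size
    return {"primary_gpt": gpt_bytes, "data": data_bytes, "secondary_gpt": gpt_bytes}


def check_tiles_disk(num_sectors: int, sector_size: int, sizes: dict) -> bool:
    """True when the three partitions cover the disk with no gap and no overrun."""
    total = sizes["primary_gpt"] + sizes["data"] + sizes["secondary_gpt"]
    return total == num_sectors * sector_size


def _partition(name, ptype, size, encrypted=False, description=None, indent="        "):
    # Emit one <partition> element with the attribute set used by the posted layout.
    attrs = f'name="{name}" type="{ptype}"'
    if encrypted:
        attrs += ' encrypted="true"'
    lines = [
        f"{indent}<partition {attrs}>",
        f"{indent}    <allocation_policy> sequential </allocation_policy>",
        f"{indent}    <filesystem_type> basic </filesystem_type>",
        f"{indent}    <size> {size} </size>",
        f"{indent}    <file_system_attribute> 0 </file_system_attribute>",
        f"{indent}    <allocation_attribute> 8 </allocation_attribute>",
        f"{indent}    <percent_reserved> 0 </percent_reserved>",
    ]
    if description:
        lines.append(f"{indent}    <description> {description} </description>")
    lines.append(f"{indent}</partition>")
    return "\n".join(lines)


def render_external_layout(num_sectors: int, sector_size: int = 512,
                           name: str = "NVME_SSD",
                           description: str = "Stores sensor data") -> str:
    """Render a partition_layout with one LUKS-marked data partition on the external device."""
    sizes = external_layout_sizes(num_sectors, sector_size)
    if not check_tiles_disk(num_sectors, sector_size, sizes):
        raise ValueError("partition sizes do not tile the disk")
    body = "\n".join([
        _partition("primary_gpt", "primary_gpt", sizes["primary_gpt"]),
        _partition(name, "data", sizes["data"], encrypted=True, description=description),
        _partition("secondary_gpt", "secondary_gpt", SIZE_ALL_REMAINING),
    ])
    xml = (
        '<partition_layout version="01.00.0000">\n'
        f'    <device type="external" instance="0" sector_size="{sector_size}" '
        f'num_sectors="{num_sectors}" >\n'
        f"{body}\n"
        "    </device>\n"
        "</partition_layout>\n"
    )
    ET.fromstring(xml)  # raises ParseError if the rendered document is malformed
    return xml


def parsed_data_size(xml: str):
    """Read back the <size> of the type="data" partition, as a cross-check on the rendering."""
    root = ET.fromstring(xml)
    for part in root.iter("partition"):
        if part.get("type") == "data":
            return int(part.find("size").text.strip())
    return None


if __name__ == "__main__":
    # The disk from the thread: 1000215216 sectors of 512 bytes.
    print(render_external_layout(1000215216))
```

Run it and diff the output against the hand-edited flash_l4t_t234_nvme_rootfs_enc.xml from the post; the data partition size should come out as 512110150656 and the two GPT entries as 19968 bytes each.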

hello brootux,

you’ve specified this to flash the external NVMe.

you can use flash.sh to flash AGX Orin directly; it’ll flash onto the internal eMMC by default.

Okay, I'm trying to make it clearer what we are trying to achieve.

we need

  • the stuff of a “regular” flash (boot/rootfs a/b/etc) on the internal storage
  • a data partition that gets decrypted on boot on external nvme-storage

To have decryption of the external storage on boot, I think the LUKS passphrase has to be in OP-TEE and in the crypttab of the initrd.

Is there a way to achieve this?

hello brootux,

you should set environment ROOTFS_ENC=1 in flash.sh command line to generate and flash disk encryption enabled rootfs/UDA partition images, please refer to How to Create an Encrypted Rootfs on the Host for details.

We are already setting ROOTFS_ENC. What's the difference to ENC_ROOTFS? My guess is that there is a typo in the docs, since ROOTFS_ENC works for us (when we flash the rootfs only).

hello brootux,

you’re correct, it’s ROOTFS_ENC variable to enable disk encryption support.

>> the stuff of a “regular” flash (boot/rootfs a/b/etc) on the internal storage
it’s done with ROOTFS_ENC=1 in flash.sh command line.

>> a data partition that gets decrypted on boot on external nvme-storage
you may also see Topic 217663 for using l4t_initrd_flash.sh to encrypt an external device.