How to remove ECID limitation when ROOT_ENC is enabled

Hi, everyone,

When I used disk encryption and wanted to flash, it would recreate an image every time, which cost a lot of time, so I wanted to remove the ECID and use a generic passphrase.

As follows, I commented out the ECID:

@@ -543,7 +543,8 @@ function build_enc_root_fsimg () {
        if [ "${enc_rfs_keyfile}" != "" ]; then
                genpass_opt+="-k \"${enc_rfs_keyfile}\" ";
        fi;
-       genpass_opt+="-u -e '${__ecid}' "
+       # do not need ecid for ourself
+       #genpass_opt+="-u -e '${__ecid}' "
        genpass_opt+="-c '${__rootfsuuid}'";
        GEN_LUKS_PASS_CMD+=" ${genpass_opt}";
 
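Review bot: In build_enc_root_fsimg, commenting out genpass_opt+="-u -e '${__ecid}' " drops the -u flag together with -e, so the only inputs left on the generator's command line are the optional -k keyfile and -c '${__rootfsuuid}'. Nothing in this patch touches the side that unlocks the rootfs at boot, so it needs to be confirmed that that side generates the passphrase from the same inputs; otherwise the two will not match. If an ECID-free mode is really wanted, gate this line on an explicit variable rather than leaving commented-out code, and replace "do not need ecid for ourself" with a comment that states what the passphrase is now bound to.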
@@ -655,7 +656,7 @@ function build_enc_fsimg () {
        # Check ECID
        if [ "${__ecid}" == "" ]; then
                echo "ERROR: build_enc_fsimg: ECID is null .";
-               exit 1;
+               #exit 1;
        fi;
 
        # Check gen_luks_passphrase.py
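Review bot: With exit 1 commented out in the ECID check of build_enc_fsimg, the script still prints "ERROR: build_enc_fsimg: ECID is null ." and then carries on, which leaves an error in the log on a path that is now meant to succeed. Either remove the whole if block, or keep the check fatal and skip it only when an explicit ECID-free option is set; if it stays non-fatal, reword the message as a warning.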
@@ -669,7 +670,7 @@ function build_enc_fsimg () {
        if [ "${enc_rfs_keyfile}" != "" ]; then
                genpass_opt+="-k \"${enc_rfs_keyfile}\" ";
        fi;
-       genpass_opt+="-u -e '${__ecid}' ";
+       #genpass_opt+="-u -e '${__ecid}' ";
        genpass_opt+="-c '${__fsuuid}'";
        GEN_LUKS_PASS_CMD+=" ${genpass_opt}";
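Review bot: This repeats the removal made in build_enc_root_fsimg, here without any explanatory comment, so the only inputs left on the generator's command line for this image are the optional -k keyfile and -c '${__fsuuid}'. Images built with the same keyfile and the same UUID are then given identical inputs, which should be stated in a comment at this line. The same edit duplicated in two functions also suggests one shared toggle would be cleaner than two commented-out lines.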

After creating the image, I could use ./tools/disk_encryption/gen_luks_passphrase.py -k ./ekb.key -c "${uuid}" | sudo cryptsetup luksOpen ${loopdev} ${l4t_enc_root_dm}
and I could decrypt the raw image to mount it. But when I flash it, the NX cannot boot normally.

So what should I do so that I can resolve this question?

BTW, cat /etc/nv_tegra_release

R35 (release), REVISION: 3.1, GCID: 32827747, BOARD: t186ref, EABI: aarch64, DATE: Sun Mar 19 15:19:21 UTC 2023

Thanks,
Best regards,
Ultwcz1997

hello ultwcz1997,

May I know what the real use case is?
If you're using flash.sh, there's the -r option to skip building system.img by reusing the existing one for image flashing.
If you're running l4t_initrd_flash.sh, there's the --no-flash option to generate images first, and you're able to flash the target later by using --flash-only.

Hello JerryChang,

When I enable disk encryption, if I use NX-a to create an image and then flash NX-b, NX-b does not work, so I have to recreate an image for NX-b.

I just want to encrypt the disk without binding the image to the ECID, because I need to use one image to flash two devices.

Thank you.

hello ultwcz1997,

It's not supported. Each device needs a unique encryption key; it's not suggested to use the same encryption key for all devices.
Please also see Topic 221204 for reference, thanks.

Hi JerryChang,

Thanks for your reply.

But if we need to flash a large number of devices, do you have any advice for reducing flash time when I use disk encryption?

As mentioned above, each device needs a unique encryption key; disk encryption is only possible with per-device flashing.

OK, thank you.
Does NVIDIA plan to use a generic passphrase?

Using a generic passphrase is not supported.
Please also note that it's mentioned in the developer guide, under To Enhance initrd to Unlock an Encrypted Rootfs:

Unlock the encrypted root device with the per-device unique passphrase.

Thank you. I will try it.
I think you mean that I could unlock the encrypted image from NX-a and open it on NX-b.