How to solve the issue that SSD is not entirely available after full disk encryption

Hi!
I am just trying to flash an external device with an encrypted filesystem with:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 8GiB jetson-xavier-nx-devkit externa

After flashing, my device can boot and the file system is encrypted. What I am confused about is that my SSD has a capacity of 1T, but only 279MB is available.


Is there anything I missed when flashing?

Hi EmondCai,

Are you using the Xavier NX devkit with external NVMe SSD?
What’s your Jetpack version in use?

Have you tried to extend the disk size after boot up?

-S parameter in flash command is used to specify the size of rootfs.
Could you help to provide your flash_l4t_nvme_rootfs_enc.xml?

and also share the result of lsblk command on your board.

Thank you for your reply @KevinFFF!

Yes, I am using jetson-xavier-nx-devkit, the jetpack version is 5.0.2 and I’m using the Linux_for_tegra inside Jetpack r35.1.0 for flashing.

The result of lsblk is here:

The flash_l4t_nvme_rootfs_enc.xml I am using is here (I have never configured it):
flash_l4t_nvme_rootfs_enc.xml (8.5 KB)

By the way, if I specify -S as 500G, does it mean that my PC, on which I execute l4t_initrd_flash.sh, also needs 500G?

You could see that you have only 7.6G for rootfs.

From your XML…

sector_size="512" num_sectors="122159104"

The size for NVMe is 512*122159104 = 62545461248 = 58.25 GB.

Please note the following:
physical size >= sector_size*num_sectors >= -S parameter

The physical size of your NVMe SSD is 945.57GiB.
If you want to have 500 GB for rootfs, you could use -S 500GiB in your flash command, and modify num_sectors to 1073741824, which results in 512*1073741824 = 512GiB.
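
The size rule from the reply above (physical size >= sector_size*num_sectors >= -S), as an added example that is not part of the original thread or of NVIDIA's tooling. The XML snippet is a constructed stand-in carrying only the two attributes quoted in the thread, and the function names and the accepted size suffixes are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

UNITS = {None: 1, "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40}

# Constructed stand-in for the layout XML; only sector_size and
# num_sectors (and their values) are taken from the thread.
SAMPLE_XML = """<partition_layout>
  <device type="external" sector_size="512" num_sectors="122159104"/>
</partition_layout>"""

# Physical size quoted in the thread (945.57GiB), converted to bytes.
PHYSICAL_BYTES = int(945.57 * 2**30)


def parse_size(text):
    """Convert a size such as '8GiB' or a plain byte count to bytes."""
    m = re.fullmatch(r"(\d+)(KiB|MiB|GiB|TiB)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def layout_bytes(xml_text):
    """sector_size * num_sectors of the first element that has both."""
    for elem in ET.fromstring(xml_text).iter():
        if "sector_size" in elem.attrib and "num_sectors" in elem.attrib:
            return int(elem.get("sector_size")) * int(elem.get("num_sectors"))
    raise ValueError("no element with sector_size and num_sectors")


def check_layout(xml_text, rootfs_size, physical_bytes):
    """Return the violations of physical >= layout >= -S (empty if none)."""
    layout = layout_bytes(xml_text)
    rootfs = parse_size(rootfs_size)
    problems = []
    if layout > physical_bytes:
        problems.append(f"layout {layout} B exceeds physical disk {physical_bytes} B")
    if rootfs > layout:
        problems.append(f"-S {rootfs} B exceeds layout {layout} B")
    return problems


if __name__ == "__main__":
    for size in ("8GiB", "500GiB"):
        print(size, check_layout(SAMPLE_XML, size, PHYSICAL_BYTES) or "ok")
```

Running the check before flashing catches a -S value that the layout cannot hold, which avoids generating a large encrypted image only to find it does not fit.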

Thank you very much!

One other question:
If I flash with the default parameter, the passphrase is generated automatically, and the disk is decrypted after boot without entering any passphrase. So I wonder, is there any way that I can define my own passphrase and enter the passphrase to decrypt? Is there any doc that I can refer to?
Thank you again for your help!

I found that if I want to encrypt a 900GB disk, it takes a large amount of time to generate the .img.

Is that normal?

What do you mean about the “default parameter”?

You could refer to the following instruction for disk encryption.
Disk Encryption — Jetson Linux Developer Guide documentation (nvidia.com)

It seems expected. Could you flash successfully with my previous response?

I can flash successfully, thank you!

For the passphrase, what I mean is: can I specify a passphrase myself that is not bound to the hardware device?

I tried to change the output of gen_luks_passphrase.py and flash.

But after flashing, it seems that the disk cannot be decrypted at boot.

You could refer to the following instruction for how the passphrase works.
Disk Encryption — Details of Operation

You could also run the following command for the usage for gen_luks_passphrase.py, you may need to add a key file for custom key instead of modifying passphrase directly.

python3 gen_luks_passphrase.py --help

Is it possible to encrypt a disk so that it is not bound to the ecid (chip id), which means the disk itself is encrypted and it can be booted from another device?

It seems you would need the original key to decrypt your disk.
The same input is used to decrypt and unlock data stored on the disk.
