How to used the flash_l4t_nvme_rootfs_enc.xml with a custom board?

I am currently overseeing the process of flashing and encrypting the drive on the MIC-713(S)-OX for our upcoming project. Despite following the recommended steps outlined on the NVIDIA forum, I have encountered persistent issues that have prevented successful completion. These are the command I used to encrypted the drive:

# Generate images for QSPI
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 p3509-a02+p3767-0000 internal

# Generate ekb.key 
sudo openssl rand -hex 16 > ekb.key

# Generate images for external storage device
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only –S 20GiB --append --network usb0 p3509-a02+p3767-0000 external

# Flash images into the both storage devices
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

After these commands are executed, the flash is successful. The machine boots to the UEFI but never starts the OS, and the screen turns black. The Orin NX restarts to the UEFI screen repeatedly.

My board is a custom board from Advantech. We are waiting for a USB to UART 1.8v adapter; until then, I won’t be able to provide you with the bootloader log.

Waiting for your reply.

Then are you able to boot the device without disk encryption?

Really nothing we can do without the log.

Yes. The devic without the encryption can be flash. Here is the log from the bootloader when I encrypted the drive.
log_encrypt.txt (115.0 KB)
Here is the initrd log for the flash with encryption.
flash_1-1_0_20240315-091420.log (39.4 KB)

Thanks in advanced

I mean whether you are able to boot the device, not just flash.
Also, what L4T version do you use?

Version 35.4.1 is the current version. Upon attempting to start the device, I encounter a black screen. Subsequently, the computer reboots automatically after approximately 10 minutes. On occasion, the Ubuntu Installer appears, but it fails to complete the installation process, perpetually remaining on the Panther background.

hello apa,

please check Tool for EKB Generation section for reference.
since you’re using a custom key, you’ll also need to perform gen_ekb.py to create a new EKS image; please also updating EKS image accordingly for image flash.

furthermore,
here’s similar discussion thread, Topic 270934, which give steps to enable disk encryption with a custom key,
it’s tested/verified the ROOTFS_ENC functionality had worked normally.

Hi @JerryChang, can you confirm with me that the disk encryption work properly on custom board from Advantech ?
I did replace de EKS image in the bootloader. I just want to confirm that I used MIC-713_8GB_OrinNX_5.1.2_V1.0.3_SDK from Advantech: Dropbox - MIC-713(S)-OX3A1 - Simplify your life

Just FYI I was able to encrypted a drive on a jetson nano devkit.

hello apa,

please check with vendors since we (and you’ve also) verified disk encryption on developer kits.

Hello @JerryChang,

I’ve reached out as you suggested, and the response was to seek your expertise on this matter. It appears that support for encryption-related issues is not being offered at this time. Given this guidance, I will diligently follow the instructions available on this forum once more. Afterward, I plan to compile a detailed, step-by-step guide of my procedure. I hope with your keen insight, you might be able to identify any missteps or areas for improvement in my approach.

Thank you in advance for your time and assistance. I look forward to your valuable feedback and am hopeful for a resolution to this challenge.

Here are the step I did with the log :

#Edit the sym2_t234.key 

#Modify example.sh

#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t194.key <--- 

#Run the sample.sh script 

sudo ./sample.sh 

#copy the key and image 
sudo cp sym2_t234.key /media/apa/SDK/Advantech/1.0.3/Linux_for_Tegra/.
sudo cp eks_t234.img /media/apa/SDK/Advantech/1.0.3/Linux_for_Tegra/bootloader/.

#Execute first command to create qspi image
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 -u ./rsa.pem -v ./sbk.key --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" p3509-a02+p3767-0000 internal

#copy encrypted img
sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

#created encrypted rootfs img
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u ./rsa.pem -v ./sbk.key --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 20GiB --external-only --append --network usb0 p3509-a02+p3767-0000 external

#Flash image to device on recovery mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u rsa.pem -v sbk.key --network usb0 --flash-only

flash_1-4_0_20240319-084946.log (41.1 KB)

log.txt (79.5 KB)

You can close the ticket. This was the step I forgot.

python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py -chip t234 -oem_k2_key kek_optee.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.