HW Accelerated Encryption for Xavier NX with LUKS/cryptsetup

Robotics & Edge Computing Jetson & Embedded Systems Jetson Xavier NX
1

Hi there! I’m trying to create an encrypted partition on a uSD flash card with the Xavier NX Developer Kit. I would like to ensure that the partition I’m formatting is using the HW accelerated crypto provided by the platform to ensure minimal overhead.

After diving into the platform’s encryption docs, I was able to extract that AES-CBC with ESSIV is the algorithm of choice. The docs also showed the exact cipher flag (aes-cbc-essiv:sha256) and key size (128) to pass into cryptsetup. I attempted formatting an already created partition a couple of ways using cryptsetup (which uses DMCrypt):

  1. Specifying luks2 type
cryptsetup --type=luks2 -c aes-cbc-essiv:sha256 -s 128 -v --debug luksFormat /dev/mmcblk0p12

This method returned an error, indicating that it was unsupported/invalid:

# Allocating context for crypt device /dev/mmcblk0p12.
# Trying to open and read device /dev/mmcblk0p12 with direct-io.
# Initialising device-mapper backend library.
# File descriptor passphrase entry requested.
Failed to open key file.
# Releasing crypt device /dev/mmcblk0p12 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Interestingly, I do not see aes-cbc-essiv in /proc/crypto.

  1. Specifying plain type
cryptsetup --type=plain -c aes-cbc-essiv:sha256 -s 128 -v --debug luksFormat /dev/mmcblk0p12

This one succeeded, however I noticed poor read/write speeds compared to another unencrypted partition. A side question: perhaps this is due to alignment of the partition itself?

I also noticed that the docs referenced above are super new, so I have tried this on the latest developer kit image (as of today - nx-jp45).

What is the recommended method to create an encrypted partition using cryptsetup such that HW accelerated crypto is taken full advantage of?

Thanks a bunch in advance!

3

hello bmsp,

please upgrade to the latest JetPack release. it’s a new feature added for JetPack-4.5 / L4T R32.5,
you should also refer to r32.5 release notes.

Disk encryption
supported to protect data at rest on Jetson Xavier NX, Jetson AGX Xavier, and Jetson TX2.

4

Hi Jerry, thanks for your prompt reply! However, I have already downloaded the latest available image for the developer kit this morning which includes JetPack-4.5 as I saw this in the release notes the other day.

I’m wondering if the commands I tried above are correct or if there is another recommend way to create an encrypted partition with HW accelerated crypto.

Thanks!

5

hello bmsp,

may I have more details about why to enable this option? i.e. --type=luks2
since this needs to enable the kernel config “CONFIG_CRYPTO_USER_API_SKCIPHER”, which we don’t enable that by default.

could you please ignore specifying luks2 types, or please use --type=luks1 options.
since there’re different header formats of LUKS partition, it would be different when checking the header.
however, the crypto operations for disk encryption are the same.
thanks

6

Hi Jerry! I only tried luks2 because it was the newest LUKS offered in the type options. It worked with luks1 as well as plain. Additionally, thank you for confirming the encryption parameters.