HW Accelerated Encryption for Xavier NX with LUKS/cryptsetup

Hi there! I’m trying to create an encrypted partition on a uSD flash card with the Xavier NX Developer Kit. I would like to ensure that the partition I’m formatting is using the HW accelerated crypto provided by the platform to ensure minimal overhead.

After diving into the platform’s encryption docs, I was able to extract that AES-CBC with ESSIV is the algorithm of choice. The docs also showed the exact cipher flag (aes-cbc-essiv:sha256) and key size (128) to pass into cryptsetup. I attempted formatting an already created partition a couple of ways using cryptsetup (which uses DMCrypt):

  1. Specifying luks2 type
cryptsetup --type=luks2 -c aes-cbc-essiv:sha256 -s 128 -v --debug luksFormat /dev/mmcblk0p12

This method returned an error, indicating that it was unsupported/invalid:

# Allocating context for crypt device /dev/mmcblk0p12.
# Trying to open and read device /dev/mmcblk0p12 with direct-io.
# Initialising device-mapper backend library.
# File descriptor passphrase entry requested.
Failed to open key file.
# Releasing crypt device /dev/mmcblk0p12 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Interestingly, I do not see aes-cbc-essiv in /proc/crypto.

  2. Specifying plain type
cryptsetup --type=plain -c aes-cbc-essiv:sha256 -s 128 -v --debug luksFormat /dev/mmcblk0p12

This one succeeded, however I noticed poor read/write speeds compared to another unencrypted partition. A side question: perhaps this is due to alignment of the partition itself?

I also noticed that the docs referenced above are super new, so I have tried this on the latest developer kit image (as of today - nx-jp45).

What is the recommended method to create an encrypted partition using cryptsetup such that HW accelerated crypto is taken full advantage of?

Thanks a bunch in advance!

hello bmsp,

please upgrade to the latest JetPack release. it’s a new feature added for JetPack-4.5 / L4T R32.5,
you should also refer to r32.5 release notes.

Disk encryption
supported to protect data at rest on Jetson Xavier NX, Jetson AGX Xavier, and Jetson TX2.

Hi Jerry, thanks for your prompt reply! However, I have already downloaded the latest available image for the developer kit this morning which includes JetPack-4.5 as I saw this in the release notes the other day.

I’m wondering if the commands I tried above are correct or if there is another recommended way to create an encrypted partition with HW accelerated crypto.

Thanks!

hello bmsp,

may I have more details about why to enable this option? i.e. --type=luks2
since this needs to enable the kernel config “CONFIG_CRYPTO_USER_API_SKCIPHER”, which we don’t enable by default.

could you please ignore specifying luks2 types, or please use --type=luks1 options.
since there’re different header formats of LUKS partition, it would be different when checking the header.
however, the crypto operations for disk encryption are the same.
thanks

Hi Jerry! I only tried luks2 because it was the newest LUKS offered in the type options. It worked with luks1 as well as plain. Additionally, thank you for confirming the encryption parameters.
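
The /proc/crypto check from the first post, carried one step further as an added example (not part of the thread and not NVIDIA's code): entries there are keyed by kernel algorithm name, and the kernel uses the highest-priority driver registered for a name. It assumes the name to look up for this dm-crypt cipher spec is cbc(aes); the sample entries, driver names and priorities are constructed placeholders.

```shell
#!/bin/sh
# Added example: list which kernel drivers implement a crypto algorithm name.

# Constructed sample in /proc/crypto format. Driver names and priorities are
# illustrative placeholders, not values captured from a Jetson.
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : blkcipher

name         : cbc(aes)
driver       : cbc-aes-examplehw
module       : kernel
priority     : 400
type         : ablkcipher

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash
EOF
}

# list_impls ALG [FILE]: print "priority driver type" for each implementation
# of ALG, highest priority first. FILE defaults to /proc/crypto; "-" is stdin.
list_impls() {
    awk -F ' *: *' -v alg="$1" '
        function emit() {
            if (name == alg) print prio, driver, type
            name = driver = type = ""; prio = 0
        }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" { prio = $2 }
        $1 == "type"     { type = $2 }
        /^ *$/           { emit() }   # a blank line ends one entry
        END              { emit() }   # last entry may lack a trailing blank
    ' "${2:-/proc/crypto}" | sort -k1,1nr
}

# selected_driver ALG [FILE]: the driver the kernel prefers for ALG, i.e. the
# registered implementation with the highest priority.
selected_driver() { list_impls "$@" | awk 'NR == 1 { print $2 }'; }

# Demo on the constructed sample; on a device call: selected_driver 'cbc(aes)'
sample_proc_crypto | selected_driver 'cbc(aes)' -
```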