Is it possible to generate encrypted disk without a jetson connected?

Quick question. I’m trying to generate an image and then flash in 2 steps. I’m fine doing it with initrd_flash and mass_flash . However, when I try to enable the ROOTFS_ENC, it start to complain about ECID being null.

Generated UUID 8a1fe0c2-b205-4150-b125-7fe3ec463680 for mounting UDA partition.
Making user_data_encrypted.img... 
ERROR: build_enc_fsimg: ECID is null .
Error: /home/david/tmp_build/bootloader/signed/flash.idx is not found
Error: failed to relocate images to /home/david/tmp_build/tools/kernel_flash/images
Cleaning up...

It seems this is the BR_CID which is only available on jetson device, is this device specific? If so, then is it even possible to generate encrypted image (hence encrypted disk) without jetson connected?

TIA

hello user16748,

did you have two step approaches, which had --no-flash in the first command-line to generate image locally?

besides,
you may also revise the file to assign your ECID to the disk encryption script.
for example, $OUT/Linux_for_Tegra/tools/disk_encryption/disk_encryption_helper.func

Yes, I’m using the two step, which means the first step I’m trying to do without the actual device. Is this doable?

I guess I can “hardcode” some ECID in the script you mentioned. however, will the device will be able to “retrieve” the ECID on live device? Also, are those ECID same across devices? I assume not? Then how can I generate a single image for all manufacture devices and use them on manufacture floor?

Thanks in advance!

hello user16748,

no, each device need an unique encryption key, it’s not suggest to use the same encryption key for all devices.
as you can see in the developer guide, To Enhance initrd to Unlock an Encrypted Rootfs.
re-cap as following.

Unlock the encrypted root device with the per-device unique passphrase.


moreover, it’s not support to use generic passphrase, please have unique ECID to enable disk encryption. please have per-device flashing for mass production with disk encryption enabled.
you may see-also similar discussion threads for reference,
such as… Topic 263337, and Topic 265989.

Hi @JerryChang
Thanks for the prompt response. Also appreciate links to the topics they answered many of my questions.
Please allow me to ask one more question on this topic:
If this is device specific flash, and seems we would need the device to be connected during the flash, let’s say we need to do this on the non secure manufacture floor, does it mean we have to share the non-encrypted flash folder (L4T folder) to the flashing host on the manufacture floor? And it will only encrypt on the fly during the flashing.

Thanks

hello user16748,

you should have Jetson device connected to generate encrypted disk image.

Thanks, this is good for now

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.