Jetpack 5.1.1 disk encryption with user-generated ekb.key

evchupriyanov · July 21, 2023, 4:03pm

Hi!

I’m trying to use NVMe disk encryption without fusing my own KEK2 key on Jetson Xavier NX Devkit.

I’m using script from optee samples to generate bootloader/eks_t194.img and ekb.key:

#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
#echo "00000000000000000000000000000000" > sym_t194.key
#echo "00000000000000000000000000000000" > sym2_t194.key
echo "11111111111111111111111111111111" > sym_t194.key
echo "11111111111111111111111111111111" > sym2_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -out eks_t194.img

The following command is used to flash device:

ROOTFS_ENC=1 tools/kernel_flash/l4t_initrd_flash.sh -c tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-device nvme0n1 --external-only -p "-i ekb.key" jetson-xavier-nx-devkit-emmc external

If I use all 0’s for user-defined symmetric keys, everything goes fine, device is flashed succesfully and boots with encrypted root unlocked and mounted.
But if I use anything else for user-defined keys (replacing bootloader/eks_t194.img and ekb.key with generated ones), device is flashed fine, but nvluks-srv-app fails to unlock the rootfs with error No key found for this passphrase

What I am dong wrong here? Is it possible to use random user-defined symmetric keys without fusing device?

JerryChang · July 24, 2023, 2:16am

please see-also Topic 238756.

elton3 · July 24, 2023, 11:26pm

Hi Jerry,

I’m also interested in this topic. If you don’t mind, could you answer “Is it possible to use user-defined symmetric keys (other than all zeros) without fusing (kek2) on the device?”

Thank you!

JerryChang · July 25, 2023, 5:10am

had you fuse the target?
by default it’s using all zero as KEK2 root key for unfused board.
i.e. # echo "00000000000000000000000000000000" > kek2.key

FYI,
KEK it’s the Key for Encryption Key.
they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is 256-bit key file.
please use the commands, --KEK* to determine which key encryption key you’re going to fused.

elton3 · July 25, 2023, 7:06am

Hey @JerryChang,

Thanks for the response! We understand that by default it’s using all zeros as KEK2 root key for an unfused board. And yes KEK is used to encrypt keys.

But we would still like to get a clarification on whether we have to fuse the target first before we can use user-defined symmetric keys that are not all zeros.

And @evchupriyanov, sorry didn’t mean to steal your post.

Thanks

JerryChang · July 25, 2023, 7:50am

hello elton3,

the only way to put the keys into the target is fuse burning.
please note that, Burning a fuse (changing the value of a fuse from 0 to 1) is non-reversible.

evchupriyanov · July 25, 2023, 10:04am

Hi, @JerryChang

So what will be the correct procedure of flashing/fusing eks_t194.img generated by gen-ekb.py script, so we can have our own luks encryption keys?

JerryChang · July 26, 2023, 5:45am

hello evchupriyanov,

here’re roughly steps for your reference,

(1) you may put the device into recovery, execute below to create the base image.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash jetson-xavier-nx-devkit-emmc internal.

(2) then, please replace the default eks imagem i.e. eks_t194.img with yours.
please using the same key with, -i ekb.key to generate an image blob.
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -i ./ekb.key --network usb0 --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --append jetson-xavier-nx-devkit-emmc external

(3) finally, put the device into recovery and then run below.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --network usb0

system · August 16, 2023, 1:17am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.