Jetson Orin Nano Custom Key Encryption

Continuing the discussion from Failing with custom keys for encrypting NVME on Jetson Orin Nano:

I tried with disk encryption step as above for flashing NVME disk encryption.
In op-tee source package folder

  1. openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
  2. cp eks_t234.img to $OUT/Linux_for_Tegra/bootloader/.
  3. cp sym2_t234.key to $OUT/Linux_for_Tegra


  1. $ sudo ./tools/kernel_flash/ --showlogs -p “-c bootloader/t186ref/cfg/flash_t234_qspi.xml” --no-flash --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam internal
    log1.log (179.6 KB)

  2. $ sudo ./ --no-flash -k A_eks cti/orin-nano/boson-orin/fsm-imx678-2cam internal
    log2.log (20.9 KB)

  3. $ sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

  4. $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/ --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam external
    log3.log (140.5 KB)

  5. $ sudo ./tools/kernel_flash/ --showlogs --network usb0 --flash-only
    log4.log (40.5 KB)

UART log
uart.log (86.5 KB)

hello mrcloud,

this failure shows incorrect eks image were used.

E/TC:00 00 ekb_extraction_process:211 Bad parameter: eks image not correct
E/TC:00 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff0006).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x000f2848 failed
I/TC: Primary CPU switching to normal world boot


[   12.334014] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   12.343291] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00

Hi Jerry,

What is the solution for this?
I removed the eks_t234.img from bootloader directory.
Then I copied the eks_t234.img from optee into bootloader directory with sudo.
And confirm that the eks_t234.img is copied.

hello mrcloud,

please check eks image did not overwrite by
$ md5sum ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt results should be identical with the… bootloader/eks_t234_sigheader.img.encrypt.

if not…
please try step-3, and step-5 again.

Hi Jerry

I checked, both checksum is correct.

And I also reflash with step 5, same error “eks image not correct”

hello mrcloud,

please also run hexdump to examine the EKS image you’ve created.
FYI, there are 4 magic bytes at the beginning of the EKS image, they are: "EEKB".
if these 4 bytes are wrong, you will also see "eks image not correct" failure.
for example,

$ hexdump -C -n 4 -s 0x24 eks_t234.img
00000024  45 45 4b 42                                       |EEKB|

still both is identical
$ hexdump -C -n 4 -s 0x24 eks_t234.img
00000024 7d f3 bd a2 |}…|

hello mrcloud,

it looks those 4 magic bytes did not shown.

may I double confirm the script file you’re used to generate EKS image.
for instance, did you download [Driver Package (BSP) Sources] via Jetson Linux 35.4.1 | NVIDIA Developer.
and… you should execute this file to create a customize EKS image.

I reinstall the optee, and is working perfectly.

hello mrcloud,

glad to know it works.
let me double confirm, is the issue on the script file (i.e. that did not match the L4T release version?

just notice I’m using r35_release_v1.0 compare to r35_release_v4.1 for public_resources.tbz2

1 Like