Jetson Orin Nano Custom Key Encryption

Continuing the discussion from Failing with custom keys for encrypting NVME on Jetson Orin Nano:

I tried the disk encryption steps as above for flashing NVMe with disk encryption.
In the OP-TEE source package folder:

  1. openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
  2. cp eks_t234.img to $OUT/Linux_for_Tegra/bootloader/.
  3. cp sym2_t234.key to $OUT/Linux_for_Tegra

Flashing

  1. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam internal
    log1.log (179.6 KB)

  2. $ sudo ./flash.sh --no-flash -k A_eks cti/orin-nano/boson-orin/fsm-imx678-2cam internal
    log2.log (20.9 KB)

  3. $ sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.

  4. $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 cti/orin-nano/boson-orin/fsm-imx678-2cam external
    log3.log (140.5 KB)

  5. $ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
    log4.log (40.5 KB)

UART log
uart.log (86.5 KB)

hello mrcloud,

this failure shows an incorrect EKS image was used.

E/TC:00 00 ekb_extraction_process:211 Bad parameter: eks image not correct
E/TC:00 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff0006).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x000f2848 failed
I/TC: Primary CPU switching to normal world boot

....

[   12.334014] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   12.343291] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00

Hi Jerry,

What is the solution for this?
I removed the eks_t234.img from bootloader directory.
Then I copied the eks_t234.img from optee into bootloader directory with sudo.
And confirmed that the eks_t234.img was copied.

hello mrcloud,

please check that the EKS image was not overwritten by l4t_initrd_flash.sh
$ md5sum ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt results should be identical with the… bootloader/eks_t234_sigheader.img.encrypt.

if not…
please try step-3, and step-5 again.

Hi Jerry

I checked, both checksums are correct.

And I also reflashed with step 5, same error "eks image not correct"

hello mrcloud,

please also run hexdump to examine the EKS image you’ve created.
FYI, there are 4 magic bytes at the beginning of the EKS image, they are: "EEKB".
if these 4 bytes are wrong, you will also see "eks image not correct" failure.
for example,

$ hexdump -C -n 4 -s 0x24 eks_t234.img
00000024  45 45 4b 42                                       |EEKB|
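The two checks Jerry describes (the md5sum comparison of the staged copy against the bootloader copy, and the "EEKB" magic at offset 0x24) can be scripted so they run before step 5 rather than after a failed boot. The script below is an added example, not from this thread and not part of NVIDIA's gen_ekb.py or flash tooling; it assumes only what the thread states (magic "EEKB" at byte offset 0x24 of eks_t234.img, and that the two eks_t234_sigheader.img.encrypt copies must be identical). It compares the copies byte-for-byte with cmp instead of md5sum, which reaches the same conclusion without depending on a particular hashing tool. The sample images are constructed inline, including one with the 7d f3 bd a2 bytes posted above, so it runs offline; point the functions at the real files on your host.

```shell
#!/bin/sh
# Added example (not from the thread or NVIDIA's tools): pre-flash sanity
# checks for a custom EKS image.
#   1. the 4 bytes at offset 0x24 of eks_t234.img must spell "EEKB";
#   2. the staged tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
#      must be byte-identical to bootloader/eks_t234_sigheader.img.encrypt.
set -eu

EKS_MAGIC_OFFSET=36        # 0x24, the offset used in the hexdump above (assumed from the thread)
EKS_MAGIC_HEX=45454b42     # ASCII "EEKB"

# Print the 4 bytes at the magic offset as lowercase hex. od is POSIX and
# shows the same bytes as: hexdump -C -n 4 -s 0x24 <image>
eks_magic_hex() {
    od -An -tx1 -j "$EKS_MAGIC_OFFSET" -N 4 "$1" | tr -d ' \n'
}

# Succeed (exit 0) only if the image carries the EEKB magic.
eks_has_magic() {
    [ "$(eks_magic_hex "$1")" = "$EKS_MAGIC_HEX" ]
}

# Succeed only if the staged copy matches the bootloader copy byte-for-byte
# (equivalent to the two md5sum outputs being identical).
eks_copies_match() {
    cmp -s "$1" "$2"
}

# Build a constructed sample image: 36 header bytes, the given magic
# (printf %b expands \0ddd octal escapes), then a dummy payload. Real images
# from gen_ekb.py are larger; only the offset-0x24 check is modelled here.
make_sample_eks() {
    { dd if=/dev/zero bs="$EKS_MAGIC_OFFSET" count=1 2>/dev/null
      printf '%b' "$2"
      printf 'constructed-ekb-payload'; } > "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_EKS="$WORK/eks_t234.img"
BAD_EKS="$WORK/eks_t234_bad.img"
STAGED_EKS="$WORK/eks_t234_sigheader.img.encrypt.staged"
make_sample_eks "$GOOD_EKS" 'EEKB'
make_sample_eks "$BAD_EKS"  '\0175\0363\0275\0242'   # 7d f3 bd a2, the bytes posted in the thread
cp "$GOOD_EKS" "$STAGED_EKS"

for img in "$GOOD_EKS" "$BAD_EKS"; do
    if eks_has_magic "$img"; then
        echo "OK   $(basename "$img"): magic $(eks_magic_hex "$img") (EEKB)"
    else
        echo "FAIL $(basename "$img"): magic $(eks_magic_hex "$img"), expected $EKS_MAGIC_HEX (regenerate with gen_ekb.py from the matching L4T release)"
    fi
done

if eks_copies_match "$GOOD_EKS" "$STAGED_EKS"; then
    echo "OK   staged copy matches bootloader copy"
else
    echo "FAIL staged copy differs; redo step 3 (cp) and step 5 (--flash-only)"
fi
```

Run it on the real paths by calling eks_has_magic bootloader/eks_t234.img and eks_copies_match bootloader/eks_t234_sigheader.img.encrypt tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt from Linux_for_Tegra; a magic mismatch points at the image generation step, a copy mismatch at the staging step.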

still both are identical
$ hexdump -C -n 4 -s 0x24 eks_t234.img
00000024  7d f3 bd a2                                       |}...|

hello mrcloud,

it looks like those 4 magic bytes are not shown.

may I double confirm the script file you used to generate the EKS image.
for instance, did you download [Driver Package (BSP) Sources] via Jetson Linux 35.4.1 | NVIDIA Developer.
and… you should execute this file to create a customized EKS image.
$public_sources/r35.4.1/Linux_for_Tegra/source/public/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py

I reinstalled OP-TEE, and it is working perfectly.
Thanks.

hello mrcloud,

glad to know it works.
let me double confirm, is the issue that the script file (i.e. gen_ekb.py) did not match the L4T release version?

just noticed I'm using r35_release_v1.0 compared to r35_release_v4.1 for public_resources.tbz2
