I am trying to get disk encryption working with the default/test fuse keys on an NVMe before I then get it working with custom keys with secure boot enabled. The error occurs after the final step, and it looks to me like it’s trying to flash the eMMC on the device, but it can’t find /dev/mmcblk0 because it is never mounted by the device operating system. I have tried every variation I can think of, and have read through a lot of documentation and examined the scripts themselves to try and make sense of it, but I have not made any significant progress in a few days of looking at this. Any help is appreciated, thanks.
/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
***************************************
* *
* Step 3: Start the flashing process *
* *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:0::2
SSH ready
blockdev: cannot open /dev/mmcblk0boot0: No such file or directory
[ 0]: l4t_flash_from_kernel: Starting to create gpt for emmc
Active index file is /mnt/internal/flash.idx
Number of lines is 58
max_index=57
[ 1]: l4t_flash_from_kernel: Successfully create gpt for emmc
[ 1]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /mnt/external/flash.idx
Number of lines is 76
max_index=75
writing item=59, 6:0:primary_gpt, 512, 19968, gpt_primary_6_0.bin, 16896, fixed-<reserved>-0, b407a53ee188480034094e26dd1b261aa5f46ecd
Error: Could not stat device /dev/mmcblk0 - No such file or directory.
Flash failure
Cleaning up...
Please also refer to the following steps to flash the board with disk encryption which has been verified on the Orin Nano devkit.
Step 1. Put the device into recovery mode, then generate qspi only images for the internal device
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
Step 2. Put the device into recovery mode, then generate a normal filesystem for the external device
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
Step 3. Put the device into recovery mode, then flash both images
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
If you still hit the flash failed issue, please share the full serial console log for further check.
Here’s the failure… ERROR cryptsetup not found!
It looks like you did not install the cryptsetup utility. Please execute $ sudo apt-get install cryptsetup
After that, please re-run step 2 as mentioned in comment #3 to create the encrypted rootfs.
FYI,
once the cryptsetup utility is installed,
you shall see below that user_data_encrypted.img_ext has been created during image creation.
For example,
Using UUID e0e0b050-0433-49b1-93c1-4f23c10ac1de for mounting UDA_ext partition.
Making user_data_encrypted.img_ext...
Sync'ing user_data_encrypted.img_ext ... done.
Converting RAW image to Sparse image... done.
user_data_encrypted.img_ext built successfully.
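An added example, not part of the thread or of NVIDIA's tooling: a host-side check to run before step 3 that looks for the messages quoted above in a saved step-2 log. The function names, the saved log files and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not NVIDIA's tooling). Marker strings are the ones quoted in
# this thread; the function names and log file names are hypothetical.

# Print one verdict for a saved l4t_initrd_flash.sh log. The cryptsetup error is
# tested first: in this thread it was the cause, the flash error came later.
classify_flash_log() {
    log=$(cat -- "$1") || return 2
    case $log in
        *'ERROR cryptsetup not found'*)                     echo missing-cryptsetup ;;
        *'Could not stat device /dev/mmcblk0'*)             echo mmcblk0-missing ;;
        *'user_data_encrypted.img_ext built successfully'*) echo encrypted-image-built ;;
        *)                                                  echo unknown ;;
    esac
}

# Gate for step 3: succeed only if the host tool exists and the step-2 log shows
# the encrypted image was built. $2 defaults to cryptsetup.
ready_to_flash() {
    tool=${2:-cryptsetup}
    command -v "$tool" >/dev/null 2>&1 || { echo "host is missing $tool"; return 1; }
    verdict=$(classify_flash_log "$1") || return 2
    [ "$verdict" = encrypted-image-built ] || { echo "step 2 log: $verdict"; return 1; }
    echo "ok to run --flash-only"
}

# Constructed sample logs (lines modelled on the output quoted above).
tmp=$(mktemp -d)
printf '%s\n' 'ERROR cryptsetup not found!' \
    'Error: Could not stat device /dev/mmcblk0 - No such file or directory.' \
    'Flash failure' > "$tmp/failed.log"
printf '%s\n' 'Making user_data_encrypted.img_ext...' \
    'user_data_encrypted.img_ext built successfully.' > "$tmp/good.log"

for f in failed good; do
    printf '%s.log: %s\n' "$f" "$(classify_flash_log "$tmp/$f.log")"
done
ready_to_flash "$tmp/good.log" || true
rm -rf "$tmp"
```
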
I am also trying to accomplish this, but need a little help understanding things on this embedded device compared to a normal Ubuntu PC I am used to working with…
When I do a fresh install of Ubuntu on a normal PC, it asks me to set up LUKS and assign a password, then each time I boot the system I am asked to enter the password to get into Ubuntu.
Since we are using key files in this instance instead of a password, how does the user authenticate and unlock the encryption upon boot to access the device?
After I completed these steps, the Orin just boots to a black screen… Does secure boot need to be enabled first? Do you need to SSH into the box and present the key file to log in?
Did you mean self-encryption? Self-encrypting drives are only supported with Windows OS.
Fortunately, you may use dislocker on Linux; you’ll need the BitLocker password to mount such a partition to your filesystem.
For instance: $ sudo apt install dislocker
Please submit a new discussion thread to follow up if there are any questions…