Jetson Orin Nano DevKit Disk Encryption Could not stat device /dev/mmcblk0 - No such file or directory

Hi,

I’m using a Jetson Orin Nano Devkit with JetPack SDK 5.1.2 and BSP 35.4.1. An Ubuntu 20.04 Linux host. OP-TEE from https://developer.nvidia.com/embedded/l4t/r35_release_v1.0/sources/public_sources.tbz2. Samsung 960 Pro NVMe.

I am trying to get disk encryption working with the default/test fuse keys on an NVMe before I then get it working with custom keys with secure boot enabled. The error occurs after the final step, and it looks to me like it’s trying to flash the eMMC on the device, but it can’t find /dev/mmcblk0 because it is never mounted by the device operating system. I have tried every variation I can think of, and have read through a lot of documentation and examined the scripts themselves to try to make sense of it, but I have not made any significant progress after a few days of looking at this. Any help is appreciated, thanks.

My instructions below for reproducing the error:

sudo sh -c 'echo -1 > /sys/module/usbcore/parameters/autosuspend'
sudo systemctl stop udisks2
cd Linux_for_Tegra
cd ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
./example.sh
cd ../../../../../../../..
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/sym2_t234.key ./sym2_t234.key
rm ./bootloader/eks_t234.img
cp ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img ./bootloader/eks_t234.img
sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-orin-nano-devkit mmcblk0p1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -k A_eks --flash-only --showlogs
# Wait and restart Jetson in recovery mode
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

The error itself:

/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
***************************************
*                                     *
*  Step 3: Start the flashing process *
*                                     *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:0::2
SSH ready
blockdev: cannot open /dev/mmcblk0boot0: No such file or directory
[ 0]: l4t_flash_from_kernel: Starting to create gpt for emmc
Active index file is /mnt/internal/flash.idx
Number of lines is 58
max_index=57
[ 1]: l4t_flash_from_kernel: Successfully create gpt for emmc
[ 1]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /mnt/external/flash.idx
Number of lines is 76
max_index=75
writing item=59, 6:0:primary_gpt, 512, 19968, gpt_primary_6_0.bin, 16896, fixed-<reserved>-0, b407a53ee188480034094e26dd1b261aa5f46ecd
Error: Could not stat device /dev/mmcblk0 - No such file or directory.
Flash failure
Cleaning up...

Hi chrisward9000,

Please also refer to the following steps to flash the board with disk encryption, which have been verified on the Orin Nano devkit.

Step 1. Put the device into recovery mode, then generate QSPI-only images for the internal device
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal

Step 2. Put the device into recovery mode, then generate a normal filesystem for the external device
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

Step 3. Put the device into recovery mode, then flash both images
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

If you still hit the flash failure, please share the full serial console log for further checking.

I tried 3 times and the result was the same each time.

chris@christhreadripper:~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra/tools/kernel_flash/l4t_initrd_flash_internal.sh --network usb0 --usb-instance 7-1 --device-instance 0 --flash-only --external-device nvme0n1p1 -c "./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml" --network usb0 jetson-orin-nano-devkit external
**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 0
/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra/bootloader /home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
Finish creating flash environment 0.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra/temp_initrdflash/bootloader0 /home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
./tegraflash.py --bl uefi_jetson_with_dtb_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev  --bldtb tegra234-p3767-0003-p3768-0000-a0.dtb --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x23 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mb1_bin mb1_t234_prod_aligned_sigheader.bin.encrypt --psc_bl1_bin psc_bl1_t234_prod_aligned_sigheader.bin.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt  --bins "psc_fw pscfw_t234_prod_sigheader.bin.encrypt; mts_mce mce_flash_o10_cr_prod_sigheader.bin.encrypt; mb2_applet applet_t234_sigheader.bin.encrypt; mb2_bootloader mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader.bin.encrypt; xusb_fw xusb_t234_prod_sigheader.bin.encrypt; dce_fw display-t234-dce_sigheader.bin.encrypt; nvdec nvdec_t234_prod_sigheader.fw.encrypt; bpmp_fw bpmp_t234-TE950M-A1_prod_sigheader.bin.encrypt; bpmp_fw_dtb tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader.dtb.encrypt; sce_fw camera-rtcpu-sce_sigheader.img.encrypt; rce_fw camera-rtcpu-t234-rce_sigheader.img.encrypt; ape_fw adsp-fw_sigheader.bin.encrypt; spe_fw spe_t234_sigheader.bin.encrypt; tos tos-optee_t234_sigheader.img.encrypt; eks eks_t234_sigheader.img.encrypt; kernel boot0.img; kernel_dtb tegra234-p3767-0003-p3768-0000-a0.dtb"    --secondary_gpt_backup  --bct_backup  --instance 7-1
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands


 Entering RCM boot

[   0.0383 ] mb1_t234_prod_aligned_sigheader.bin.encrypt filename is from --mb1_bin
[   0.0383 ] psc_bl1_t234_prod_aligned_sigheader.bin.encrypt filename is from --psc_bl1_bin
[   0.0383 ] rcm boot with presigned binaries
[   0.0401 ] tegrarcm_v2 --instance 7-1 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader.bin.encrypt --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader.bin.encrypt --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt
[   0.0416 ] BR_CID: 0x80012344705DE2891C00000019000100
[   0.0483 ] Sending bct_br
[   0.0515 ] Sending mb1
[   0.0519 ] Sending psc_bl1
[   0.0609 ] Sending bct_mb1
[   0.0666 ] Generating blob for T23x
[   0.0699 ] tegrahost_v2 --chip 0x23 0 --generateblob blob.xml blob.bin
[   0.0717 ] The number of images in blob is 18
[   0.0722 ] blobsize is 73378586
[   0.0722 ] Added binary blob_uefi_jetson_with_dtb_sigheader.bin.encrypt of size 2924608
[   0.1036 ] Added binary blob_pscfw_t234_prod_sigheader.bin.encrypt of size 375168
[   0.1042 ] Added binary blob_mce_flash_o10_cr_prod_sigheader.bin.encrypt of size 190592
[   0.1045 ] Added binary blob_applet_t234_sigheader.bin.encrypt of size 277312
[   0.1047 ] Not supported type: mb2_applet
[   0.1048 ] Added binary blob_mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader.bin.encrypt of size 438768
[   0.1052 ] Added binary blob_xusb_t234_prod_sigheader.bin.encrypt of size 164864
[   0.1055 ] Added binary blob_display-t234-dce_sigheader.bin.encrypt of size 9097216
[   0.1102 ] Added binary blob_nvdec_t234_prod_sigheader.fw.encrypt of size 294912
[   0.1123 ] Added binary blob_bpmp_t234-TE950M-A1_prod_sigheader.bin.encrypt of size 1051136
[   0.1128 ] Added binary blob_tegra234-bpmp-3767-0003-3509-a02_with_odm_sigheader.dtb.encrypt of size 110080
[   0.1132 ] Added binary blob_camera-rtcpu-sce_sigheader.img.encrypt of size 166304
[   0.1135 ] Added binary blob_camera-rtcpu-t234-rce_sigheader.img.encrypt of size 537952
[   0.1137 ] Added binary blob_adsp-fw_sigheader.bin.encrypt of size 400864
[   0.1139 ] Added binary blob_spe_t234_sigheader.bin.encrypt of size 270336
[   0.1141 ] Added binary blob_tos-optee_t234_sigheader.img.encrypt of size 1127568
[   0.1144 ] Added binary blob_eks_t234_sigheader.img.encrypt of size 9232
[   0.1146 ] Added binary blob_boot0.img of size 55592960
[   0.1456 ] Added binary blob_tegra234-p3767-0003-p3768-0000-a0.dtb of size 347610
[   0.2156 ] tegrarcm_v2 --instance 7-1 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader.bct.encrypt --download blob blob.bin
[   0.2175 ] BL: version 1.2.0.0-t234-54845784-562369e5 last_boot_error: 0
[   0.3083 ] Sending bct_mem
[   0.3138 ] Sending blob
[   2.8351 ] RCM-boot started

/home/chris/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
***************************************
*                                     *
*  Step 3: Start the flashing process *
*                                     *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:0::2
SSH ready
blockdev: cannot open /dev/mmcblk0boot0: No such file or directory
[ 0]: l4t_flash_from_kernel: Starting to create gpt for emmc
Active index file is /mnt/internal/flash.idx
Number of lines is 58
max_index=57
[ 2]: l4t_flash_from_kernel: Successfully create gpt for emmc
[ 2]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /mnt/external/flash.idx
Number of lines is 76
max_index=75
writing item=59, 6:0:primary_gpt, 512, 19968, gpt_primary_6_0.bin, 16896, fixed-<reserved>-0, 57eb507e80441995675a70a3df51d31777fac016
Error: Could not stat device /dev/mmcblk0 - No such file or directory.
Flash failure
Cleaning up...

Full log for all commands was too long to post here: log

Hello chrisward9000,

Here’s the failure: ERROR cryptsetup not found!
It looks like you did not install the cryptsetup utility. Please execute:
$ sudo apt-get install cryptsetup
After that, please re-run step 2 as mentioned in comment #3 to create the encrypted rootfs.

FYI, once the cryptsetup utility is installed, you should see that user_data_encrypted.img_ext has been created during image creation. For example:

Using UUID e0e0b050-0433-49b1-93c1-4f23c10ac1de for mounting UDA_ext partition.
Making user_data_encrypted.img_ext... 
	Sync'ing user_data_encrypted.img_ext ... done.
	Converting RAW image to Sparse image... done.
user_data_encrypted.img_ext built successfully. 

Thanks,

I installed everything cryptsetup and dmcrypt related and it now works, but you probably only need one or two of these, thanks.

apt-get install cryptsetup-initramfs cryptsetup-bin cryptsetup cryptsetup-run libcryptsetup-dev libcryptsetup12 cryptmount overlayroot
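
A preflight check for the failure diagnosed above, as an added example that is not part of the original thread or of NVIDIA's tooling: it classifies a saved image-generation log using the two messages quoted in the thread, so the --flash-only step is only attempted once the encrypted image was really built. It assumes the image-generation output was saved to a file (for example with `2>&1 | tee step2.log`); the function names, return codes and sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Linux_for_Tegra).
# Assumption: the image-generation step's output was saved to a log file.

MISSING_MARK='cryptsetup not found'                          # error quoted in the thread
BUILT_MARK='user_data_encrypted.img_ext built successfully'  # success line quoted in the thread

# Return 0 if the cryptsetup binary is on the host's PATH.
host_has_cryptsetup() {
    command -v cryptsetup >/dev/null 2>&1
}

# Classify a saved image-generation log:
#   0 = encrypted image built      1 = cryptsetup reported missing
#   2 = no success line found      3 = log file unreadable
check_enc_build_log() {
    [ -r "$1" ] || return 3
    # Look for the failure marker first: in this thread the build error
    # went unnoticed until the later flash step failed.
    grep -qF "$MISSING_MARK" "$1" && return 1
    grep -qF "$BUILT_MARK" "$1" && return 0
    return 2
}

# Constructed sample logs (not captured from a real run).
make_sample_logs() {
    cat > "$1/ok.log" <<'EOF'
Making user_data_encrypted.img_ext...
user_data_encrypted.img_ext built successfully.
EOF
    cat > "$1/bad.log" <<'EOF'
Making user_data_encrypted.img_ext...
ERROR cryptsetup not found!
EOF
    echo 'constructed log line with neither marker' > "$1/partial.log"
}

# Demo: classify the three constructed logs, then check this host.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
for name in ok bad partial; do
    rc=0; check_enc_build_log "$demo_dir/$name.log" || rc=$?
    echo "$name.log -> $rc"
done
host_has_cryptsetup || echo "host: cryptsetup missing, install it before generating images"
rm -rf "$demo_dir"
```

Only a return code of 0 from check_enc_build_log means the encrypted image exists; any other code means the image-generation step should be re-run before flashing.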

I am also trying to accomplish this, but need a little help understanding things on this embedded device compared to a normal Ubuntu PC I am used to working with…

When I do a fresh install of Ubuntu on a normal PC, it asks me to set up LUKS and assign a password, then each time I boot the system I am asked to enter the password to get into Ubuntu.

Since we are using key files in this instance instead of a password, how does the user authenticate and unlock the encryption upon boot to access the device?

After I completed these steps, the Orin just boots to a black screen… Does secure boot need to be enabled first? Do you need to SSH into the box and present the key file to log in?

Looking for clear steps to:

  • Enable full-disk encryption (above, thank you!)
  • Log in to the machine using the encryption key

Hello brian178,

Did you mean self-encryption? A self-encrypting drive is only supported with Windows OS.
Fortunately, you may use dislocker on Linux; you’ll need the BitLocker password to mount such a partition to your filesystem.
For instance: $ sudo apt install dislocker

Please submit a new discussion thread to follow up if there are any questions…
