Jetson Orin NX - disk encryption - flash failure mmcblk

Hi,

I’m trying to flash with encrypted rootfs, and it fails on searching for mmcblk0 instead of nvme in the ‘nfs’ sequence (after qspi initrd booted?).
Please ignore eks, keys, fuses - this is an issue with the initrd_flash script and blobs generated.

System:

  • Jetson Orin NX 16G
  • Forecr carrier
  • JetPack r35.5.0

Details:

  • the following simple flash command without encryption works correctly:

prepare:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
  --no-flash \
  --external-device nvme0n1p1 \
  -c tools/kernel_flash/flash_l4t_external.xml \
  -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
  --showlogs \
  --network usb0 jetson-orin-nano-devkit external;

flash:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

blobs created in images dir:
[4.0K] images
├── [4.0K] external
│ ├── [ 42M] boot.img
│ ├── [ 64M] esp.img
│ ├── [ 57] flash.cfg
│ ├── [1.8K] flash.idx
│ ├── [ 16K] gpt_primary_9_0.bin
│ ├── [ 16K] gpt_secondary_9_0.bin
│ ├── [338K] kernel_tegra234-p3767-0000-p3509-a02.dtb
│ ├── [ 512] mbr_9_0.bin
│ ├── [ 45M] recovery.img
│ ├── [5.5G] system.img
│ ├── [ 41] system.img.sha1sum
│ └── [338K] tegra234-p3767-0000-p3509-a02.dtb.rec
├── [4.0K] internal
│ ├── [392K] adsp-fw_sigheader.bin.encrypt
│ ├── [ 32K] bct_backup.img
│ ├── [1003K] bpmp_t234-TE980M-A1_prod_sigheader.bin.encrypt
│ ├── [8.0K] br_bct_BR.bct
│ ├── [527K] camera-rtcpu-t234-rce_sigheader.img.encrypt
│ ├── [721K] display-t234-dce_with_tegra234-p3767-0000-p3509-a02_with_odm_overlay_aligned_blob_w_bin_sigheader.bin.encrypt
│ ├── [9.0K] eks_t234_sigheader.img.encrypt
│ ├── [ 38] flash.cfg
│ ├── [7.6K] flash.idx
│ ├── [ 16K] gpt_backup_secondary_3_0.bin
│ ├── [ 16K] gpt_secondary_3_0.bin
│ ├── [ 17K] mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
│ ├── [275K] mb1_t234_prod_aligned_sigheader.bin.encrypt
│ ├── [120K] mb2rf_t234_sigheader.bin.encrypt
│ ├── [427K] mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader.bin.encrypt
│ ├── [186K] mce_flash_o10_cr_prod_sigheader.bin.encrypt
│ ├── [238K] mem_coldboot_sigheader.bct.encrypt
│ ├── [288K] nvdec_t234_prod_sigheader.fw.encrypt
│ ├── [120K] psc_bl1_t234_prod_aligned_sigheader.bin.encrypt
│ ├── [366K] pscfw_t234_prod_sigheader.bin.encrypt
│ ├── [120K] psc_rf_t234_prod_sigheader.bin.encrypt
│ ├── [ 98] qspi_bootblob_ver.txt
│ ├── [181K] sc7_t234_prod_sigheader.bin.encrypt
│ ├── [264K] spe_t234_sigheader.bin.encrypt
│ ├── [253K] tegra234-bpmp-3767-0000-a02-3509-a02_with_odm_sigheader.dtb.encrypt
│ ├── [1.2M] tos-optee_t234_sigheader.img.encrypt
│ ├── [2.8M] uefi_jetson_with_dtb_aligned_blob_w_bin_sigheader.bin.encrypt
│ └── [161K] xusb_t234_prod_sigheader.bin.encrypt
├── [ 38K] l4t_flash_from_kernel.sh
└── [ 53K] simg2img

  • when I try to flash with disk encryption using the following:

prepare qspi
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
  --no-flash \
  -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
  --showlogs \
  --network usb0 jetson-orin-nano-devkit internal

prepare external
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
  --no-flash \
  -i MY_KEY \
  --external-device nvme0n1p1 \
  -c tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
  --external-only \
  --append \
  --showlogs \
  --network usb0 \
  jetson-orin-nano-devkit external

flash:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

blobs created in images dir:
[4.0K] images.bak
├── [4.0K] external
│ ├── [392K] adsp-fw_sigheader.bin.encrypt
│ ├── [ 32K] bct_backup.img
│ ├── [ 42M] boot.img
│ ├── [1003K] bpmp_t234-TE980M-A1_prod_sigheader.bin.encrypt
│ ├── [8.0K] br_bct_BR.bct
│ ├── [527K] camera-rtcpu-t234-rce_sigheader.img.encrypt
│ ├── [719K] display-t234-dce_with_kernel_tegra234-p3767-0000-p3509-a02_aligned_blob_w_bin_sigheader.bin.encrypt
│ ├── [9.0K] eks_t234_sigheader.img.encrypt
│ ├── [ 64M] esp.img
│ ├── [ 57] flash.cfg
│ ├── [9.4K] flash.idx
│ ├── [ 16K] gpt_backup_secondary_3_0.bin
│ ├── [ 16K] gpt_primary_6_0.bin
│ ├── [ 16K] gpt_secondary_3_0.bin
│ ├── [ 16K] gpt_secondary_6_0.bin
│ ├── [338K] kernel_tegra234-p3767-0000-p3509-a02.dtb
│ ├── [ 17K] mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
│ ├── [275K] mb1_t234_prod_aligned_sigheader.bin.encrypt
│ ├── [120K] mb2rf_t234_sigheader.bin.encrypt
│ ├── [427K] mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader.bin.encrypt
│ ├── [ 512] mbr_6_0.bin
│ ├── [186K] mce_flash_o10_cr_prod_sigheader.bin.encrypt
│ ├── [238K] mem_coldboot_sigheader.bct.encrypt
│ ├── [288K] nvdec_t234_prod_sigheader.fw.encrypt
│ ├── [120K] psc_bl1_t234_prod_aligned_sigheader.bin.encrypt
│ ├── [366K] pscfw_t234_prod_sigheader.bin.encrypt
│ ├── [120K] psc_rf_t234_prod_sigheader.bin.encrypt
│ ├── [ 98] qspi_bootblob_ver.txt
│ ├── [ 45M] recovery.img
│ ├── [181K] sc7_t234_prod_sigheader.bin.encrypt
│ ├── [264K] spe_t234_sigheader.bin.encrypt
│ ├── [5.5G] system.img
│ ├── [ 41] system.img.sha1sum
│ ├── [253K] tegra234-bpmp-3767-0000-a02-3509-a02_with_odm_sigheader.dtb.encrypt
│ ├── [338K] tegra234-p3767-0000-p3509-a02.dtb.rec
│ ├── [1.2M] tos-optee_t234_sigheader.img.encrypt
│ ├── [2.8M] uefi_jetson_with_dtb_aligned_blob_w_bin_sigheader.bin.encrypt
│ └── [161K] xusb_t234_prod_sigheader.bin.encrypt
├── [4.0K] internal
│ ├── [392K] adsp-fw_sigheader.bin.encrypt
│ ├── [ 32K] bct_backup.img
│ ├── [1003K] bpmp_t234-TE980M-A1_prod_sigheader.bin.encrypt
│ ├── [8.0K] br_bct_BR.bct
│ ├── [527K] camera-rtcpu-t234-rce_sigheader.img.encrypt
│ ├── [721K] display-t234-dce_with_tegra234-p3767-0000-p3509-a02_with_odm_overlay_aligned_blob_w_bin_sigheader.bin.encrypt
│ ├── [9.0K] eks_t234_sigheader.img.encrypt
│ ├── [ 29] flash.cfg
│ ├── [7.6K] flash.idx
│ ├── [ 16K] gpt_backup_secondary_3_0.bin
│ ├── [ 16K] gpt_secondary_3_0.bin
│ ├── [ 17K] mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
│ ├── [275K] mb1_t234_prod_aligned_sigheader.bin.encrypt
│ ├── [120K] mb2rf_t234_sigheader.bin.encrypt
│ ├── [427K] mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader.bin.encrypt
│ ├── [186K] mce_flash_o10_cr_prod_sigheader.bin.encrypt
│ ├── [238K] mem_coldboot_sigheader.bct.encrypt
│ ├── [288K] nvdec_t234_prod_sigheader.fw.encrypt
│ ├── [120K] psc_bl1_t234_prod_aligned_sigheader.bin.encrypt
│ ├── [366K] pscfw_t234_prod_sigheader.bin.encrypt
│ ├── [120K] psc_rf_t234_prod_sigheader.bin.encrypt
│ ├── [ 98] qspi_bootblob_ver.txt
│ ├── [181K] sc7_t234_prod_sigheader.bin.encrypt
│ ├── [264K] spe_t234_sigheader.bin.encrypt
│ ├── [253K] tegra234-bpmp-3767-0000-a02-3509-a02_with_odm_sigheader.dtb.encrypt
│ ├── [1.2M] tos-optee_t234_sigheader.img.encrypt
│ ├── [2.8M] uefi_jetson_with_dtb_aligned_blob_w_bin_sigheader.bin.encrypt
│ └── [161K] xusb_t234_prod_sigheader.bin.encrypt
├── [ 38K] l4t_flash_from_kernel.sh
└── [ 53K] simg2img

In the flash sequence, after the initrd boots and starts the update from nfs, because the script generates gpt_primary_6.0.bin instead of gpt_primary_9.0.bin, your l4t_flash_from_kernel.sh tries to flock /dev/mmcblk0p1, due to 6 being the id for sdcard (instead of nvme0n1p1 being id 9), and fails.
(See function create_gpt in it.)

What have I missed or done wrong?

Waiting for your response.

Thanks,
Nadir.

Hi ncs1,

There’s an internal QSPI to store the bootloader, which should also be prepared and flashed.
Please share the full flash log for further check.

Hi,

Attached logs.
The internal dir (qspi) seems correct, like in the regular flash with gpt3.0 blobs.
Either way, it shouldn’t generate gpt6.0 blobs for external, there’s no sdcard.

Waiting for your comments.

orinnx_prepare_qspi.log (173.8 KB)
orinnx_prepare_encrypted_external.log (120.3 KB)
orinnx_flash_only.log (8.3 KB)

The issue was due to me passing a 32-byte encryption key instead of a 16-byte one.

(The gen_luks_passphrase.py traceback is printed in the encrypted_external log, though the script does not fail because of it.)

Now I’m having issues with the EKS, but I’ll open a new thread if I can’t figure it out…

Thanks.

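A pre-flight check for the failure resolved above, as an added example that is not part of the original thread or of NVIDIA's scripts: it rejects a key file that is not 16 bytes and treats a Python traceback in the prepare log as fatal before `--flash-only` is run. It assumes the file passed to `-i` holds the key as hex text; the function names and the log path argument are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight checks around the encrypted "prepare external" step.
# Assumption: the -i key file holds the key as hex text (optional 0x prefix).
# Adjust key_len_bytes if your key file is raw binary.

# Print the key length in bytes; return 1 if the file is not valid hex.
key_len_bytes() {
    local hex
    hex=$(tr -d ' \t\r\n' < "$1") || return 1
    hex=${hex#0x}
    # Empty content or any non-hex character means a malformed key file.
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    # An odd number of hex digits cannot be a whole number of bytes.
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    echo $(( ${#hex} / 2 ))
}

# Succeed only when the key decodes to exactly $2 bytes (default 16).
check_key() {
    local want=${2:-16} got
    got=$(key_len_bytes "$1") || { echo "key file $1: not valid hex" >&2; return 1; }
    if [ "$got" -ne "$want" ]; then
        echo "key file $1: $got bytes, expected $want" >&2
        return 1
    fi
}

# Succeed when a prepare log contains a Python traceback, which the flash
# script in this thread printed without stopping.
log_has_traceback() {
    grep -q 'Traceback (most recent call last)' "$1"
}

# Gate to run after the prepare step and before --flash-only.
preflight() {
    local key=$1 log=$2
    check_key "$key" 16 || return 1
    if log_has_traceback "$log"; then
        echo "traceback in $log; generated images are suspect" >&2
        return 1
    fi
}
```

Run `preflight MY_KEY <prepare log>` after saving the `--showlogs` output of the prepare step to a file, and continue to the flash step only when it exits 0.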