Jetson Orin NX (R36.4.3) - Disk Encryption - ERROR Kernel Panic

Hi everyone,

I am working on a Jetson Orin NX (L4T R36.4.3). I have already successfully enabled Secure Boot and fTPM. dmesg confirms “Secure Boot Enabled”.

Now, I am trying to implement Disk Encryption (Rootfs Encryption) using an external NVMe, but I am hitting a Kernel Panic during boot.
Steps I followed:

  1. Key Generation: Generated oem_k1.key, sym_t234.key, sym2_t234.key, and auth_t234.key using openssl.

    openssl rand -rand /dev/urandom -hex 32 > oem_k1.key
    openssl rand -rand /dev/urandom -hex 32 > sym_t234.key
    openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
    openssl rand -rand /dev/urandom -hex 16 > auth_t234.key

  2. EKB Generation: I generated eks_t234.img using gen_ekb.py with the keys above and placed it in Linux_for_Tegra/bootloader/.

  3. Disk Encryption Key: I used sym2_t234.key as my disk_enc.key: cp "sym2_t234.key" "Linux_for_Tegra/disk_enc.key"

  4. Flashing Command: I used l4t_initrd_flash.sh with the following workflow:

  • Generated images with --odm-image-gen and -u/-v keys.

  • Ran the flash command with ROOTFS_ENC=1, -i ./disk_enc.key, and --external-device nvme0n1p1.

  • Used the config: flash_l4t_t234_nvme_rootfs_enc.xml.

  • Flash Script:

    sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --odm-image-gen \
    --showlogs \
    --network usb0 \
    --no-flash \
    -u ../odm_keys/rsa3k.pem \
    -v ../odm_keys/sbk-32.key \
    --uefi-keys ../uefi_keys/uefi_keys.conf \
    -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
    jetson-orin-nano-devkit-super \
    internal

    sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
    ROOTFS_ENC=1 \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --mass-storage-only \
    --showlogs \
    --network usb0 \
    --no-flash \
    --external-device nvme0n1p1 \
    --external-only \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    -i "./disk_enc.key" \
    --uefi-keys ../uefi_keys/uefi_keys.conf \
    --uefi-enc ../oem_keys/sym_t234.key \
    jetson-orin-nano-devkit-super \
    internal

    sudo mkdir -p tools/kernel_flash/images/internal/ekb_db
    sudo cp "${BSP_TOP}/oem_out/signed/"* tools/kernel_flash/images/internal/ekb_db
    sudo cp "${BSP_TOP}/oem_out/signed/"* bootloader/

    sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
    ROOTFS_ENC=1 \
    ./tools/kernel_flash/l4t_initrd_flash.sh \
    --external-device nvme0n1p1 \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    -i "./disk_enc.key" \
    -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
    --uefi-keys ../uefi_keys/uefi_keys.conf \
    --showlogs \
    --network usb0 \
    jetson-orin-nano-devkit-super \
    internal

The Error: The system flashes successfully, but during boot, it fails with:

[ 13.149686] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[ 13.151574] Kernel panic - not syncing:
[ 13.151578] Attempted to kill init! exitcode=0x00007f00

Questions:

  1. Is copying eks_t234.img only to bootloader/ sufficient, or does it need to be signed/processed differently for Orin NX?

  2. My flash command uses jetson-orin-nano-devkit-super as the target (custom board based on Orin Nano/NX). Is there any mismatch in the XML partition files for NVMe?

  3. In R36.4.3, is there a specific requirement for the -i (disk_enc.key) to match a specific key index in the EKB?

Any help to avoid bricking the device while fixing this would be appreciated.

Moving this to the Jetson Orin topic.


hello kingssize19,

please refer to Tool for EKB Generation to re-create the EKS image.
in your flash options, -i (disk_enc.key) must be the same key as the sym2_t234.key given to the gen_ekb python script.

$ python3 gen_ekb.py -chip t234 \
                     -oem_k1_key <oem_k1.key> \
                     -in_sym_key <sym_t234.key> \
                     -in_sym_key2 <sym2_t234.key> \
                     -in_auth_key <auth_t234.key> \
                     -out <eks_t234.img>

BTW,
please see also Topic 357471 for reference.
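A preflight check for the key set, as an added example that is not part of this thread and not one of NVIDIA's tools: it verifies that the four gen_ekb.py inputs have the byte lengths implied by the openssl commands in the first post (oem_k1 32, sym 32, sym2 16, auth 16) and that the disk_enc.key passed to -i holds exactly the same hex as the sym2_t234.key given to gen_ekb.py, which is the requirement stated in the reply above. The key values it writes for its self-test are constructed placeholders, not real keys, and the file layout (one hex string per file, disk_enc.key produced by cp from sym2_t234.key) follows the first post.

```shell
#!/bin/sh
# Preflight check for the EKB key set (added example; not an NVIDIA tool).
# Expected sizes follow the openssl commands in the first post:
#   oem_k1.key 32 bytes, sym_t234.key 32 bytes, sym2_t234.key 16 bytes, auth_t234.key 16 bytes.
# Each file holds the hex text written by "openssl rand -hex N", so N bytes = 2N hex digits.

# hex_of FILE: print the file's contents with line endings and spaces stripped.
hex_of() {
    tr -d '\n\r ' < "$1"
}

# key_len_ok FILE BYTES: 0 if FILE is hex text encoding exactly BYTES bytes, else 1.
key_len_ok() {
    f=$1
    want=$2
    if [ ! -r "$f" ]; then
        echo "missing or unreadable: $f" >&2
        return 1
    fi
    hex=$(hex_of "$f")
    case $hex in
        ''|*[!0-9A-Fa-f]*)
            echo "not a hex key file: $f" >&2
            return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ] || [ $(( ${#hex} / 2 )) -ne "$want" ]; then
        echo "wrong length: $f encodes $(( ${#hex} / 2 )) bytes, want $want" >&2
        return 1
    fi
    return 0
}

# check_keyset DIR: 0 if all four gen_ekb.py inputs in DIR have the expected
# size and DIR/disk_enc.key (the -i argument) carries the same hex as sym2_t234.key.
check_keyset() {
    d=$1
    rc=0
    key_len_ok "$d/oem_k1.key"    32 || rc=1
    key_len_ok "$d/sym_t234.key"  32 || rc=1
    key_len_ok "$d/sym2_t234.key" 16 || rc=1
    key_len_ok "$d/auth_t234.key" 16 || rc=1
    key_len_ok "$d/disk_enc.key"  16 || rc=1
    if [ "$(hex_of "$d/sym2_t234.key")" != "$(hex_of "$d/disk_enc.key")" ]; then
        echo "disk_enc.key (-i) does not match the sym2_t234.key given to gen_ekb.py" >&2
        rc=1
    fi
    return $rc
}

# make_sample DIR: write a constructed key set (placeholder values, not real keys)
# in the same layout as the first post, including the cp of sym2 to disk_enc.key.
make_sample() {
    d=$1
    mkdir -p "$d"
    echo '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f' > "$d/oem_k1.key"
    echo '202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f' > "$d/sym_t234.key"
    echo '404142434445464748494a4b4c4d4e4f' > "$d/sym2_t234.key"
    echo '505152535455565758595a5b5c5d5e5f' > "$d/auth_t234.key"
    cp "$d/sym2_t234.key" "$d/disk_enc.key"
}

# Stand-alone run: build a constructed sample set and check it.
tmp=$(mktemp -d)
make_sample "$tmp"
check_keyset "$tmp" && echo "constructed sample key set passes"
rm -rf "$tmp"
```

To check a real key directory, source the file and call check_keyset on the directory that holds oem_k1.key, sym_t234.key, sym2_t234.key, auth_t234.key and the disk_enc.key copy; a nonzero return with a message on stderr points at the file that would make gen_ekb.py or the -i option disagree.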

hello JerryChang,

You said "-i parameter must be the same key as sym2_t234.key" but you used ekb.key (newly generated) in Topic 357471. I didn't understand this.

Since the fuses on my Orin NX device are already burned, don’t I need to sign the EKS image using the sbk-32.key and rsa3k.pem keys?

Also, is the device serial number required when generating the EKS image? In other words, is the EKS image the same for every device, or does it change depending on the device serial number?

in that demonstration, it’s sym2_t234.key = ekb.key = f0e0d0c0b0a001020304050607080900.

by default it uses a unique passphrase which depends on the ECID (per device).
however, you may create encrypted images with a generic key (--generic-passphrase)
see also Topic 291335 for reference.

Hi JerryChang,

I used two scripts.

First Script:

This script reads the serial number and hardware details from a Jetson Orin Nano in Recovery mode; uses this data along with OEM keys (specifically the sym2 key for disk encryption) to generate a device-specific, encrypted EKS (Encrypted Key Blob). Finally, it signs this file with Secure Boot keys (RSA/SBK) and copies it to the bootloader directory, ready to be used in the flashing process.

Second (Flash) Script:

#!/bin/bash
set -e

echo "--- Preparing Disk Encryption Key (sym2_t234.key) ---"
cp ../oem_keys/sym2_t234.key ./disk_enc.key

cd "${BSP_TOP}/Linux_for_Tegra"
sudo rm -rf tools/kernel_flash/images/

echo "Generating QSPI image..."

sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
./tools/kernel_flash/l4t_initrd_flash.sh \
--odm-image-gen \
--showlogs \
--network usb0 \
--no-flash \
-u ../odm_keys/rsa3k.pem \
-v ../odm_keys/sbk-32.key \
--uefi-keys ../uefi_keys/uefi_keys.conf \
-p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
jetson-orin-nano-devkit-super \
internal

echo "Generating UPI image (Encrypted)..."

sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
--external-device nvme0n1p1 \
--mass-storage-only \
--showlogs \
--network usb0 \
--no-flash \
--external-only \
-c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
-i ./disk_enc.key \
--uefi-keys ../uefi_keys/uefi_keys.conf \
--uefi-enc ../oem_keys/sym_t234.key \
jetson-orin-nano-devkit-super \
internal

sudo mkdir -p tools/kernel_flash/images/internal/ekb_db
sudo cp "${BSP_TOP}/oem_out/signed/"* tools/kernel_flash/images/internal/ekb_db

echo "Flashing the board with secure & encrypted image..."

sudo BOARDID="$BOARD_ID" FAB="$FAB" BOARDSKU="$BOARDSKU" CHIP_SKU="$CHIP_SKU" RAMCODE_ID="$RAMCODE" \
./tools/kernel_flash/l4t_initrd_flash.sh \
--external-device nvme0n1p1 \
-c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
-i ./disk_enc.key \
-p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
--uefi-keys ../uefi_keys/uefi_keys.conf \
--uefi-enc ../oem_keys/sym_t234.key \
-u ../odm_keys/rsa3k.pem \
-v ../odm_keys/sbk-32.key \
--showlogs \
--network usb0 \
jetson-orin-nano-devkit-super \
internal

However, I keep getting the following error every time. I also received the same error with the method you suggested above. I don’t think there is a hardware issue with my cable.

Error:

/home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra/tools/kernel_flash/tmp 127.0.0.1(rw,nohide,insecure,no_subtree_check,async,no_root_squash)
rpcbind: another rpcbind is already running. Aborting
Export list for localhost:
/home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra/tools/kernel_flash/tmp 127.0.0.1
/home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra/tools/kernel_flash/l4t_initrd_flash_internal.sh --network usb0 --usb-instance 3-6 --device-instance 0 --flash-only --external-device nvme0n1p1 -c “./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml” --network usb0 jetson-orin-nano-devkit-super internal

*** Step 1: Build the flashing environment ***

Create flash environment 0
/home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra/bootloader /home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra
/home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra
Finish creating flash environment 0.

*** Step 2: Boot the device with flash initrd image ***

/home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra/temp_initrdflash/bootloader0 /home/hkilic/orin-secure-Linux4Tegra-29-12-2025/Linux_for_Tegra
./tegraflash.py --bl uefi_jetson_minimal_with_dtb_sigheader_encrypt.bin.signed --bct br_bct_BR.bct --securedev --bldtb tegra234-p3768-0000+p3767-0000-nv-super.dtb --applet rcm_2_signed.rcm --applet_softfuse rcm_1_signed.rcm --instance 3-6 --cmd “rcmboot” --cfg secureflash.xml --chip 0x23 --mb1_bct mb1_bct_MB1_sigheader_encrypt.bct.signed --mem_bct mem_rcm_sigheader_encrypt.bct.signed --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader_encrypt.bct.signed --mb1_bin mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --psc_bl1_bin psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --mem_bct_cold_boot mem_coldboot_aligned_sigheader_encrypt.bct.signed --bins “psc_fw pscfw_t234_prod_sigheader_encrypt.bin.signed; mts_mce mce_flash_o10_cr_prod_sigheader_encrypt.bin.signed; tsec_fw tsec_t234_sigheader_encrypt.bin.signed; mb2_applet applet_t234_sigheader_encrypt.bin.signed; mb2_bootloader mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader_encrypt.bin.signed; xusb_fw xusb_t234_prod_sigheader_encrypt.bin.signed; pva_fw nvpva_020_sigheader_encrypt.fw.signed; dce_fw display-t234-dce_sigheader_encrypt.bin.signed; nvdec nvdec_t234_prod_sigheader_encrypt.fw.signed; bpmp_fw bpmp_t234-TE980M-A1_prod_sigheader_encrypt.bin.signed; bpmp_fw_dtb tegra234-bpmp-3767-0000-3768-super_with_odm_sigheader_encrypt.dtb.signed; rce_fw camera-rtcpu-t234-rce_sigheader_encrypt.img.signed; ape_fw adsp-fw_sigheader_encrypt.bin.signed; spe_fw spe_t234_sigheader_encrypt.bin.signed; tos tos_t234_sigheader_encrypt.img.signed; eks eks_t234_sigheader_encrypt.img.signed; kernel boot0.img; kernel_dtb tegra234-p3768-0000+p3767-0000-nv-super.dtb” --bct_backup
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

Entering RCM boot

[ 0.0185 ] mb1_t234_prod_aligned_sigheader_encrypt.bin.signed filename is from --mb1_bin
[ 0.0185 ] psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed filename is from --psc_bl1_bin
[ 0.0185 ] rcm boot with presigned binaries
[ 0.0192 ] tegrarcm_v2 --instance 3-6 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
[ 0.0197 ] BR_CID: 0x89012344705DF29D780000000AFD8140
[ 0.0330 ] Sending bct_br
[ 0.0393 ] Sending mb1
[ 0.0396 ] ERROR: might be timeout in USB write.
Error: Return value 3
Command tegrarcm_v2 --instance 3-6 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader_encrypt.bin.signed --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader_encrypt.bin.signed --download bct_mb1 mb1_bct_MB1_sigheader_encrypt.bct.signed
Cleaning up…