Jetson TX2 not booting after ROOTFS_ENC=1 flash

Good afternoon,

Currently I am trying to test the encrypted rootfs option in Tx2 and following instructions here: Tegra Linux Driver

This is after testing and succeeding at using secureboot, and therefore my command to flash is
sudo ROOTFS_ENC=1 ./flash.sh -u <rsa_key> jetson-tx2-4GB mmcblk0p12
(currently do not have SBK set)

The flash continues normally with no errors, but after booting I get this:
pca953x 0-0077 : failed reading register…

ERROR: fail to unlock the encrypted dev /dev/mmcblk0p2
Kernel panic…

Then reboot and repeat.

Any idea how we can diagnose the issue?

Thank you

hello nvidiadude,

Had you performed cryptsetup to generate a master key?
Disk Encryption uses LUKS to enable full disk encryption for Jetson platforms, so you'll need to generate a passphrase (or password), which is provided at the boot stage to unlock the encrypted container.

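As an added illustration, not code from this thread or from NVIDIA's L4T tools: a small parser that checks whether a partition (or a raw copy of its first 4 KiB) actually carries a LUKS header and reports the cipher, key size and active key slots. On a board that stops with "fail to unlock the encrypted dev", this separates "no LUKS container was ever written to the partition" from "the container is there, but the key handed over at boot does not match any slot". The LUKS1 layout follows the cryptsetup on-disk format specification; LUKS2 headers (version 2) are only recognised, not parsed. The function names and the sample header are my own constructions for the example.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592          # fixed-size LUKS1 phdr: 208-byte head + 8 key slots of 48 bytes
KEY_SLOT_ACTIVE = 0x00AC71F3    # LUKS1 "enabled" marker in a key slot
KEY_SLOT_INACTIVE = 0x0000DEAD  # LUKS1 "disabled" marker
NUM_KEY_SLOTS = 8
HEAD_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash, payload off, key bytes,
SLOT_FMT = ">II32sII"                    # mk digest, mk salt, mk iterations, uuid / slot records


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(data: bytes) -> dict:
    """Describe the LUKS container whose header starts at data[0]; raise ValueError if absent."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0 (device is not a LUKS container)")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 2:
        # LUKS2 keeps the real metadata in a JSON area after the binary header;
        # only report its size here and leave the JSON to `cryptsetup luksDump`.
        return {"version": 2, "header_size": struct.unpack(">Q", data[8:16])[0]}
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    if len(data) < LUKS1_HEADER_LEN:
        raise ValueError("truncated LUKS1 header")
    (_m, _v, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = struct.unpack(HEAD_FMT, data[:208])
    slots = []
    for i in range(NUM_KEY_SLOTS):
        off = 208 + i * 48
        active, iters, _salt, km_off, stripes = struct.unpack(SLOT_FMT, data[off:off + 48])
        slots.append({"slot": i, "active": active == KEY_SLOT_ACTIVE, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {
        "version": 1, "cipher": _cstr(cipher), "cipher_mode": _cstr(mode),
        "hash_spec": _cstr(hash_spec), "payload_offset_sectors": payload_off,
        "key_bytes": key_bytes, "mk_digest": mk_digest.hex(), "mk_iterations": mk_iter,
        "uuid": _cstr(uuid), "key_slots": slots,
    }


def diagnose(data: bytes) -> str:
    """One-line verdict a practitioner can act on when luksOpen fails at boot."""
    try:
        hdr = parse_luks_header(data)
    except ValueError as exc:
        return f"NOT_LUKS: {exc}"
    if hdr["version"] == 2:
        return f"LUKS2 container, binary+JSON header of {hdr['header_size']} bytes (use cryptsetup luksDump)"
    active = [s["slot"] for s in hdr["key_slots"] if s["active"]]
    if not active:
        return "LUKS1 container with no active key slots: no key can unlock it"
    return (f"LUKS1 {hdr['cipher']}-{hdr['cipher_mode']} {hdr['key_bytes'] * 8}-bit key, "
            f"active slots {active}: an unlock failure here means the supplied key is wrong")


def build_sample_luks1_header() -> bytes:
    """Constructed sample header (not read from any real device): aes-xts-plain64, slot 0 in use."""
    head = struct.pack(HEAD_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                       b"0f7b7a1e-1c2a-4e7b-9c3d-0123456789ab")
    slot_used = struct.pack(SLOT_FMT, KEY_SLOT_ACTIVE, 2000, b"\x33" * 32, 8, 4000)
    slot_free = struct.pack(SLOT_FMT, KEY_SLOT_INACTIVE, 0, b"\x00" * 32, 0, 0)
    return head + slot_used + slot_free * 7


if __name__ == "__main__":
    # Usage: python3 luks_hdr_check.py /dev/mmcblk0p2   (or a dd copy of the first 4 KiB)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(diagnose(fh.read(4096)))
    else:
        print(diagnose(build_sample_luks1_header()))
```

Reading the block device needs root; copying the first 4 KiB with dd to a file and pointing the script at that works too. Where cryptsetup is available on the host, `cryptsetup luksDump <device>` prints the same fields.
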
Thank you for the help…

cryptsetup for a master key?
Do you mean set the ekb.key in the script which should be used in the key derivation function?

I tried this and it produced the same results.
Using the -i ./ekb.key option

hello nvidiadude,

Please follow the developer guide, EKB Generation.
You should use the tool for EKB generation, i.e. gen_ekb.py.
Thanks

I thought the flashing script would handle the EKB blob.
I can create my own blob using this script, but I need to incorporate it into the flashing sequence.

I have made some changes to the init script in order to get more output when my boot is failing.
I am having this error when the nvluks-srv-app queries for the key:

tipc_connect: can't connect to tipc service "hwkey-agent.srv.crypto-srv" (err=107)

I thought maybe TOS or secure boot is not enabled.
I checked my fuses; the values are (this is on TX2):
odm_lock : 0x00000000
arm_jtag_disable : 0x00000000
odm_production_mode : 0x00000000
boot_security_info : 0x00000002
odm_info : 0x00000000

This looks ok to me, am I reading the documentation in Jetson Download Center | NVIDIA Developer wrong?

As you see above, I am flashing with just PKC currently and do not have SBK set. Do I need to set SBK for this to work correctly?

hello nvidiadude,

You'll need to enable SecureBoot, SecureOS, and then Disk Encryption to encrypt a whole disk or partition to protect the data it contains.
Please also check this topic, Topic 177180, as a see-also. Thanks

So I guess I have secureboot enabled. Then SecureOS is outlined here as Trusty: https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/trusty.html#wwpID0E0JB0HA

I have not yet used the -p flag when flashing (burn production mode fuse). Is this needed to start encrypting the fs? Thanks

I will also look and test some suggestions from this thread : Will not boot after enabling Security Boot (Jetson AGX Xavier)
Maybe replace the eks.img with a custom-generated one.

As for the "Black Screen after enable SecureBOOT and disk encryption" thread, that cboot patch does not match the TX2 cboot file, so I do not see how it will help.

For your reference, here's a very detailed thread, Topic 180440, on enabling SecureBoot/SecureOS/Disk Encryption.

Thank you, this thread helped me prepare what I believe will be a working flashing procedure. But one issue. Currently my board has the PKC fuse burnt. From my understanding adding the SBK should be no problem, but when I use the command to burn the fuses again… I get this error

Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

My command is this format:

sudo BOARDID=<BOARDID> BOARDSKU=<BOARDSKU> FAB=<FAB> BOARDREV=H.0 ./odmfuse.sh -i 0x18 --auth SBKPKC -p -k <rsa_priv.pem> -S ../sbk.txt --KEK2 ../kek2.txt jetson-tx2-4GB

How can I get the board from just PKC to SBKPKC now (since I need it for TOS)?
From my understanding of the fuse specification, burning the fuses to get to this mode should be possible. Should I try the --force option?

hello nvidiadude,

Had you enabled the -p option the first time?

JerryChang,
I did not use the -p flag the first time I burned fuses
According to my notes, the command was like

sudo ./odmfuse.sh -i 0x18 -k ../<rsa_key> --KEK2 ../<kek2.txt> jetson-tx2-4GB