Jetson TX2 not booting after ROOTFS_ENC=1 flash

Good afternoon,

Currently I am trying to test the encrypted rootfs option in Tx2 and following instructions here: Tegra Linux Driver

This is after testing and succeeding at using secureboot and therefor my command to flash is
sudo ROOTFS_ENC=1 ./flash.sh -u <rsa_key> jetson-tx2-4GB mmcblk0p12
(currently do not have SBK set)

The flash continues normally with no errors but after booting, I get this:
pca953x 0-0077 : failed reading register…

ERROR: fail to unlock the encrypted dev /dev/mmcblk0p2
Kernel panic…

Then reboot and repeat.

Any idea how we can diagnose the issue?

Thank you

hello nvidiadude,

had you perform cryptsetup to generate a master key?
Disk Encryption it’s using LUKS to enable full disk encryption for Jetson platforms, so, you’ll need to generate a passphrase (or, a password), which provided at boot stage to unlock the encrypted container.

Thank you for the help…

cyptsetup for a master key?
Do you mean set the ekb.key in the script which should be used in the key derivation function?

image

I tried this and it produced the same results.
Using the -i ./ekb.key option

hello nvidiadude,

please follow developer guide, EKB Generation.
you should use the tool for EKB Generation, i.e. gen_ekb.py
thanks

I thought the flashing script would handle the ekb blob,
I can create my own blob using this script but I need to incorporate it into the flashing sequence.

I have made some changes to the init script in order to get more output when my boot is failing.
I am having this error when the nvluks-srv-app queries for the key:

tipc_connect: can't connect to tipc service "hwkey-agent.srv.crypto-srv" (err=107)

I thought maybe the TOS or secure boot is not enabled,
I checked my fuses, the values are (this is on TX2)
odm_lock : 0x00000000
arm_jtag_disable : 0x00000000
odm_production_mode : 0x00000000
boot_security_info : 0x00000002
odm_info : 0x00000000

This looks ok to me, am I reading the documentation in Jetson Download Center | NVIDIA Developer wrong?

As you see above, I am flashing with just PKC currently and do not have SBK set. Do I need to set SBK for this to work correctly?

hello nvidiadude,

you’ll need to enable secureBoot, secureOS, and then Disk Encryption to encrypts a whole disk or partition to protect the data it contains.
please also check this topic, Topic 177180 as see-also. thanks

So I guess I have secureboot enabled, Then secureOS is outlined here as Trusty : https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/trusty.html#wwpID0E0JB0HA

I have not yet used the -p flag when flashing (burn production mode fuse). Is this needed to start encrypting the fs? Thanks

I will also look and test some suggestions from this thread : Will not boot after enabling Security Boot (Jetson AGX Xavier)
Maybe replace the eks.img with a custom generated one

As for the Black Screen after enable SecureBOOT and disk encryption thread, this cboot patch does not match the TX2 cboot file and so i do not see how it will help.

for your reference, here’s very details thread, Topic 180440 to enable SecureBoot/ SecureOS/ Disk Encryption.

Thank you, this thread helped me prepare what I believe will be a working flashing procedure. But one issue. Currently my board has the PKC fuse burnt. From my understanding adding the SBK should be no problem, but when I use the command to burn the fuses again… I get this error

Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

My command is this format:

sudo  BOARDID=<BOARDID> BOARDSKU=<BOARDSKU> FAB=<FAB> BOARDREV=H.0 ./odmfuse.sh -i 0x18 --auth SBKPKC -p -k <rsa_priv.pem> -S ../sbk.txt --KEK2 ../kek2.txt jetson-tx2-4GB

How can I get the board from just PKC to SBKPKC now (since I need it for TOS)?
From my understanding of the fuse specification, burning the fuses to get to this mode should be possible. Should I try the --force option?

hello nvidiadude,

had you enable -p options for the first time?

JerryChang,
I did not use the -p flag the first time I burned fuses
According to my notes, the command was like

sudo ./odmfuse.sh -i 0x18 -k ../<rsa_key> --KEK2 ../<kek2.txt> jetson-tx2-4GB

hello nvidiadude,

it’s the command to run odmfuse.sh without boards connected (i.e. in offline mode).
please put device to enter forced-recovery mode and perform below to burn PKC+SBK.
for example,
$ sudo ./odmfuse.sh -i <chip_id> -p -k <key.pem> --KEK[0-2] <KEK file> -S <SBK_file> jetson-tx2

Jerrychang, I ran the command with the board connected in recovery mode like this, and this is the resulting message ^^
The fuse burning fails

I have burned fuses successfully earlier using this command :

sudo ./odmfuse.sh -i 0x18 -k ../<rsa_key> --KEK2 ../<kek2.txt> jetson-tx2-4GB

So as you can see, my board currently has the PKC fuses burned but I also want to burn the SBK fuses now to get the TOS.

But, when I now try to burn the SBK as well… I cannot
Proof :

sudo ./odmfuse.sh -i 0x18 --auth SBKPKC -p -k ../.rsa_priv/rsa_priv.pem -S ../.rsa_priv/sbk.key --KEK2 ../.rsa_priv/kek2.txt jetson-tx2-4GB
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

I know in the odmfuse.func, the check_sbk_pkc function is what performs the check and auth is taken from the get_fuse_level function, which sets the auth based on the current fuses of the board… so this causes the failure. But why not allow me to continue and add SBKPKC still?

hello nvidiadude,

how about running below command-line for burning SBK.
$ sudo ./odmfuse.sh -i 0x18 -S <SBK_file> jetson-tx2-4GB

Same response as above
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

hello nvidiadude,

could you please include noburn options to the command line,
please share the results for reference,
for example,
$ sudo ./odmfuse.sh --noburn -i 0x18 -c PKC -p -k <PKC Key file> -S <SBK key file> jetson-tx2-devkit-4gb

there’ll be fuseblob.tbz2 and fusecmd.sh created. you should be able to perform the script file to run the fuse again.

I will include both commands so you can see what occurs:

first :

 sudo ./odmfuse.sh --noburn -i 0x18 --auth PKC -p -k <PKC Key file> -S <SBK key file> jetson-tx2-devkit-4gb

command_sbkpkc.txt (401 Bytes)

Second

 sudo ./odmfuse.sh --noburn -i 0x18 --auth PKC -p -k <PKC Key file> jetson-tx2-devkit-4gb

command_pkc.txt (33.1 KB)

But checking the fuseblob generated here… odmfuse_pks.xml does not look right

<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>

Note that this is using 32.5.1

hello nvidiadude,

currently we don’t have device fused with PKC alone to verify,
could you please perform below command to check if the command run successfully,
this adding --test, and it’s not using --auth for checking.
i.e. $ sudo ./odmfuse.sh -i 0x18 -p -k <PKC Key file> -S <SBK key file> --test jetson-tx2-devkit-4gb

Same result:

sudo ./odmfuse.sh -i 0x18 -p -k ../.rsa_priv/rsa_priv.pem -S ../.rsa_priv/sbk.key --test jetson-tx2-devkit-4gb
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

hello nvidiadude,

you MUST determine the fuse types, (i.e. NS, PKC, PKCSBK) and burn those keys to the target for the 1st time.

due to safety concerns, we are NOT support 2nd time fuse burning to program SBK into PKC fused device. (instead, KEKs, ODM production…etc are supported.)
so, that’s why you cannot burn SBK key into your device in this use-case.