Jetson TX2 NX full disk encryption with AB scheme for nvme device

hi guys,
may I know if there is any guideline for how to enable full disk encryption with the A/B scheme for an NVMe device?
we want two rootfs which can support full image OTA, and both of them should be encrypted.
From the development guide, I have a couple of questions:

  1. is it possible to do that? A/B scheme + encryption on an NVMe device?
  2. the unencrypted layout has APP and APP_b partitions; does the encrypted one need APP, APP_ENC, and APP_ENC_b?
  3. how do I prepare the image for APP_ENC_b if it is required?
  4. can full disk encryption support an NVMe device? currently when I run sudo ROOTFS_ENC=1 ./flash.sh -i "./ekb.key" jetson-xavier-nx-devkit-tx2-nx nvme0n1
    I got
    Error: When disk encryption is enabled, root device cannot be nvme0n1

if there is a guideline or step by step, that will be perfect.

thanks

hello jiangpen,

we've never tested that with TX2 NX.

however, please refer to Topic 273147.
we've also tested with the AGX Xavier platform to enable ROOTFS_AB=1 and ROOTFS_ENC=1 to confirm it works correctly on JetPack 5.1.2 / l4t-r35.4.1

@JerryChang , thanks for reply.
so it sounds like encryption + A/B should work with the ROOTFS_AB=1 and ROOTFS_ENC=1 flags. How about NVMe? Do I still need to program the internal disk first?

I created a simple script to try the encryption first. I do have a 1TB NVMe SSD attached. I followed the README to program the internal storage first.
ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash jetson-xavier-nx-devkit-tx2-nx internal
ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -S 40GiB -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --append jetson-xavier-nx-devkit-tx2-nx external
./tools/kernel_flash/l4t_initrd_flash.sh --flash-only
the log is like below:

flash_1-1.2_0_20240403-163338.log (10.6 KB)
the xml file is the official one except for num_sectors="976773168"
may I know what could be wrong?
thanks a lot

please see also Partitioning with Orin NX disk encryption is not working properly - #9 by carolyuu to update num_sectors to generate images for the external storage device.

@JerryChang , my issue seems different, as it is in the programming stage. Here is the log:
ROOTFS_ENC=1 EXT_NUM_SECTORS=976773168 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -S 160GiB -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --network usb0 jetson-xavier-nx-devkit-tx2-nx external

./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

the last lines of the log say

Active index file is /mnt/external/flash.idx
Number of lines is 16
max_index=15
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, 9308a9d059290c808a4a696eb0e746a33637817d
Writing primary_gpt partition with gpt_primary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/mnt/external/gpt_primary_9_0.bin of=/dev/nvme0n1 bs=1 skip=0  seek=512 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0.329022 s, 51.4 kB/s
Writing primary_gpt partition done
Error: The backup GPT table is corrupt, but the primary appears OK, so that will be used.
Warning: Not all of the space available to /dev/nvme0n1 appears to be used, you can fix the GPT to use all of the space (an extra 976751999 blocks) or continue with the current setting? 
Writing secondary_gpt partition with gpt_secondary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/mnt/external/gpt_secondary_9_0.bin of=/dev/nvme0n1 bs=1 skip=0  seek=500107845120 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0.281062 s, 60.1 kB/s
Writing secondary_gpt partition done
Error: The backup GPT table is not at the end of the disk, as it should be.  Fix, by moving the backup to the end (and removing the old backup)?
Fix/Ignore? Fix                                                           
Warning: Not all of the space available to /dev/nvme0n1 appears to be used, you can fix the GPT to use all of the space (an extra 976751999 blocks) or continue with the current setting? 
Fix/Ignore? Fix                                                           
Model: WD_BLACK SN770 1TB (nvme)
Disk /dev/nvme0n1: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name               Flags
 1      20.5kB  419MB   419MB   ext4         APP                msftdata
 2      419MB   42.9GB  42.5GB               APP_ENC            msftdata
 3      42.9GB  85.5GB  42.5GB               APP_ENC_b          msftdata
 4      85.5GB  85.5GB  66.1MB               recovery           msftdata
 5      85.5GB  85.5GB  524kB                recovery-dtb       msftdata
 6      85.5GB  85.5GB  65.5kB               kernel-bootctrl    msftdata
 7      85.5GB  85.5GB  65.5kB               kernel-bootctrl_b  msftdata
 8      85.5GB  85.6GB  83.9MB               kernel             msftdata
 9      85.6GB  85.7GB  83.9MB               kernel_b           msftdata
10      85.7GB  85.7GB  524kB                kernel-dtb         msftdata
11      85.7GB  85.7GB  524kB                kernel-dtb_b       msftdata
12      85.7GB  85.8GB  105MB                RECROOTFS          msftdata
13      85.8GB  500GB   414GB                UDA                msftdata

[ 3]: l4t_flash_from_kernel: Expanding last partition to fill the storage device
[ 3]: l4t_flash_from_kernel: Successfully create gpt for external device
[ 3]: l4t_flash_from_kernel: Starting to flash to external device
Active index file is /mnt/external/flash.idx
Number of lines is 16
max_index=15
writing item=0, 9:0:master_boot_record, 0, 512, mbr_9_0.bin, 512, fixed-<reserved>-0, 694898d1c345bdb31b377790ed7fc0b0db184bf7
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, 9308a9d059290c808a4a696eb0e746a33637817d
writing item=2, 9:0:APP, 20480, 419430400, , , fixed-<reserved>-1, 
Formatting APP partition /dev/nvme0n1p1 ...
mke2fs 1.44.1 (24-Mar-2018)
Discarding device blocks: done                            
Creating filesystem with 409600 1k blocks and 102400 inodes
Filesystem UUID: 8e8307af-d973-48f8-a207-9b67e4de65e2
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done 

Formatting APP parition done
Formatting APP partition /dev/nvme0n1p1 ...
tar --xattrs -xpf /mnt/external/system_boot.img  --checkpoint=10000 --warning=no-timestamp --numeric-owner  -C  /tmp/ci-gZWGfNQNnL
writing item=3, 9:0:APP_ENC, 419450880, 42530242560, system_root_encrypted.img_ext, 13919892112, fixed-<reserved>-2, 
Writing APP_ENC partition with system_root_encrypted.img_ext
Get size of partition through connection.
blkdiscard /dev/nvme0n1p2
[ 8]: l4t_flash_from_kernel: The device size indicated in the partition layout xml is smaller than the actual size. This utility will try to fix the GPT.
[ 8]: l4t_flash_from_kernel: Error: /mnt/internal/flash.idx is not found
[ 8]: l4t_flash_from_kernel: ERROR simg2img not found! To install - please run: "sudo apt-get install 	simg2img" or "sudo apt-get install android-tools-fsutils"
[ 8]: l4t_flash_from_kernel: Error flashing qspi
[ 8]: l4t_flash_from_kernel: Error flashing external device
Cleaning up...

It looks like it programs the NVMe device but shows this error; may I know what could be wrong? I tried without APP_ENC_b, and it is the same thing.

hello jiangpen,

according to the error logs…
The device size indicated in the partition layout xml is smaller than the actual size.

you should edit the "/tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml" xml file and change the num_sectors size. note, this size should be bigger than the -S size.

besides, the error logs have indicated that… ERROR simg2img not found!
please have the utility installed on your host machine.
for instance,
$ sudo apt-get install simg2img
$ sudo apt-get install android-tools-fsutils
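As an added example (not from this thread or from NVIDIA's flashing tools), a host-side pre-flight check for the two problems the reply above points at: a num_sectors in the layout XML that is smaller than the -S size or than the real disk, and a missing simg2img. It assumes 512-byte logical sectors (what parted reported for this SN770) and that num_sectors sits on the <device> element of the XML; the sample layouts and the 1 TB sector count are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of NVIDIA's tools: pre-flight
# checks to run on the host before l4t_initrd_flash.sh.
# Assumes 512-byte logical sectors and num_sectors="..." on the <device> line.

# Convert a -S argument such as 160GiB (or 512MiB) to 512-byte sectors.
size_to_sectors() {
    case $1 in
        *GiB) echo $(( ${1%GiB} * 1024 * 1024 * 1024 / 512 )) ;;
        *MiB) echo $(( ${1%MiB} * 1024 * 1024 / 512 )) ;;
        *)    echo "unsupported size: $1" >&2; return 1 ;;
    esac
}

# First num_sectors="..." value found in a flash layout XML.
xml_num_sectors() {
    sed -n 's/.*num_sectors="\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Succeeds only if the layout's num_sectors covers both the requested -S size
# and the real disk size (the latter from: blockdev --getsz /dev/nvme0n1).
check_layout() {
    ns=$(xml_num_sectors "$1") || return 1
    want=$(size_to_sectors "$2") || return 1
    [ -n "$ns" ] || { echo "no num_sectors in $1"; return 1; }
    [ "$ns" -ge "$want" ] || { echo "num_sectors=$ns < -S $2 ($want)"; return 1; }
    [ "$ns" -ge "$3" ] || { echo "num_sectors=$ns < disk ($3)"; return 1; }
    echo "layout ok: num_sectors=$ns"
}

# The sparse-image tool the log complained about must be on PATH.
have_simg2img() {
    command -v simg2img >/dev/null 2>&1
}

# Constructed sample layouts: the stock 500 GB value from the thread versus a
# value sized for a 1 TB drive (1953525168 sectors is the usual 1 TB count).
SMALL_XML=$(mktemp); OK_XML=$(mktemp)
printf '<device type="nvme" instance="0" sector_size="512" num_sectors="976773168">\n' > "$SMALL_XML"
printf '<device type="nvme" instance="0" sector_size="512" num_sectors="1953525168">\n' > "$OK_XML"
DISK_SECTORS=1953525168

check_layout "$SMALL_XML" 160GiB "$DISK_SECTORS" || true   # reports the mismatch
check_layout "$OK_XML" 160GiB "$DISK_SECTORS"              # passes
have_simg2img || echo "simg2img missing: sudo apt-get install simg2img"
```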

Hi JerryChang, thanks for reply.
yes, I have found the problem and now it can flash the NVMe disk, but it failed to boot up.
BTW, simg2img seems to be running on the device, not the host; my host already has it installed. But anyway, after I changed the size parameter, it programs OK now.
But it failed to boot up,
I think what I did is just enable the encryption on NVME device: