Massflash, encryption and how we are supposed to produce a flashable artifact for factory deployment

Robotics & Edge Computing Jetson Systems Jetson AGX Orin
1

We are trying to get our Jetson units at a production ready state.

Production ready meaning here

  • A/B partitioned on, for in-field upgrades
  • An encrypted rootfs, for in-field security, with an unattended unlock via hardware (ie: same as a systemd-cryptsetup binding to TPM PCR registries)
  • Massflash-able from an untrusted factory floor - because the dev team don’t live at the factory.

I have read a few topics on this

To my understanding - massflash usage for the l4t_initrd_flash.sh with ROOTFS_ENC=1 will never work as

  • No ECID can be obtained (and ECID is unique per device anyway, so it wouldn’t be useful)
  • As the posts mention - --generic-passphrase is not supported. But that wouldn’t be good anyway as it would not be an unattended unlock, nor is it very safe.

So it begs the question - what is the expected flow for

  • Our developers to produce an artifact representing an image version (ie: something similar to how massflash generates .tar.gz archives)
  • For us to deploy that artifact on factory flashing computers
  • To then flash the elements from artifact to our devices, with per-device encryption

Having to have a full development environment on the factory floor just to make encryption work seems like a terrible idea. Surely this has a solution.

2

*** Please note that this reply is generated by LLM automatically ***

To address the question of generating an encrypted disk image without a Jetson connected, and to understand the expected flow for producing an artifact representing an image version, we need to break down the process and requirements.

Generating Encrypted Disk Image without a Jetson Connected:

The Jetson Linux reference implementation only generates per-device encrypted disk images. This means that the encryption process is tied to the specific device’s ECID (Electronic Chip ID), which is unique to each device. The ECID is used to derive the encryption key, ensuring that the encrypted image can only be decrypted on the specific device it was generated for.

However, as mentioned in the question, this approach has limitations, particularly when it comes to mass production and flashing multiple devices simultaneously. The requirement for an unattended unlock via hardware, such as binding to TPM (Trusted Platform Module) PCR (Platform Configuration Registers) registries, further complicates the process.

To generate an encrypted disk image without a Jetson connected, you would need to modify the encryption process to use a generic passphrase or key, rather than relying on the device’s ECID. This approach would allow you to create a single encrypted image that can be flashed to multiple devices.

Expected Flow for Producing an Artifact Representing an Image Version:

The expected flow for producing an artifact representing an image version would involve the following steps:

  1. Development Environment: Developers would create and configure the image version in a development environment, using tools such as the Jetson Linux reference implementation.
  2. Artifact Generation: The developers would generate an artifact representing the image version, which would include the encrypted disk image, as well as any necessary metadata, such as the encryption key or passphrase.
  3. Artifact Deployment: The artifact would be deployed to the factory flashing computers, where it would be used to flash the devices.
  4. Device Flashing: The devices would be flashed with the encrypted image, using the artifact as the source.

Comparison of Approaches:

There are two main approaches to consider:

  1. Per-Device Encryption: This approach uses the device’s ECID to derive the encryption key, ensuring that the encrypted image can only be decrypted on the specific device it was generated for. This approach is secure, but it has limitations when it comes to mass production and flashing multiple devices simultaneously.
  2. Generic Passphrase or Key: This approach uses a generic passphrase or key to encrypt the disk image, allowing for a single encrypted image to be created that can be flashed to multiple devices. This approach is more flexible, but it may compromise security if the passphrase or key is not properly managed.

Conclusion:

Generating an encrypted disk image without a Jetson connected requires modifying the encryption process to use a generic passphrase or key. The expected flow for producing an artifact representing an image version involves generating an artifact in a development environment, deploying it to the factory flashing computers, and flashing the devices with the encrypted image. The choice of approach depends on the specific requirements and constraints of the production environment.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

4

hello andrew.lipscomb,

you may see-also Topic 291335 to generate a massflash package with generic-passphrase.

5

Searching for disk encryption with factory deployments on the forums shows those earlier posts I mentioned as the first hits.

It would be good if Nvidia forum maintainers could mark these topics as now outdated, or only for particular L4T versions. Point new searchers at more up-to-date conversations on the same topics.

I found the same information at Disk Encryption — NVIDIA Jetson Linux Developer Guide 1 documentation and am working through that

Also the AI result was not helpful.