Massflash with disk encryption on Xavier NX eMMC

Hello there,
Last few days we are trying to achieve massflash with disk encryption on unfused Xavier NX eMMC board. We are not considering fusing at this moment, it is our next goal.

We tried initrd approach for flashing and disk encryption together and it works. We followed Workflow 10 from tools/kernel_flash/README_initrd_flash.txt and it works!

We run following commands one by one:

cd ~/nvidia/4.6.1/Linux_for_Tegra
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
  -p "-i $XKEYS/ekb.key" \
  jetson-xavier-nx-devkit-emmc internal
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
  -p "-i $XKEYS/ekb.key" \
  --external-device nvme0n1p1 \
  -S 220GiB \
  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml \
  --external-only \
  --append \
  jetson-xavier-nx-devkit-emmc external
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only -p "-i $XKEYS/ekb.key"

But when we add --massflash 5, for example, flashing won’t work.

Could you please guide us to achieve our current goal as we are kind of stuck in this stage.

1 Like

hello AkterHossain,

may I know what’s the failure, you may gather the complete logs for reference,
thanks

Hi @JerryChang last time we tried offline flash and the output kind of as like as --massflash 5.

Following commands (--no-flash) show successful message.

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 \                                                    
     ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash jetson-xavier-nx-devkit-emmc mmcblk0p1

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
  --external-device nvme0n1p1 \
  -S 220GiB \
  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml \
  --external-only \
  --append \
  jetson-xavier-nx-devkit-emmc external

But when we run --flash-only command, it throws Error flashing non-qspi storage message.

Flash Command:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --showlogs

Logs:

**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 0
~/nvidia/4.6.1/Linux_for_Tegra/bootloader ~/nvidia/4.6.1/Linux_for_Tegra
~/nvidia/4.6.1/Linux_for_Tegra
Finish creating flash environment 0.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
~/nvidia/4.6.1/Linux_for_Tegra/temp_initrdflash/bootloader0 ~/nvidia/4.6.1/Linux_for_Tegra
./tegraflash.py --bl nvtboot_recovery_cpu_t194_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev  --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt  --bins "mb2_bootloader nvtboot_recovery_t194_sigheader.bin.encrypt; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt; bpmp_fw bpmp_t194_sigheader.bin.encrypt; bpmp_fw_dtb tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt; spe_fw spe_t194_sigheader.bin.encrypt; tlk tos-trusty_t194_sigheader.img.encrypt; eks eks_sigheader.img.encrypt; kernel boot0.img; kernel_dtb kernel_tegra194-p3668-all-p3509-0000.dtb; bootloader_dtb tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt"    --instance 1-4
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0027 ] tegrarcm_v2 --instance 1-4 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0036 ] BootRom is not running
[   5.1628 ] 
[   6.1667 ] tegrarcm_v2 --instance 1-4 --isapplet
[   6.1677 ] Applet version 01.00.0000
[   6.1879 ] 
[   6.1879 ] Sending BCTs
[   6.1906 ] tegrarcm_v2 --instance 1-4 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
[   6.1915 ] Applet version 01.00.0000
[   6.2122 ] Sending bct_bootrom
[   6.2123 ] [................................................] 100%
[   6.2135 ] Sending bct_mb1
[   6.2182 ] [................................................] 100%
[   6.2218 ] Sending bct_mem
[   6.2714 ] [................................................] 100%
[   6.3449 ] 
[   6.3450 ] Generating blob
[   6.3484 ] tegrahost_v2 --chip 0x19 --generateblob blob.xml blob.bin
[   6.3493 ] number of images in blob are 13
[   6.3498 ] blobsize is 61097160
[   6.3500 ] Added binary blob_nvtboot_recovery_cpu_t194_sigheader.bin.encrypt of size 264064
[   6.3810 ] Added binary blob_nvtboot_recovery_t194_sigheader.bin.encrypt of size 181152
[   6.3816 ] Added binary blob_preboot_c10_prod_cr_sigheader.bin.encrypt of size 24016
[   6.3823 ] Added binary blob_mce_c10_prod_cr_sigheader.bin.encrypt of size 143200
[   6.3829 ] Added binary blob_mts_c10_prod_cr_sigheader.bin.encrypt of size 3430416
[   6.3845 ] Added binary blob_bpmp_t194_sigheader.bin.encrypt of size 856352
[   6.3864 ] Added binary blob_tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt of size 391408
[   6.3871 ] Added binary blob_spe_t194_sigheader.bin.encrypt of size 94960
[   6.3876 ] Added binary blob_tos-trusty_t194_sigheader.img.encrypt of size 410560
[   6.3883 ] Added binary blob_eks_sigheader.img.encrypt of size 5136
[   6.3888 ] Added binary blob_boot0.img of size 54882304
[   6.4360 ] Added binary blob_kernel_tegra194-p3668-all-p3509-0000.dtb of size 204640
[   6.4577 ] Added binary blob_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt of size 208736
[   6.5092 ] 
[   6.5092 ] Sending bootloader and pre-requisite binaries
[   6.5120 ] tegrarcm_v2 --instance 1-4 --download blob blob.bin
[   6.5130 ] Applet version 01.00.0000
[   6.5349 ] Sending blob
[   6.5350 ] [................................................] 100%
[  14.7438 ] 
[  14.7454 ] tegrarcm_v2 --instance 1-4 --boot rcm
[  14.7464 ] Applet version 01.00.0000
[  14.7722 ] 
[  14.7723 ] RCM-boot started

~/nvidia/4.6.1/Linux_for_Tegra
***************************************
*                                     *
*  Step 3: Start the flashing process *
*                                     *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
...RTNETLINK answers: File exists
RTNETLINK answers: File exists
Run command: if [ -f /qspi/l4t_flash_from_kernel.sh ]; then USER=root /qspi/l4t_flash_from_kernel.sh --no-reboot --qspi-only ; fi on root@fe80::1%enp0s20f0u4
4194304
[ 0]: l4t_flash_from_kernel: Starting to create gpt for emmc
Active index file is /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/internal/flash.idx
Number of lines is 62
max_index=61
4194304
Flash index file is /qspi/internal/flash.idx
Number of lines is 62
max_index=61
[ 0]: l4t_flash_from_kernel: Starting to flash to qspi
Erasing 64 Kibyte @ 0 --  0 % complete writing item=49, 1:3:primary_gpt, 512, 19968, gpt_primary_1_3.bin, 16896, fixed-<reserved>-0, 2de07aa7b2246f718c8f51cfc4cf4e19d75589ff
Writing primary_gpt partition with gpt_primary_1_3.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/internal/gpt_primary_1_3.bin of=/dev/sda bs=1 skip=0  seek=512 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0,0323988 s, 522 kB/s
Writing primary_gpt partition done
Writing secondary_gpt partition with gpt_secondary_1_3.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/internal/gpt_secondary_1_3.bin of=/dev/sda bs=1 skip=0  seek=15757983232 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0,0411946 s, 410 kB/s
Writing secondary_gpt partition done
[ 3]: l4t_flash_from_kernel: Successfully create gpt for emmc
[ 3]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/flash.idx
Number of lines is 15
max_index=14
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, c08fef5608740efa30769481621b747c0e7cf34d
Erasing 64 Kibyte @ 30000 --  0 % complete Writing primary_gpt partition with gpt_primary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/gpt_primary_9_0.bin of=/dev/sdd bs=1 skip=0  seek=512 count=16896
Erasing 64 Kibyte @ 40000 --  0 % complete 16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0,0334502 s, 505 kB/s
Writing primary_gpt partition done
Error: Can't have the end before the start! (start sector=819240 length=0)
[ 4]: l4t_flash_from_kernel: Error: partprobe failed. This indicates that:
 -   the xml indicates the gpt is larger than the device storage
 -   the xml might be invalid
 -   the device might have a problem.
 Please make correction.
Erasing 64 Kibyte @ 1ff0000 -- 100 % complete 
Flash index file is /qspi/internal/flash.idx
Number of lines is 62
max_index=61
Writing br_bct_BR.bct (parittion: BCT) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/br_bct_BR.bct
Writing /qspi/internal/br_bct_BR.bct (2888 bytes) into  /dev/mtd0:0
Copied 2888 bytes from /qspi/internal/br_bct_BR.bct to address 0x00000000 in flash
Writing /qspi/internal/br_bct_BR.bct (2888 bytes) into  /dev/mtd0:4096
Copied 2888 bytes from /qspi/internal/br_bct_BR.bct to address 0x00001000 in flash
Writing /qspi/internal/br_bct_BR.bct (2888 bytes) into  /dev/mtd0:32768
Copied 2888 bytes from /qspi/internal/br_bct_BR.bct to address 0x00008000 in flash
Writing mb1_t194_prod_sigheader.bin.encrypt (parittion: mb1) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mb1_t194_prod_sigheader.bin.encrypt
Writing /qspi/internal/mb1_t194_prod_sigheader.bin.encrypt (250432 bytes) into  /dev/mtd0:131072
Copied 250432 bytes from /qspi/internal/mb1_t194_prod_sigheader.bin.encrypt to address 0x00020000 in flash
Writing mb1_t194_prod_sigheader.bin.encrypt (parittion: mb1_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mb1_t194_prod_sigheader.bin.encrypt
Writing /qspi/internal/mb1_t194_prod_sigheader.bin.encrypt (250432 bytes) into  /dev/mtd0:393216
Copied 250432 bytes from /qspi/internal/mb1_t194_prod_sigheader.bin.encrypt to address 0x00060000 in flash
Writing mb1_cold_boot_bct_MB1_sigheader.bct.encrypt (parittion: MB1_BCT) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
Writing /qspi/internal/mb1_cold_boot_bct_MB1_sigheader.bct.encrypt (30400 bytes) into  /dev/mtd0:655360
Copied 30400 bytes from /qspi/internal/mb1_cold_boot_bct_MB1_sigheader.bct.encrypt to address 0x000a0000 in flash
Writing mb1_cold_boot_bct_MB1_sigheader.bct.encrypt (parittion: MB1_BCT_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
Writing /qspi/internal/mb1_cold_boot_bct_MB1_sigheader.bct.encrypt (30400 bytes) into  /dev/mtd0:720896
Copied 30400 bytes from /qspi/internal/mb1_cold_boot_bct_MB1_sigheader.bct.encrypt to address 0x000b0000 in flash
Writing mem_coldboot_sigheader.bct.encrypt (parittion: MEM_BCT) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mem_coldboot_sigheader.bct.encrypt
Writing /qspi/internal/mem_coldboot_sigheader.bct.encrypt (198656 bytes) into  /dev/mtd0:786432
Copied 198656 bytes from /qspi/internal/mem_coldboot_sigheader.bct.encrypt to address 0x000c0000 in flash
Writing mem_coldboot_sigheader.bct.encrypt (parittion: MEM_BCT_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mem_coldboot_sigheader.bct.encrypt
Writing /qspi/internal/mem_coldboot_sigheader.bct.encrypt (198656 bytes) into  /dev/mtd0:1048576
Copied 198656 bytes from /qspi/internal/mem_coldboot_sigheader.bct.encrypt to address 0x00100000 in flash
Writing spe_t194_sigheader.bin.encrypt (parittion: spe-fw) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/spe_t194_sigheader.bin.encrypt
Writing /qspi/internal/spe_t194_sigheader.bin.encrypt (94960 bytes) into  /dev/mtd0:1310720
Copied 94960 bytes from /qspi/internal/spe_t194_sigheader.bin.encrypt to address 0x00140000 in flash
Writing spe_t194_sigheader.bin.encrypt (parittion: spe-fw_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/spe_t194_sigheader.bin.encrypt
Writing /qspi/internal/spe_t194_sigheader.bin.encrypt (94960 bytes) into  /dev/mtd0:1572864
Copied 94960 bytes from /qspi/internal/spe_t194_sigheader.bin.encrypt to address 0x00180000 in flash
Writing nvtboot_t194_sigheader.bin.encrypt (parittion: mb2) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/nvtboot_t194_sigheader.bin.encrypt
Writing /qspi/internal/nvtboot_t194_sigheader.bin.encrypt (181328 bytes) into  /dev/mtd0:1835008
Copied 181328 bytes from /qspi/internal/nvtboot_t194_sigheader.bin.encrypt to address 0x001c0000 in flash
Writing nvtboot_t194_sigheader.bin.encrypt (parittion: mb2_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/nvtboot_t194_sigheader.bin.encrypt
Writing /qspi/internal/nvtboot_t194_sigheader.bin.encrypt (181328 bytes) into  /dev/mtd0:2097152
Copied 181328 bytes from /qspi/internal/nvtboot_t194_sigheader.bin.encrypt to address 0x00200000 in flash
Writing preboot_c10_prod_cr_sigheader.bin.encrypt (parittion: mts-preboot) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/preboot_c10_prod_cr_sigheader.bin.encrypt
Writing /qspi/internal/preboot_c10_prod_cr_sigheader.bin.encrypt (24016 bytes) into  /dev/mtd0:2359296
Copied 24016 bytes from /qspi/internal/preboot_c10_prod_cr_sigheader.bin.encrypt to address 0x00240000 in flash
Writing preboot_c10_prod_cr_sigheader.bin.encrypt (parittion: mts-preboot_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/preboot_c10_prod_cr_sigheader.bin.encrypt
Writing /qspi/internal/preboot_c10_prod_cr_sigheader.bin.encrypt (24016 bytes) into  /dev/mtd0:2424832
Copied 24016 bytes from /qspi/internal/preboot_c10_prod_cr_sigheader.bin.encrypt to address 0x00250000 in flash
Writing mce_c10_prod_cr_sigheader.bin.encrypt (parittion: mts-mce) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mce_c10_prod_cr_sigheader.bin.encrypt
Writing /qspi/internal/mce_c10_prod_cr_sigheader.bin.encrypt (143200 bytes) into  /dev/mtd0:2490368
Copied 143200 bytes from /qspi/internal/mce_c10_prod_cr_sigheader.bin.encrypt to address 0x00260000 in flash
Writing mce_c10_prod_cr_sigheader.bin.encrypt (parittion: mts-mce_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mce_c10_prod_cr_sigheader.bin.encrypt
Writing /qspi/internal/mce_c10_prod_cr_sigheader.bin.encrypt (143200 bytes) into  /dev/mtd0:2686976
Copied 143200 bytes from /qspi/internal/mce_c10_prod_cr_sigheader.bin.encrypt to address 0x00290000 in flash
Writing mts_c10_prod_cr_sigheader.bin.encrypt (parittion: mts-proper) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mts_c10_prod_cr_sigheader.bin.encrypt
Writing /qspi/internal/mts_c10_prod_cr_sigheader.bin.encrypt (3430416 bytes) into  /dev/mtd0:2883584
Copied 3430416 bytes from /qspi/internal/mts_c10_prod_cr_sigheader.bin.encrypt to address 0x002c0000 in flash
Writing mts_c10_prod_cr_sigheader.bin.encrypt (parittion: mts-proper_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/mts_c10_prod_cr_sigheader.bin.encrypt
Writing /qspi/internal/mts_c10_prod_cr_sigheader.bin.encrypt (3430416 bytes) into  /dev/mtd0:7077888
Copied 3430416 bytes from /qspi/internal/mts_c10_prod_cr_sigheader.bin.encrypt to address 0x006c0000 in flash
Writing warmboot_t194_prod_sigheader.bin.encrypt (parittion: sc7) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/warmboot_t194_prod_sigheader.bin.encrypt
Writing /qspi/internal/warmboot_t194_prod_sigheader.bin.encrypt (65504 bytes) into  /dev/mtd0:11272192
Copied 65504 bytes from /qspi/internal/warmboot_t194_prod_sigheader.bin.encrypt to address 0x00ac0000 in flash
Writing warmboot_t194_prod_sigheader.bin.encrypt (parittion: sc7_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/warmboot_t194_prod_sigheader.bin.encrypt
Writing /qspi/internal/warmboot_t194_prod_sigheader.bin.encrypt (65504 bytes) into  /dev/mtd0:11403264
Copied 65504 bytes from /qspi/internal/warmboot_t194_prod_sigheader.bin.encrypt to address 0x00ae0000 in flash
Writing slot_metadata.bin (parittion: SMD) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/slot_metadata.bin
Writing /qspi/internal/slot_metadata.bin (191 bytes) into  /dev/mtd0:11534336
Copied 191 bytes from /qspi/internal/slot_metadata.bin to address 0x00b00000 in flash
Writing slot_metadata.bin (parittion: SMD_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/slot_metadata.bin
Writing /qspi/internal/slot_metadata.bin (191 bytes) into  /dev/mtd0:11599872
Copied 191 bytes from /qspi/internal/slot_metadata.bin to address 0x00b10000 in flash
Writing xusb_sil_rel_fw_sigheader.encrypt (parittion: xusb-fw) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/xusb_sil_rel_fw_sigheader.encrypt
Writing /qspi/internal/xusb_sil_rel_fw_sigheader.encrypt (133120 bytes) into  /dev/mtd0:11665408
Copied 133120 bytes from /qspi/internal/xusb_sil_rel_fw_sigheader.encrypt to address 0x00b20000 in flash
Writing xusb_sil_rel_fw_sigheader.encrypt (parittion: xusb-fw_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/xusb_sil_rel_fw_sigheader.encrypt
Writing /qspi/internal/xusb_sil_rel_fw_sigheader.encrypt (133120 bytes) into  /dev/mtd0:11862016
Copied 133120 bytes from /qspi/internal/xusb_sil_rel_fw_sigheader.encrypt to address 0x00b50000 in flash
Writing cboot_t194_sigheader.bin.encrypt (parittion: cpu-bootloader) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/cboot_t194_sigheader.bin.encrypt
Writing /qspi/internal/cboot_t194_sigheader.bin.encrypt (471008 bytes) into  /dev/mtd0:12058624
Copied 471008 bytes from /qspi/internal/cboot_t194_sigheader.bin.encrypt to address 0x00b80000 in flash
Writing cboot_t194_sigheader.bin.encrypt (parittion: cpu-bootloader_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/cboot_t194_sigheader.bin.encrypt
Writing /qspi/internal/cboot_t194_sigheader.bin.encrypt (471008 bytes) into  /dev/mtd0:13500416
Copied 471008 bytes from /qspi/internal/cboot_t194_sigheader.bin.encrypt to address 0x00ce0000 in flash
Writing tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt (parittion: bootloader-dtb) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt
Writing /qspi/internal/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt (208736 bytes) into  /dev/mtd0:14942208
Copied 208736 bytes from /qspi/internal/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt to address 0x00e40000 in flash
Writing tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt (parittion: bootloader-dtb_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt
Writing /qspi/internal/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt (208736 bytes) into  /dev/mtd0:15400960
Copied 208736 bytes from /qspi/internal/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt to address 0x00eb0000 in flash
Writing bmp.blob (parittion: BMP) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/bmp.blob
Writing /qspi/internal/bmp.blob (149554 bytes) into  /dev/mtd0:15859712
Copied 149554 bytes from /qspi/internal/bmp.blob to address 0x00f20000 in flash
Writing bmp.blob (parittion: BMP_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/bmp.blob
Writing /qspi/internal/bmp.blob (149554 bytes) into  /dev/mtd0:16056320
Copied 149554 bytes from /qspi/internal/bmp.blob to address 0x00f50000 in flash
Writing tos-trusty_t194_sigheader.img.encrypt (parittion: secure-os) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/tos-trusty_t194_sigheader.img.encrypt
Writing /qspi/internal/tos-trusty_t194_sigheader.img.encrypt (410560 bytes) into  /dev/mtd0:16252928
Copied 410560 bytes from /qspi/internal/tos-trusty_t194_sigheader.img.encrypt to address 0x00f80000 in flash
Writing tos-trusty_t194_sigheader.img.encrypt (parittion: secure-os_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/tos-trusty_t194_sigheader.img.encrypt
Writing /qspi/internal/tos-trusty_t194_sigheader.img.encrypt (410560 bytes) into  /dev/mtd0:18874368
Copied 410560 bytes from /qspi/internal/tos-trusty_t194_sigheader.img.encrypt to address 0x01200000 in flash
Writing eks_sigheader.img.encrypt (parittion: eks) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/eks_sigheader.img.encrypt
Writing /qspi/internal/eks_sigheader.img.encrypt (5136 bytes) into  /dev/mtd0:21495808
Copied 5136 bytes from /qspi/internal/eks_sigheader.img.encrypt to address 0x01480000 in flash
Writing eks_sigheader.img.encrypt (parittion: eks_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/eks_sigheader.img.encrypt
Writing /qspi/internal/eks_sigheader.img.encrypt (5136 bytes) into  /dev/mtd0:21561344
Copied 5136 bytes from /qspi/internal/eks_sigheader.img.encrypt to address 0x01490000 in flash
Writing adsp-fw_sigheader.bin.encrypt (parittion: adsp-fw) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/adsp-fw_sigheader.bin.encrypt
Writing /qspi/internal/adsp-fw_sigheader.bin.encrypt (81312 bytes) into  /dev/mtd0:21626880
Copied 81312 bytes from /qspi/internal/adsp-fw_sigheader.bin.encrypt to address 0x014a0000 in flash
Writing adsp-fw_sigheader.bin.encrypt (parittion: adsp-fw_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/adsp-fw_sigheader.bin.encrypt
Writing /qspi/internal/adsp-fw_sigheader.bin.encrypt (81312 bytes) into  /dev/mtd0:22675456
Copied 81312 bytes from /qspi/internal/adsp-fw_sigheader.bin.encrypt to address 0x015a0000 in flash
Writing camera-rtcpu-rce_sigheader.img.encrypt (parittion: rce-fw) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/camera-rtcpu-rce_sigheader.img.encrypt
Writing /qspi/internal/camera-rtcpu-rce_sigheader.img.encrypt (271904 bytes) into  /dev/mtd0:23724032
Copied 271904 bytes from /qspi/internal/camera-rtcpu-rce_sigheader.img.encrypt to address 0x016a0000 in flash
Writing camera-rtcpu-rce_sigheader.img.encrypt (parittion: rce-fw_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/camera-rtcpu-rce_sigheader.img.encrypt
Writing /qspi/internal/camera-rtcpu-rce_sigheader.img.encrypt (271904 bytes) into  /dev/mtd0:24772608
Copied 271904 bytes from /qspi/internal/camera-rtcpu-rce_sigheader.img.encrypt to address 0x017a0000 in flash
[ 174]: l4t_flash_from_kernel: Warning: skip writing sce-fw partition as no image is specified
[ 174]: l4t_flash_from_kernel: Warning: skip writing sce-fw_b partition as no image is specified
Writing bpmp_t194_sigheader.bin.encrypt (parittion: bpmp-fw) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/bpmp_t194_sigheader.bin.encrypt
Writing /qspi/internal/bpmp_t194_sigheader.bin.encrypt (856352 bytes) into  /dev/mtd0:27918336
Copied 856352 bytes from /qspi/internal/bpmp_t194_sigheader.bin.encrypt to address 0x01aa0000 in flash
Writing bpmp_t194_sigheader.bin.encrypt (parittion: bpmp-fw_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/bpmp_t194_sigheader.bin.encrypt
Writing /qspi/internal/bpmp_t194_sigheader.bin.encrypt (856352 bytes) into  /dev/mtd0:29491200
Copied 856352 bytes from /qspi/internal/bpmp_t194_sigheader.bin.encrypt to address 0x01c20000 in flash
Writing tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt (parittion: bpmp-fw-dtb) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt
Writing /qspi/internal/tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt (391408 bytes) into  /dev/mtd0:31064064
Copied 391408 bytes from /qspi/internal/tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt to address 0x01da0000 in flash
Writing tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt (parittion: bpmp-fw-dtb_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt
Writing /qspi/internal/tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt (391408 bytes) into  /dev/mtd0:32112640
Copied 391408 bytes from /qspi/internal/tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt to address 0x01ea0000 in flash
[ 182]: l4t_flash_from_kernel: Warning: skip writing CPUBL-CFG partition as no image is specified
[ 182]: l4t_flash_from_kernel: Warning: skip writing CPUBL-CFG_b partition as no image is specified
Writing qspi_bootblob_ver.txt (parittion: VER) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/qspi_bootblob_ver.txt
Writing /qspi/internal/qspi_bootblob_ver.txt (102 bytes) into  /dev/mtd0:33292288
Copied 102 bytes from /qspi/internal/qspi_bootblob_ver.txt to address 0x01fc0000 in flash
Writing qspi_bootblob_ver.txt (parittion: VER_b) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/qspi_bootblob_ver.txt
Writing /qspi/internal/qspi_bootblob_ver.txt (102 bytes) into  /dev/mtd0:33357824
Copied 102 bytes from /qspi/internal/qspi_bootblob_ver.txt to address 0x01fd0000 in flash
Writing gpt_secondary_3_0.bin (parittion: secondary_gpt) into /dev/mtd0
Sha1 checksum matched for /qspi/internal/gpt_secondary_3_0.bin
Writing /qspi/internal/gpt_secondary_3_0.bin (16896 bytes) into  /dev/mtd0:33537536
Copied 16896 bytes from /qspi/internal/gpt_secondary_3_0.bin to address 0x01ffbe00 in flash
Reach the end of the SPI device
[ 182]: l4t_flash_from_kernel: Successfully flash the qspi
[ 182]: l4t_flash_from_kernel: Flashing success
Error flashing non-qspi storage

Cleaning up...

hello AkterHossain,

please check above error logs, it looks you’re using incorrect flash configuration file.
what’s the real storage of your external device, had you also update the size of the APP partition?

Hi @JerryChang ,
Thanks for your quick reply. The NVMe size is 232GiB. We changed num_sectors from 61079552 to 488397168.

I can share the whole partition template.

<?xml version="1.0"?>
<!-- Nvidia Tegra Partition Layout Version 1.0.0 -->
<partition_layout version="01.00.0000">
    <device type="nvme" instance="0" sector_size="512" num_sectors="488397168">
        <partition name="master_boot_record" type="protective_master_boot_record">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 512 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> **Required.** Contains protective MBR. </description>
        </partition>
        <partition name="primary_gpt" type="primary_gpt">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 19968 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> **Required.** Contains primary GPT of the `sdmmc_user` device. All
              partitions defined after this entry are configured in the kernel, and are accessible
              by standard partition tools such as gdisk and parted. </description>
        </partition>
        <partition name="APP" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 419430400 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APPUUID </unique_guid>
            <filename> system_boot.img </filename>
            <description> **Required.** Contains the boot partition. This partition must be defined
              after `primary_GPT` so that it can be accessed as the fixed known special device
              `/dev/mmcblk0p1`. </description>
        </partition>
        <partition name="APP_ENC" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID </unique_guid>
            <filename> system_root_encrypted.img_ext </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>
        <partition name="RECNAME" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> RECSIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> RECFILE </filename>
            <description> **Optional.** Reserved for future use by the recovery image; removable </description>
        </partition>
        <partition name="RECDTB-NAME" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 524288 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> RECDTB-FILE </filename>
            <description> **Optional.** Reserved for future use by the recovery DTB image; removable </description>
        </partition>
        <partition name="BOOTCTRLNAME" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 65536 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> BOOTCTRL-FILE </filename>
            <description> **Optional.** Slot A; reserved for future use by boot control data; removable </description>
        </partition>
        <partition name="BOOTCTRLNAME_b" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 65536 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> BOOTCTRL-FILE </filename>
            <description> **Optional.** Slot B; reserved for future use by boot control data; removable </description>
        </partition>
        <partition name="kernel" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> LNXSIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> LNXFILE </filename>
            <description> **Required.** Slot A; contains the Linux kernel. </description>
        </partition>
        <partition name="kernel_b" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> LNXSIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> LNXFILE </filename>
            <description> **Required.** Slot B; contains the Linux kernel. </description>
        </partition>
        <partition name="kernel-dtb" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 524288 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> DTB_FILE </filename>
            <description> **Required.** Slot A; contains kernel device tree blob. </description>
        </partition>
        <partition name="kernel-dtb_b" type="data" oem_sign="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 524288 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <filename> DTB_FILE </filename>
            <description> **Required.** Slot B; contains kernel device tree blob. </description>
        </partition>
        <partition name="RECROOTFS" type="data">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> RECROOTFSSIZE </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> **Optional.** Reserved for future use by the recovery filesystem;
              removable. </description>
        </partition>
        <partition name="UDA" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 335544320 </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x808 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <filename> system_uda_encrypted.img_ext </filename>
            <description> **Required.** Automatically takes all remaining space on the device except space
              occupied by `secondary_gpt`. Allocation attribute must be set to 0x808. This
              partition may be mounted and used to store user data. </description>
        </partition>
        <partition name="secondary_gpt" type="secondary_gpt">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 0xFFFFFFFFFFFFFFFF </size>
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <description> **Required.** Contains secondary GPT of the `sdmmc_user`
              device. </description>
        </partition>
    </device>
</partition_layout>

Hi @JerryChang,

Ignore my previous message. Now we can massflash without disk encryption. Working commands are here:

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 \                                                    
     ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --massflash 2 jetson-xavier-nx-devkit-emmc mmcblk0p1

sudo BOARDID=3668 BOARDSKU=0001 FAB=100 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \
  --external-device nvme0n1p1 \
  -S 220GiB \
  -c ./tools/kernel_flash/flash_l4t_nvme.xml \
  --external-only --massflash 2 \
  --append \
  jetson-xavier-nx-devkit-emmc external

sudo tar xpfv mfi_jetson-xavier-nx-devkit-emmc.tar.gz

cd mfi_jetson-xavier-nx-devkit-emmc
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 2 --showlogs

But when we enable disk encryption like ROOTFS_ENC=1 we got error like ERROR: build_enc_fsimg: ECID is null .

The script we run:

sudo ROOTFS_ENC=1 BOARDID=3668 BOARDSKU=0001 FAB=100 \                       
     ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --massflash 2 jetson-xavier-nx-devkit-emmc mmcblk0p1

Logs:

************************************
*                                  *
*  Step 1: Generate flash packages *
*                                  *
************************************
Create folder to store images to flash
Generate images to be flashed
 /home/akter/nvidia/4.6.1/Linux_for_Tegra/flash.sh --no-flash --sign  jetson-xavier-nx-devkit-emmc mmcblk0p1

###############################################################################
# L4T BSP Information:
# R32 , REVISION: 7.1
###############################################################################
Change device boot from mmcblk0p1 to internal
Board ID(3668) version(100) sku(0001) revision()
Copy /home/akter/nvidia/4.6.1/Linux_for_Tegra/kernel/dtb/tegra194-p3668-all-p3509-0000.dtb to /home/akter/nvidia/4.6.1/Linux_for_Tegra/kernel/dtb/tegra194-p3668-all-p3509-0000.dtb.rec
Generated UUID 5d2d9b32-e2ad-4295-af02-a997787f2824 for mounting root APP partition.
Generated UUID 918cc2c2-181c-4448-97c1-6ad3e9a12045 for mounting root APP_enc partition.
Generated UUID 33bc2d47-fe43-449d-9572-815649a34b2e for mounting boot APP partition.
copying bctfile(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-memcfg-p3668-0001-a00.cfg)... done.
copying bctfile1(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-memcfg-sw-override.cfg)... done.
copying minratchet_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-ratchet-p3668.cfg)... done.
copying device_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-bct-device-qspi-p3668.cfg)... done.
copying misc_cold_boot_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-l4t.cfg)... done.
copying misc_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-misc-flash.cfg)... done.
copying pinmux_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-pinmux-p3668-a01.cfg)... done.
copying gpioint_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-gpioint-p3668-0001-a00.cfg)... done.
copying pmic_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-pmic-p3668-0001-a00.cfg)... done.
copying pmc_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-padvoltage-p3668-a01.cfg)... done.
copying prod_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-prod-p3668-0001-a00.cfg)... done.
copying scr_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini-p3668.cfg)... done.
copying scr_cold_boot_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-scr-cbb-mini-p3668.cfg)... done.
copying bootrom_config(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-reset-p3668-0001-a00.cfg)... done.
copying dev_params(/home/akter/nvidia/4.6.1/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-br-bct-qspi.cfg)... done.
Generated UUID 522a4eda-48de-44db-a417-6d06b6787176 for mounting UDA partition.
Making system_uda_encrypted.img... 
ERROR: build_enc_fsimg: ECID is null .
Error: failed to generate images
Cleaning up...

Can you please guide us like before regarding the current errors or what things we are missing?

hello AkterHossain,

since you’re going to have disk encryption, you have to put the EKB key into command-line for generating the image, i.e. ./l4t_initrd_flash.sh -i ekb.key --no-flash ...
please try again with below steps,
for example.
$ echo "123456789abcdef0fedcba9876543210" > ekb.key
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -p "-i ./ekb.key" --no-flash jetson-xavier-nx-devkit-emmc internal
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -p "-i ./ekb.key" --no-flash --external-device nvme0n1p1 -S 110GiB -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --massflash 2 --append jetson-xavier-nx-devkit-emmc external

Hi @JerryChang,
In your internal flash command you did not use --massflash 2 argument. Is it okay or you forgot to add this arg?

the internal is the approach to flash the internal storage for updating the ekb partition.

Thanks for your quick replay @JerryChang.

What about ECID is null error? It is unique per device. But we want to generate flashing image once and reuse them to flash multiple device concurrently (aka massflash). Do you think your last approach is fine with our workflow?

Hi @JerryChang,
We followed your last approach but no help. Let me share details work through:

#1. custom eks.img for our custom ekb.key
cd ~/nvidia/4.6.1/trusty/app/nvidia-sample/hwkey-agent/CA_sample/tool/gen_ekb                             
python3 gen_ekb.py -kek2_key $XKEYS/kek2_unfused.key \
  -fv $XKEYS/fv_ekb.key \
  -in_sym_key $XKEYS/usr_ekb.key \
  -in_sym_key2 $XKEYS/ekb.key \
  -out eks.img

cp eks.img ~/nvidia/4.6.1/Linux_for_Tegra/bootloader/
cd ~/nvidia/4.6.1/Linux_for_Tegra

#2. Put one device into RCM mode

#3. Populate internal flash image (Successful)
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \                                   
  -p "-i $XKEYS/ekb.key" \
  jetson-xavier-nx-devkit-emmc internal

#4. Put the device RCM mode again

#5. Populate external flash image
udo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash \                                   
  -p "-i $XKEYS/ekb.key" \
  --external-device nvme0n1p1 \
  -S 220GiB \
  -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml \
  --external-only \
  -- massflash 2 \
  --append \
  jetson-xavier-nx-devkit-emmc external

#6. Put two devices into RCM mode

#7. Massflash 2 devices concurrently
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --flash-only -p "-i $XKEYS/ekb.key" --massflash 2

There are two logs file generated.

  1. initrdlog/flash_1-1_0_20220722-115932.log (Looks flashing successful but device didn’t boot)
  2. initrdlog/flash_1-4_1_20220722-115932.log (Flashing failed)
➜  cat initrdlog/flash_1-1_0_20220722-115932.log
**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 0
~/nvidia/4.6.1/Linux_for_Tegra/bootloader ~/nvidia/4.6.1/Linux_for_Tegra
~/nvidia/4.6.1/Linux_for_Tegra
Finish creating flash environment 0.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
~/nvidia/4.6.1/Linux_for_Tegra/temp_initrdflash/bootloader0 ~/nvidia/4.6.1/Linux_for_Tegra
./tegraflash.py --bl nvtboot_recovery_cpu_t194_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev  --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt  --bins "mb2_bootloader nvtboot_recovery_t194_sigheader.bin.encrypt; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt; bpmp_fw bpmp_t194_sigheader.bin.encrypt; bpmp_fw_dtb tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt; spe_fw spe_t194_sigheader.bin.encrypt; tlk tos-trusty_t194_sigheader.img.encrypt; eks eks_sigheader.img.encrypt; kernel boot0.img; kernel_dtb kernel_tegra194-p3668-all-p3509-0000.dtb; bootloader_dtb tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt"    --instance 1-1
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0023 ] tegrarcm_v2 --instance 1-1 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0033 ] BR_CID: 0x880219116401d240240000000e008280
[   0.0145 ] Boot Rom communication completed
[   1.0410 ] 
[   2.0469 ] tegrarcm_v2 --instance 1-1 --isapplet
[   2.0494 ] Applet version 01.00.0000
[   2.0750 ] 
[   2.0751 ] Sending BCTs
[   2.0774 ] tegrarcm_v2 --instance 1-1 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
[   2.0783 ] Applet version 01.00.0000
[   2.0988 ] Sending bct_bootrom
[   2.0989 ] [................................................] 100%
[   2.1002 ] Sending bct_mb1
[   2.1054 ] [................................................] 100%
[   2.1091 ] Sending bct_mem
[   2.1597 ] [................................................] 100%
[   2.2344 ] 
[   2.2345 ] Generating blob
[   2.2403 ] tegrahost_v2 --chip 0x19 --generateblob blob.xml blob.bin
[   2.2413 ] number of images in blob are 13
[   2.2417 ] blobsize is 55868616
[   2.2418 ] Added binary blob_nvtboot_recovery_cpu_t194_sigheader.bin.encrypt of size 264064
[   2.2667 ] Added binary blob_nvtboot_recovery_t194_sigheader.bin.encrypt of size 181152
[   2.2671 ] Added binary blob_preboot_c10_prod_cr_sigheader.bin.encrypt of size 24016
[   2.2675 ] Added binary blob_mce_c10_prod_cr_sigheader.bin.encrypt of size 143200
[   2.2678 ] Added binary blob_mts_c10_prod_cr_sigheader.bin.encrypt of size 3430416
[   2.2691 ] Added binary blob_bpmp_t194_sigheader.bin.encrypt of size 856352
[   2.2703 ] Added binary blob_tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt of size 391408
[   2.2707 ] Added binary blob_spe_t194_sigheader.bin.encrypt of size 94960
[   2.2710 ] Added binary blob_tos-trusty_t194_sigheader.img.encrypt of size 410560
[   2.2713 ] Added binary blob_eks_sigheader.img.encrypt of size 5136
[   2.2716 ] Added binary blob_boot0.img of size 49653760
[   2.3040 ] Added binary blob_kernel_tegra194-p3668-all-p3509-0000.dtb of size 204640
[   2.3158 ] Added binary blob_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt of size 208736
[   2.3544 ] 
[   2.3544 ] Sending bootloader and pre-requisite binaries
[   2.3569 ] tegrarcm_v2 --instance 1-1 --download blob blob.bin
[   2.3578 ] Applet version 01.00.0000
[   2.3781 ] Sending blob
[   2.3781 ] [................................................] 100%
[  10.6334 ] 
[  10.6377 ] tegrarcm_v2 --instance 1-1 --boot rcm
[  10.6401 ] Applet version 01.00.0000
[  10.6664 ] 
[  10.6664 ] RCM-boot started

~/nvidia/4.6.1/Linux_for_Tegra
***************************************
*                                     *
*  Step 3: Start the flashing process *
*                                     *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
...RTNETLINK answers: File exists
RTNETLINK answers: File exists
Run command: if [ -f /qspi/l4t_flash_from_kernel.sh ]; then USER=root /qspi/l4t_flash_from_kernel.sh --no-reboot --qspi-only ; fi on root@fe80::1%enp0s20f0u1
4194304
[ 0]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/flash.idx
Number of lines is 15
max_index=14
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, eddae1f16db1485192a1403364525e8c90a68968
Writing primary_gpt partition with gpt_primary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/gpt_primary_9_0.bin of=/dev/sdd bs=1 skip=0  seek=512 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0,0723086 s, 234 kB/s
Writing primary_gpt partition done
Writing secondary_gpt partition with gpt_secondary_9_0.bin
Offset is not aligned to K Bytes, no optimization is applied
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/gpt_secondary_9_0.bin of=/dev/sdd bs=1 skip=0  seek=250059333120 count=16896
16896+0 records in
16896+0 records out
16896 bytes (17 kB, 16 KiB) copied, 0,0359728 s, 470 kB/s
Writing secondary_gpt partition done
[ 2]: l4t_flash_from_kernel: Successfully create gpt for external device
Run command: partprobe on root@fe80::1%enp0s20f0u1
Warning: Error fsyncing/closing /dev/mmcblk0rpmb: Input/output error
Warning: Error fsyncing/closing /dev/mmcblk0rpmb: Input/output error
[ 3]: l4t_flash_from_kernel: Starting to flash to external device
Active index file is /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/flash.idx
Number of lines is 15
max_index=14
writing item=0, 9:0:master_boot_record, 0, 512, mbr_9_0.bin, 512, fixed-<reserved>-0, 694898d1c345bdb31b377790ed7fc0b0db184bf7
writing item=1, 9:0:primary_gpt, 512, 19968, gpt_primary_9_0.bin, 16896, fixed-<reserved>-0, eddae1f16db1485192a1403364525e8c90a68968
writing item=2, 9:0:APP, 20480, 419430400, , , fixed-<reserved>-1, 
Formatting APP partition /dev/sdd1 ...
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 409600 1k blocks and 102400 inodes
Filesystem UUID: 181a0f34-def4-4f8a-b30f-4b13911dc6b3
Superblock backups stored on blocks: 
        8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done 

Formatting APP parition done
Formatting APP partition /dev/sdd1 ...
tar --xattrs -xpf /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/system_boot.img  --checkpoint=10000 --warning=no-timestamp --numeric-owner  -C  /tmp/ci-7ENgubQ8jH
writing item=3, 9:0:APP_ENC, 419450880, 235803770880, system_root_encrypted.img_ext, 6601117856, fixed-<reserved>-2, 
Writing APP_ENC partition with system_root_encrypted.img_ext
Get size of partition through connection.
Run command: if ! blkdiscard /dev/nvme0n1p2; then
                echo Cannot erase before writing sparse image. Write zero to partition /dev/nvme0n1p2;
                dd if=/dev/zero of=/dev/nvme0n1p2 status=progress oflag=direct; fi on root@fe80::1%enp0s20f0u1
nvsimg2img /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/system_root_encrypted.img_ext /dev/sdd2
Writing APP_ENC partition done
writing item=4, 9:0:recovery, 236223221760, 66060288, recovery_sigheader.img.encrypt, 49483776, fixed-<reserved>-3, a59c80ac0ab03dcd155ff96b53828901b39d5ee9
Writing recovery partition with recovery_sigheader.img.encrypt
Get size of partition through connection.
49483776 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/recovery_sigheader.img.encrypt to /dev/sdd: 1KB block=48324 remainder=0
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/recovery_sigheader.img.encrypt of=/dev/sdd bs=1K skip=0  seek=230686740 count=48324
48324+0 records in
48324+0 records out
49483776 bytes (49 MB, 47 MiB) copied, 4,32001 s, 11,5 MB/s
Writing recovery partition done
writing item=5, 9:0:recovery-dtb, 236289282048, 524288, tegra194-p3668-all-p3509-0000.dtb_sigheader.rec.encrypt, 208736, fixed-<reserved>-4, a2725542c394a7f2f3bfcf195c761e620b2597cd
Writing recovery-dtb partition with tegra194-p3668-all-p3509-0000.dtb_sigheader.rec.encrypt
Get size of partition through connection.
208736 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/tegra194-p3668-all-p3509-0000.dtb_sigheader.rec.encrypt to /dev/sdd: 1KB block=203 remainder=864
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/tegra194-p3668-all-p3509-0000.dtb_sigheader.rec.encrypt of=/dev/sdd bs=1K skip=0  seek=230751252 count=203
203+0 records in
203+0 records out
207872 bytes (208 kB, 203 KiB) copied, 0,114987 s, 1,8 MB/s
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/tegra194-p3668-all-p3509-0000.dtb_sigheader.rec.encrypt of=/dev/sdd bs=1 skip=207872  seek=236289489920 count=864
864+0 records in
864+0 records out
864 bytes copied, 0,00204506 s, 422 kB/s
Writing recovery-dtb partition done
writing item=6, 9:0:kernel-bootctrl, 236289806336, 65536, kernel_bootctrl.bin, 20, fixed-<reserved>-5, 6768033e216468247bd031a0a2d9876d79818f8f
Writing kernel-bootctrl partition with kernel_bootctrl.bin
Get size of partition through connection.
20 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_bootctrl.bin to /dev/sdd: 1KB block=0 remainder=20
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_bootctrl.bin of=/dev/sdd bs=1 skip=0  seek=236289806336 count=20
20+0 records in
20+0 records out
20 bytes copied, 0,000392602 s, 50,9 kB/s
Writing kernel-bootctrl partition done
writing item=7, 9:0:kernel-bootctrl_b, 236289871872, 65536, kernel_bootctrl.bin, 20, fixed-<reserved>-6, 6768033e216468247bd031a0a2d9876d79818f8f
Writing kernel-bootctrl_b partition with kernel_bootctrl.bin
Get size of partition through connection.
20 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_bootctrl.bin to /dev/sdd: 1KB block=0 remainder=20
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_bootctrl.bin of=/dev/sdd bs=1 skip=0  seek=236289871872 count=20
20+0 records in
20+0 records out
20 bytes copied, 0,000364291 s, 54,9 kB/s
Writing kernel-bootctrl_b partition done
writing item=8, 9:0:kernel, 236289937408, 83886080, boot_sigheader.img.encrypt, 45850624, fixed-<reserved>-7, fb2192fe1824169974211f2b90b53fcf46f1c8dd
Writing kernel partition with boot_sigheader.img.encrypt
Get size of partition through connection.
45850624 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/boot_sigheader.img.encrypt to /dev/sdd: 1KB block=44776 remainder=0
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/boot_sigheader.img.encrypt of=/dev/sdd bs=1K skip=0  seek=230751892 count=44776
44776+0 records in
44776+0 records out
45850624 bytes (46 MB, 44 MiB) copied, 4,75086 s, 9,7 MB/s
Writing kernel partition done
writing item=9, 9:0:kernel_b, 236373823488, 83886080, boot_sigheader.img.encrypt, 45850624, fixed-<reserved>-8, fb2192fe1824169974211f2b90b53fcf46f1c8dd
Writing kernel_b partition with boot_sigheader.img.encrypt
Get size of partition through connection.
45850624 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/boot_sigheader.img.encrypt to /dev/sdd: 1KB block=44776 remainder=0
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/boot_sigheader.img.encrypt of=/dev/sdd bs=1K skip=0  seek=230833812 count=44776
44776+0 records in
44776+0 records out
45850624 bytes (46 MB, 44 MiB) copied, 4,35238 s, 10,5 MB/s
Writing kernel_b partition done
writing item=10, 9:0:kernel-dtb, 236457709568, 524288, kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt, 208736, fixed-<reserved>-9, a2725542c394a7f2f3bfcf195c761e620b2597cd
Writing kernel-dtb partition with kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt
Get size of partition through connection.
208736 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt to /dev/sdd: 1KB block=203 remainder=864
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt of=/dev/sdd bs=1K skip=0  seek=230915732 count=203
203+0 records in
203+0 records out
207872 bytes (208 kB, 203 KiB) copied, 0,0607029 s, 3,4 MB/s
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt of=/dev/sdd bs=1 skip=207872  seek=236457917440 count=864
864+0 records in
864+0 records out
864 bytes copied, 0,0257983 s, 33,5 kB/s
Writing kernel-dtb partition done
writing item=11, 9:0:kernel-dtb_b, 236458233856, 524288, kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt, 208736, fixed-<reserved>-10, a2725542c394a7f2f3bfcf195c761e620b2597cd
Writing kernel-dtb_b partition with kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt
Get size of partition through connection.
208736 bytes from /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt to /dev/sdd: 1KB block=203 remainder=864
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt of=/dev/sdd bs=1K skip=0  seek=230916244 count=203
203+0 records in
203+0 records out
207872 bytes (208 kB, 203 KiB) copied, 0,0179895 s, 11,6 MB/s
dd if=/home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/kernel_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt of=/dev/sdd bs=1 skip=207872  seek=236458441728 count=864
864+0 records in
864+0 records out
864 bytes copied, 0,00186345 s, 464 kB/s
Writing kernel-dtb_b partition done
writing item=12, 9:0:RECROOTFS, 236458758144, 314572800, , , fixed-<reserved>-11, 
[ 254]: l4t_flash_from_kernel: Warning: skip writing RECROOTFS partition as no image is specified
writing item=13, 9:0:UDA, 236773330944, 13286002176, system_uda_encrypted.img_ext, 11514280, expand-<reserved>-12, bb623e2b53d976ca22f4ac75ac1cfe41796fda1e
Writing UDA partition with system_uda_encrypted.img_ext
Get size of partition through connection.
Run command: if ! blkdiscard /dev/nvme0n1p12; then
                echo Cannot erase before writing sparse image. Write zero to partition /dev/nvme0n1p12;
                dd if=/dev/zero of=/dev/nvme0n1p12 status=progress oflag=direct; fi on root@fe80::1%enp0s20f0u1
nvsimg2img /home/akter/nvidia/4.6.1/Linux_for_Tegra/tools/kernel_flash/images/external/system_uda_encrypted.img_ext /dev/sdd12
Writing UDA partition done
writing item=14, 9:0:secondary_gpt, 250059333120, 16896, gpt_secondary_9_0.bin, 16896, fixed-<reserved>-0, 692c35fe0ac87cbd5c38efabff759def8ed9333e
[ 255]: l4t_flash_from_kernel: Successfully flash the external device
[ 255]: l4t_flash_from_kernel: Flashing success

Reboot target
Run command: sync; { sleep 1; reboot; } >/dev/null & on root@fe80::1%enp0s20f0u1
Success
Cleaning up...
cat initrdlog/flash_1-4_1_20220722-115932.log 
**********************************************
*                                            *
*  Step 1: Build the flashing environment    *
*                                            *
**********************************************
Create flash environment 1
~/nvidia/4.6.1/Linux_for_Tegra/bootloader ~/nvidia/4.6.1/Linux_for_Tegra
~/nvidia/4.6.1/Linux_for_Tegra
Finish creating flash environment 1.
****************************************************
*                                                  *
*  Step 2: Boot the device with flash initrd image *
*                                                  *
****************************************************
~/nvidia/4.6.1/Linux_for_Tegra/temp_initrdflash/bootloader1 ~/nvidia/4.6.1/Linux_for_Tegra
./tegraflash.py --bl nvtboot_recovery_cpu_t194_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev  --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot"  --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt  --bins "mb2_bootloader nvtboot_recovery_t194_sigheader.bin.encrypt; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt; bpmp_fw bpmp_t194_sigheader.bin.encrypt; bpmp_fw_dtb tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt; spe_fw spe_t194_sigheader.bin.encrypt; tlk tos-trusty_t194_sigheader.img.encrypt; eks eks_sigheader.img.encrypt; kernel ; kernel_dtb kernel_tegra194-p3668-all-p3509-0000.dtb; bootloader_dtb tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt"    --instance 1-4
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 

 Entering RCM boot

[   0.0000 ] rcm boot with presigned binaries
[   0.0000 ] Boot Rom communication
[   0.0024 ] tegrarcm_v2 --instance 1-4 --chip 0x19 0 --rcm rcm_1_encrypt.rcm --rcm rcm_2_encrypt.rcm
[   0.0032 ] BR_CID: 0x880219116404c0831800000009038240
[   0.0151 ] Boot Rom communication completed
[   1.0414 ] 
[   2.0469 ] tegrarcm_v2 --instance 1-4 --isapplet
[   2.0494 ] Applet version 01.00.0000
[   2.0757 ] 
[   2.0757 ] Sending BCTs
[   2.0778 ] tegrarcm_v2 --instance 1-4 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
[   2.0786 ] Applet version 01.00.0000
[   2.0997 ] Sending bct_bootrom
[   2.0998 ] [................................................] 100%
[   2.1009 ] Sending bct_mb1
[   2.1059 ] [................................................] 100%
[   2.1095 ] Sending bct_mem
[   2.1601 ] [................................................] 100%
[   2.2344 ] 
[   2.2345 ] Generating blob
Error: invalid format kernel
Cleaning up...

hello AkterHossain,

I would like to confirm the JetPack release version you’re using, is it JetPack-4.6.1/ l4t-r32.7.1?
please refer to Release Notes for the [Top Fixed Issues], and please check Issue-200707117 for workarounds.
in addition,
are you able moving to the latest release, l4t-r32.7.2 and testing massflash with disk encryption?

Hi @JerryChang,
Thank you for your reply.

Yes it is 4.6.1. But we are not considering to migrate to latest version at this moment. Any hotfix for massflashing in 4.6.1?

hello AkterHossain,

may I also know your host machine environments, for example, are you having ubuntu-18.04 or 20.04?

Hi @JerryChang,

It is ubuntu-18.04.

➜  ~ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic

Hi @JerryChang,
Regarding fix 200707117, we are facing problem with massflashing with ROOTFS_ENC=1. We can do single flash with disk encryption and even massflash but without disk encryption. The fix doesn’t look related to massflash. Am I right?

hello AkterHossain,

I’ve check both success and failure logs, it turns out the boot0.img parameter is missed in the command-line.
could you please add it to the command-line manually to check whether it works,
for example,
./tegraflash.py --bl nvtboot_recovery_cpu_t194_sigheader.bin.encrypt --bct br_bct_BR.bct --securedev --applet rcm_2_encrypt.rcm --applet_softfuse rcm_1_encrypt.rcm --cmd "rcmboot" --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1_sigheader.bct.encrypt --mem_bct mem_rcm_sigheader.bct.encrypt --mb1_cold_boot_bct mb1_cold_boot_bct_MB1_sigheader.bct.encrypt --mem_bct_cold_boot mem_coldboot_sigheader.bct.encrypt --bins "mb2_bootloader nvtboot_recovery_t194_sigheader.bin.encrypt; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt; bpmp_fw bpmp_t194_sigheader.bin.encrypt; bpmp_fw_dtb tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt; spe_fw spe_t194_sigheader.bin.encrypt; tlk tos-trusty_t194_sigheader.img.encrypt; eks eks_sigheader.img.encrypt; kernel boot0.img; kernel_dtb kernel_tegra194-p3668-all-p3509-0000.dtb; bootloader_dtb tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt" --instance 1-4

Hi @JerryChang,
Let’s keep it simple. We want to achieve two things

Build image once for same kind of device (xavier-nx-emmc)
Reuse image to massflash multiple devices concurrently (including disk/nvme encryption with generic passphrase)

Massflash is working as per documentation. But disk encryption seems like tightly coupled with device ECID (embed chip id). ECID is being used passphrase for cryptsetup/LUKS. You get more clarification from flash.sh, disk_encryption_helper.func and gen_luks_passphrase.py file.

For example, in disk_encryption_helper.func

	# Check gen_luks_passphrase.py
	local genpass_dir="${LDK_DIR}/tools/disk_encryption";
	local genpass_opt="";
	GEN_LUKS_PASS_CMD="${genpass_dir}/gen_luks_passphrase.py";
	if [ ! -f "${GEN_LUKS_PASS_CMD}" ]; then
		echo "ERROR ${GEN_LUKS_PASS_CMD} is not found.";
		exit 1;
	fi;
	if [ "${enc_rfs_keyfile}" != "" ]; then
		genpass_opt+="-k \"${enc_rfs_keyfile}\" ";
	fi;
	genpass_opt+="-u -e '${__ecid}' "
	genpass_opt+="-c '${__fsuuid}'";
	GEN_LUKS_PASS_CMD+=" ${genpass_opt}";

So we want to use generic (-g) passphrase instead of unique (-u). In ~/nvidia/4.6.1/trusty/app/nvidia-sample/luks-srv/CA_sample/tool/gen_luks_passphrase/example.sh there is an example like our requirement.

#!/bin/bash

# This is the default ekb key.
echo "00000000000000000000000000000000" > ekb.key

# Generate a unique passphrase.
python3 gen_luks_passphrase.py -k ekb.key \
			       -c "UUID of the disk" \
			       -u \
			       -e "0x880219116451e2c60c00000001ff0140"

# Generate a generic passphrase.
python3 gen_luks_passphrase.py -k ekb.key \
			       -c "UUID of the disk" \
			       -g

hello AkterHossain,

FYI,
basically, LUKS defines a mechanism to protect the master key (i.e. disk encryption key) in the LUKS header.
the mechanism is using the passphrase to generate a key and uses that key to encrypt the master key, then stores the key in the LUKS header.
during boot time, it’s TA in OP-TEE to generate passphrase to unlock the encrypted disk. and you’ll need to flash the same passphrase, which is used for creating the encrypted disk image. the passphrase is from the disk encryption key in the EKB.

hello AkterHossain,

please check the l4t configure which include the UDA partition, i.e. flash_l4t_t194_spi_emmc_p3668_enc_rfs.xml,
you may change the UDA partition size to 122880000 in the NX emmc rootfs enc partition configuration xml file.
and,
please also check the disk_encryption_helper.func file, it shows the cryptsetup default luks cryptfs types.
please check you have --type luks1 included to maintain backward compatibility,
for example,

        # Add the LUKS header
        eval ${GEN_LUKS_PASS_CMD} | ${CRYPTSETUP_BIN} \
                --type luks1 \
                -c aes-cbc-essiv:sha256 \
                -s 128 \
...