NVMe disk encryption and default encryption key

Hi.
I’m trying to flash an encrypted image to an NVMe and it’s not booting.
I’m using L4T 36.3 and an Orin AGX devkit.
I don’t want to fuse anything yet, I want to verify that encryption with default keys is working before fusing anything.

The steps I followed are below. I am using Workflow 10 from README_initrd_flash.txt.
However, I don’t understand what the default encryption key is.
I am using “00000000000000000000000000000000” from the gen_ekb sample, but booting is failing.

Is there another default encryption key I should use, or do I need to supply my own and recreate eks_t234.img myself?
Attachments: flashlog.txt (210.1 KB), bootlog.txt (40.1 KB)

#!/bin/bash
set -e
##### SETUP SYSTEM #####
# echo "Stopping Services"
# sudo systemctl stop udisks2
# sudo -s echo -1 > /sys/module/usbcore/parameters/autosuspend
# sudo ufw disable
echo "Installing packages"
sudo apt-get install dislocker cryptsetup libcryptsetup-dev libcryptsetup12 cryptmount overlayroot qemu-user-static pip python-is-python3
pip install cryptography
# pip install pycrypto   # unmaintained and clashes with pycryptodome (both install the Crypto package)
pip install pycryptodome
echo "Creating Directory"
sudo rm -rf ~/jetson_install || true
mkdir ~/jetson_install
cd ~/jetson_install
# echo "Downloading Packages"
# wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/jetson_linux_r35.4.1_aarch64.tbz2
# wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2
# wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/sources/public_sources.tbz2
echo "Unpacking Packages"
tar xvf ~/Downloads/Jetson_Linux_R36.3.0_aarch64.tbz2
sudo tar xvf ~/Downloads/Tegra_Linux_Sample-Root-Filesystem_R36.3.0_aarch64.tbz2 -C Linux_for_Tegra/rootfs/
tar xvf ~/Downloads/public_sources.tbz2
cd Linux_for_Tegra/source/
tar xvf nvidia-jetson-optee-source.tbz2
cd ../
echo "Running prerequisites script"
sudo tools/l4t_flash_prerequisites.sh
echo "Applying Binaries"
sudo ./apply_binaries.sh


### Create the key
## Copy this line from source/optee/samples/luks-srv/host/tool/gen_luks_passphrase/example.sh:
## But I'm not sure if this is the default key
echo "00000000000000000000000000000000" > ekb.key

# Flashing
# Flash a jetson agx orin with a 500gb NVME and the key we have above:
echo "Put Jetson Orin into recovery mode and plug it in"
read -p "Press key to continue"
# This uses workflow 10 from README_initrd_flash.txt
sudo EXT_NUM_SECTORS=964689920 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
    -c tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --showlogs --network usb0 -p "-i ekb.key" \
    --external-only -S 200GiB jetson-agx-orin-devkit external

It flashes successfully but when I boot I get this error:

[   13.710040] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   13.717269] Kernel panic - not syncing:

Bootlog and flashlog are attached.
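A pre-flight check for the kind of mismatch this thread is about, added here as an example (it is not from the thread or from NVIDIA's tooling). It assumes the disk-encryption key is a 16-byte value written as 32 hex characters, as in the all-zero key above, and that you still have the key file that was fed to gen_ekb.py when eks_t234.img was generated; the file names are placeholders.

```bash
#!/bin/bash
# Added example: verify that the key file handed to l4t_initrd_flash.sh via
# -p "-i ekb.key" is well-formed and is the same key that was used when
# eks_t234.img was built. If the two differ, the LUKS passphrase derived on
# the device will not match the one used at flash time and unlock fails.
# Assumption: 16-byte key written as 32 hex characters (as in the thread).
set -u

# check_key_file FILE [BYTES]: succeed if FILE holds exactly BYTES bytes of hex.
check_key_file() {
    local f=$1 bytes=${2:-16}
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    local key
    key=$(tr -d ' \n\r' < "$f")   # tolerate a trailing newline from echo
    if ! printf '%s' "$key" | grep -Eq "^[0-9a-fA-F]{$((bytes * 2))}$"; then
        echo "key in $f is not $bytes bytes of hex" >&2
        return 1
    fi
    return 0
}

# keys_match FILE_A FILE_B: succeed if both files hold the same key
# (whitespace and hex case ignored).
keys_match() {
    local a b
    a=$(tr -d ' \n\r' < "$1" | tr 'A-F' 'a-f')
    b=$(tr -d ' \n\r' < "$2" | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

# preflight FLASH_KEY EKB_KEY: run both checks before starting the flash.
# Placeholder names: ekb.key (passed to -p "-i") and the sym key file that
# gen_ekb.py consumed when eks_t234.img was generated.
preflight() {
    check_key_file "$1" && check_key_file "$2" || return 1
    if keys_match "$1" "$2"; then
        echo "ok: $1 matches the key used for eks_t234.img"
    else
        echo "MISMATCH: $1 differs from $2; regenerate eks_t234.img or fix the key" >&2
        return 1
    fi
}
```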

Hi,
If the device cannot be flashed/booted, please refer to this page to get the UART log from the device:
Jetson/General debug - eLinux.org
And get logs of the host PC and the Jetson device for reference. If you are using a custom board, you can compare the UART log of the developer kit and the custom board to get more information.
Also please check the FAQs:
Jetson AGX Orin FAQ
If possible, we would suggest following the quick start in the developer guide to re-flash the system:
Quick Start — NVIDIA Jetson Linux Developer Guide 1 documentation
And see if the issue still persists on a clean-flashed system.
Thanks!

The UART log is attached above.
I am using an Orin AGX devkit, not a custom board.
I can enter recovery mode and reflash the system successfully with an unencrypted image. I am asking specifically about encryption support.

hello c.blair,

you need to update the EKS image manually;
please see also Topic 270934 for reference.