Orin Nano 8GB dev-board: issues flashing an encrypted rootfs with JetPack 5.1.2

I had success flashing both the dev-board and the prod-board with an encrypted SSD partition using JetPack 6.

Now we have troubles with RTC and GPIO on JetPack 6 and need to downgrade the system to JetPack 5.1.2. We can’t use 5.1.3 either, because it doesn’t have IMX477 camera support.

I failed when I simply tried to repeat the steps that led to success on JetPack 6:

[    7.281377] Mount initrd as rootfs and enter recovery mode
Finding OTA work dir on external storage devices
Checking whether device /dev/mmcblk?p1 exist
Device /dev/mmcblk?p1 does not exist
Checking whether device /dev/sd?1 exist
Device /dev/sd?1 does not exist
Checking whether device /dev/nvme?n1p1 exist
Looking for OTA work directory on the device(s): /dev/nvme0n1p1
mount /dev/nvme0n1p1 /mnt
[    7.303333] EXT4-fs (nvme0n1p1): mounted filesystem with ordered data mode. Opts: (null)
is_boot_only_partition /mnt
The mounted /dev/nvme0n1p1 is boot partition, try locating rootfs partition and mount it...
mount_rootfs_partition /dev/nvme0n1p1 /mnt
Found encrypted rootfs partition /dev/nvme0n1p2 through UUID(2d4e885a-38cb-41ce-b117-9eb84bcb76fe)
umount /mnt
unlock_encrypted_partition /dev/nvme0n1p2 dm_crypt_ota dm_crypt
is_luks_partition /dev/nvme0n1p2
[    7.364701] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
is_unlocked /dev/nvme0n1p2 unlocked_device_name
get_uuid_for_luks_partition /dev/nvme0n1p2 luks_uuid
[    7.372101] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
[    7.379682] random: ld-linux-aarch6: uninitialized urandom read (4 bytes read)
[    7.905114] mmc1: SDHCI controller on 3400000.sdhci [3400000.sdhci] using ADMA 64-bit
No key available with this passphrase.
Failed to unlock the LUKS partition /dev/nvme0n1p2(UUID=2d4e885a-38cb-41ce-b117-9eb84bcb76fe)
Failed to run "unlock_encrypted_partition /dev/nvme0n1p2 dm_crypt_ota dm_crypt"
Failed to run "moutn_rootfs_partition /dev/nvme0n1p1 /mnt"
Failed to run "mount_ota_work_partition /dev/nvme0n1p1 /mnt"
Finding OTA work dir on internal storage device
mount /dev/mmcblk0p1 /mnt
mount: /mnt: special device /dev/mmcblk0p1 does not exist.
Failed to mount /dev/mmcblk0p1 on the /mnt
Failed to run "mount_ota_work_partition /dev/mmcblk0p1 /mnt"
OTA work directory is not found on internal and external storage devices
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0# [ 1080.257916] random: crng init done

I recorded full UART logs and host logs while flashing JetPack 5.1.2 using my guide linked above.

minicom.log (162.3 KB)

Also, the device keeps doing something if I don’t touch it:
minicom_2.log (168.6 KB)

flash_5-1_0_20240707-162722.log (39.7 KB)

Successful SDK Manager flashing logs:
flash_5-1_0_20240707-155326.log (41.1 KB)

MY BOARD SPECIFICS

In fact, I got a fresh Jetson Orin Nano 8GB dev-board, then updated it to JetPack 6 with the SSD encrypted, then downgraded it back to 5.1.2, and now I’m working with it.

When I use SDK Manager, the Linux kernel flashes normally, but the other packages fail: sometimes all of them, sometimes about 20%. There is no pattern; any of them may or may not get installed.

Logs of my SDK Manager 5.1.2 flashing:
SDKM_logs_JetPack_5.1.2_Linux_for_Jetson_Orin_Nano_modules_2024-07-08_09-07-21.zip (585.6 KB)

UART logs:
minicom_sdkmanager_jp512.log (186.2 KB)

If I flash only Jetson Linux, there are no issues.


Host logs:
SDKM_logs_JetPack_5.1.2_Linux_for_Jetson_Orin_Nano_modules_2024-07-08_10-17-34.zip (511.0 KB)
UART logs:
minicom_skdmanager_02_short.log (187.4 KB)

Could anyone explain to me what --generic-passphrase means?

I’ve just tried the following, inspired by [Security][Disk Encryption] Creating Encrypted Images with a Generic Key:

Prepare keys

# [T234 example]
# Fill in your OEM_K1 fuse key value
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key

# Generate user-defined symmetric key files
# A randomly generated key is recommended for production; a specified key is recommended for testing
# For each key, there are reference examples for generating a random key and for specifying a key.
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key    # kernel/kernel-dtb encryption key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key   # disk encryption key
openssl rand -rand /dev/urandom -hex 16 > auth_t234.key   # UEFI variables authentication key

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img

Generate and copy sym2_t234.key and eks_t234.img:

cd gen_ekb
./example.sh

cp sym2_t234.key ../sym2_t234.key

rm ../bootloader/eks_t234.img
rm -f ../bootloader/eks_t234_sigheader.img.encrypt
cp eks_t234.img ../bootloader/eks_t234.img

cd ..

Tuned EXT_NUM_SECTORS=937703000 in tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml.

Prepared internal

sudo BOARDID=3767 BOARDSKU=0005 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal

Prepared external

sudo BOARDID=3767 BOARDSKU=0005 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --append --network usb0 --no-flash --showlogs --external-only --external-device nvme0n1p1 -S 64GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -i ./sym2_t234.key -p "--generic-passphrase" jetson-orin-nano-devkit external

Flashed

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Failure of a new type:

Waiting for target to boot-up...
Waiting for target to boot-up...
Waiting for device to expose ssh ......RTNETLINK answers: File exists
RTNETLINK answers: File exists
Waiting for device to expose ssh ...Run command: flash on fc00:1:1:0::2
SSH ready
blockdev: cannot open /dev/mmcblk0boot0: No such file or directory
[ 0]: l4t_flash_from_kernel: Starting to create gpt for emmc
Active index file is /mnt/internal/flash.idx
Number of lines is 58
max_index=57
[ 1]: l4t_flash_from_kernel: Successfully create gpt for emmc
[ 1]: l4t_flash_from_kernel: Starting to create gpt for external device
Active index file is /mnt/external/flash.idx
Number of lines is 76
max_index=75
writing item=59, 6:0:primary_gpt, 512, 19968, gpt_primary_6_0.bin, 16896, fixed-<reserved>-0, 27fd0d0bebfc926e28e20774b22e1375a9a9303c
Error: Could not stat device /dev/mmcblk0 - No such file or directory.
Flash failure
Cleaning up...

Host logs:
flash_5-1_0_20240708-105825.log (7.0 KB)

UART logs:
uart_01_preparation.log (105.7 KB)
uart_02_flashing.log (79 KB)

Suspicious part of the flashing logs:

NOTICE:  BL31: v2.6(release):346877e39
NOTICE:  BL31: Built : 12:32:40, Aug  1 2023
I/TC: Physical secure memory base 0x27c040000 size 0x3fc0000
I/TC: 
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.21 (gcc version 9.3.0 (Buildroot 2020.08)) #2 Tue Aug  1 19:39:55 UTC 2023 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: Test OEM keys are being used. This is insecure for shipping products!
E/TC:00 00 ekb_extraction_process:319 Tried all EKB_RKs but still can't extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff000f).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x000f2848 failed
I/TC: Primary CPU switching to normal world boot
Jetson UEFI firmware (version 4.1-33958178 built on 2023-08-01T19:34:02+00:00)
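The two failures quoted above recur in every capture attached to this thread: the initrd’s "No key available with this passphrase" in the first log, and OP-TEE’s "Tried all EKB_RKs" / "jetson_user_key_pta_init: Failed" in the second. The following is an added example, not code from the post or from NVIDIA’s tools: a POSIX shell function that greps a UART or host flash capture for exactly those strings and prints a one-line reading of each. The match strings are copied from the logs above; the readings are this example’s own interpretation, and the sample log is constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the original post or of NVIDIA's flashing tools.
# Greps a Jetson UART/host capture for the encrypted-rootfs failure signatures
# quoted in this thread and prints one reading per hit. The match strings are
# copied from the logs above; the readings are this example's own.

has() { grep -qF -- "$2" "$1"; }   # $1 = log file, $2 = fixed string to look for

# Print a diagnosis line for every known signature found in log file $1.
# Returns 0 if at least one signature matched, 1 if none did.
triage_uart_log() {
    log="$1"; hits=0
    if has "$log" "Tried all EKB_RKs but still can't extract the EKB image"; then
        echo "EKB_MISMATCH: OP-TEE cannot decrypt the EKB in the A_eks partition; in this thread the fix was regenerating eks_t234.img with gen_ekb.py and reflashing A_eks."
        hits=$((hits + 1))
    fi
    if has "$log" "jetson_user_key_pta_init: Failed"; then
        echo "KEY_PTA_FAILED: the user-key PTA did not initialise, so the disk-encryption key carried in the EKB is unavailable to the LUKS unlock step."
        hits=$((hits + 1))
    fi
    if has "$log" "No key available with this passphrase"; then
        echo "LUKS_UNLOCK_FAILED: cryptsetup rejected the passphrase; the LUKS header on the rootfs was not created with the key the device now derives."
        hits=$((hits + 1))
    fi
    if has "$log" "Test OEM keys are being used"; then
        echo "TEST_KEYS: OP-TEE is running with test OEM keys; expected on a dev-board, insecure for a shipping product."
        hits=$((hits + 1))
    fi
    if has "$log" "Could not stat device /dev/mmcblk0"; then
        echo "NO_EMMC: the flash index references /dev/mmcblk0 (eMMC), which an Orin Nano module does not have; check which internal layout the images in tools/kernel_flash/images/internal were generated with."
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# Constructed sample: a few lines lifted from the captures quoted in this thread.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
I/TC: Test OEM keys are being used. This is insecure for shipping products!
E/TC:00 00 ekb_extraction_process:319 Tried all EKB_RKs but still can't extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:898 jetson_user_key_pta_init: Failed (ffff000f).
No key available with this passphrase.
Failed to unlock the LUKS partition /dev/nvme0n1p2(UUID=2d4e885a-38cb-41ce-b117-9eb84bcb76fe)
EOF

triage_uart_log "$SAMPLE_LOG"
```

Run it against a real minicom capture with `triage_uart_log minicom.log`; the EKB_MISMATCH and LUKS_UNLOCK_FAILED lines appearing together is the pattern that points at the A_eks partition rather than at the disk image itself.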

hello isapient,

Just to double-confirm: are you going to create encrypted images with a generic key on JP-5.1.2?

I just want to generate the disk encryption key sym2_t234.key and flash the encrypted rootfs, but when I do it straightforwardly it fails, so I’m looking for any possibility to change something in the flashing procedure.

You’ll have to update the EKS image as well.
Please see also Topic 270934 for the steps.

Thank you @JerryChang for the advice, it helped.

  • I returned A_eks partition flashing to my routine
  • I also fixed up a messed-up version of gen_ekb

Now it’s working for me, both for the dev-board and the prod-module.
Tested on an Ubuntu 20.04 PC and an Ubuntu 18.04 virtual machine.

ENVIRONMENT SETUP

(1) Non-encrypted flashing

Install SDK Manager and flash the Jetson.

It creates: ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra

(2) Install crypto-packages

Please use exactly the same version of the public sources;
you can check Linux_for_Tegra/kernel/*.deb to find the version.

35.4.1 = JetPack 5.1.2

cd ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS
wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/sources/public_sources.tbz2
tar -xvf public_sources.tbz2
cd Linux_for_Tegra
tar xvf source/public/nvidia-jetson-optee-source.tbz2
cp -r optee/samples/hwkey-agent/host/tool/gen_ekb ./

Libraries

sudo apt-get update
sudo apt-get install cryptsetup dislocker libcryptsetup-dev libcryptsetup12 cryptmount qemu-user-static python3-pip python-pip
pip install cryptography pycrypto

PATCHING

(3) Generate crypto-stuff

Use the code as in gen_ekb/example.sh.
Generate sym2_t234.key and eks_t234.img and apply them:

cd gen_ekb

echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -in_device_id device_id.cert -out eks_t234.img

cp sym2_t234.key ../sym2_t234.key

rm ../bootloader/eks_t234.img
rm -f ../bootloader/eks_t234_sigheader.img.encrypt
cp eks_t234.img ../bootloader/eks_t234.img
cp sym2_t234.key ../bootloader/sym2_t234.key
cd ..

(4) Calculate the disk and partition

  • Run this command on the flashed Jetson:
    sudo blockdev --getsz /dev/nvme0n1

  • The output is the size of the SSD in sectors = 468862128 ≈ 223 GiB = 240 GB

  • As recommended, I use a smaller value: 468846000 sectors = 228928.71 MiB

  • All partitions excluding the encrypted one take a bit less than 1890 MiB in total

Let’s assign Encrypted Partition size = 227038 MiB = 238066597888 bytes

Later I set these via command-line parameters of tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml:

EXT_NUM_SECTORS=468846000
APP_ENC_SIZE=238066597888 (≈ 221 GiB)

Part of the XML file for your reference:

    <device type="external" instance="0" sector_size="512" num_sectors="EXT_NUM_SECTORS" >   
...
        <partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>  

Example for a WD Green SN350 NVMe SSD 480GB (447GiB)

  • Real sector count 937703088; use 937703000 sectors = 457862.79 MiB
  • Use partition size 457862.79 MiB - 1890 MiB = 455972.79 MiB = 478122124247 bytes

Values for the command line:

  • EXT_NUM_SECTORS=937703000
  • APP_ENC_SIZE=478122124247 (≈ 445 GiB)

FLASHING

(5) Recovery mode

Connect the Jetson by USB-C and UART cables and switch it to Forced Recovery mode.

(6) Preparation

sudo ./tools/l4t_create_default_user.sh -u user -p password -n host --accept-license

(7) Generate disk images

Image for internal: JetPack 5.1.2 specific commands

sudo BOARDID=3767 BOARDSKU=0005 ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" --showlogs --no-flash --network usb0 jetson-orin-nano-devkit internal
sudo cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt

Image for external: for a 240GB SSD (223GiB) and a partition with maximal size 221GiB

sudo ROOTFS_ENC=1 EXT_NUM_SECTORS=468846000 ./tools/kernel_flash/l4t_initrd_flash.sh -S 221GiB --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --showlogs --no-flash --network usb0 jetson-orin-nano-devkit external

(8) Physical Flashing

sudo systemctl stop udisks2.service

Sometimes you need to restart Recovery Mode here.

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

FINALIZE

(9) Double check

Log in to the Jetson using UART or Ethernet:
ssh user@192.168.55.1
sudo minicom -D /dev/ttyUSB0 -8 -b 115200 -o -C minicom.log
sudo minicom -D /dev/ttyACM0 -8 -b 115200 -o -C minicom.log

Log in to the Jetson using the UART console and run these commands on the flashed Jetson.

BIOS version

sudo dmesg | grep BIOS

Disk Partitions

sudo lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT
df -h

Example output for 480GB SSD

(10) Auto-resize partition

If the size is too small, like 64G, do this:

sudo resize2fs /dev/mapper/crypt_root
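As an added example (not the poster’s or NVIDIA’s code) covering steps (3), (4) and (7) of the guide above: a POSIX shell pre-flight that checks the key files for plain hex of the expected length, verifies that the EKB and sym2_t234.key copied into place are byte-identical to what gen_ekb produced (the kind of mismatch behind the earlier "Tried all EKB_RKs" failure), and derives APP_ENC_SIZE from EXT_NUM_SECTORS. Assumptions: the expected key lengths follow the openssl rand -hex sizes used above (32, 16, 32 and 16 bytes), not a documented gen_ekb.py requirement; the size helper rounds down to a whole MiB, which reproduces the 240 GB value above (238066597888) but gives a slightly smaller figure than the 480 GB value, which kept the fraction of a MiB. The sample tree is constructed with random keys and a dummy EKB so the script runs without a Jetson or gen_ekb.py.

```shell
#!/bin/sh
# Added example, not part of the original post or of NVIDIA's Linux_for_Tegra
# tooling. Pre-flight checks for the encrypted-rootfs procedure above.
# Expected key sizes are an assumption taken from the openssl rand -hex
# commands in the guide; paths under $L4T are the ones the guide itself uses.

# Accept a key file holding exactly $2 bytes of hex (a trailing newline is allowed).
check_hex_key() {
    file="$1"; nbytes="$2"
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    hex="$(tr -d '\r\n' < "$file")"
    want=$((nbytes * 2))
    case "$hex" in
        *[!0-9a-fA-F]*) echo "NOT-HEX  $file"; return 1 ;;
    esac
    [ "${#hex}" -eq "$want" ] || { echo "BAD-LEN  $file (${#hex} hex chars, want $want)"; return 1; }
    echo "OK       $file ($nbytes bytes)"
}

# Byte-identical check: what sits in bootloader/ must be what gen_ekb produced.
same_file() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# APP_ENC_SIZE in bytes from EXT_NUM_SECTORS ($1), reserving $2 MiB for the
# other partitions and rounding down to a whole MiB (as the 240 GB example does).
app_enc_size() {
    sectors="$1"; reserved_mib="$2"
    total_mib=$(( sectors * 512 / 1048576 ))
    echo $(( (total_mib - reserved_mib) * 1048576 ))
}

# Run every check against a Linux_for_Tegra tree ($1); return 1 if anything failed.
preflight() {
    l4t="$1"; rc=0
    check_hex_key "$l4t/gen_ekb/oem_k1.key"    32 || rc=1
    check_hex_key "$l4t/gen_ekb/fv_ekb_t234"   16 || rc=1
    check_hex_key "$l4t/gen_ekb/sym_t234.key"  32 || rc=1
    check_hex_key "$l4t/gen_ekb/sym2_t234.key" 16 || rc=1
    if same_file "$l4t/gen_ekb/eks_t234.img" "$l4t/bootloader/eks_t234.img"; then
        echo "OK       bootloader/eks_t234.img matches gen_ekb output"
    else
        echo "MISMATCH bootloader/eks_t234.img differs from gen_ekb/eks_t234.img (stale EKB: A_eks would not unlock the disk)"; rc=1
    fi
    if same_file "$l4t/gen_ekb/sym2_t234.key" "$l4t/sym2_t234.key"; then
        echo "OK       sym2_t234.key passed to -i matches the key inside the EKB"
    else
        echo "MISMATCH sym2_t234.key passed to -i differs from gen_ekb/sym2_t234.key"; rc=1
    fi
    return $rc
}

# Constructed sample tree: random keys and a dummy EKB, no gen_ekb.py needed.
rand_hex() { od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'; }
L4T="$(mktemp -d)"
mkdir -p "$L4T/gen_ekb" "$L4T/bootloader"
rand_hex 32 > "$L4T/gen_ekb/oem_k1.key"
rand_hex 16 > "$L4T/gen_ekb/fv_ekb_t234"
rand_hex 32 > "$L4T/gen_ekb/sym_t234.key"
rand_hex 16 > "$L4T/gen_ekb/sym2_t234.key"
printf 'not a real EKB' > "$L4T/gen_ekb/eks_t234.img"
cp "$L4T/gen_ekb/eks_t234.img"  "$L4T/bootloader/eks_t234.img"
cp "$L4T/gen_ekb/sym2_t234.key" "$L4T/sym2_t234.key"

preflight "$L4T"
echo "APP_ENC_SIZE for EXT_NUM_SECTORS=468846000: $(app_enc_size 468846000 1890)"   # 238066597888
```

On a real tree, point `preflight` at `~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra` right before step (7); a MISMATCH on eks_t234.img means the `rm`/`cp` in step (3) was skipped or run against a different gen_ekb directory, which is exactly the state that produced the "Tried all EKB_RKs" error earlier in this thread.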