Orin Nano 8GB dev-board issues with flashing encrypted root_fs of Jetpack 5.1.2

Thank you @JerryChang for the advice, it helps.

  • I returned the A_eks partition flashing to my routine
  • Also, I fixed up the messed-up version of gen_ekb

Now it’s working for me, both for dev-board and prod-module.
Tested on an Ubuntu 20.04 PC and an Ubuntu 18.04 virtual machine.

ENVIRONMENT SETUP

(1) Non-encrypted flashing

Install SDK manager and flash Jetson.

It creates: ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra

(2) Install crypto-packages

Please use exactly the same version of the public sources.
You can check Linux_for_Tegra/kernel/*.deb to find the version.

35.4.1 = Jetpack 5.1.2

cd ~/nvidia/nvidia_sdk/JetPack_5.1.2_Linux_JETSON_ORIN_NANO_TARGETS
wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/sources/public_sources.tbz2
tar -xvf public_sources.tbz2
cd Linux_for_Tegra
tar xvf source/public/nvidia-jetson-optee-source.tbz2
cp -r optee/samples/hwkey-agent/host/tool/gen_ekb ./

Libraries

sudo apt-get update
sudo apt-get install cryptsetup dislocker libcryptsetup-dev libcryptsetup12 cryptmount qemu-user-static python3-pip python-pip
pip install cryptography pycrypto

PATCHING

(3) Generate crypto-stuff

Use the code as in gen_ekb/example.sh
Generate sym2_t234.key and eks_t234.img and apply

cd gen_ekb

echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key
echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -in_device_id device_id.cert -out eks_t234.img

cp sym2_t234.key ../sym2_t234.key

rm ../bootloader/eks_t234.img
rm -f ../bootloader/eks_t234_sigheader.img.encrypt
cp eks_t234.img ../bootloader/eks_t234.img
cp sym2_t234.key ../bootloader/sym2_t234.key
cd ..

(4) Calculate the disk and partition

  • Run this command on the flashed Jetson:
    sudo blockdev --getsz /dev/nvme0n1

  • The output is the size of the SSD in sectors = 468862128 ~ 223GiB = 240GB

  • As recommended, I use a smaller value: 468846000 sectors = 228928.71 MiB

  • All partitions excluding the encrypted one take a bit less than 1890 MiB in total

Let’s assign Encrypted Partition size = 227038 MiB = 238066597888 bytes

Later I set these up via command-line parameters from tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml:

EXT_NUM_SECTORS=468846000  
APP_ENC_SIZE=238066597888 ~ equals to 221GiB

Part of XML file for your reference

    <device type="external" instance="0" sector_size="512" num_sectors="EXT_NUM_SECTORS" >   
...
        <partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> APP_ENC_SIZE </size>  

Example for WD Green SN350 NVMe SSD 480GB (447GiB)

  • Real sectors count 937703088, use 937703000 sectors = 457862.79 MiB
  • Use partition size 457862.79 MiB - 1890 MiB = 478122124247 bytes

Values for command line:

  • EXT_NUM_SECTORS= 937703000
  • APP_ENC_SIZE= 478122124247 ~ equals to 445GiB

FLASHING

(5) Recovery mode

Connect the Jetson with USB-C and UART cables and switch it to Forced Recovery mode

(6) Preparation

sudo ./tools/l4t_create_default_user.sh -u user -p password -n host --accept-license

(7) Generate disk images

Image for internal: Jetpack 5.1.2 specific command

sudo BOARDID=3767 BOARDSKU=0005 ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-agx-orin-devkit mmcblk0p1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" --showlogs --no-flash --network usb0 jetson-orin-nano-devkit internal
sudo cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt

Image for external: for 240GB SSD (223GiB) and partition with maximal size 221GiB

sudo ROOTFS_ENC=1 EXT_NUM_SECTORS=468846000 ./tools/kernel_flash/l4t_initrd_flash.sh -S 221GiB --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --showlogs --no-flash --network usb0 jetson-orin-nano-devkit external

(8) Physical Flashing

sudo systemctl stop udisks2.service

Sometimes you need to restart Recovery Mode here

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

FINALIZE

(9) Double check

Log in to Jetson using UART or Ethernet
ssh user@192.168.55.1
sudo minicom -D /dev/ttyUSB0 -8 -b 115200 -o -C minicom.log
sudo minicom -D /dev/ttyACM0 -8 -b 115200 -o -C minicom.log

Log in to Jetson using UART console and run this command on the flashed Jetson

BIOS version

sudo dmesg | grep BIOS

Disk Partitions

sudo lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT
df -h

Example output for 480GB SSD

(10) Auto-resize partition

If the size is too small, like 64G, do this

sudo resize2fs /dev/mapper/crypt_root
1 Like
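
A pre-flight check for steps (3) and (4) of the procedure above, added here as an example; it is not part of the original post or of NVIDIA's tooling. The function names, the finding labels and the use of 1890 MiB as the default reserve are assumptions; the expected key lengths follow the `openssl rand` commands and the values shown in step (3), and APP_ENC_SIZE is rounded down to whole MiB, so the 480GB result is slightly below the post's figure.

```shell
#!/usr/bin/env bash
# Added example, not from the post: pre-flight checks for steps (3) and (4).
# oem_k1 value printed in the post above; a key equal to it is public, not secret.
PUBLISHED_OEM_K1="2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d"

# check_key FILE HEX_DIGITS -> prints one finding line, returns 0 only for "OK"
check_key() {
    local file=$1 want=$2 val
    [ -r "$file" ] || { echo "MISSING $file"; return 1; }
    val=$(tr -d ' \t\r\n' < "$file" | tr 'A-F' 'a-f')
    case $val in ''|*[!0-9a-f]*) echo "BAD_FORMAT $file"; return 1 ;; esac
    [ "${#val}" -eq "$want" ] || { echo "BAD_LENGTH $file"; return 1; }
    [ "$val" != "$PUBLISHED_OEM_K1" ] || { echo "PUBLISHED_VALUE $file"; return 1; }
    # Key files should not be readable by group or others.
    [ -z "$(find "$file" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "LOOSE_PERMS $file"; return 1; }
    echo "OK $file"
}

# audit_keys DIR -> checks the gen_ekb inputs, returns the number of bad files
audit_keys() {
    local dir=$1 bad=0
    check_key "$dir/oem_k1.key"    64 || bad=$((bad + 1))
    check_key "$dir/fv_ekb_t234"   32 || bad=$((bad + 1))
    check_key "$dir/sym_t234.key"  64 || bad=$((bad + 1))
    check_key "$dir/sym2_t234.key" 32 || bad=$((bad + 1))
    return "$bad"
}

# plan_sizes REAL_SECTORS EXT_NUM_SECTORS [RESERVED_MIB]
# REAL_SECTORS is the blockdev --getsz output (512-byte sectors).
plan_sizes() {
    local real=$1 ext=$2 reserved=${3:-1890} enc_mib n
    for n in "$real" "$ext" "$reserved"; do
        case $n in ''|*[!0-9]*) echo "numeric arguments required" >&2; return 2 ;; esac
    done
    [ "$ext" -le "$real" ] || { echo "EXT_NUM_SECTORS exceeds the disk" >&2; return 1; }
    enc_mib=$(( ext * 512 / 1048576 - reserved ))   # whole MiB, rounded down
    [ "$enc_mib" -gt 0 ] || { echo "disk too small" >&2; return 1; }
    echo "EXT_NUM_SECTORS=$ext APP_ENC_SIZE=$(( enc_mib * 1048576 )) S=$(( enc_mib / 1024 ))GiB"
}

# Demo on constructed inputs: a temp key directory and the 240GB SSD from step (4).
demo=$(mktemp -d)
printf '%s\n' "$PUBLISHED_OEM_K1" > "$demo/oem_k1.key"
printf '%s\n' "00112233445566778899aabbccddeeff" > "$demo/sym2_t234.key"
chmod 600 "$demo"/*.key
audit_keys "$demo" || echo "files with findings: $?"
plan_sizes 468862128 468846000
rm -rf "$demo"
```

Run `audit_keys` against the gen_ekb directory before calling gen_ekb.py, and feed `plan_sizes` the `blockdev --getsz` output together with the sector count you intend to pass as EXT_NUM_SECTORS.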