Working solution for us, tested on an Ubuntu 20.04 host machine and on an Ubuntu 20.04 virtual machine under Windows.
ENVIRONMENT SETUP
(1) Non-encrypted flashing
Install SDK Manager and flash the Jetson.
It creates: ~/nvidia/nvidia_sdk/JetPack_6.0_Linux_JETSON_ORIN_NANO_TARGETS/Linux_for_Tegra
(2) Install crypto packages
Use exactly the same version of the public sources as the installed L4T release; 36.3 for me.
You can check the installed version in Linux_for_Tegra/kernel/*.deb
cd ~/nvidia/nvidia_sdk/JetPack_6.0_Linux_JETSON_ORIN_NANO_TARGETS
wget https://developer.nvidia.com/downloads/embedded/l4t/r36_release_v3.0/sources/public_sources.tbz2
tar -xvf public_sources.tbz2
cd Linux_for_Tegra
tar xvf source/nvidia-jetson-optee-source.tbz2
cp -r optee/samples/hwkey-agent/host/tool/gen_ekb ./
sudo apt-get update
sudo apt-get install cryptsetup dislocker libcryptsetup-dev libcryptsetup12 cryptmount qemu-user-static python3-pip
pip install cryptography pycrypto
# pycrypto is unmaintained; if it fails to build on a newer Python, pycryptodome provides the same Crypto module
PATCHING
(3) Generate key material
Uncomment the 4 key-generation lines in gen_ekb/example.sh so that it reads as below. The EKB is encrypted with a key derived from OEM_K1, so the all-zero OEM_K1 value only matches a device whose OEM_K1 fuse has not been burned, and it leaves the keys inside eks_t234.img (including the disk encryption key) protected by a publicly known value; use your real fuse value and random keys for anything beyond testing.
# [T234 example]
# Fill your OEM_K1 fuse key value
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key
# Generate user-defined symmetric key files
# A random generate key is recommended for production, and a specified key is recommended for testing
# For each key, there are reference examples for generating random key and specifying keys.
openssl rand -rand /dev/urandom -hex 32 > sym_t234.key # kernel/kernel-dtb encryption key
# echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key # disk encryption key
# echo "00000000000000000000000000000000" > sym2_t234.key
openssl rand -rand /dev/urandom -hex 16 > auth_t234.key # uefi variables authentication key
# echo "00000000000000000000000000000000" > auth_t234.key
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
-in_sym_key sym_t234.key \
-in_sym_key2 sym2_t234.key \
-in_auth_key auth_t234.key \
-out eks_t234.img
Run the script to generate sym2_t234.key and eks_t234.img, then put them where the flash tools expect them:
cd gen_ekb
./example.sh
cp sym2_t234.key ../sym2_t234.key
cp eks_t234.img ../bootloader/eks_t234.img
cd ..
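Before running gen_ekb.py it is worth checking the key files, since a wrong length or a leftover test value silently produces an EKB you do not want. The script below is an added example, not part of the post or of NVIDIA's gen_ekb tooling; it assumes the sizes used by example.sh above (32-byte OEM_K1 and sym_t234 keys, 16-byte sym2_t234 and auth_t234 keys, all stored as hex text) and the function names are mine.

```shell
# Added example (not from the post or from NVIDIA's tools): sanity-check the key files
# in the gen_ekb directory before building eks_t234.img.
# Assumed sizes follow example.sh: oem_k1 and sym_t234 are 32 bytes, sym2_t234 and
# auth_t234 are 16 bytes, each stored as one line of hex.

# check_hex_key FILE BYTES -> 0 if FILE holds exactly BYTES bytes encoded as hex
check_hex_key() {
    f=$1; n=$2
    hex=$(tr -d ' \n\r\t' < "$f")
    [ "${#hex}" -eq $(( n * 2 )) ] \
        || { echo "$f: expected $(( n * 2 )) hex chars, got ${#hex}" >&2; return 1; }
    case $hex in *[!0-9a-fA-F]*) echo "$f: not hex" >&2; return 1;; esac
    return 0
}

# is_zero_key FILE -> 0 if the file holds only zeros (the test values in example.sh)
is_zero_key() {
    hex=$(tr -d ' \n\r\t' < "$1")
    case $hex in *[!0]*) return 1;; esac
    return 0
}

# check_keyset DIR [allow_zero_oem] -> 0 if all four key files are well-formed and
# none is a test value; an all-zero OEM_K1 is accepted only with allow_zero_oem.
check_keyset() {
    d=$1; ok=0
    check_hex_key "$d/oem_k1.key" 32 || ok=1
    check_hex_key "$d/sym_t234.key" 32 || ok=1
    check_hex_key "$d/sym2_t234.key" 16 || ok=1
    check_hex_key "$d/auth_t234.key" 16 || ok=1
    if is_zero_key "$d/oem_k1.key" && [ "${2:-}" != allow_zero_oem ]; then
        echo "oem_k1.key is all zeros: the EKB will not be bound to a burned OEM_K1 fuse" >&2
        ok=1
    fi
    for k in sym_t234 sym2_t234 auth_t234; do
        is_zero_key "$d/$k.key" && { echo "$k.key is all zeros (test value)" >&2; ok=1; }
    done
    chmod 600 "$d"/*.key      # the disk encryption key lives here in clear text
    return $ok
}

# Usage from Linux_for_Tegra, before ./example.sh copies the results:
#   check_keyset gen_ekb                  # production: real OEM_K1, random keys
#   check_keyset gen_ekb allow_zero_oem   # unfused dev kit, as in this post
```

Keep the host copy of sym2_t234.key as tightly permissioned as the example does; it is the LUKS key for the whole root filesystem and it is also needed again for every re-flash.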
(4) Tune the disk and partition
- Run this command on the flashed Jetson:
sudo blockdev --getsz /dev/nvme0n1
The output is the size of the SSD in sectors (468862128 here). As recommended, I use a smaller value:
468846000 sectors = 228928.71 MiB. All partitions other than the encrypted one take a bit less than 1890 MiB in total.
- Let's assign the encrypted partition size = 227038 MiB = 238066597888 bytes
Edit tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml and replace EXT_NUM_SECTORS by 468846000 and APP_ENC_SIZE by 238066597888:
<device type="external" instance="0" sector_size="512" num_sectors="468846000" >
...
<partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> 238066597888 </size>
Example for WD Green SN350 NVMe SSD 480GB:
- Real sector count 937703088; use 937703000 sectors = 457862.79 MiB
- Partition size 457862.79 MiB - 1890 MiB = 455972.79 MiB = 478122124247 bytes
Values for config: EXT_NUM_SECTORS = 937703000, APP_ENC_SIZE = 478122124247
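The sizing arithmetic above, as an added example (not from the original post or from NVIDIA's flash tools): it computes APP_ENC_SIZE in exact bytes rather than through rounded MiB, checks that the pair fits the drive, and patches the XML. It assumes 512-byte sectors, the 1890 MiB reserve measured above, and that the stock XML still contains the literal placeholders EXT_NUM_SECTORS and APP_ENC_SIZE; the function and variable names are mine.

```shell
# Added example, not from the post or NVIDIA's tools: derive EXT_NUM_SECTORS/APP_ENC_SIZE
# for flash_l4t_t234_nvme_rootfs_enc.xml, verify they fit, and patch the file.
# Assumptions: 512-byte sectors; RESERVED_MIB (1890 MiB, the figure from the post) is
# enough for every non-encrypted partition; the XML still carries the two placeholders.
SECTOR_SIZE=512
RESERVED_MIB=1890

# app_enc_size NUM_SECTORS -> bytes left for APP_ENC after the reserved partitions
app_enc_size() {
    echo $(( $1 * SECTOR_SIZE - RESERVED_MIB * 1024 * 1024 ))
}

# check_layout REAL_SECTORS NUM_SECTORS APP_ENC_SIZE -> 0 if the layout fits the drive
check_layout() {
    real=$1; ns=$2; sz=$3
    [ "$ns" -le "$real" ] \
        || { echo "EXT_NUM_SECTORS $ns exceeds the drive ($real sectors)" >&2; return 1; }
    [ $(( sz + RESERVED_MIB * 1024 * 1024 )) -le $(( ns * SECTOR_SIZE )) ] \
        || { echo "APP_ENC_SIZE $sz plus ${RESERVED_MIB} MiB does not fit in $ns sectors" >&2; return 1; }
    return 0
}

# patch_layout XML NUM_SECTORS APP_ENC_SIZE: substitute the placeholders in place;
# refuses to run on a file that has already been patched (no placeholders left).
patch_layout() {
    xml=$1; ns=$2; sz=$3
    grep -q 'EXT_NUM_SECTORS' "$xml" && grep -q 'APP_ENC_SIZE' "$xml" \
        || { echo "$xml: placeholders EXT_NUM_SECTORS/APP_ENC_SIZE not found" >&2; return 1; }
    sed -i -e "s/EXT_NUM_SECTORS/$ns/g" -e "s/APP_ENC_SIZE/$sz/g" "$xml"
    ! grep -q -e 'EXT_NUM_SECTORS' -e 'APP_ENC_SIZE' "$xml"
}

# Usage with the 480 GB drive from the post (blockdev runs on the Jetson, the rest on the host):
#   REAL=937703088                      # sudo blockdev --getsz /dev/nvme0n1
#   NS=937703000; SZ=$(app_enc_size "$NS")   # SZ = 478122127360
#   check_layout "$REAL" "$NS" "$SZ" && \
#   patch_layout tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml "$NS" "$SZ"
```

Because the post rounds through MiB, its 478122124247 differs from the exact 478122127360 by a few KiB; either value fits, and check_layout will say so before you touch the XML.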
FLASHING
(5) Recovery mode
Connect the Jetson with USB-C and UART cables and switch it to Force Recovery mode.
[black] Cable GND → GND pin 7
[green] Cable RX → TXD pin 4
[white] Cable TX → RXD pin 3
sudo minicom -D /dev/ttyUSB0 -8 -b 115200
sudo reboot --force forced-recovery
Instead of using sudo reboot, you can short the RECOVERY MODE pins 9 and 10.
(6) Pre-config
sudo ./tools/l4t_create_default_user.sh -u user -p password -n hostname --accept-license -a
# -a enables autologin; choose a real password here, it is baked into the rootfs image
(7) Generate disk images
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
(8) Physical Flashing
sudo systemctl stop udisks2.service
# keeps the host from auto-mounting the partitions the target exposes over USB while flashing
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
FINALIZE
(9) Adjust filesystem
Log in to the Jetson over UART or Ethernet and grow the root filesystem to fill the APP_ENC partition:
sudo resize2fs /dev/mapper/crypt_root
(10) Double check
Log in to the Jetson over the UART console and run these commands on the flashed device:
sudo lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT
df -h
Example output for 480GB SSD

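To turn the visual check in step (10) into something a provisioning script can fail on, here is an added example (not from the post): it reads the raw output of lsblk and confirms that / really sits on a dm-crypt mapping with a LUKS container underneath. The sample output is constructed for the example; device names follow the post, the mountpoints are assumed.

```shell
# Added example, not from the post: verify from `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`
# (read on stdin) that the root filesystem is on a dm-crypt device backed by LUKS.
root_on_dmcrypt() {
    awk '
        $NF == "/"          { root_type = $2 }   # TYPE column of whatever is mounted at /
        $3 == "crypto_LUKS" { luks = 1 }         # a LUKS container exists somewhere
        END {
            if (root_type == "")      { print "no root mount found" > "/dev/stderr"; exit 1 }
            if (root_type != "crypt") { print "/ is on a " root_type " device, not dm-crypt" > "/dev/stderr"; exit 1 }
            if (!luks)                { print "no crypto_LUKS partition found" > "/dev/stderr"; exit 1 }
            exit 0
        }'
}

# Constructed samples of raw lsblk output (not captured from a real board):
# an encrypted-rootfs layout as produced by the flashing above, and a plain one.
SAMPLE_ENCRYPTED='nvme0n1 disk
nvme0n1p1 part ext4
nvme0n1p2 part crypto_LUKS
crypt_root crypt ext4 /'
SAMPLE_PLAIN='nvme0n1 disk
nvme0n1p1 part ext4 /'

# Usage on the Jetson:
#   lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT | root_on_dmcrypt && echo "root is encrypted"
```

On the board itself, sudo cryptsetup status crypt_root additionally reports the cipher and key size of the open mapping, which is the quickest way to confirm the key from sym2_t234.key is the one in use.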