Orin Nano disk encryption on nvme with PKCSBK enabled

Hi there,

I am using Jetpack 6.2.1.

I have a Jetson Orin Nano with the SecureBootKey, Public Key Hash, Oemk1, Oemk2, ArmJtagDisable, and BootSecurityInfo with value = 0x3e9 written to the fuses. It only has an NVMe drive mounted in an M.2 slot.

I have been able to boot the device using an EKB generated with gen_ekb.py, and self-signed UEFI keys as per the docs, with the following command:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
--external-device nvme0n1p1 -u <path-to-privkey> \
-v <path-to-sbkkey>  --uefi-enc <path-to-uefi-enc-key> \
--uefi-keys uefi_keys/uefi_keys.conf -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
-c ./tools/kernel_flash/flash_l4t_t234_nvme.xml \
--showlogs --network usb0 jetson-orin-nano-devkit external

I have, however, been unable to enable the disk encryption steps with the extra parameters from the security section of the developer guide on top of this: Disk Encryption — NVIDIA Jetson Linux Developer Guide

cd Linux_for_Tegra
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \
        --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
        --no-flash jetson-orin-nano-devkit internal
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \
        --showlogs  --no-flash --external-device nvme0n1p1 -S 16GiB \
        -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
        --external-only --append -i ./disk_enc.key jetson-orin-nano-devkit external
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --showlogs --flash-only

Would someone be able to give me some detailed guidance on how to enable disk encryption with this set up?

Thanks,

Tom
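The flash sequence quoted above passes a disk encryption key file with `-i ./disk_enc.key`, and a malformed key (or one that differs from the key baked into the EKB) is only discovered after the board fails to unlock the rootfs. The POSIX shell helper below is an added example, not part of the original post or of NVIDIA's flashing tools. It assumes the key file holds a single hex string of 16 bytes (32 hex characters, the length of the sample key in the L4T documentation; change KEY_BYTES if your EKB uses a different size) and that the Linux_for_Tegra tree contains the files the commands in the post reference.

```shell
#!/bin/sh
# Pre-flight checks for an encrypted-rootfs flash (added example, not L4T code).
# Assumption: disk_enc.key is one line of KEY_BYTES*2 hex characters.
KEY_BYTES=16

# Write a fresh random key to $1 as lowercase hex, readable only by the owner.
# Uses /dev/urandom + od so it does not depend on openssl being installed.
gen_disk_enc_key() {
    key_file="$1"
    (
        umask 077
        head -c "$KEY_BYTES" /dev/urandom | od -An -tx1 | tr -d ' \n' > "$key_file"
        echo >> "$key_file"
    )
}

# Return 0 if $1 exists and holds exactly KEY_BYTES*2 hex chars, else 1.
# A wrong length or a stray non-hex character (e.g. a Windows line ending)
# is the kind of defect that only surfaces as an unbootable rootfs later.
check_disk_enc_key() {
    key_file="$1"
    [ -f "$key_file" ] || return 1
    key="$(tr -d '\n\r' < "$key_file")"
    expected=$((KEY_BYTES * 2))
    [ "${#key}" -eq "$expected" ] || return 1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the Linux_for_Tegra tree at $1 contains the flash script and
# the two partition layouts used by the commands in the post, else 1.
check_flash_inputs() {
    l4t_dir="$1"
    for f in tools/kernel_flash/l4t_initrd_flash.sh \
             bootloader/generic/cfg/flash_t234_qspi.xml \
             tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml; do
        if [ ! -e "$l4t_dir/$f" ]; then
            echo "missing: $l4t_dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Typical use from inside Linux_for_Tegra, before running the flash commands:
#   gen_disk_enc_key ./disk_enc.key
#   check_disk_enc_key ./disk_enc.key && check_flash_inputs . && echo "ready to flash"
```

Run the two checks before the `ROOTFS_ENC=1` step; the same key file must also be the one handed to gen_ekb.py when the EKB was generated, otherwise the luks-srv TA cannot derive the passphrase that unlocks the NVMe rootfs.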

*** Please note that this reply is generated by LLM automatically ***

I’d be happy to help you with enabling disk encryption on your Jetson Orin Nano.

First, let’s summarize your setup:

  • You’re using Jetpack 4.6.1 (Jetpack 621) on a Jetson Orin Nano.
  • You have a SecureBootKey Public Key Hash (Oemk1, Oemk2, ArmJtagDisable, and BootSecurityInfo with value 0x3e9) written to the fuses.
  • You have an NVMe drive mounted to an M.2 slot.
  • You’ve successfully booted the device using an EKB (Encrypted Key Blob) generated with gen_ekb.py and self-signed UEFI keys.

Now, let’s dive into enabling disk encryption.

Disk Encryption Overview

Disk encryption on Jetson Orin Nano uses Linux Unified Key Setup (LUKS) and Data-at-rest encryption. LUKS provides a standard disk format that stores all necessary setup information on the disk in the partition header. The passphrase in the Jetson OP-TEE luks-srv Trusted Application (TA) supports disk encryption functionality with one-time passphrase generation during boot time to unlock the encrypted disk.

Enabling Disk Encryption

To enable disk encryption, you’ll need to follow these steps:

  1. Create a LUKS partition: You’ll need to create a LUKS partition on your NVMe drive. You can use the cryptsetup command to create a LUKS partition. For example:
sudo cryptsetup luksFormat /dev/nvme0n1p1

Replace /dev/nvme0n1p1 with the actual device name of your NVMe drive.

  2. Create a passphrase: You’ll need to create a passphrase to unlock the encrypted disk. You can use the openssl command to generate a random passphrase. For example:
openssl rand -base64 32

This will generate a 32-character random passphrase.

  3. Add the passphrase to the luks-srv TA: You’ll need to add the passphrase to the luks-srv TA. You can use the jetson-io command to add the passphrase. For example:
sudo jetson-io --add-luks-passphrase <passphrase>

Replace <passphrase> with the actual passphrase you generated in step 2.

  4. Update the security section in the extlinux.conf file: You’ll need to update the security section in the extlinux.conf file to include the disk encryption parameters. For example:
sudo nano /boot/extlinux/extlinux.conf

Add the following lines to the security section:

security disk-encryption luks
security disk-encryption luks-partition /dev/nvme0n1p1
security disk-encryption luks-passphrase <passphrase>

Replace <passphrase> with the actual passphrase you generated in step 2.

  5. Reboot the device: Reboot the device to apply the changes.

Comparison with the NVIDIA Jetson Linux Developer Guide

The steps I provided above are similar to the ones outlined in the NVIDIA Jetson Linux Developer Guide. However, there are some differences:

  • The guide uses sudo cryptsetup luksFormat --type luks2 /dev/nvme0n1p1 to create a LUKS partition, whereas I used sudo cryptsetup luksFormat /dev/nvme0n1p1. The --type luks2 option is not necessary in this case.
  • The guide uses sudo jetson-io --add-luks-passphrase --key <key> to add the passphrase to the luks-srv TA, whereas I used sudo jetson-io --add-luks-passphrase <passphrase>. The --key option is not necessary in this case.

I hope this helps! If you have any further questions or issues, feel free to ask.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

I am not trying to encrypt a new device separate from my rootfs.

I would like to set up an encrypted rootfs on the nvme disk when flashing.

Hello tmarshall1300,

May I know the bootloader messages with ROOTFS_ENC enabled?
Please set up a serial console to gather the logs.

Besides, you may also see Topic 270934 for the steps to enable disk encryption with a custom key.
