I have some problems with Orin NX encryption.
I use the encrypted disk feature on the Orin NX 16 GB, using the devkit, JetPack 5.1.2.
My encryption steps (no fuses burned, only tested with the default key):
If I flash without encryption, the machine boots normally, but after flashing with encryption it gets stuck and cannot complete the boot.
- Generate the EKS image:

```bash
cd Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/samples/secure_storage_so/host/tool/gen_ekb
./example.sh
```

This generates eks.img. My script is the default:

```bash
#!/bin/bash
# [T194 example]
# This is the default KEK2 root key for an unfused board
echo "00000000000000000000000000000000" > kek2.key
# This is the fixed vector for deriving the EKB root key from the fuse.
# The user is expected to replace the FV below with a user-specific
# FV, and code the exact same user-specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194
# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
echo "00000000000000000000000000000000" > sym2_t194.key
python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
    -fv fv_ekb_t194 \
    -in_sym_key sym_t194.key \
    -in_sym_key2 sym2_t194.key \
    -out eks_t194.img

# [T234 example]
# Fill in your OEM_K1 fuse key value
echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key
# This is the fixed vector for deriving the EKB root key from the fuse.
# The user is expected to replace the FV below with a user-specific
# FV, and code the exact same user-specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 32 > sym_t234.key  # kernel/kernel-dtb encryption key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key # disk encryption key
echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert # Not used
python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
    -fv fv_ekb_t234 \
    -in_sym_key sym_t234.key \
    -in_sym_key2 sym2_t234.key \
    -in_device_id device_id.cert \
    -out eks_t234.img
```

Then I copy this to bootloader.
- Generate the TOS image:

Here it is generated by default. I copy the file to bootloader and copy the relevant files to the rootfs, like this:

```bash
sudo cp t234/bin/xtest /usr/bin/xtest
sudo cp t234/lib/optee_armtz/* /lib/optee_armtz/
sudo cp -r t234/usr/* /usr/
```
- Start flashing:

```bash
cd Linux_for_Tegra/tools/pkc/
echo "f0e0d0c0b0a001020304050607080900" > disk_enc.key
cd Linux_for_Tegra
# put the board into recovery mode
# Step 1: generate images for QSPI
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
    --no-flash --network usb0 jetson-orin-nano-devkit internal
# Step 2: generate images for the external storage device
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs --no-flash --external-device nvme0n1p1 -i ./tools/pkc/disk_enc.key \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    --external-only --append --network usb0 jetson-orin-nano-devkit external
# Step 3: flash the images into both storage devices
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs --network usb0 --flash-only
```
Some logs:

Flash log:
- step1.log (191.1 KB)
- step2.log (146.3 KB)
- step3.log (40.0 KB)

Boot log:
- boot.log (96.4 KB)
It seems like it’s stuck at the last step before booting, and I can’t figure out what’s causing this.
Am I missing some step that is preventing the system from decrypting?
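One thing worth checking before a flash with ROOTFS_ENC=1 is that the key files fed to gen_ekb.py are well-formed and that the disk key handed to `l4t_initrd_flash.sh -i` is the same value as sym2_t234.key, since example.sh labels sym2 as the disk encryption key. The POSIX shell check below is an added example, not code from the post or from NVIDIA's tooling; it assumes the file names used in the post and the key lengths implied by the commented openssl commands (hex 32 for sym_t234 and OEM_K1, hex 16 for the FV and sym2), and the sample key set it builds is constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the post or from NVIDIA's tooling.
# Sanity-check the key files fed to gen_ekb.py (T234 example) against the
# key passed to l4t_initrd_flash.sh -i. A disk key that differs from the
# EKB's sym2 key, or a key file of the wrong length, means the encrypted
# rootfs cannot be unlocked at boot, which shows up as a hang.

# Return 0 if file $1 holds exactly $2 hex characters (trailing newline allowed).
check_keyfile() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    hex=$(tr -d '\n\r' < "$f")
    case "$hex" in
        ""|*[!0-9a-fA-F]*) echo "not hex: $f"; return 1 ;;
    esac
    [ "${#hex}" -eq "$want" ] || { echo "$f: ${#hex} hex chars, expected $want"; return 1; }
    return 0
}

# Return 0 if the two key files hold the same key (case and whitespace ignored).
keys_match() {
    a=$(tr -d '\n\r' < "$1" | tr 'A-F' 'a-f')
    b=$(tr -d '\n\r' < "$2" | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

# Check the whole T234 key set. $1 = gen_ekb directory, $2 = disk_enc.key path.
# Lengths follow the openssl commands commented in example.sh (hex 32 / hex 16).
check_ekb_keys() {
    rc=0
    check_keyfile "$1/oem_k1.key"    64 || rc=1   # 32-byte OEM_K1 value
    check_keyfile "$1/fv_ekb_t234"   32 || rc=1   # 16-byte fixed vector
    check_keyfile "$1/sym_t234.key"  64 || rc=1   # 32-byte kernel/dtb key
    check_keyfile "$1/sym2_t234.key" 32 || rc=1   # 16-byte disk key
    check_keyfile "$2"               32 || rc=1   # key given to -i
    keys_match "$1/sym2_t234.key" "$2" || { echo "disk_enc.key != sym2_t234.key"; rc=1; }
    return "$rc"
}

# Constructed sample key set using the values shown in the post (demo input only).
make_sample_keys() {
    d=$1; mkdir -p "$d"
    echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > "$d/oem_k1.key"
    echo "bad66eb4484983684b992fe54a648bb8" > "$d/fv_ekb_t234"
    echo "0000000000000000000000000000000000000000000000000000000000000000" > "$d/sym_t234.key"
    echo "f0e0d0c0b0a001020304050607080900" > "$d/sym2_t234.key"
    echo "f0e0d0c0b0a001020304050607080900" > "$d/disk_enc.key"
}
```

Run `check_ekb_keys <gen_ekb dir> tools/pkc/disk_enc.key` against the real directories; a non-zero exit and the printed reason point at the file to fix before regenerating eks_t234.img.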