Orin nx disk encryption, the device cannot boot normally

I have some problems with orin nx encryption

I use the encrypted disk feature on orin nx 16 GB, using devkit, jetpack5.1.2

My encryption steps (no fuse burned, only tested the default key)
If I don’t encrypt the burning, the machine can boot normally, but after encrypting and burning, it will get stuck and cannot complete the boot.

  1. generate eks Image
    cd Linux_for_Tegra/sources/tegra/optee-src/nv-optee/optee/samples/secure_storage_so/host/tool/gen_ekb
    ./example.sh
    this will generate eks.img
    my script is default
#!/bin/bash

# [T194 example]
# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t194

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym_t194.key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t194.key
echo "00000000000000000000000000000000" > sym_t194.key
echo "00000000000000000000000000000000" > sym2_t194.key

python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
        -fv fv_ekb_t194 \
        -in_sym_key sym_t194.key \
        -in_sym_key2 sym2_t194.key \
        -out eks_t194.img

# [T234 example]
# Fill your OEM_K1 fuse key value
echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key

# This is the fixed vector for deriving EKB root key from fuse.
# It is expected user to replace the FV below with a user specific
# FV, and code the exact same user specific FV into OP-TEE.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 32 > sym_t234.key    # kernel/kernel-dtb encryption key
# openssl rand -rand /dev/urandom -hex 16 > sym2_t234.key   # disk encryption key
echo "0000000000000000000000000000000000000000000000000000000000000000" > sym_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
echo "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" > device_id.cert    # Not used

python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -fv fv_ekb_t234 \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_device_id device_id.cert \
        -out eks_t234.img

then copy this to bootloader

  1. generate tos image
    Here is generated by default
    Copy the file to bootloader
    Copy the relevant files to rootfs
    Like this:
sudo cp t234/bin/xtest /usr/bin/xtest
sudo cp t234/lib/optee_armtz/* /lib/optee_armtz/
sudo cp -r t234/usr/* /usr/
  1. 开始烧录
cd Linux_for_Tegra/tools/pkc/
echo "f0e0d0c0b0a001020304050607080900" > disk_enc.key


cd Linux_for_Tegra

#put board to recover
# Generate images for QSPI  step1
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
--showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
--no-flash --network usb0 jetson-orin-nano-devkit internal

# Generate images for external storage device  step2
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
--showlogs --no-flash --external-device nvme0n1p1 -i ./tools/pkc/disk_enc.key \
-c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
--external-only --append --network usb0 jetson-orin-nano-devkit external

# Flash images into the both storage devices step 3
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
--showlogs --network usb0 --flash-only

Some logs
flash log

step1.log (191.1 KB)
step2.log (146.3 KB)
step3.log (40.0 KB)

boot log
boot.log (96.4 KB)

It seems like it’s stuck at the last step before booting, and I can’t figure out what’s causing this.

Am I missing some step that is preventing the system from decrypting?

This is my normal flash unencrypted log:

normalboot.log (92.3 KB)
normalflash.log (294.6 KB)

ues this command:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -p "-c ./bootloader/t186ref/cfg/flash_t234_qspi.xml" -c ./tools/kernel_flash/flash_l4t_t234_nvme.xml --showlogs --network usb0 jetson-orin-nano-devkit nvme0n1p1

Hi 1031150349,

Have you put device in force recovery state in Step 1 to Step 3?

What are these for?
Are they running on the host?

[   13.945268] ext4 filesystem being mounted at /boot supports timestamps until 2038 (0x7fffffff)

I’m not sure if the issue is caused from this since I don’t see them before.

  1. yes ,i put device in force recovery state in Step 1 to Step 3. I referred to the operation here.Jetson Orin Nano DevKit Disk Encryption Could not stat device /dev/mmcblk0 - No such file or directory - #3 by KevinFFF
  2. command like this(sudo cp t234/bin/xtest /usr/bin/xtest) is tee’s operation(use luks-srv to unlock disk), i used the function.you can read this for details:tegra/optee-src/nv-optee/optee/atf_and_optee_README.txt
  3. I tried to encrypt only the UDA partition and the system could run. I also found this sentence in the log:
[   11.098435] bluetooth hci0: Direct firmware load for rtl_bt/rtl8822cu_fw.bin failed with error -2
[   11.098439] bluetooth hci0: Falling back to sysfs fallback for: rtl_bt/rtl8822cu_fw.bin
[   11.861812] ext4 filesystem being mounted at /boot supports timestamps until 2038 (0x7fffffff)
[   13.472402] Bluetooth: hci0: RTL: firmware file rtl_bt/rtl8822cu_fw.bin not found
[   13.786353] ext4 filesystem being mounted at /mnt/crypt_UDA supports timestamps until 2038 (0x7fffffff)
[   14.970904] using random self ethernet address
[   14.970911] using random host ethernet address

Is there anything I need to pay attention to when encrypting the rootfs partition?

I don’t see them in my README file. Could you share me yours as file here?

Have you also verified with the latest Jetpack 5.1.3(R35.5.0)?

atf_and_optee_README.txt (5.7 KB)
2. i don’t have 5.1.3’s bsp package, can i try it at R36.3 ?.

Sorry that which steps do you mean in the README?

I can’t find above messages in your README file.

Yes, you can also enable disk-encryption with R36.3.0.

3. Copy all the files under ./optee/install/t<platform> to the target.

It is mentioned here that TA should be placed in the right place, otherwise CA may not be able to find TA and then fail to communicate.
I tested it in R36.3 and it booted normally without rt.
After changing to the default rootfs and without rt on 5.1.2, it also booted normally. Next, I will test whether it is caused by rt ​​or rootfs.

As my understanding, it is the last steps after you’ve updated the tos image.

Do you mean that R36.3.0 works as expected?

According to my test, after the disk is encrypted, the boot will be abnormal after applying the rt patch on 5.1.2. Is this a known issue?

What does this mean? The patch is put after tos? This is done before kernel build.

yeah, my 6.0 not apply rt patch, it can boot normally.

Sorry I’m not sure if it is a known issue in JP5.1.2 but you could also verify with Jetpack 5.1.3, which is the latest release of JP5.x currently.

If you can work with Jetpack 6.0GA (R36.3), then you can just stay on that.
Or do you have any requirement to use Jetpack 5.x?

You can also refer to the following thread about the steps to enable disk-encryption for Orin NX with Jetpack 5.1.2, which has been verified from us.
Disk Encryption on Orin NX NVMe Not working - #22 by JerryChang

We are currently just verifying the encryption function, and may deploy this function on 6.0 later. There is no special requirement for 5.1.2.
Thanks for your guidance!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.