Hello, I’m trying to flash my Orin NX with both Root A/B and Disk encryption enabled. I have used the following method:
- BSP packages (Jetson Linux 36.4.3)
$ tar xf ${L4T_RELEASE_PACKAGE}
$ sudo tar xpf ${SAMPLE_FS_PACKAGE} -C Linux_for_Tegra/rootfs/
$ cd Linux_for_Tegra/
$ sudo ./tools/l4t_flash_prerequisites.sh
$ sudo ./apply_binaries.sh
- Flashing process. Reference from here
# Generate images for QSPI
$ sudo ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 p3509-a02-p3767-0000 internal
# Generate ekb.key
echo "f0e0d0c0b0a001020304050607080900" > ekb.key
# Generate images for external storage device
$ sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml --external-only --append --network usb0 p3509-a02-p3767-0000 external
# Flash images into the both storage devices
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
Flashing logs show the SUCCESS of flashing the Orin NX device. However, the device never boots. Here are the flash log and boot log files for your better understanding of the issue:
FlashLog-AB-Disk_encryption.log (52.5 KB)
BootLog-AB-root-and-diskEncryption.log (36.6 KB)
Apart from the log files, “No key available with this passphrase” is showing on the screen.
Kindly help me with this issue. Am I missing any important part?
hello tanzelur,
here's the preparation: it's the cryptsetup utility that creates the encrypted rootfs for image flashing. please have it installed:
$ sudo apt-get install cryptsetup
please also check Tool for EKB Generation; you must re-generate the EKS image by adding your encryption key.
please see also Topic 270934 for disk encryption verification with a custom key.
Hi JerryChang,
Thanks for your response! I successfully enabled my device with both AB rootfs and disk encryption. I had to make a few adjustments, but the instructions from the topic you suggested were helpful and closely related to my issue. Thanks again!
Hi, could you point out what exact adjustments you made? I've encountered the same problem and the instructions above didn't help.
Hi alex,
I used example.sh from the optee source file to generate my keys and eks_t234.img.
OPTEE PATH: ~/Linux_for_Tegra/source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/
- Then, copy the sym2_t234.key to the BSP PATH/Linux_for_Tegra/
cp sym2_t234.key /mnt/JetsonLinux/Linux_for_Tegra/
- Remove the existing eks_t234.img from bootloader and replace it with the generated one.
~/BSP PATH/Linux_for_Tegra/bootloader$ rm eks_t234.img
~/Linux_for_Tegra/source/public/optee/samples/hwkey-agent/host/tool/gen_ekb$ cp eks_t234.img /BSP PATH/Linux_for_Tegra/bootloader/
- Sign the generated image with the encryption key.
cd ~/BSP PATH/Linux_for_Tegra/
sudo ./flash.sh --no-flash -k A_eks -i "sym2_t234.key" jetson-orin-nano-devkit-nvme internal
- Generate images for QSPI with AB ROOTFS enabled.
sudo ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 p3509-a02-p3767-0000 internal
- Replace the signed image in the directory below:
sudo cp ./bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt
- Generate images for external storage device:
sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml --external-only --append --network usb0 p3509-a02-p3767-0000 external
- Flash images into devices
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
Hope this will solve your issue. :)
Very strange. I've followed your commands step by step on Orin AGX (ROOTFS_AB=1 not included), and it still fails. Can you post the output of hexdump -C -n 4 -s 0x24 eks_t234.img? I'm suspecting some issues with cryptsetup (or the OPTEE package), as my output is
hexdump -C -n 4 -s 0x24 eks_t234.img
00000024 89 1c 3c 79 |..<y|
00000028
and it changes every time I use example.sh.
Hi Alex,
If you run example.sh it will overwrite the generated eks_t234 image every time, so the keys will update as well.
Check your commands for the Orin AGX adaptation. The commands I shared were for Jetson Orin NX.
Thanks :)
It's not about the type of Orin, but about creating the EKS image. I've tried the OPTEE package from Jetpack 35.4.1 and it has the "4 magical bytes" (EEKB)
00000024 45 45 4b 42 |EEKB|
00000028
As you can see, my last reply doesn't match this, so I asked you to execute this command to confirm that this is a problem of my machine, not the package.
hi,
I have not said to check your commands for viewing the image content.
Anyway, -n 4 will read only 4 bytes of the file, and I am getting the same values each time for my image.
:)
I think you didn't understand what I meant. I was referring to this topic: Jetson Orin Nano Custom Key Encryption - #8 by JerryChang
That's why I asked you to execute these commands. I've reinstalled the OPTEE package, so I need to know if it is still corrupted or not.
Hi JerryChang,
Can you confirm that EKS images still have the 4 bytes (EEKB) at the beginning?
Found Fusing OemK1 for Disk Encryption - #25 by chinmaypen, so I can confirm the same behaviour in hexdump. I've managed to flash Jetpack 35.4.1 but not 36.4.3. From UART I can see the problem that was solved much earlier: Disk Encryption on Orin NX NVMe Not working
NOTICE: BL31: v2.8(release):e12e3fa93
NOTICE: BL31: Built : 17:14:28, Jan 7 2025
I/TC:
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4.2 (gcc version 11.3.0 (Buildroot 2022.08)) #2 Wed Jan 8 01:24:03 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: Test OEM keys are being used. This is insecure for shipping products!
E/TC:00 00 ekb_extraction_process:404 Tried all EKB_RKs but still can't extract the EKB image.
E/TC:00 00 jetson_user_key_pta_init:1154 jetson_user_key_pta_init: Failed (ffff000f).
E/TC:00 00 call_initcalls:43 Initcall __text_start + 0x001ad380 failed
I/TC: fTPM ID is not enabled.
I/TC: ftpm-helper PTA: fTPM DT or EKB is not available. fTPM provisioning is not supported.
I/TC: Primary CPU switching to normal world boot
Jetson UEFI firmware (version 36.4.3-gcid-38968081 built on 2025-01-08T01:18:20+00:00)
The algorithm is the same, but the result is non-bootable devices, both Orin AGX and Orin NX.
hello alex.iakov1337,
the EKS image has a 0x34 offset in JP-6.x now to report EEKB; you should run hexdump -C -n 4 -s 0x34 eks_t234.img for the rel-36 public release.
this is a closed topic; it's suggested you file a new discussion thread, and you may link this topic-id as reference.
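Because the two hexdump offsets in this thread are easy to mix up, here is a small checker, added as an example and not part of NVIDIA's gen_ekb tooling or any poster's code, that tests an EKS image for the "EEKB" magic at both 0x24 (rel-35 / JetPack 5.x) and 0x34 (rel-36 / JetPack 6.x). It relies only on the magic and offsets stated above; the sample image it builds is constructed test data, not a real eks_t234.img, and the function names are its own.

```python
#!/usr/bin/env python3
"""Check which release layout a Jetson EKS image matches.

Added illustration; not NVIDIA's gen_ekb code. The only facts used are the
ones stated in the thread: the magic is the 4 bytes "EEKB", found at offset
0x24 in rel-35 images and at offset 0x34 in rel-36 images. The sample image
built by build_sample() is constructed, not a real eks_t234.img.
"""
import sys

EKB_MAGIC = b"EEKB"
# Offsets quoted in the thread, keyed by the release names used there.
MAGIC_OFFSETS = {"rel-35": 0x24, "rel-36": 0x34}


def hexdump_window(image: bytes, offset: int, length: int = 4) -> str:
    """Render one line in the style of `hexdump -C -n length -s offset`."""
    chunk = image[offset:offset + length]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hexpart}  |{asc}|"


def classify_eks(image: bytes) -> dict:
    """Report which release layout (if any) the image matches.

    layout      - "rel-35", "rel-36", or None if neither offset holds the magic
    found_at    - every offset where the magic occurs, so a magic at an
                  unexpected position is still visible
    window_0x24 - the 4 bytes the rel-35 hexdump command would print
    window_0x34 - the 4 bytes the rel-36 hexdump command would print
    """
    result = {
        "layout": None,
        "found_at": [],
        "window_0x24": image[0x24:0x28],
        "window_0x34": image[0x34:0x38],
    }
    for name, off in MAGIC_OFFSETS.items():
        if image[off:off + 4] == EKB_MAGIC:
            result["layout"] = name
            break
    start = 0
    while True:
        idx = image.find(EKB_MAGIC, start)
        if idx < 0:
            break
        result["found_at"].append(idx)
        start = idx + 1
    return result


def build_sample(layout: str, body_len: int = 64) -> bytes:
    """Constructed test image: zero header with the magic at the release's offset."""
    off = MAGIC_OFFSETS[layout]
    buf = bytearray(off + 4 + body_len)
    buf[off:off + 4] = EKB_MAGIC
    return bytes(buf)


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} eks_t234.img", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    info = classify_eks(image)
    for name, off in MAGIC_OFFSETS.items():
        print(f"{name} ({off:#x}): {hexdump_window(image, off)}")
    if info["layout"]:
        print(f"EEKB magic found at the {info['layout']} offset")
        return 0
    print("no EEKB magic at 0x24 or 0x34; other occurrences:",
          [hex(i) for i in info["found_at"]])
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_eks.py bootloader/eks_t234.img`: an exit status of 0 means the magic sits at one of the two known offsets, and the printed windows show what each release's hexdump command would have displayed, so a JetPack 5 image checked with the JetPack 6 offset (or vice versa) is recognised rather than mistaken for a corrupted file.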
My mistake was using
echo "2d4a614e645267556b58703273357638792f423f4428472b4b6250655368566d" > oem_k1.key
in example.sh; the right option is
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key