[QUESTION] Jetson AGX Orin Disk Encryption: System Fails to Boot with "Unable to mount root filesystem" Error

Problem Description

I’m attempting to enable disk encryption on a Jetson AGX Orin device using NVIDIA’s official documentation, but after successfully flashing the encrypted root filesystem, the system fails to boot and shows the error: “Unable to mount root filesystem”.

Environment Details:

  • Hardware: NVIDIA Jetson AGX Orin Developer Kit

  • Software Versions:

    • tegra_linux_sample-root-filesystem_r36.4.0_aarch64.tbz2

    • jetson_linux_r36.4.0_aarch64.tbz2

  • Security Configuration: Enabled Secure Boot and disk encryption

Steps Followed (As Per NVIDIA Documentation)

Step 1: Configure Fuses

I created a fuse configuration XML file with the following settings:

<genericfuse MagicId="0x45535546" version="2.0.0">
  <fuse name="PublicKeyHash" size="64" value="0x[REDACTED-64-BYTE-HASH]"/>
  <fuse name="SecurityMode" size="4" value="0x0"/>
  <!-- SBK randomly generated -->
  <fuse name="SecureBootKey" size="32" value="0x[REDACTED-32-BYTE-KEY]"/>
  <fuse name="OemK1" size="32" value="0x[REDACTED-32-BYTE-KEY]"/>
</genericfuse>

Step 2: Verify Current State

Before flashing, I checked the device status:

sudo ./flash.sh --read-info jetson-agx-orin-devkit internal

Output showed:

Board ID(3701) version(501) sku(0005) revision(G.0) Preset RAMCODE is 3 Chip SKU(00:00:00:D0) ramcode(3) fuselevel(fuselevel_production) board_FAB(501) ECID is 0x80012344705E005E140000000DFE0200
PublicKeyHash: a9650f99848475ce8017d914443396c74aed273f8d3398ab181225791266939abcff9036a79cc45044e8766734871b726552d2e511af391eb0006ea158634b10
BootSecurityInfo: 000001e0
SecurityMode: 00000000
...

Step 3: Create EKS (Encrypted Key Store) Image

As per documentation, I generated the EKS image:

cd Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb/
./example.sh

Then copied the EKS image to the bootloader directory.

Step 4: Flash Encrypted RootFS

I followed NVIDIA’s disk encryption guide and executed:

sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" jetson-agx-orin-devkit internal

The flashing process completed successfully with no errors reported.

The Problem

After the flashing process completed successfully, I rebooted the system. During boot, I encountered the following error:

Error Message:

The system hangs at this point and cannot proceed to the login prompt.

What I’ve Tried (Without Success)

  1. Re-flashing without encryption: When I flash without disk encryption, the system boots normally.

  2. Verifying the encryption key: I confirmed the disk_enc.key file exists and contains the correct key used during flashing.

  3. Checking bootloader configuration: The bootloader seems to recognize the encrypted partition but fails to decrypt it.

  4. Reviewing kernel logs: The error suggests the kernel cannot find or mount the root filesystem.

Additional Information

  • The encryption key was generated using proper cryptographic methods

  • I’m following NVIDIA’s official documentation: Disk Encryption Guide

Request for Help

I would greatly appreciate any insights, debugging steps, or solutions from the community. This appears to be a critical issue preventing the deployment of secure, encrypted systems on Jetson Orin platforms.

Thank you for your time and assistance!

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, I’ll attempt to help you troubleshoot the issue with disk encryption on your Jetson AGX Orin device.

Problem Analysis

The error message “Unable to mount root filesystem” suggests that the kernel is unable to access the encrypted root filesystem. This could be due to various reasons, including:

  1. Incorrect fuse configuration
  2. Invalid or missing encryption key
  3. Bootloader or kernel issues

Comparison with Similar Issues

Looking at the provided context, I noticed that there are similar issues reported by other users, such as:

  • “Xavier doesn’t boot after Secure Boot flash (JetPack 5.1.2 / L4T R35.4.1)” - This issue is related to Secure Boot, which is also involved in your problem.
  • “Can’t Image-Based OTA update after I patch my tos-img in bootloader” - This issue is related to OTA updates, which might not be directly related to your problem, but it shows that there are issues with the bootloader and firmware updates.

Troubleshooting Steps

To help you debug the issue, I recommend the following steps:

  1. Verify fuse configuration: Double-check that your fuse configuration XML file is correct and that the encrypted attribute is set to true in the APP_ENC section.
  2. Check encryption key: Ensure that the encryption key is correct and that it matches the key used during flashing. You can try regenerating the key and updating the disk_enc.key file.
  3. Bootloader and kernel logs: Check the bootloader and kernel logs for any error messages that might indicate the cause of the problem. You can do this by connecting to the device’s serial console or by checking the system logs.
  4. Secure Boot configuration: Verify that Secure Boot is configured correctly and that the device is set to boot in UEFI mode.
  5. Try a different encryption method: If possible, try using a different encryption method, such as AES-XTS, to see if the issue persists.

Additional Information

To help you further, I would like to know more about your setup and configuration. Please provide the following information:

  • The exact version of the JetPack and L4T you are using
  • The output of the flash.sh command during flashing
  • The contents of the flash_t234_qspi_sdmmc_enc_rfs.xml file
  • Any other relevant configuration files or logs that might help diagnose the issue

By following these troubleshooting steps and providing additional information, we can work together to resolve the issue and get your Jetson AGX Orin device booting with disk encryption enabled.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

  • The exact version of the JetPack and L4T you are using

    • tegra_linux_sample-root-filesystem_r36.4.0_aarch64.tbz2

    • jetson_linux_r36.4.0_aarch64.tbz2

  • The output of the flash.sh command during flashing

sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" jetson-agx-orin-devkit internal
  • The contents of the flash_t234_qspi_sdmmc_enc_rfs.xml file
<partition name="APP" id="1" type="data">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> 419430400 </size>
    <file_system_attribute> 0 </file_system_attribute>
    <allocation_attribute> 0x8 </allocation_attribute>
    <percent_reserved> 0 </percent_reserved>
    <align_boundary> 16384 </align_boundary>
    <unique_guid> APPUUID </unique_guid>
    <filename> system_boot.img </filename>
    <description> **Required.** Contains the boot partition. This partition must be defined
            after `primary_GPT` so that it can be accessed as the fixed known special device
            `/dev/mmcblk0p1`. </description>
</partition>
<partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
    <allocation_policy> sequential </allocation_policy>
    <filesystem_type> basic </filesystem_type>
    <size> APP_ENC_SIZE </size>
    <file_system_attribute> 0 </file_system_attribute>
    <allocation_attribute> 0x8 </allocation_attribute>
    <percent_reserved> 0 </percent_reserved>
    <align_boundary> 16384 </align_boundary>
    <unique_guid> APP_ENC_UUID </unique_guid>
    <filename> system_root_encrypted.img </filename>
    <description> **Required.** Contains the encrypted root partition("/"). </description>
</partition>

hello zc.bj,

let's try to resolve your fuse burning issue.

please refer to the Jetson Orin Fuse Specification for the fuse name, i.e. FUSE_BOOT_SECURITY_INFO_0.
it's BootSecurityInfo's bits [3:0] that indicate the target's secure boot authentication scheme.
please refer to the Jetson Orin Series Modules Fuse Update Field Services Bulletin for the details of FUSE_BOOT_SECURITY_INFO_0 changing to 0x1e0. you must bitwise OR your desired value with 0x1E0 in the fuse programming flow.

BTW,
you may refer to Topic 359163; let's try to burn BootSecurityInfo correctly.
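A pre-flight checker, added here as an example and not part of the thread or of NVIDIA's tooling, that ties together the two checks discussed above: it parses the `flash.sh --read-info` output quoted in the question and applies the rule from the reply above (the value burned into BootSecurityInfo must be the desired bits [3:0] OR'd with 0x1E0), and it parses the partition-layout entries the OP posted to confirm that APP_ENC is marked `encrypted="true"` and points at `system_root_encrypted.img`. The `<partition_layout>` wrapper element, the `BootSecurityInfo` fuse-element name in the generated XML line, and the authentication-scheme value passed in are assumptions; the mapping of bits [3:0] values to schemes is in the Jetson Orin Fuse Specification and is not reproduced here.

```python
"""Pre-flight checks for an encrypted-rootfs flash on Jetson AGX Orin.

Added example for this thread, not NVIDIA code. It (1) reads `flash.sh
--read-info` output and checks BootSecurityInfo against the rule
"value to burn = desired bits[3:0] | 0x1E0", and (2) parses the
partition-layout XML and checks the APP_ENC entry. The scheme value is a
parameter (assumption); its meaning is defined in the Fuse Specification.
"""
import re
import xml.etree.ElementTree as ET

BOOT_SECURITY_INFO_BASE = 0x1E0  # bits the field-service bulletin says must be set
AUTH_SCHEME_MASK = 0xF           # bits [3:0]: secure boot authentication scheme

# Constructed sample: the --read-info lines quoted in the question.
READ_INFO_SAMPLE = """\
Board ID(3701) version(501) sku(0005) revision(G.0) Preset RAMCODE is 3
PublicKeyHash: a9650f99848475ce8017d914443396c74aed273f8d3398ab181225791266939abcff9036a79cc45044e8766734871b726552d2e511af391eb0006ea158634b10
BootSecurityInfo: 000001e0
SecurityMode: 00000000
"""

# Constructed sample: the two partition entries the OP posted, trimmed and
# wrapped in a root element (assumed name) so the fragment parses on its own.
LAYOUT_SAMPLE = """\
<partition_layout>
  <partition name="APP" id="1" type="data">
    <filesystem_type> basic </filesystem_type>
    <filename> system_boot.img </filename>
  </partition>
  <partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
    <filesystem_type> basic </filesystem_type>
    <size> APP_ENC_SIZE </size>
    <filename> system_root_encrypted.img </filename>
  </partition>
</partition_layout>
"""

FUSE_LINE = re.compile(r"^\s*(\w+):\s*([0-9a-fA-F]+)\s*$")


def parse_read_info(text):
    """Map the 'Name: hexvalue' lines of --read-info output to integers."""
    fuses = {}
    for line in text.splitlines():
        m = FUSE_LINE.match(line)
        if m:
            fuses[m.group(1)] = int(m.group(2), 16)
    return fuses


def auth_scheme(boot_security_info):
    """Bits [3:0] of BootSecurityInfo: the burned authentication scheme."""
    return boot_security_info & AUTH_SCHEME_MASK


def boot_security_info_value(desired_scheme):
    """Value to program: the desired scheme bits OR'd with the mandatory 0x1E0."""
    if desired_scheme & ~AUTH_SCHEME_MASK:
        raise ValueError("authentication scheme must fit in bits [3:0]")
    return desired_scheme | BOOT_SECURITY_INFO_BASE


def boot_security_info_fuse_xml(desired_scheme):
    """Fuse element in the style of the OP's genericfuse file (element name assumed)."""
    return '<fuse name="BootSecurityInfo" size="4" value="0x%x"/>' % (
        boot_security_info_value(desired_scheme))


def diagnose_boot_security_info(read_info_text):
    """Return findings about BootSecurityInfo in --read-info output (empty = OK)."""
    fuses = parse_read_info(read_info_text)
    bsi = fuses.get("BootSecurityInfo")
    if bsi is None:
        return ["BootSecurityInfo not found in --read-info output"]
    findings = []
    if bsi & BOOT_SECURITY_INFO_BASE != BOOT_SECURITY_INFO_BASE:
        findings.append("bits 0x1E0 are not all set in BootSecurityInfo (0x%x)" % bsi)
    if auth_scheme(bsi) == 0:
        findings.append("bits [3:0] of BootSecurityInfo are 0: no authentication scheme burned")
    return findings


def check_encrypted_rootfs_layout(xml_text):
    """Return problems found in the APP/APP_ENC entries of a partition layout."""
    root = ET.fromstring(xml_text)
    parts = {p.get("name"): p for p in root.iter("partition")}
    problems = []
    enc = parts.get("APP_ENC")
    if enc is None:
        return ["no APP_ENC partition in layout"]
    if enc.get("encrypted") != "true":
        problems.append('APP_ENC lacks encrypted="true"')
    if (enc.findtext("filename") or "").strip() != "system_root_encrypted.img":
        problems.append("APP_ENC filename is not system_root_encrypted.img")
    if "APP" not in parts:
        problems.append("no APP (boot) partition in layout")
    return problems


if __name__ == "__main__":
    for f in diagnose_boot_security_info(READ_INFO_SAMPLE):
        print("read-info:", f)
    print("layout problems:", check_encrypted_rootfs_layout(LAYOUT_SAMPLE))
    print("example fuse line:", boot_security_info_fuse_xml(0x2))  # 0x2 is a placeholder scheme value
```

Run against the question's own read-info output, the checker reports that bits [3:0] of BootSecurityInfo are zero while the 0x1E0 bits are already set, which is exactly the condition the reply above is pointing at; the partition layout the OP posted passes as-is.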