Questions on Managing Disk Encryption and OTA Updates for ROOTFS_A/B Devices

Hello team,
I have a few general questions regarding disk encryption and OTA updates for devices with ROOTFS_A/B and disk encryption enabled:

  1. I have flashed three devices using the --generic-passphrase option. In this scenario, will each device’s disk use the same key (e.g., -i ./sym2_t234.key) for disk encryption, or will the key get replaced during the first boot?
  2. If each device ends up with a unique key or passphrase during the first boot, how can I generate a common ota_payload that can be applied to all three devices?
    If possible, can I get a rough example?
  3. Is it possible to generate the ota_payload_package from any extracted BSP + ota_tool folder, as long as the Jetpack version is the same? For example, I flashed the devices using files from folder_A. Can I create the ota_payload_package from folder_B, provided both folders contain the same Jetpack 6.2 BSP and ota_tool versions?

I know my questions could be silly, but your guidance would be greatly appreciated.
Thank you in advance!

hello tanzelur,

>> Q1
I assume you’ve also added the --massflash option to generate a massflash package for flashing multiple devices with disk encryption by using a generic key, right?
Even when using the --generic-passphrase option, after the system boots up, initrd does the replacement with a device-specific unique key to unlock the encrypted device.

>> Q2
Please refer to the readme file,
$OUT/Linux_for_Tegra/tools/ota_tools/version_upgrade/Image_based_OTA_Examples.txt
Please also see the examples that provide the steps for using this golden image in an image-based OTA.
Please refer to the steps to add the generic passphrase in raw LUKS partition data.
It’s the option -s that checks whether disk encryption has been enabled on the external device.

>> Q3
It should be doable; please give it a try for confirmation.

Hi JerryChang,

Regarding Q2,
I reviewed the example cases in Image_based_OTA_Examples.txt, and the closest match I found is case-15, as it enabled both ROOTFS_AB and ROOTFS_ENC.
However, my concern lies with its use of ECID during the OTA payload generation process. If ECID is involved, how can the same ota_payload be applied to all 3 devices that were mass-flashed using the --generic-passphrase option?

Thank you

hello tanzelur,

We can generate a common OTA payload package for several devices with the same content based on one golden image.

I have flashed Jetsons with the R35.4.1 BSP and its rootfs earlier. Now I have also upgraded them via a massflash image with a new rootfs and the new BSP R35.6.0, with disk encryption enabled using the --generic-passphrase option. This works!

My use case is to flash NVME and QSPI from a bootable USB:

I prepared a bootable USB which contains a /Linux_for_Tegra folder with internal and external images to flash NVME directly from USB. It worked as long as there was no change in the bootloader, but while updating from r35.4.1 to r35.6.0, the bootloader is not updated, and when the NVME rootfs is updated, it fails with a kernel panic.

#internal image creation
sudo ADDITIONAL_DTB_OVERLAY_OPT="BootOrderNvme.dtbo" BOARDID=3668 FAB=301 BOARDSKU=0001 BOARDREV=E.0 ./tools/kernel_flash/l4t_initrd_flash.sh -u $ROOT_DIR/keys/jetson.pem -v $ROOT_DIR/keys/sbk_key.txt  -p "-c bootloader/t186ref/cfg/flash_l4t_t194_qspi_p3668.xml" --showlogs --no-flash jetson-xavier-nx-devkit-emmc internal

#external image creation
sudo ADDITIONAL_DTB_OVERLAY_OPT="BootOrderNvme.dtbo" ROOTFS_ENC=1 BOARDID=3668 FAB=301 BOARDSKU=0001 BOARDREV=E.0 ./tools/kernel_flash/l4t_initrd_flash.sh -u $ROOT_DIR/keys/jetson.pem -v $ROOT_DIR/keys/sd/sbk_key.txt -i ./ekb.key -p "--generic-passphrase" --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t194_nvme_rootfs_enc.xml -S 40GiB --no-flash --append --direct nvme0n1 --showlogs jetson-xavier-nx-devkit-emmc external

# create file for usb-image
sudo dd if=/dev/zero of=image.iso bs=1M count=64000 status=progress

# mount usb-image on loop device
loop_device_path=$(sudo losetup -f)
sudo losetup $loop_device_path image.iso
loop_device_path_name="${loop_device_path##*/}"

#Format Loop device
echo "Formatting $loop_device_path with ext4 filesystem..."
sudo mkfs.ext4 -F $loop_device_path

pushd $ROOT_DIR/Linux_for_Tegra
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --direct $loop_device_path_name --external-device sda1 -c ./tools/kernel_flash/flash_l4t_external.xml -S 40GiB jetson-xavier-nx-devkit-emmc external
popd


#This flashes the NVME directly from USB and then after reboot, NVME has new rootfs
pushd /Linux_for_Tegra
sudo  ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -S 40GiB --direct nvme0n1 --showlogs jetson-xavier-nx-devkit-emmc external
popd

How can I update the bootloader too? Can’t I do something like below? Or what’s the best way to implement it?

pushd /Linux_for_Tegra
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only jetson-xavier-nx-devkit-emmc internal
[sudo] password for jetson: 
No devices to flash
popd

Please refer to my post: Update bootloader QSPI when booted up from USB Stick

Thanks
