[Security][Disk Encryption] Creating Encrypted Images with a Generic Key

hi all,

according to the forum topics below,
using a generic passphrase was not supported, and it was suggested to use a unique ECID to enable disk encryption.

as you may know,
it’s now possible to create encrypted images with a generic key with the JetPack 5.1.3 (r35.5.0) release.

here are the steps.
Step-1) please refer to the developer guide, Creating Encrypted Images with a Generic Key;
there’s a --massflash option to generate a massflash package,
for instance,

$ sudo BOARDID=3767 BOARDSKU=0000 ./tools/kernel_flash/l4t_initrd_flash.sh \
        --network usb0 -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
        --no-flash \
        jetson-orin-nano-devkit internal
$ sudo BOARDID=3767 BOARDSKU=0000 ROOTFS_ENC=1 \
        ./tools/kernel_flash/l4t_initrd_flash.sh \
        --network usb0 --showlogs  --no-flash --external-device nvme0n1p1 \
        -S 16GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
        --external-only --append -i ./disk_enc.key -p "--generic-passphrase" \
        --massflash 2 jetson-orin-nano-devkit external

Step-2) after the above commands have completed, they should create a massflash (mfi_<target-board>.tar.gz) package.
after extracting this package, put two Orin Nano DevKits into recovery mode and flash them simultaneously.

$ sudo tar xpfv mfi_<target-board>.tar.gz
$ cd mfi_<target-board>
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --massflash 2

Step-3) you should now be able to massflash multiple devices.
after image flashing has completed, you should have two Orin Nanos with disk encryption enabled.
you can verify this (e.g. with $ df -h) after booting into Linux.

$ df -h
/dev/mapper/crypt_root 54G 5.6G 46G 12% /
/dev/mapper/crypt_UDA 374M 14K 350M 1% /mnt/crypt_UDA
/dev/nvme0n1p1 371M 97M 247M 29% /boot
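A post-boot verification script, added here as an example and not part of the original post or of the JetPack tools: it reads df -P output and checks that each expected mount point is served from a /dev/mapper/crypt_* mapping (the naming seen in the output above) rather than from a raw partition. The sample df output is constructed to mirror the layout above; the mount-point list and the --live flag are assumptions.

```shell
#!/bin/sh
# check_encrypted_mounts DF_OUTPUT MOUNTPOINT...
# DF_OUTPUT is the text of `df -P` (-P keeps each entry on one line).
# Returns 0 when every listed mount point is backed by /dev/mapper/crypt_*,
# 1 when a mount point is missing or sits on a plain block device.
check_encrypted_mounts() {
    df_out=$1; shift
    rc=0
    for mp in "$@"; do
        # Column 1 is the device, column 6 the mount point; the header's
        # "Mounted on" never equals a real path, so it is skipped naturally.
        dev=$(printf '%s\n' "$df_out" | awk -v mp="$mp" '$6 == mp { print $1 }')
        case "$dev" in
            "")                  echo "MISSING  $mp (not mounted)"; rc=1 ;;
            /dev/mapper/crypt_*) echo "OK       $mp on $dev" ;;
            *)                   echo "PLAIN    $mp on $dev (not a dm-crypt mapping)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the layout shown in the post (not captured from a device).
SAMPLE_DF='Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/crypt_root   54G  5.6G   46G  12% /
/dev/mapper/crypt_UDA   374M   14K  350M   1% /mnt/crypt_UDA
/dev/nvme0n1p1          371M   97M  247M  29% /boot'

# Constructed sample of a board flashed without ROOTFS_ENC=1: root on the raw partition.
SAMPLE_DF_PLAIN='Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme0n1p1   54G  5.6G   46G  12% /
/dev/nvme0n1p2  371M   97M  247M  29% /boot'

# Run with --live on the flashed device to check the real mounts (assumed mount points).
if [ "${1:-}" = "--live" ]; then
    check_encrypted_mounts "$(df -hP)" / /mnt/crypt_UDA
fi
```

On the device, `sudo cryptsetup status crypt_root` additionally confirms that the mapping is a dm-crypt device and shows its cipher.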