Dear Nvidia,
we have an Orin AGX SoC (integrated by forecr) for which we would like to implement full disk encryption, where the key encryption key is stored in the TPM. We require Secure Boot to confirm the hardware/firmware configuration and a pre-boot authentication PIN from the user.
As a preliminary step, to get the full disk encryption working in the first place, we followed your guide on https://docs.nvidia.com/jetson/archives/r36.5/DeveloperGuide/SD/Security/DiskEncryption.html.
We were able to create the flashable file system with an encrypted partition using a dummy disk_enc.key (using default values otherwise) and successfully flash it to the board. The board was able to load the BIOS and bootloader, but was unable to continue booting because it was unable to decrypt the encrypted partition with the error “No key available with this passphrase”.
We presume this is either because we were not able to properly configure the EKS image with this key (We were unable to find the OP-TEE tools to do so), or because the system was unable to retrieve the hardware-based passphrase from nvluks-srv-app (which by default should be the UUID of the encrypted disk according to the documentation).
Do you know this passphrase retrieval issue or have any experience with OP-TEE tools? Please provide support on what is the intended way to combine full disk encryption on this ARM SoC with TPM.
Please feel free to get in touch with me directly for contact details, especially if you have any dedicated business to business support line.
Thanks and kind regards,
Pascal Engelbarts
Airbus Defence and Space GmbH