TX2 NX full disk encryption +AB scheme does not work

I am working on full disk encryption on top of our A/B scheme, based on a TX2 NX SoM and a 1TB NVMe SSD. It targets booting from the external device.
I did a bunch of tests:

sudo ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh  --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_ab.xml --external-only -S 40GiB jetson-xavier-nx-devkit-tx2-nx nvme0n1p1


sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh  --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 40GiB jetson-xavier-nx-devkit-tx2-nx nvme0n1p1

Not working

sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc_ab.xml --external-only -S 40GiB jetson-xavier-nx-devkit-tx2-nx nvme0n1p1

The XML files are here:
flash_l4t_nvme_rootfs_enc_ab.xml.txt (9.8 KB)
flash_l4t_nvme_rootfs_enc.xml.txt (9.1 KB)
flash_l4t_nvme_rootfs_ab.xml.txt (9.2 KB)

The error log is here:
log.txt (14.1 KB)
It shows "missing file operand", but I don’t know which file is missing.
Please help.

Hi jiangpen,

Are you using the devkit or custom board for TX2 NX?
What’s your JetPack version in use?

Did you create flash_l4t_nvme_rootfs_enc_ab.xml.txt by yourself?
It seems we don’t have this partition layout in our BSP package.

@KevinFFF, yes, I created flash_l4t_nvme_rootfs_enc_ab.xml.txt myself. It is pretty much the same as flash_l4t_nvme_rootfs_ab.xml.txt, but I added one more partition called APP_ENC_b to support the A/B scheme.
May I know if you see anything wrong here?
There is no XML file directly available to edit for the A/B scheme + encryption.

@KevinFFF, I have pretty much narrowed the issue down: as long as a new partition like APP_ENC_b is added in the XML file flash_l4t_nvme_rootfs_enc_ab.xml.txt, the device fails to boot up.
I tried the partition with a different name and place, encrypted or not; none worked.

I am not quite sure my change to the XML file is OK; could you please review it and give me some suggestions?
The program log is here:
program.txt (53.3 KB)
The flash log is here:
flash_3-2.1.4_0_20240502-145944.log (22.8 KB)
The boot-up log is here:
bootup.log (59.7 KB)

I would really appreciate any help.

TX2 uses the L4T R32 release; it seems enabling rootfs A/B and disk encryption is supported for internal devices only (like eMMC, SD).
For external storage like NVMe, it is not supported.
If you customize the partition layout file, you should specify all the partitions. You can refer to the partition layout we used in R35. But we have not verified locally enabling both of them with R32.

It seems you don’t have APP_b in your flash_l4t_nvme_rootfs_enc_ab.xml.txt.

@KevinFFF It is a shame that the A/B scheme with disk encryption is not supported for NVMe on TX2. We are running with TX2 A/B and require disk encryption, and are attempting to make this work.

  • Can you please advise if there is any technical reason why it is not possible?

Hi majh,

Are you working with jiangpen?

It should work technically, but we won’t add new features in JP4.X.
JP4.X is quite an old release. We implement them (redundant rootfs and disk-encryption) for external storage separately.
They are supported in JP5, so you can refer to the configuration in L4T R35.X.

Hi @KevinFFF - Yes, I am working with jiangpen; he is attempting to get the redundant rootfs and disk-encryption working. We hope you can assist him with the problems he is finding, as this is important for us to be able to run securely on Jetson.

From a quick check of your custom partition layout file, it seems APP_b is missing.
Please add it back and check if you can use that partition layout with both redundant rootfs and disk-encryption enabled.
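
A pre-flash check for the point made in this thread (a custom layout must list every partition, including APP_b), as an added example that is not from the posters or from the NVIDIA BSP. It assumes partitions appear as `<partition name="...">` elements under `<device>`, and that the rootfs names are APP and APP_ENC with a `_b` suffix for the second slot, taken from the names mentioned above; the sample layout is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's file): APP_ENC_b was added, APP_b was not.
SAMPLE_LAYOUT = """<partition_layout version="01.00.0000">
  <device type="external" instance="0" sector_size="512">
    <partition name="master_boot_record" type="protective_master_boot_record"/>
    <partition name="primary_gpt" type="primary_gpt"/>
    <partition name="APP" type="data"/>
    <partition name="APP_ENC" type="data"/>
    <partition name="APP_ENC_b" type="data"/>
    <partition name="secondary_gpt" type="secondary_gpt"/>
  </device>
</partition_layout>"""


def check_ab_layout(xml_data, slot_a=("APP", "APP_ENC"), suffix="_b"):
    """Return a list of problems in a partition layout (XML str or bytes).

    slot_a and suffix are assumptions based on the partition names
    mentioned in the thread (APP_b, APP_ENC_b).
    """
    problems = []
    for dev in ET.fromstring(xml_data).iter("device"):
        dev_id = f"{dev.get('type')}:{dev.get('instance')}"
        seen = set()
        for part in dev.iter("partition"):
            name = part.get("name")
            if name in seen:
                problems.append(f"{dev_id}: duplicate {name}")
            seen.add(name)
        # Every slot A rootfs partition needs its slot B counterpart.
        for base in slot_a:
            for needed in (base, base + suffix):
                if needed not in seen:
                    problems.append(f"{dev_id}: missing {needed}")
    return problems


if __name__ == "__main__":
    import sys
    # With a path argument, check that file; otherwise check the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LAYOUT
    issues = check_ab_layout(data)
    print("\n".join(issues) or "layout lists all A/B rootfs partitions")
    sys.exit(1 if issues else 0)
```

Run against the layout file before flashing; a non-zero exit status means a rootfs partition for one of the slots is absent or duplicated.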