I've edited the disk_encryption_helper.func script:

```sh
if [ "${__do_sign}" = "True" ]; then
    local kernel_fs_basename;
    kernel_fs_basename=$(basename "${kernel_fs}");
    echo -n -e "\tencrypt of ${kernel_fs_basename} ... ";
    signimage "./${kernel_fs_basename}" "False" "kernel" "${minratchet_configname}"; chkerr;
    echo -n -e "\tgenerating signed file of ${kernel_fs_basename} ... ";
    uefi_signimage "./${kernel_fs_basename}" "${uefi_db_key}" "${uefi_db_cert}" "nosplit"; chkerr;
    echo -n -e "\tencrypt ${dtbfilename} ... ";
    signimage "./dtb/${dtbfilename}" "False" "kernel_dtb" "${minratchet_configname}"; chkerr;
    echo -n -e "\tgenerating sig file of ${dtbfilename} ... ";
    uefi_signimage "./dtb/${dtbfilename}" "${uefi_db_key}" "${uefi_db_cert}" "split"; chkerr;
    echo -n -e "\tencrypt initrd ... ";
    signimage "./initrd" "False" "data"; chkerr;
    echo -n -e "\tgenerating sig file of initrd ... ";
    uefi_signimage "./initrd" "${uefi_db_key}" "${uefi_db_cert}" "split"; chkerr;
    echo -n -e "\tencrypt ${_extlinux_conf} ... ";
    # Signing tool will pad extlinux.conf with 0x80 to be 16-byte aligned.
    # This pad byte of 0x80 may cause some utilities to fail to read the entire
    # extlinux.conf.
    # So, pad extlinux.conf to 16-byte aligned with linefeed.
    pad_file_aligned "${_extlinux_conf}" 16 "\x0a";
    signimage "${_extlinux_conf}" "False" "data"; chkerr;
    echo -n -e "\tgenerating sig file of extlinux.conf ... ";
    uefi_signimage "${_extlinux_conf}" "${uefi_db_key}" "${uefi_db_cert}" "split"; chkerr;
fi
```
Upon further looking at flash.sh:

> `--user_key <key_file>` User provided key file (16-byte) to encrypt user images,
> like kernel, kernel-dtb and initrd.
> If user_key is specified, SBK key (-v) has to be specified.
> **For now, user_key file must contain all 0's.**
It seems that --user_key is unsupported in Jetpack 5… This shouldn't really be an issue, except that kernel, kernel-dtb, initrd and extlinux.conf can't be encrypted.
Now for setting up rootfs encryption with UEFI Secureboot:

For gen_ekb I've done:

```sh
echo "00000000000000000000000000000000" > sym_t194.key
```

The sym_key should be the --user-key; not supplying the --user-key will set it to zeros in flash.sh.

The final command to flash:

```sh
sudo ROOTFS_ENC=1 ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf -i $sym2file -u $keyfile -v $sbkfile jetson-agx-xavier-devkit mmcblk0p1
```
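The extlinux.conf padding step from the script above, as an added stand-alone example (not NVIDIA's pad_file_aligned and not code from this post): the file is padded to a 16-byte boundary with linefeeds so the signing tool has nothing left to pad with 0x80, and a check confirms the result is aligned and contains no 0x80 byte. The pad byte is passed as an octal printf escape (`'\012'`) rather than `\x0a`, an assumption made here because `\x` escapes are not portable in POSIX sh.

```shell
#!/bin/sh
# Added example: re-implementation of the extlinux.conf padding step,
# not the pad_file_aligned from NVIDIA's disk_encryption_helper.func.
# Pads FILE to a multiple of ALIGN bytes using the byte given as an octal
# printf escape (e.g. '\012' for a linefeed), so the signing tool finds the
# file already aligned and never appends its own 0x80 pad bytes.
pad_file_aligned() {
    file="$1"; align="$2"; pad="$3"
    size=$(wc -c < "$file" | tr -d ' ')
    rem=$((size % align))
    if [ "$rem" -ne 0 ]; then
        n=$((align - rem))
        i=0
        while [ "$i" -lt "$n" ]; do
            printf "$pad" >> "$file"
            i=$((i + 1))
        done
    fi
}

# Returns 0 when FILE's size is a multiple of ALIGN bytes, 1 otherwise.
is_aligned() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ $((size % $2)) -eq 0 ]
}

# Returns 0 when FILE contains no 0x80 byte (the signing tool's pad byte),
# i.e. it is still plain text that a config parser will read to the end.
has_no_0x80() {
    ! od -An -v -tx1 "$1" | tr ' ' '\n' | grep -qx 80
}

# Constructed sample extlinux.conf: 38 bytes, so not 16-byte aligned.
make_sample_conf() {
    printf 'LABEL primary\n      LINUX /boot/Image\n' > "$1"
}

# Usage: sh pad_check.sh /path/to/extlinux.conf  (pads in place, prints size)
if [ -n "${1:-}" ]; then
    pad_file_aligned "$1" 16 '\012' && wc -c < "$1"
fi
```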