Hi Julien,
I’ve successfully enabled disk encryption with UEFI Secure Boot on this release; however, I’m using a Xavier AGX…
As JerryChang already mentioned, --user-key is not supported on this release. See my post: UEFI Secureboot JP 5.1.1 L4T 35.3.1 - #19 by riboyama
I took a quick look at the Jetpack 4.5 docs, it seems that your board is fused correctly and that your fuses are compatible with this release. However, I’m no expert so take this with a grain of salt.
Generating eks_t194.img:
python3 gen_ekb.py -chip t194 -kek2_key kek2.key \
-fv fv_ekb_t194.key \
-in_sym_key sym_t194.key \
-in_sym_key2 sym2_t194.key \
-out eks_t194.img
- The fv_ekb_t194.key should be bad66eb4484983684b992fe54a648bb8, unless you have recompiled the optee sources with another key.
- --user-key is unsupported. sym_t194.key is the user_key, so sym_t194.key must be all zeros: 00000000000000000000000000000000
- sym2_t194.key is your rootfs encryption key. It will also be used for flash.sh -i sym2_t194.key
- Copy eks_t194.img to Linux_for_Tegra/bootloader/eks_t194.img
Flashing:
The flash.sh script is broken in this release if you enable Secure Boot and disk encryption together when using flash.sh. See my post for the fix.
After you’ve edited disk_encryption_helper.func you can now flash:
The correct flash command for PKC + SBK + DiskEncryption + UEFI Secureboot (AGX devkit) is sudo ROOTFS_ENC=1 ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf -i $sym2file -u $keyfile -v $sbkfile jetson-agx-xavier-devkit mmcblk0p1
On first boot you will see that dbx and dbt cannot be enrolled, this is OK.
On reboot you should see Skipped - USER_MODE, this means that the uefi secureboot is enabled.
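As an added example (not part of the post above), a small POSIX sh helper that writes the three key files gen_ekb.py consumes in the layout the post describes and sanity-checks them before the EKB is built: the fv key at its quoted default, sym_t194.key all zeros, and a freshly generated, non-zero sym2_t194.key. It assumes each key file holds a 128-bit key as 32 hex characters, as the quoted fv_ekb_t194.key value does; gen_ekb.py and kek2.key are not created here.

```shell
#!/bin/sh
# Added example: prepare and check the key files for gen_ekb.py (T194).
# Assumption: every key file is 32 hex characters (16 bytes), like the
# fv_ekb_t194.key value quoted in the post.

# Default fv key from the unmodified optee sources, as quoted in the post.
FV_EKB_DEFAULT="bad66eb4484983684b992fe54a648bb8"
ZERO_KEY="00000000000000000000000000000000"

# is_hex_key FILE: true if FILE holds exactly 32 hex characters.
is_hex_key() {
    key=$(tr -d '[:space:]' < "$1")
    [ "${#key}" -eq 32 ] && [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ]
}

# is_zero_key FILE: true if FILE is the all-zero key (the unsupported --user-key slot).
is_zero_key() {
    is_hex_key "$1" && [ "$(tr -d '[:space:]' < "$1")" = "$ZERO_KEY" ]
}

# write_keys DIR: fv_ekb_t194.key (default), zero sym_t194.key, random sym2_t194.key.
write_keys() {
    dir=$1
    mkdir -p "$dir"
    printf '%s' "$FV_EKB_DEFAULT" > "$dir/fv_ekb_t194.key"
    printf '%s' "$ZERO_KEY" > "$dir/sym_t194.key"
    # Never reuse a published or sample key: draw 16 fresh bytes from the kernel CSPRNG.
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$dir/sym2_t194.key"
    chmod 600 "$dir/sym2_t194.key"
}

# check_keys DIR: fails if any file is malformed, sym is not zero, or sym2 is zero.
check_keys() {
    dir=$1
    is_hex_key "$dir/fv_ekb_t194.key" || { echo "bad fv_ekb_t194.key" >&2; return 1; }
    is_zero_key "$dir/sym_t194.key"   || { echo "sym_t194.key must be all zeros" >&2; return 1; }
    is_hex_key "$dir/sym2_t194.key"   || { echo "bad sym2_t194.key" >&2; return 1; }
    if is_zero_key "$dir/sym2_t194.key"; then echo "sym2_t194.key must not be zero" >&2; return 1; fi
    return 0
}

# build_eks DIR: runs the gen_ekb.py command from the post against the checked keys.
build_eks() {
    dir=$1
    check_keys "$dir" || return 1
    python3 gen_ekb.py -chip t194 -kek2_key kek2.key -fv "$dir/fv_ekb_t194.key" \
        -in_sym_key "$dir/sym_t194.key" -in_sym_key2 "$dir/sym2_t194.key" -out eks_t194.img
}
```

Run write_keys once, keep sym2_t194.key for the later flash.sh -i step, and run build_eks from the directory that contains gen_ekb.py and kek2.key.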