Hi all,
I use L4T 35.4.1, use AGX Xavier for hardware, and have successfully burned the fuses (pkc, sbk, kek0, kek1, kek2).
I am testing disk encryption and UEFI load encryption, and my burn in command is sudo ROOTFS_ENC=1 ./flash.sh -v uefi_keys/sbk.txt -u uefi_keys/rsa_3k.pem -i uefi_keys/sym2_t194.key --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc uefi_keys/sym_t194.key jetson-agx-xavier-devkit mmcblk0p1. How can I confirm that disk encryption and UEFI load encryption are running correctly? How can I prove it to my colleagues?
Hi Jerry,
After I tested and added Disk Encryption and UEFI Load Encryption, these two partitions appeared in the system, but I only added UEFI Load Encryption. After entering the system, df -h did not add any partitions. How can I confirm that UEFI Load Encryption is effective?
Thank you for your reply.
Please refer to the developer guide, UEFI Secureboot.
You may check with $ efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot to see the return value; a value of 0 means that Secureboot is not enabled.
For disk encryption, you’ll need to put ROOTFS_ENC into the command-line;
this means you’re having partition layout with… flash_l4t_t234_nvme_rootfs_enc.xml during image flash to enable disk encryption. If you look into this configuration file, you’ll see there’s a partition named APP_ENC for the encrypted root partition.
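
The two checks named in the reply above can be scripted so the result is repeatable in front of colleagues. This is an added example, not part of the original thread or NVIDIA's tooling; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and that util-linux `lsblk` is installed, and the function names, the `--live` switch and the sample device names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: reports UEFI Secure Boot state and whether "/" is on dm-crypt.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is a 4-byte attribute word followed by the variable data;
# for SecureBoot the data is one byte (1 = enabled, 0 = not enabled).
secureboot_state() {   # $1 = efivarfs file to read (defaults to SB_VAR)
  local f=${1:-$SB_VAR} v
  [ -r "$f" ] || { echo unknown; return 2; }
  v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
  case "$v" in
    1) echo enabled ;;
    0) echo disabled; return 1 ;;
    *) echo unknown; return 2 ;;   # short or unexpected content
  esac
}

# Reads `lsblk -P -o NAME,TYPE,PARTLABEL,MOUNTPOINT` output on stdin.
# Succeeds only if an APP_ENC partition exists AND "/" is a dm-crypt mapping,
# so a layout that merely contains the partition does not pass.
rootfs_enc_state() {
  local line has_part=no root_crypt=no
  while IFS= read -r line; do
    case "$line" in *'PARTLABEL="APP_ENC"'*) has_part=yes ;; esac
    case "$line" in *'TYPE="crypt"'*'MOUNTPOINT="/"'*) root_crypt=yes ;; esac
  done
  echo "app_enc_partition=$has_part root_on_dmcrypt=$root_crypt"
  [ "$has_part" = yes ] && [ "$root_crypt" = yes ]
}

# Constructed sample of lsblk output (device and mapper names are made up).
SAMPLE_LSBLK='NAME="mmcblk0p1" TYPE="part" PARTLABEL="APP" MOUNTPOINT="/boot"
NAME="mmcblk0p2" TYPE="part" PARTLABEL="APP_ENC" MOUNTPOINT=""
NAME="crypt_root" TYPE="crypt" PARTLABEL="" MOUNTPOINT="/"'

# Run against the live system with:  ./check_enc.sh --live
if [ "${1:-}" = "--live" ]; then
  echo "secureboot=$(secureboot_state)"
  lsblk -P -o NAME,TYPE,PARTLABEL,MOUNTPOINT | rootfs_enc_state
fi
```

The SecureBoot variable reports the Secure Boot state that the reply points to; it does not by itself show that the UEFI payload was encrypted with the `--uefi-enc` key.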