Verify encrypted boot/root

I’ve gone through the process outlined in README_secureboot.txt to (I believe) burn the fuse and flash an encrypted root partition on a 16GB Xavier AGX development system. It booted without error and I am able to use it like normal, and the flashing process appears to have worked and used my .pem and key files, but I would like some verification that it is actually encrypted.

All I’ve found via a Google search on verifying that a partition is encrypted is using blkid, but when I run blkid on /dev/mmcblk0 and/or /dev/mmcblk0p1 it just shows a standard gpt partition table and ext4 filesystem. Is there any way that I can be sure that it is actually encrypted?

My ultimate goal is to boot from the NVME SSD, but I haven’t figured that out yet. I have been able to use the jetsonhacks method to install root on the SSD, and I also found a forum post that had a script that purported to boot off of an encrypted SSD, but that didn’t work for me. I think it’s based on an older jetpack version, and I have seen indications that the standard installation in 4.6 should support root on SSD, but I don’t know if it supports encryption.

Any pointers on how to verify that I actually have an encrypted root partition, and whatever the best option is for an encrypted SSD installation would be appreciated. If the best I can do is to format the SSD as an encrypted volume then that’s okay as well. I’m not sure how to do that, but I assume there’s documentation somewhere.

hello webbbn ,

the concept of Secureboot is to prevent execution of unauthorized code during the boot process through a chain-of-trust;
those authenticated boot components (such as the Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using a private key.
you’ll also need to enable SecureOS, please check Trusty, a Trusted Execution Environment to include security features to ensure code and data on a device are protected.
you may also see the Disk Encryption chapter, which encrypts a whole disk or partition to protect the data it contains.

Thanks. That did give me a pointer that I think worked. I have to dig a bit deeper, but now it is booting with root on the SSD, and root is mounted on /dev/mapper/crypt_root, which gives me some confidence that it is actually encrypted.

The command that I used is this: sudo ROOTFS_ENC=1 ./tools/kernel_flash/ -u …/…/rsa_priv.pem -v …/…/sbk.key --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 900GiB jetson-xavier external

I had previously modified the xml file to conform to a 1TB SSD, and the 900GB on the command line is approximate, but, at the very least, I think it’s close.
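A way to make that verification repeatable, as an added example (my own code, not from the thread or from NVIDIA's tools): a POSIX sh function that parses the raw output of lsblk -r -n -o NAME,TYPE,MOUNTPOINT and reports whether the filesystem mounted at / is backed by a dm-crypt mapping, fed here with constructed sample output for both the encrypted-NVMe root described above and a plain eMMC root. The describe_root_mapping helper assumes findmnt and cryptsetup are installed and is run as root on the Jetson itself.

```shell
#!/bin/sh
# Added example: check whether / is mounted from a dm-crypt device
# (e.g. /dev/mapper/crypt_root) rather than directly from a plain partition.
# Input format is what `lsblk -r -n -o NAME,TYPE,MOUNTPOINT` prints:
# one device per line, space-separated, no tree characters, and the
# MOUNTPOINT column absent for devices that are not mounted.

# root_is_dmcrypt LSBLK_OUTPUT -> exit status 0 if the device mounted at "/"
# has lsblk TYPE "crypt" (a device-mapper crypt target), 1 otherwise.
root_is_dmcrypt() {
    printf '%s\n' "$1" | awk '
        $3 == "/" { found = 1; if ($2 == "crypt") ok = 1 }
        END { exit (found && ok) ? 0 : 1 }
    '
}

# Constructed sample: root on an encrypted NVMe partition, as in the thread.
# nvme0n1p1 holds the container; crypt_root is the unlocked mapping.
ENCRYPTED_SAMPLE='nvme0n1 disk
nvme0n1p1 part
crypt_root crypt /
mmcblk0 disk
mmcblk0p1 part'

# Constructed sample: a plain ext4 root mounted straight from the eMMC.
# Here blkid on mmcblk0p1 would indeed just report ext4.
PLAIN_SAMPLE='mmcblk0 disk
mmcblk0p1 part /'

# Live check on the running system; prints a one-line verdict.
check_live_root() {
    if root_is_dmcrypt "$(lsblk -r -n -o NAME,TYPE,MOUNTPOINT)"; then
        echo "root filesystem is on a dm-crypt mapping"
    else
        echo "root filesystem is NOT on a dm-crypt mapping"
        return 1
    fi
}

# Show the mapping's cipher, key size and backing device (needs root).
describe_root_mapping() {
    src=$(findmnt -n -o SOURCE /)      # e.g. /dev/mapper/crypt_root
    cryptsetup status "${src##*/}"     # mapping name is the last path component
}
```

Running blkid on the backing partition (here nvme0n1p1) rather than on the mapper device is the other useful cross-check: an encrypted container does not report an ext4 filesystem on the raw partition, which is why blkid on an unencrypted mmcblk0p1 was not telling you anything about the SSD.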
