Jetson Orin Nano Encrypted RootFs Black Screen

Issue Overview

Users are experiencing issues with disk encryption on the Nvidia Jetson Orin Nano Developer Kit. When attempting to set up encrypted rootfs using the default/test fuse keys with OpTee, the device boots to NVME with a blinking cursor followed by a black screen, then restarts and repeats this cycle. This occurs after flashing the device with what appears to be the correct procedure.

The problem seems to arise when trying to unlock the LUKS partition during the boot process. The system fails to unlock the encrypted partition, resulting in an inability to mount the rootfs and complete the boot sequence.

Possible Causes

1. Incorrect EKS image generation or flashing
2. Improper configuration of the encrypted rootfs
3. Mismatch between the encryption keys used for flashing and those present on the device
4. Issues with the OpTee implementation or configuration
5. Hardware incompatibility or defect
6. Incorrect LUKS partition setup

Troubleshooting Steps, Solutions & Fixes

1. Verify EKS image creation and flashing:

   • Ensure that the EKS image (eks_t234.img) is generated correctly using the example.sh script.
   • Double-check that the EKS image is properly flashed to the device.
   • For unfused devices, do not swap the eks_t234.img file when flashing.

2. Check encryption tools and dependencies:

   • Verify that the necessary encryption tools are installed on the host system:

     sudo apt-get install cryptsetup
     

3. Regenerate encryption keys and EKS image:

   • Ensure the Jetson Orin Nano DevKit is plugged in while generating images.
   • Re-run the example.sh script to generate new encryption keys and EKS image.
   • Flash the newly generated EKS image to the device.

4. Verify LUKS partition setup:

   • Check that the LUKS partition is correctly created and formatted.
   • Ensure the UUID of the LUKS partition matches the one expected by the boot process.

5. Review flashing procedure:

   • Double-check all steps in the flashing procedure, ensuring no steps were missed or performed incorrectly.
   • Pay special attention to the ROOTFS_ENC=1 flag and other encryption-related parameters.

6. Inspect boot logs:

   • If possible, capture detailed boot logs using a serial console connection.
   • Analyze the logs for any specific error messages or indications of where the boot process is failing.

7. Verify OpTee configuration:

   • Ensure that the OpTee image is correctly built and flashed.
   • Check for any known issues or updates related to OpTee and disk encryption for the Jetson Orin Nano.

8. Check for hardware issues:

   • Test with a different NVME drive if available to rule out hardware-specific problems.
   • Verify that all connections are secure and that the hardware is functioning correctly.

9. Consult Nvidia documentation and forums:

   • Review the latest documentation for any updates or known issues related to disk encryption on the Jetson Orin Nano.
   • Search for similar issues in Nvidia developer forums and apply any relevant solutions.

10. Consider alternative encryption methods:

    • If the issue persists, consider exploring alternative encryption methods or configurations that may be more stable on the Jetson Orin Nano platform.

It’s worth bringing up that disk encryption support relies on the correct generation and usage of the Encrypted Key Blob (EKB), which stores two keys: the kernel encryption key and the LUKS key for disk encryption support. Ensure that these keys are correctly generated and applied throughout the process.

If the issue persists after trying these steps, it may be necessary to seek further assistance from Nvidia support or the developer community, providing detailed logs and information about the exact steps taken during the setup process.