Disk Encryption Failure on Nvidia Jetson Orin Nano Dev Board

Issue Overview

Users are experiencing difficulties with disk encryption on the Nvidia Jetson Orin Nano Developer Kit. The specific problem is a failure to unlock the encrypted device /dev/nvme0n1p2 during the boot process. The issue occurs after flashing the system with disk encryption enabled, using the default/test fuse keys and the OP-TEE image generated by example.sh. The problem manifests as follows:

  • The Jetson boots to NVMe with a blinking cursor
  • The screen then goes black
  • The system restarts and repeats this cycle

This issue prevents the system from fully booting and renders the device unusable. The problem occurs with the following configuration:

  • Jetson Orin Nano Devkit
  • JetPack SDK 5.1.2
  • BSP 35.4.1
  • Ubuntu 20.04 Linux host
  • OP-TEE from NVIDIA’s public sources
  • Samsung 960 Pro NVMe storage
  • No SD card inserted

Possible Causes

  1. Incorrect encryption keys: The system may be using incorrect or incompatible encryption keys, preventing the decryption of the NVMe partition.

  2. Misconfiguration in the flashing process: Errors in the flashing procedure, such as using incorrect commands or parameters, could lead to an improperly encrypted system.

  3. Incompatibility between software versions: There might be compatibility issues between the JetPack SDK, BSP, and OP-TEE versions used.

  4. Hardware issues: Problems with the NVMe drive or its connection could interfere with the decryption process.

  5. Corrupted or incomplete flashing: The flashing process might have been interrupted or corrupted, resulting in an improperly configured system.

  6. Bootloader configuration issues: Incorrect bootloader settings or a mismatched eks_t234.img file could prevent proper decryption.

Troubleshooting Steps, Solutions & Fixes

  1. Use the correct eks_t234.img file:

    • Do not replace the bootloader/eks_t234.img file if you’re using an unfused system.
    • Revert any changes made to this file:
      mv bootloader/eks_t234.img.bak bootloader/eks_t234.img
      
  2. Verify the flashing process:

    • Ensure all steps in the flashing process are followed correctly.
    • Double-check the commands used, especially the encryption-related parameters.
    • Confirm that the NUM_SECTORS modification in ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml is correct for your NVMe drive.
  3. Check software compatibility:

    • Verify that all software components (JetPack SDK, BSP, OP-TEE) are compatible with each other.
    • Consider updating to the latest compatible versions if available.
  4. Inspect the NVMe drive:

    • Test the NVMe drive on another system to ensure it’s functioning correctly.
    • Check for any loose connections or physical damage.
  5. Perform a clean flash:

    • Start the entire process from scratch, ensuring a clean slate.
    • Follow these steps carefully:
      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
      
      sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 60GiB --external-only --append --network usb0 jetson-orin-nano-devkit external
      
      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
      
  6. Verify encryption keys:

    • Double-check that the encryption keys generated by example.sh are correct and properly applied.
    • Ensure the sym2_t234.key file is in the correct location and has not been corrupted.
  7. Check for error messages:

    • During the boot process, look for any error messages related to disk decryption.
    • These messages might provide more specific information about the cause of the failure.
  8. Consult NVIDIA documentation:

    • Review the official NVIDIA documentation for any known issues or additional troubleshooting steps specific to disk encryption on the Jetson Orin Nano.
  9. Consider using unencrypted setup for testing:

    • If the issue persists, try setting up the system without encryption to isolate whether the problem is specifically related to the encryption process.
  10. Seek community support:

    • If the issue remains unresolved, consider reaching out to the NVIDIA Jetson community forums or official support channels for further assistance.
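
An added example, not from the original page or NVIDIA's tooling: a POSIX shell pre-flash check for steps 1, 2 and 6 above. It assumes the key file holds one line of hex (the 16-byte length is a parameter and an assumption), that the XML's device element carries sector_size and num_sectors attributes, and that num_sectors × sector_size must not exceed the drive size; function names and sample values are constructed.

```sh
#!/bin/sh
# Pre-flash sanity checks (added example; function names are hypothetical).

# key_hex_ok FILE NBYTES: succeeds if FILE holds exactly NBYTES of hex
# (optional 0x prefix, surrounding whitespace ignored). Format is an assumption.
key_hex_ok() {
  [ -r "$1" ] || return 1
  hex=$(tr -d ' \r\n' < "$1"); hex=${hex#0x}
  [ "${#hex}" -eq $(( $2 * 2 )) ] || return 1
  case $hex in *[!0-9a-fA-F]*) return 1 ;; esac
  return 0
}

# xml_attr FILE NAME: print the first NAME="value" attribute found in FILE.
xml_attr() {
  sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# sectors_ok XML DISK_BYTES: succeeds if num_sectors is numeric (placeholder
# replaced) and num_sectors * sector_size does not exceed the drive size.
sectors_ok() {
  n=$(xml_attr "$1" num_sectors); s=$(xml_attr "$1" sector_size)
  case $n in ''|*[!0-9]*) return 1 ;; esac
  case $s in ''|*[!0-9]*) return 1 ;; esac
  [ $(( n * s )) -le "$2" ]
}

# eks_replaced L4T_DIR: succeeds if a .bak copy shows eks_t234.img was swapped.
eks_replaced() { [ -e "$1/bootloader/eks_t234.img.bak" ]; }

# Constructed demo inputs in a scratch directory (not real keys or configs).
demo=$(mktemp -d); mkdir -p "$demo/bootloader"
printf '%s\n' 00112233445566778899aabbccddeeff > "$demo/sym2_t234.key"
dev='<device type="external" instance="0" sector_size="512" num_sectors='
printf '%s"NUM_SECTORS">\n' "$dev" > "$demo/unedited.xml"
printf '%s"1000215216">\n' "$dev" > "$demo/edited.xml"
DISK_BYTES=512110190592  # constructed; real value: blockdev --getsize64 <device>

key_hex_ok "$demo/sym2_t234.key" 16 && echo "key: 16 bytes of hex"
sectors_ok "$demo/edited.xml" "$DISK_BYTES" && echo "edited.xml: fits drive"
sectors_ok "$demo/unedited.xml" "$DISK_BYTES" || echo "unedited.xml: placeholder"
eks_replaced "$demo" || echo "eks_t234.img: stock image in place"
```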
