Failing with Custom Keys for Encrypting NVMe on Jetson Orin Nano

Issue Overview

Users are experiencing failures when attempting to flash an NVMe drive with disk encryption using custom keys on the NVIDIA Jetson Orin Nano Developer Kit. The issue manifests during the final flashing step, where the system fails to unlock the encrypted device, resulting in a kernel panic.

Symptoms:

  • The device fails to boot, displaying an error message indicating it cannot unlock the encrypted device (ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2).
  • Kernel panic occurs with an exit code indicating an issue during the initialization process.

Context:

  • The problem arises during the flashing process after generating custom keys and an image.
  • Users have reported consistent failures across different setups, including fresh installations of Ubuntu 18.04 and 20.04.
  • The workflow succeeds when using default keys, suggesting that the issue is specifically related to custom key generation or usage.

Hardware/Software Specifications:

  • Jetson Orin Nano Developer Kit
  • Ubuntu 18.04 and 20.04
  • Jetson Linux R35.4.1

Impact:

This issue prevents successful booting and use of NVMe drives with custom encryption, limiting the functionality of the development board.

Possible Causes

  • Key Generation Errors: Incorrectly generated custom keys may not be compatible with the encryption process.

  • Image Replacement Issues: Failing to replace both the key file and the image file may lead to mismatches during decryption.

  • Configuration Errors: Misconfigurations in command-line parameters or scripts could result in improper flashing sequences.

  • Driver or Firmware Conflicts: Potential conflicts between software versions or drivers might interfere with the flashing process.

  • Environmental Factors: Power supply issues or overheating could affect the hardware’s ability to perform operations correctly.

  • User Misconfigurations: Errors in following documentation or command sequences could lead to failed attempts.

Troubleshooting Steps, Solutions & Fixes

Step-by-Step Instructions:

  1. Verify Key Generation:

    • Edit example.sh and make sure the line that writes the custom key is updated correctly:
      vim example.sh
      # In example.sh, update this line with the custom key:
      echo "f0e0d0c0b0a0010203040506070809aa" > sym2_t234.key
      
    • Run the script to generate new keys:
      ./example.sh
      
  2. Replace Key and Image Files:

    • Ensure both sym2_t234.key and eks_t234.img are updated correctly:
      cp eks_t234.img ~/nvidia_boot/Linux_for_Tegra/bootloader/.
      cp sym2_t234.key ~/nvidia_boot/Linux_for_Tegra/.
      
  3. Flashing Process:

    • Attach the device in Recovery Mode (RM) and run:
      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" -p "-i sym2_t234.key" --no-flash --network usb0 jetson-orin-nano-devkit internal
      
  4. Flash EKS Image:

    • Reattach in RM and run:
      sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal
      sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/.
      
  5. Flash NVMe Drive:

    • Reattach in RM and execute:
      sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-i sym2_t234.key" --no-flash --external-device nvme0n1p1 -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
      
  6. Final Flash Command:

    • Reattach in RM and run:
      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
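
A pre-flight check to run after step 2 and before step 3, covering the key-format and key/image mismatch causes listed above. This is an added example, not NVIDIA's tooling or part of the original post; the two directory arguments and the 32-hex-digit key format (taken from the sample key in step 1) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the custom-key workflow above.
# Never prints key material. Directory arguments are assumptions:
#   GEN_DIR  where example.sh wrote sym2_t234.key and eks_t234.img
#   L4T_DIR  the Linux_for_Tegra directory the files were copied into

report() { echo "$1"; bad=$((bad + 1)); }

# check_custom_key GEN_DIR L4T_DIR -> returns the number of problems found
check_custom_key() {
    gen=$1; l4t=$2; bad=0
    key=$gen/sym2_t234.key; img=$gen/eks_t234.img

    for f in "$key" "$img" "$l4t/sym2_t234.key" "$l4t/bootloader/eks_t234.img"; do
        [ -f "$f" ] || report "MISSING  $f"
    done
    [ "$bad" -eq 0 ] || return "$bad"

    # Format assumed from step 1: exactly one line of 32 hex digits (128 bits).
    # A CRLF line ending, a "0x" prefix, or a second line fails here.
    if [ "$(grep -c '' "$key")" -ne 1 ] || ! grep -Eqx '[0-9A-Fa-f]{32}' "$key"; then
        report "FORMAT   $key is not a single line of 32 hex digits"
    fi
    # A key edited after the image was built means the image came from the old key.
    if [ "$key" -nt "$img" ]; then
        report "STALE    $img is older than $key; re-run ./example.sh"
    fi
    # Step 2 must have copied both files, not just one of them.
    cmp -s "$key" "$l4t/sym2_t234.key" ||
        report "MISMATCH $l4t/sym2_t234.key differs from the generated key"
    cmp -s "$img" "$l4t/bootloader/eks_t234.img" ||
        report "MISMATCH $l4t/bootloader/eks_t234.img differs from the generated image"

    [ "$bad" -eq 0 ] && echo "OK       generated and staged key/image agree"
    return "$bad"
}

# Usage: sh check_key.sh GEN_DIR L4T_DIR
if [ "$#" -eq 2 ]; then
    check_custom_key "$1" "$2"
fi
```

The exit status is the number of problems found, so a zero status means the generated and staged files agree.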
      

Additional Recommendations:

  • Check Secure Boot Configuration: Ensure that Secure Boot is set up correctly and that keys are burned into the board if required.

  • Examine UART Logs: Review UART logs from boot to identify specific errors related to key extraction or image verification.

  • Update Documentation References: Follow any new updates or community feedback regarding successful configurations shared by other users who resolved similar issues.

Unresolved Aspects:

While many users have shared their experiences, some still face unresolved issues despite following suggested troubleshooting steps. Further investigation may be necessary regarding specific hardware configurations or firmware versions that could affect compatibility with custom encryption setups.
