Disk Encryption Issues on Jetson Orin Nano with Custom OEM Key

Issue Overview

Users are experiencing difficulties enabling disk encryption on the Jetson Orin Nano (custom board) with JetPack 5.1.2 without using Secure Boot or UEFI Secure Boot. The main problem occurs when attempting to use a custom OEM key for disk encryption after burning the fuse. Specifically, users encounter an error message during boot: "ERROR: fail to unlock the encrypted dev /dev/nvme0n1p3" when using ROOTFS_AB=1 and ROOTFS_ENC=1.

The issue appears to be related to key generation and fuse burning processes, particularly when transitioning from default keys to custom OEM keys. Users can successfully encrypt the disk using default keys from example.sh, but face problems when attempting to use their own generated OEM keys.

Possible Causes

  1. Incorrect Key Generation: The process of generating custom OEM keys may be flawed, leading to incompatibility with the disk encryption system.

  2. Fuse Burning Mismatch: There might be a discrepancy between the OEM key used for fuse burning and the key used for disk encryption.

  3. Configuration Errors: Mistakes in the configuration files or command parameters during the flashing process could lead to encryption failures.

  4. Incompatibility Issues: The custom board or specific hardware configuration might have compatibility issues with the disk encryption process.

  5. Software Bugs: There could be bugs in the JetPack 5.1.2 software or the disk encryption implementation for custom OEM keys.

Troubleshooting Steps, Solutions & Fixes

  1. Verify OEM Key Usage:

    • Ensure that the same OEM key used for burning the fuse is also used for creating the disk encryption key.
    • Double-check that you’re not accidentally using the default OEM key for fuse burning.
  2. Key Generation Process:

    • Follow the official Nvidia documentation for disk encryption key generation.

    • Use the following commands to write the OEM key (the contents of OemK1.key) into a fuse.xml configuration. The closing tag is required, otherwise the fuse tooling cannot parse the file:

      # OemK1.key holds the 32-byte OEM_K1 key as 64 hexadecimal characters, without a 0x prefix (as in example.sh)
      echo "<genericfuse MagicId=\"0x45535546\" version=\"1.0.0\">" > fuse.xml
      echo "  <fuse name=\"OemK1\" size=\"32\" value=\"0x$(cat OemK1.key)\"/>" >> fuse.xml
      echo "</genericfuse>" >> fuse.xml
      
  3. Fuse Burning:

    • Use the following command to burn the fuse with the generated OEM key. Note that --test is a dry run that burns nothing; the fuse is only programmed when the command is run without it, and fuses are one-time programmable, so check the value in fuse.xml before doing so:

      sudo ./odmfuse.sh --test -i 0x23 -X fuse.xml jetson-orin-nano-devkit
      
  4. Key File Creation:

    • Create the necessary key files with your custom values:

      # Each file holds one key as a hexadecimal string of the same length as the
      # corresponding line in example.sh; do not reuse the example values.
      # sym2_t234.key is the disk-encryption key later passed with -i in the flashing step.
      echo "your_custom_value" > fv_ekb_t234
      echo "your_custom_value" > sym_t234.key
      echo "your_custom_value" > sym2_t234.key
      
  5. Generate EKS Image:

    • Use the following command to generate the EKS image with your custom OEM key:

      python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py -chip t234 -oem_k1_key OemK1.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img
      
  6. Flashing Process:

    • Use the following commands for the flashing process:

      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
      
      sudo ROOTFS_AB=1 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml -S 30GiB --external-only --append --network usb0 jetson-orin-nano-devkit external
      
      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
      
  7. Check for Similar Issues:

    • Review the thread on "SecureBoot and Encrypted RootFs" in the NVIDIA Developer Forums, as it may contain relevant information for resolving this issue.
  8. Verify Hardware Compatibility:

    • Ensure that your custom board is fully compatible with the Jetson Orin Nano disk encryption process.
  9. Update JetPack:

    • Consider updating to the latest version of JetPack if available, as it may contain fixes for disk encryption issues.
  10. Consult NVIDIA Support:

    • If the issue persists after trying these steps, consider reaching out to NVIDIA support or posting a detailed description of your problem, including full flash logs and boot logs, on the NVIDIA Developer Forums.
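The root cause this article keeps circling back to is a mismatch between the OEM_K1 value burned into the fuse and the OemK1.key file handed to gen_ekb.py. The following script is an added example, not NVIDIA's tooling and not part of the original post: it generates the key files from /dev/urandom, writes a well-formed fuse.xml, and compares the OemK1 value in that fuse.xml against the key file before anything is burned or flashed. It assumes (my assumptions, not stated on the page) that key files hold one hex string per line as in example.sh, that fuse.xml carries the value with a 0x prefix, and that OEM_K1 is 32 bytes (size="32"). Function names are mine.

```shell
#!/bin/sh
# Added example: generate the key files, write fuse.xml, and verify that the
# OEM_K1 value in fuse.xml matches OemK1.key before burning or running gen_ekb.py.
# Assumptions (not from the page): key files are one hex string per line as in
# example.sh; fuse.xml values carry a 0x prefix; OEM_K1 is 32 bytes (size="32").

# gen_hex_key BYTES FILE: write BYTES random bytes to FILE as lowercase hex.
gen_hex_key() {
    bytes=$1; out=$2
    head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n' > "$out"
    echo >> "$out"
}

# is_hex_of_bytes FILE BYTES: succeed only if FILE holds exactly BYTES*2 hex digits.
is_hex_of_bytes() {
    hex=$(tr -d '[:space:]' < "$1" | tr 'A-F' 'a-f')
    want=$(( $2 * 2 ))
    [ "${#hex}" -eq "$want" ] && [ -z "$(printf '%s' "$hex" | tr -d '0-9a-f')" ]
}

# write_fuse_xml KEYFILE OUT: emit the OemK1 fuse XML, including the closing tag.
write_fuse_xml() {
    key=$(tr -d '[:space:]' < "$1")
    {
        printf '<genericfuse MagicId="0x45535546" version="1.0.0">\n'
        printf '  <fuse name="OemK1" size="32" value="0x%s"/>\n' "$key"
        printf '</genericfuse>\n'
    } > "$2"
}

# fuse_xml_oemk1 FILE: print the OemK1 value from FILE, lowercase, without the 0x prefix.
fuse_xml_oemk1() {
    v=$(sed -n 's/.*name="OemK1"[^>]*value="\([^"]*\)".*/\1/p' "$1")
    printf '%s\n' "${v#0x}" | tr 'A-F' 'a-f'
}

# check_oem_key_matches FUSE_XML KEYFILE: succeed only if both carry the same 32-byte key.
# This is the check to run before odmfuse.sh and before gen_ekb.py.
check_oem_key_matches() {
    is_hex_of_bytes "$2" 32 || { echo "$2 is not 32 bytes of hex" >&2; return 1; }
    fused=$(fuse_xml_oemk1 "$1")
    ekb=$(tr -d '[:space:]' < "$2" | tr 'A-F' 'a-f')
    [ -n "$fused" ] && [ "$fused" = "$ekb" ]
}

# Demo in a scratch directory so nothing in the flashing tree is touched.
demo() {
    d=$(mktemp -d)
    gen_hex_key 32 "$d/OemK1.key"
    write_fuse_xml "$d/OemK1.key" "$d/fuse.xml"
    if check_oem_key_matches "$d/fuse.xml" "$d/OemK1.key"; then
        echo "fuse.xml and OemK1.key agree"
    else
        echo "MISMATCH: do not burn the fuse" >&2
    fi
    rm -rf "$d"
}

demo
```

In a real flashing tree, run check_oem_key_matches fuse.xml OemK1.key from the Linux_for_Tegra directory against the exact files you will pass to odmfuse.sh and gen_ekb.py; if it fails, the EKS image would be wrapped with a key the fused device does not hold, which is consistent with the unlock failure reported during boot.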

Remember to always backup your data before attempting disk encryption or making significant changes to your system configuration.
