Implementing Password-Protected LUKS Full Disk Encryption on Jetson Orin Nano

Issue Overview

Users are experiencing difficulties in implementing a password-protected Full Disk Encryption (FDE) using LUKS (Linux Unified Key Setup) on the Jetson Orin Nano series. While encryption can be set up using provided samples, the device auto-decrypts on boot without prompting for a user-generated password. This defeats the purpose of encryption, as anyone can power on the device and access its contents without authentication. Additionally, there are challenges in integrating hardware keys (like YubiKey) for decryption during login.

Possible Causes

  1. Default configuration: The current setup may be designed for automatic decryption without user intervention.
  2. Incorrect implementation: The encryption process might not be properly configured to require a password at boot.
  3. Missing or incorrect crypttab entries: The /etc/crypttab file may be empty or improperly configured.
  4. Incompatibility with hardware keys: The current implementation may not support or correctly integrate with hardware key solutions like YubiKey.
  5. Outdated or incompatible software versions: The issue might be related to specific versions of the Jetson Linux package or OPTEE samples.

Troubleshooting Steps, Solutions & Fixes

  1. Update to the latest Secure Samples:

    • Refer to the current Secure Samples 4 documentation for the most up-to-date implementation guidelines.
  2. Use the correct public sources:

    • Download the correct public sources for r35.4.1 from the NVIDIA Developer website:
      https://developer.nvidia.com/embedded/jetson-linux-r3541
      
  3. Modify the LUKS service:

    • Locate and modify the luks-srv-ca sample in the OP-TEE trusted application.
    • This application is invoked during the boot process to unlock the drive.
    • Modify it to prompt for a user password instead of unlocking the drive automatically.
  4. Understand key storage:

    • Keys are stored in the EKB (Encrypted Key Blob).
    • Check the developer guide for information on jetson_user_key_pta for root key derivation from key slots.
  5. Generate LUKS passphrase:

    • Use the provided Python script to reproduce on the host the same LUKS passphrase that the device derives:
      $public_sources/r35.4.1/atf_and_optee/optee/samples/luks-srv/host/tool/gen_luks_passphrase
      
  6. Modify the encryption process:

    • Follow these steps to set up encryption with potential modifications for password prompting:

      wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/jetson_linux_r35.4.1_aarch64.tbz2
      tar xvf jetson_linux_r35.4.1_aarch64.tbz2
      wget https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v4.1/release/tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2
      sudo tar xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs/
      wget https://developer.nvidia.com/embedded/l4t/r35_release_v1.0/sources/public_sources.tbz2
      tar xvf public_sources.tbz2
      cd Linux_for_Tegra/source/public/
      tar xvf nvidia-jetson-optee-source.tbz2
      cd ./optee/samples/hwkey-agent/host/tool/gen_ekb/
      sudo chmod +x example.sh && ./example.sh
      cd ../../../../../../../../../Linux_for_Tegra/
      cp source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/*.key ./
      sudo chmod +x apply_binaries.sh && sudo ./apply_binaries.sh
      
    • Modify NUM_SECTORS in ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml (use 900000000 for a 500GiB Drive)

    • Put Jetson Orin Nano Devkit into recovery mode and run:

      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
      
      sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 300GiB --external-only --append --network usb0 jetson-orin-nano-devkit external
      
      sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
      
  7. Integrate hardware key (YubiKey):

    • Follow the tutorial at https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/
    • If /etc/crypttab is empty, manually add the necessary configuration line.
    • Ensure the configuration is correct and recognized by the system.
  8. Debugging auto-decryption:

    • If the system still auto-decrypts regardless of YubiKey presence, review the boot process and LUKS configuration.
    • Check for any overriding settings in the boot loader or initramfs that might bypass the password prompt.
  9. Consult NVIDIA Developer Forums:

    • For persistent issues or more specific guidance, consider posting detailed questions on the NVIDIA Developer Forums, providing information about your exact setup and the steps you’ve already taken.
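Steps 7 and 8 come down to one question: does every mapping in /etc/crypttab require the user to be present at boot? The script below is an added example (not NVIDIA's or the linked tutorial's code) that audits a crypttab file and flags entries that unlock from a key file without a passphrase; the UUIDs, device paths and the keyscript path in the constructed sample are placeholders.

```shell
#!/bin/bash
# Added example: audit a crypttab file for mappings that unlock at boot
# without asking the user for a passphrase.
# crypttab line format: <name> <device> <keyfile|none> <options>

# Print one tagged line per mapping: PROMPT, SWAP or AUTO. Always returns 0.
audit_crypttab() {
    local file="$1" name dev key opts
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$key" in
            none|-)
                # A keyscript (e.g. a YubiKey challenge-response helper) still
                # needs the user at the console, so it counts as a prompt.
                case ",$opts," in
                    *,keyscript=*) printf 'PROMPT  %s -> %s (via keyscript)\n' "$name" "$dev" ;;
                    *)             printf 'PROMPT  %s -> %s (passphrase at boot)\n' "$name" "$dev" ;;
                esac ;;
            /dev/urandom|/dev/random)
                printf 'SWAP    %s -> %s (fresh random key, swap only)\n' "$name" "$dev" ;;
            *)
                # A key file on disk means whoever can boot the device gets the data.
                printf 'AUTO    %s -> %s unlocks with key file %s, no passphrase\n' "$name" "$dev" "$key" ;;
        esac
    done < "$file"
    return 0
}

# Number of mappings that unlock without user interaction (0 is the goal).
count_auto_unlock() {
    audit_crypttab "$1" | grep -c '^AUTO' || true
}

# Constructed sample crypttab; UUIDs and paths are placeholders, not real values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name>  <device>                                   <key>               <options>
cryptroot UUID=00000000-0000-0000-0000-000000000001 none                luks,discard
cryptswap /dev/nvme0n1p3                             /dev/urandom        swap,cipher=aes-xts-plain64,size=256
cryptdata /dev/nvme0n1p4                             /etc/keys/data.key  luks
ykroot    UUID=00000000-0000-0000-0000-000000000002 none                luks,keyscript=/path/to/ykluks-keyscript
EOF

audit_crypttab "$sample"
echo "mappings that auto-unlock: $(count_auto_unlock "$sample")"
rm -f "$sample"
```

Run it against the real file with `audit_crypttab /etc/crypttab`; on the Jetson flow the unlock may also happen in the initrd outside crypttab, so an empty file or a count of 0 is necessary but not sufficient.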
