Is it feasible to replace rootfs before encrypting Orin NX, and are my steps correct?

Please use the template below to ask your question (tick the corresponding options after creating the topic):
Jetson module
Jetson Orin NX

Jetson software
JetPack 6.2

Problem description

I want to replace the rootfs under Linux_for_Tegra (copied from the NVMe of another working Orin NX board) before performing full-disk encryption on my Orin NX, then flash and encrypt the system. I need to know:

  1. Is this method feasible?
  2. Are my detailed steps below correct?

My full steps:

  1. Generate encryption keys

     cd Linux_for_Tegra

  2. Replace Linux_for_Tegra/rootfs with the rootfs copied from another Orin NX board's NVMe

  3. Generate 32-byte keys (sym2_t234.key)

     cd source/tegra/optee-src/nv-optee/optee/samples/hwkey-agent/host/tool/gen_ekb/
     openssl rand -hex 32 > sym_t234.key
     openssl rand -hex 16 > sym2_t234.key
     openssl rand -hex 16 > auth_t234.key
     openssl rand -hex 32 > oem_k1.key

     echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key

  4. Generate EKS image

     ./example.sh

     # Verify EKS header (EEKB)
     hexdump -C -n 4 -s 0x34 eks_t234.img

     # Copy files
     cp eks_t234.img /home/nvidia_jetson_orin_nx_Sources/Linux_for_Tegra/bootloader/
     cp sym2_t234.key /home/nvidia_jetson_orin_nx_Sources/Linux_for_Tegra/
     cd /home/nvidia_jetson_orin_nx_Sources/Linux_for_Tegra/

  5. Put Orin NX into RCM recovery mode

  6. Clean old images and signature files

     sudo rm -rf tools/kernel_flash/images/*
     sudo rm -rf bootloader/signed/*
     sudo rm -rf bootloader/flash.idx

  7. Generate QSPI image and signature files

     sudo ./tools/kernel_flash/l4t_initrd_flash.sh --erase-all --network usb0 \
       --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
       --no-flash jetson-orin-nano-devkit internal

     chmod +x bootloader -Rf

  8. Copy encrypted header files

     sudo cp bootloader/eks_t234_sigheader.img.encrypt ./tools/kernel_flash/images/internal/

  9. Generate encrypted rootfs image

     sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --erase-all --showlogs --no-flash \
       --external-device nvme0n1p1 \
       -i /home/nvidia_jetson_orin_nx_Sources/Linux_for_Tegra/sym2_t234.key \
       -S 230GiB -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
       --external-only --append --network usb0 jetson-orin-nano-devkit external

  10. Flash images

     sudo ./tools/kernel_flash/l4t_initrd_flash.sh --erase-all --network usb0 --showlogs --flash-only

My actual result:

  • System can boot
  • But some drivers fail and system services are abnormal
  • TEE / fTPM errors appear
  • sudo permission broken

Please help check:

  • Is replacing rootfs before encryption supported?
  • Which step is wrong?
  • How to fix driver/service issues after encryption?
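A pre-flight check for the procedure in the post above, added here as an example; it is not part of the original post and not NVIDIA's tooling. It assumes the gen_ekb key-file layout the post's commands produce (one hex string per file, with the byte counts those openssl invocations give: 32/16/16/32), the "EEKB" tag at offset 0x34 that the post's hexdump command looks for, and that a usable rootfs copy keeps usr/bin/sudo owned by uid 0 with the setuid bit set (sudo refuses to run otherwise, and a plain cp -r as a normal user drops both). The directory tree the demo builds under mktemp is constructed sample data; the sudo check there is run against the current uid only because the demo does not run as root, so pass 0 when checking a real rootfs.

```sh
#!/bin/sh
# Pre-flight checks for the replace-rootfs-then-encrypt flash procedure.
# Added example, not NVIDIA tooling. Assumptions: key files hold one hex
# string each (gen_ekb layout, sizes as the post's openssl commands make them),
# eks_t234.img carries "EEKB" at 0x34 (the post's hexdump check), and
# usr/bin/sudo in the rootfs must stay root-owned and setuid.

# hex_key_bytes FILE: print how many bytes the hex file encodes; fail if it
# is empty, has an odd number of digits, or contains non-hex characters.
hex_key_bytes() {
    hex=$(tr -d '\n\r' < "$1")
    case "$hex" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    echo $(( ${#hex} / 2 ))
}

# check_key FILE EXPECTED_BYTES: succeed only for exactly that many key bytes.
check_key() {
    n=$(hex_key_bytes "$1") || { echo "FAIL $1: not a hex key" >&2; return 1; }
    [ "$n" -eq "$2" ] || { echo "FAIL $1: $n bytes, expected $2" >&2; return 1; }
}

# eks_magic FILE: the 4-byte tag at offset 0x34, what "hexdump -n 4 -s 0x34" shows.
eks_magic() {
    dd if="$1" bs=1 skip=52 count=4 2>/dev/null
}

# check_sudo_binary ROOTFS UID: usr/bin/sudo must be setuid and owned by UID
# (0 on a real rootfs). A copy that lost ownership or mode fails here.
check_sudo_binary() {
    f="$1/usr/bin/sudo"
    [ -u "$f" ] || { echo "FAIL $f: setuid bit missing" >&2; return 1; }
    [ -n "$(find "$f" -maxdepth 0 -user "$2" 2>/dev/null)" ] \
        || { echo "FAIL $f: not owned by uid $2" >&2; return 1; }
}

# preflight L4T_DIR GEN_EKB_DIR UID: every check the flash steps depend on.
preflight() {
    ok=0
    check_key "$2/sym_t234.key" 32 || ok=1
    check_key "$2/sym2_t234.key" 16 || ok=1
    check_key "$2/auth_t234.key" 16 || ok=1
    check_key "$2/oem_k1.key" 32 || ok=1
    [ "$(eks_magic "$2/eks_t234.img")" = "EEKB" ] \
        || { echo "FAIL eks_t234.img: no EEKB tag at 0x34" >&2; ok=1; }
    # The copies made in step 4 must match what gen_ekb produced.
    cmp -s "$2/sym2_t234.key" "$1/sym2_t234.key" \
        || { echo "FAIL Linux_for_Tegra/sym2_t234.key differs from gen_ekb copy" >&2; ok=1; }
    cmp -s "$2/eks_t234.img" "$1/bootloader/eks_t234.img" \
        || { echo "FAIL bootloader/eks_t234.img differs from gen_ekb copy" >&2; ok=1; }
    check_sudo_binary "$1/rootfs" "$3" || ok=1
    return $ok
}

# build_sample_tree: constructed sample data standing in for a real checkout.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/gen_ekb" "$d/l4t/bootloader" "$d/l4t/rootfs/usr/bin"
    h16=0123456789abcdef0123456789abcdef              # 16 bytes of hex
    printf '%s\n' "$h16$h16" > "$d/gen_ekb/sym_t234.key"   # 32 bytes
    printf '%s\n' "$h16"     > "$d/gen_ekb/sym2_t234.key"  # 16 bytes
    printf '%s\n' "$h16"     > "$d/gen_ekb/auth_t234.key"  # 16 bytes
    printf '%064d\n' 0       > "$d/gen_ekb/oem_k1.key"     # all-zero, as in the post
    { head -c 52 /dev/zero; printf 'EEKB'; head -c 12 /dev/zero; } > "$d/gen_ekb/eks_t234.img"
    cp "$d/gen_ekb/eks_t234.img" "$d/l4t/bootloader/"
    cp "$d/gen_ekb/sym2_t234.key" "$d/l4t/"
    : > "$d/l4t/rootfs/usr/bin/sudo"
    chmod 4755 "$d/l4t/rootfs/usr/bin/sudo"
    echo "$d"
}

SAMPLE=$(build_sample_tree)
# Current uid here only because the demo is not root; use 0 on a real rootfs.
if preflight "$SAMPLE/l4t" "$SAMPLE/gen_ekb" "$(id -u)"; then
    echo "preflight OK"
else
    echo "preflight FAILED"
fi
```

Run it against the real checkout as `preflight /path/to/Linux_for_Tegra /path/to/gen_ekb 0` before step 5; a FAIL on the sudo line means the rootfs copy lost ownership or mode bits and will not become usable by encrypting it.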