Support for LUKS encryption via initrd flashing on Orin AGX / scarthgap

[jpeeee]

It looks like the initrd-flash script in the tegraflash generated via meta-tegra currently does not support LUKS partition encryption.

I was wondering if there was any plan to add support for it or if there is a reason why it cannot / won't be done?

I'm looking for a solution to program devices in factory so that I end-up with encrypted rootfs + user partitions that will also allow me to support OTA updates.

Nvidia documents their solution here which consists of:

1. generating an encrypted partition with a generic key,
2. program all devices with that same encrypted rootfs
3. on first boot, their initrd init script replaces the generic key with a per-device unique key

This is implemented by Nvidia via tools/kernel_flash/l4t_initrd_flash.sh and option "ROOTFS_ENC=1".

I have also come across this repo, which encrypts the rootfs on the device itself on first boot.
Is this the preferred solution in the meta-tegra community for LUKS encryption, and hence the reason for not supporting the initrd-flash/ROOTFS_ENC?

[dwalkes]

@jpeeee you may want to check out the OE4T meeting from this week, notes and video at https://github.com/OE4T/meta-tegra/wiki/OE4T-Meeting-Notes-2024%E2%80%9010%E2%80%9010, which included a discussion about disk encryption. You may also checkout this ELC presentation if you haven't seen it already which goes over some different approaches and tradeoffs.

[jpeeee]

@dwalkes thanks for the reply. I did come across the "on-device" solution and have prototyped a version of it. Am I right in thinking that this is the solution used and discussed by Chad McQuillen during the OE4T meeting from last week? Am I also right in thinking that there is currently no plans to support Nvidia's "masslfash" for encrypted rootfs? If so, this is something we may look into contributing if we end-up trying to use it, but I don't want to reinvent the wheel...

[dwalkes]

I did come across the "on-device" solution and have prototyped a version of it. Am I right in thinking that this is the solution used and discussed by Chad McQuillen during the OE4T meeting from last week?

I believe so, but don't know much more about it other than what was shared last week.

Am I also right in thinking that there is currently no plans to support Nvidia's "masslfash" for encrypted rootfs?

I don't know of anyone working on this myself.

If so, this is something we may look into contributing if we end-up trying to use it

More public examples of anything encryption related would be a good thing as far as I'm concerned.

[Lexmark-chad]

Yes, tegra-test-distro and the referenced presentation is what we were working from. We have a working solution now and are tidying up loose-ends.