Partition Layout
Jetson Linux provides a reference implementation of disk encryption that fulfills the security requirements of many use cases. If your use case’s requirements are different, you can modify the reference implementation or use it as a model for implementing your own.
Layout of an Encrypted Disk
Because Bootloader cannot read encrypted files, disk encryption
requires Jetson Linux to divide a "naive" system's single APP partition in two:
The unencrypted APP partition contains the /boot branch of the file system, including the kernel, DTB, and initrd images, which Bootloader must be able to read.
A new, encrypted APP_ENC partition contains the rest of the file system, which is unlocked only after the kernel and initrd are running.
The following is an example of the APP partition definition for a system on
which disk encryption is not enabled. You can find a definition like
this one in the Jetson Linux BSP partition configuration files; for example,
Linux_for_Tegra/bootloader/generic/cfg/flash_t234_qspi_sdmmc.xml for booting from SDMMC memory or
Linux_for_Tegra/tools/kernel_flash/flash_l4t_t264_nvme.xml for booting from NVMe for an
NVIDIA® Jetson™ series device:
<partition name="APP" type="data">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> APPSIZE </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x808 </allocation_attribute>
<align_boundary> 16384 </align_boundary>
<percent_reserved> 0 </percent_reserved>
<unique_guid> APPUUID </unique_guid>
<filename> APPFILE </filename>
<description> **Required.** Contains the rootfs. This partition must be assigned
the "1" for id as it is physically put to the end of the device, so that it
can be accessed as the fixed known special device `/dev/mmcblk0p1`. </description>
</partition>
The following is an example of the APP and APP_ENC partition definitions for a system on
which disk encryption is enabled. You can find a definition like this one in the Jetson Linux BSP partition
configuration files; for example, Linux_for_Tegra/bootloader/generic/cfg/flash_t234_qspi_sdmmc_enc_rfs.xml for the Jetson AGX Orin device or Linux_for_Tegra/tools/kernel_flash/flash_l4t_t264_nvme_rootfs_enc.xml for the Jetson Thor device:
<partition name="APP" id="1" type="data">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> 419430400 </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x8 </allocation_attribute>
<percent_reserved> 0 </percent_reserved>
<align_boundary> 16384 </align_boundary>
<unique_guid> APPUUID </unique_guid>
<filename> system_boot.img </filename>
<description> **Required.** Contains the boot partition. This partition must be defined
after `primary_GPT` so that it can be accessed as the fixed known special device
`/dev/mmcblk0p1`. </description>
</partition>
<partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> APP_ENC_SIZE </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x8 </allocation_attribute>
<percent_reserved> 0 </percent_reserved>
<align_boundary> 16384 </align_boundary>
<unique_guid> APP_ENC_UUID </unique_guid>
<filename> system_root_encrypted.img </filename>
<description> **Required.** Contains the encrypted root partition ("/"). </description>
</partition>
Notice that the <size> element of APP specifies an actual number, but
the <size> element of APP_ENC specifies a symbol, APP_ENC_SIZE. Later,
the value of APP_ENC_SIZE must be calculated by subtracting the size of
APP from the total rootfs size.
Each partition’s <filename> element specifies the actual file name of
the appropriate disk image (not a symbol that is resolved to the file
name during flashing).
The partitions’ <unique_guid> elements specify the partitions’ UUIDs,
APPUUID and APP_ENC_UUID respectively. Both symbols are translated to
real UUID numbers by the image generation process.
The APP_ENC partition’s encrypted attribute indicates that the partition
is encrypted.
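As an added example (not code from the Jetson Linux BSP or its flash tools), the following Python script parses partition definitions in the layout-file format shown above, resolves APP_ENC_SIZE the way the text describes (total rootfs size minus the APP size), and rejects a layout that breaks the stated invariants: APP must carry id "1", APP_ENC must be marked encrypted, and every resolved size must be a multiple of its align_boundary. The sample layout is constructed from the two definitions above with the description elements omitted; the function names and the symbols mapping are assumptions made for this example.

```python
"""Resolve and sanity-check a Jetson Linux APP/APP_ENC partition layout.

Added example, not part of the Jetson Linux BSP. Function names, the
`symbols` mapping and the sample layout below are assumptions for this
example only.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the APP and APP_ENC definitions from the page, wrapped
# in a minimal root element so that the snippet parses stand-alone.
SAMPLE_LAYOUT = """<partition_layout>
<partition name="APP" id="1" type="data">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> 419430400 </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x8 </allocation_attribute>
<percent_reserved> 0 </percent_reserved>
<align_boundary> 16384 </align_boundary>
<unique_guid> APPUUID </unique_guid>
<filename> system_boot.img </filename>
</partition>
<partition name="APP_ENC" id="2" type="data" encrypted="true" reencrypt="false">
<allocation_policy> sequential </allocation_policy>
<filesystem_type> basic </filesystem_type>
<size> APP_ENC_SIZE </size>
<file_system_attribute> 0 </file_system_attribute>
<allocation_attribute> 0x8 </allocation_attribute>
<percent_reserved> 0 </percent_reserved>
<align_boundary> 16384 </align_boundary>
<unique_guid> APP_ENC_UUID </unique_guid>
<filename> system_root_encrypted.img </filename>
</partition>
</partition_layout>
"""


def _text(part, tag):
    """Return the stripped text of a child element, or None if it is absent."""
    node = part.find(tag)
    return node.text.strip() if node is not None and node.text else None


def resolve_layout(xml_text, total_rootfs_size, symbols=None):
    """Parse a layout and return {name: info} with every <size> resolved to an int.

    Numeric sizes are used as-is, APP_ENC_SIZE is computed as
    total_rootfs_size - size(APP), and any other symbol (for example APPSIZE
    in the unencrypted layout) must be supplied through `symbols`.
    Raises ValueError when the layout violates the documented invariants.
    """
    symbols = dict(symbols or {})
    parts = {}
    for part in ET.fromstring(xml_text).iter("partition"):
        parts[part.get("name")] = {
            "id": part.get("id"),
            "encrypted": part.get("encrypted") == "true",
            "size_raw": _text(part, "size"),
            "align": int(_text(part, "align_boundary") or "1", 0),
            "filename": _text(part, "filename"),
            "guid": _text(part, "unique_guid"),
        }
    if "APP" not in parts:
        raise ValueError("layout has no APP partition")

    def resolve(name, raw):
        # Accept decimal or 0x-prefixed literals, otherwise look up the symbol.
        if raw is None:
            raise ValueError(f"{name}: missing <size>")
        if raw.isdigit() or raw.lower().startswith("0x"):
            return int(raw, 0)
        if raw in symbols:
            return int(symbols[raw])
        raise ValueError(f"{name}: unresolved size symbol {raw!r}")

    app = parts["APP"]
    app_size = resolve("APP", app["size_raw"])  # APP must be resolvable first
    if "APP_ENC" in parts:
        if app["id"] != "1":
            raise ValueError('APP must have id="1" so that it is /dev/mmcblk0p1')
        if not parts["APP_ENC"]["encrypted"]:
            raise ValueError('APP_ENC must be marked encrypted="true"')
        if app_size >= total_rootfs_size:
            raise ValueError("APP is not smaller than the total rootfs size")
        # The rest of the rootfs goes to the encrypted partition.
        symbols.setdefault("APP_ENC_SIZE", total_rootfs_size - app_size)

    for name, info in parts.items():
        size = resolve(name, info["size_raw"])
        if size % info["align"]:
            raise ValueError(f"{name}: size {size} not a multiple of {info['align']}")
        info["size"] = size
    return parts


if __name__ == "__main__":
    # Constructed total: APP plus 100 alignment units for APP_ENC.
    for name, info in resolve_layout(SAMPLE_LAYOUT, 421068800).items():
        print(name, info["id"], info["size"], info["filename"], info["encrypted"])
```

Run it against a real layout file by passing the file contents and the rootfs size the flash tool would otherwise compute; the ValueError messages name the invariant that was violated, which is the check to run before committing a hand-edited layout.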
With the new partition layout, new parameters are needed in the board
configuration file to enable disk encryption and apply the new partition
layout file. Use the appropriate board configuration file for your
device; for example, Linux_for_Tegra/p3737-0000-p3701-0000.conf for the Jetson AGX
Orin Developer Kit. When ROOTFS_ENC is set in the flash
command line, the disk_enc_enable setting indicates that disk encryption is enabled,
and EMMC_CFG identifies the partition layout file to use:
disk_enc_enable=1;
EMMC_CFG=flash_l4t_t234_qspi_sdmmc_enc_rfs.xml;
For a Jetson AGX Thor Developer Kit, use Linux_for_Tegra/p3834-0008-p4071-0000-nvme.conf.
When ROOTFS_ENC is set in the flash command line, the disk_enc_enable
setting indicates that disk encryption is enabled, and EXTERNAL_PT_LAYOUT
identifies the partition layout file to use:
disk_enc_enable=1;
EXTERNAL_PT_LAYOUT="tools/kernel_flash/flash_l4t_t264_nvme_rootfs_enc.xml";
The flash tool uses the board configuration file to generate file system images and flash them onto the device.