jetson-orin: add generic LUKS flash flow for upstream 6.6 targets

vadika · vadika · commit 9bcd9be376d7 · 2026-02-17T11:58:21.000Z
Add opt-in Orin disk encryption targets that reencrypt APP with a shared passphrase during legacy flashing, wire initrd LUKS root mapping, and enable required dm-crypt/device-mapper kernel config for upstream-6-6. Update build docs and target matrix to use the correct flash entrypoint for LUKS targets.

Signed-off-by: vadik likholetov &lt;vadikas@gmail.com&gt;
diff --git a/docs/src/content/docs/ghaf/dev/ref/build_and_run.mdx b/docs/src/content/docs/ghaf/dev/ref/build_and_run.mdx
@@ -90,6 +90,9 @@ This is the primary reference device for Ghaf on AArch64 architecture, built usi
    # For 32GB AGX version (cross-compiled):
    nix build .#nvidia-jetson-orin-agx-debug-from-x86_64-flash-script
 
+   # For 32GB AGX with generic LUKS passphrase rootfs encryption:
+   nix build .#nvidia-jetson-orin-agx-debug-luks-from-x86_64-flash-script
+
    # For 64GB AGX version (cross-compiled):
    nix build .#nvidia-jetson-orin-agx64-debug-from-x86_64-flash-script
    ```
@@ -107,6 +110,16 @@ This is the primary reference device for Ghaf on AArch64 architecture, built usi
    sudo ./flash.sh
    ```
 
+   For `*-luks-*` targets, use the legacy flashing entrypoint so rootfs can be
+   encrypted before APP is written:
+
+   ```sh
+   sudo ./result/bin/flash-ghaf-host
+   ```
+
+   This prompts for a shared LUKS passphrase, encrypts the extracted root image,
+   and then flashes it. On boot, initrd prompts for the same passphrase.
+
 ## Alternative Build Targets
 
 ## Virtual Machine (For Testing)
diff --git a/docs/src/content/docs/ghaf/dev/ref/cross_compilation.mdx b/docs/src/content/docs/ghaf/dev/ref/cross_compilation.mdx
@@ -24,6 +24,7 @@ The NVIDIA Jetson family represents Ghaf's primary AArch64 platform with full cr
 ```sh
 # Debug variants
 nix build .#nvidia-jetson-orin-agx-debug-from-x86_64
+nix build .#nvidia-jetson-orin-agx-debug-luks-from-x86_64
 nix build .#nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64
 
 # Release variants
@@ -32,6 +33,7 @@ nix build .#nvidia-jetson-orin-agx-release-nodemoapps-from-x86_64
 
 # Flash script generation
 nix build .#nvidia-jetson-orin-agx-debug-from-x86_64-flash-script
+nix build .#nvidia-jetson-orin-agx-debug-luks-from-x86_64-flash-script
 ```
 
 #### Jetson AGX Orin (64GB)
diff --git a/modules/reference/hardware/jetpack/nvidia-jetson-orin/jetson-orin.nix b/modules/reference/hardware/jetpack/nvidia-jetson-orin/jetson-orin.nix
@@ -48,6 +48,22 @@ in
       type = types.str;
       default = "bsp-default";
     };
+
+    diskEncryption = {
+      enable = mkEnableOption "generic LUKS root filesystem encryption for eMMC APP partition";
+
+      mode = mkOption {
+        description = "Disk encryption mode for Jetson root filesystem";
+        type = types.enum [ "generic-luks-passphrase" ];
+        default = "generic-luks-passphrase";
+      };
+
+      mapperName = mkOption {
+        description = "Mapped device name used by initrd after LUKS unlock";
+        type = types.str;
+        default = "cryptroot";
+      };
+    };
   };
 
   config = mkIf cfg.enable {
@@ -85,7 +101,73 @@ in
             VIRTIO_VSOCKETS_COMMON = yes;
           };
         }
+      ]
+      ++ lib.optionals (cfg.diskEncryption.enable && cfg.kernelVersion == "upstream-6-6") [
+        {
+          name = "dm-crypt-config";
+          patch = null;
+          structuredExtraConfig = with lib.kernel; {
+            BLK_DEV_DM = yes;
+            DM_BUFIO = yes;
+            DM_BIO_PRISON = yes;
+            DM_CRYPT = yes;
+            CRYPTO_USER_API = yes;
+            CRYPTO_USER_API_HASH = yes;
+            CRYPTO_USER_API_SKCIPHER = yes;
+            CRYPTO_XTS = yes;
+          };
+        }
       ];
+
+    };
+
+    boot.initrd = mkIf cfg.diskEncryption.enable {
+      # Keep module selection aligned with the Orin JetPack baseline and avoid
+      # requesting dm-crypt as a loadable module for upstream-6-6.
+      availableKernelModules = lib.mkForce [
+        "xhci-tegra"
+        "ucsi_ccg"
+        "typec_ucsi"
+        "typec"
+        "nvme"
+        "tegra_mce"
+        "phy-tegra-xusb"
+        "i2c-tegra"
+        "fusb301"
+        "phy_tegra194_p2u"
+        "pcie_tegra194"
+        "nvpps"
+        "nvethernet"
+      ];
+      kernelModules = lib.mkForce [ ];
+      # algif_skcipher is not available with the upstream-6-6 kernel variant
+      # used by current Orin reference targets.
+      luks.cryptoModules = lib.mkForce [
+        "aes"
+        "aes_generic"
+        "cbc"
+        "xts"
+        "sha1"
+        "sha256"
+        "sha512"
+        "af_alg"
+      ];
+      luks.devices.${cfg.diskEncryption.mapperName} = {
+        device = "/dev/mmcblk0p1";
+        allowDiscards = true;
+      };
+
+      systemd.services."systemd-cryptsetup@${cfg.diskEncryption.mapperName}".after = [
+        "initrd-root-device.target"
+        "cryptsetup.target"
+      ];
+    };
+
+    fileSystems = mkIf cfg.diskEncryption.enable {
+      "/" = lib.mkForce {
+        device = "/dev/mapper/${cfg.diskEncryption.mapperName}";
+        fsType = "ext4";
+      };
     };
 
     services.nvpmodel = {
diff --git a/modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix b/modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix
@@ -133,6 +133,7 @@ let
     runtimeInputs = [
       pkgs.pkgsBuildBuild.zstd
       pkgs.pkgsBuildBuild.gnused
+      pkgs.pkgsBuildBuild.cryptsetup
     ];
     text = ''
       echo "============================================================"
@@ -166,15 +167,69 @@ let
            bs=512 iseek="$ESP_OFFSET" count="$ESP_SIZE" status=progress
 
         echo "Extracting root partition..."
+        ROOT_IMAGE_PATH="$WORKDIR/bootloader/root.img"
+        ${lib.optionalString cfg.diskEncryption.enable ''
+          ROOT_IMAGE_PATH="$WORKDIR/bootloader/root.enc.img"
+        ''}
         dd if=<(pzstd -d "$img" -c) \
-           of="$WORKDIR/bootloader/root.img" \
+           of="$ROOT_IMAGE_PATH" \
            bs=512 iseek="$ROOT_OFFSET" count="$ROOT_SIZE" status=progress
 
+        ${lib.optionalString cfg.diskEncryption.enable ''
+          echo ""
+          echo "Generic LUKS rootfs encryption is enabled."
+          GHAF_SKIP_LUKS_ENCRYPTION=0
+
+          if [ -n "''${GHAF_LUKS_PASSPHRASE-}" ]; then
+            GHAF_LUKS_PASSPHRASE_CONFIRM="$GHAF_LUKS_PASSPHRASE"
+          elif [ -t 0 ] && [ -t 1 ]; then
+            while true; do
+              read -r -s -p "Enter shared LUKS passphrase: " GHAF_LUKS_PASSPHRASE
+              echo ""
+              read -r -s -p "Confirm shared LUKS passphrase: " GHAF_LUKS_PASSPHRASE_CONFIRM
+              echo ""
+
+              if [ -z "$GHAF_LUKS_PASSPHRASE" ]; then
+                echo "Passphrase cannot be empty."
+                continue
+              fi
+
+              if [ "$GHAF_LUKS_PASSPHRASE" != "$GHAF_LUKS_PASSPHRASE_CONFIRM" ]; then
+                echo "Passphrases do not match. Try again."
+                continue
+              fi
+
+              break
+            done
+          else
+            GHAF_SKIP_LUKS_ENCRYPTION=1
+            echo "Non-interactive environment without GHAF_LUKS_PASSPHRASE; skipping root image encryption."
+          fi
+
+          if [ "$GHAF_SKIP_LUKS_ENCRYPTION" -eq 0 ]; then
+            GHAF_LUKS_PASSPHRASE_FILE=$(mktemp "$WORKDIR/.luks-passphrase.XXXXXX")
+            chmod 600 "$GHAF_LUKS_PASSPHRASE_FILE"
+            printf '%s' "$GHAF_LUKS_PASSPHRASE" > "$GHAF_LUKS_PASSPHRASE_FILE"
+            unset GHAF_LUKS_PASSPHRASE GHAF_LUKS_PASSPHRASE_CONFIRM
+
+            echo "Encrypting extracted root image with LUKS2 ..."
+            cryptsetup reencrypt \
+              --encrypt \
+              --type luks2 \
+              --batch-mode \
+              --reduce-device-size $((16 * 1024 * 1024)) \
+              --key-file "$GHAF_LUKS_PASSPHRASE_FILE" \
+              "$ROOT_IMAGE_PATH"
+
+            rm -f "$GHAF_LUKS_PASSPHRASE_FILE"
+          fi
+        ''}
+
         echo ""
         echo "Patching flash.xml with image paths and sizes..."
         sed -i \
           -e "s#bootloader/esp.img#$WORKDIR/bootloader/esp.img#" \
-          -e "s#root.img#$WORKDIR/bootloader/root.img#" \
+          -e "s#root.img#$ROOT_IMAGE_PATH#" \
           -e "s#ESP_SIZE#$((ESP_SIZE * 512))#" \
           -e "s#ROOT_SIZE#$((ROOT_SIZE * 512))#" \
           flash.xml
diff --git a/targets/nvidia-jetson-orin/flake-module.nix b/targets/nvidia-jetson-orin/flake-module.nix
@@ -174,8 +174,27 @@ let
       package = hostConfiguration.config.system.build.ghafImage;
     };
 
+  generate-luks =
+    tgt:
+    tgt
+    // rec {
+      name = tgt.name + "-luks";
+      hostConfiguration = tgt.hostConfiguration.extendModules {
+        modules = [
+          {
+            ghaf.hardware.nvidia.orin.diskEncryption.enable = true;
+          }
+        ];
+      };
+      package = hostConfiguration.config.system.build.ghafImage;
+    };
+
   # Add nodemoapps targets
-  targets = target-configs ++ (map generate-nodemoapps target-configs);
+  targets =
+    target-configs
+    ++ (map generate-nodemoapps target-configs)
+    ++ (map generate-luks target-configs)
+    ++ (map (t: generate-luks (generate-nodemoapps t)) target-configs);
   crossTargets = map generate-cross-from-x86_64 targets;
 in
 {
@@ -191,7 +210,12 @@ in
         // builtins.listToAttrs (
           map (
             t:
-            lib.nameValuePair "${t.name}-flash-script" t.hostConfiguration.pkgs.nvidia-jetpack.legacyFlashScript
+            lib.nameValuePair "${t.name}-flash-script" (
+              if t.hostConfiguration.config.ghaf.hardware.nvidia.orin.diskEncryption.enable then
+                t.hostConfiguration.pkgs.nvidia-jetpack.legacyFlashScript
+              else
+                t.hostConfiguration.pkgs.nvidia-jetpack.flashScript
+            )
           ) crossTargets
         )
         // builtins.listToAttrs (
