topic Signing rootfs using cst for Secure boot on iMX8MP in i.MX Processors

Signing rootfs using cst for Secure boot on iMX8MP

gaurav_bankar — Thu, 30 Nov 2023 07:23:54 GMT

Hello,

I am trying to secure boot my custom iM8MP soc board. I have already secured uboot and kernel following the various documents provided. But I am having trouble extending the root of trust to rootfs. I am using wic file for kernel and rootfs. The filesystem type for rootfs is ext4.

Can I get the procedure to sign rootfs using csf and cst? Thank you.

Re: Signing rootfs using cst for Secure boot on iMX8MP

Harvey021 — Fri, 01 Dec 2023 09:21:37 GMT

I'd recommend i.MX Encrypted Storage Using CAAM Secure Keys (nxp.com)

Regards

Harvey

Re: Signing rootfs using cst for Secure boot on iMX8MP

Torylyrs — Fri, 01 Dec 2023 12:20:55 GMT

Securing the rootfs on your custom iM8MP SOC board involves creating a CSF file with commands to authenticate the rootfs, signing it using CST with your private key, and configuring your bootloader to use this signed CSF for authentication during the boot process. Ensure that the public key corresponding to your private key is properly embedded in your SOC's ROM or fused into the device during manufacturing.

Re: Signing rootfs using cst for Secure boot on iMX8MP

gaurav_bankar — Fri, 15 Dec 2023 07:06:47 GMT

Hello @Harvey021 ,

I am following your suggestion of using i.MX Encrypted Storage Using CAAM Secure Keys, rev 2.

I am following the document and made the necessary changes in the defconfig file to include CAAM and DM-crypt

# Enable DM-Crypt and its dependencies
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD=y
CONFIG_DM_CRYPT=y
CONFIG_DM_MULTIPATH=y
# Enable CAAM black key/blob driver and its dependencies (this is enabled, by default)
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y

I have also added

CONFIG_CRYPTO=y

I have made a build with the suggestions made in the document.

According to section 3.2 of AN12714 rev 2 the first point to make sure that cryptographic transformations using Tagged Key are registered. I am not able to see the tagged key in my build.

I do not get any response to this command : cat /proc/crypto | grep -B1 -A2 tk

I am attaching my defconfig for your reference.

Also the document explains about creating a secure volume through image file and then mounting it. But how can I secure an already mounted volume. I want my partitions to be already encrypted before the mounting process during device startup. How can I achieve it ?