Boot encrypted root file system from sd card

5,688 Views
alampret
Contributor I

Hello everyone,

I am trying to boot from an encrypted SD card, but it's not possible. What have I missed?

Main setup was done as shown here: Installing Ubuntu Rootfs on NXP i.MX6 boards 

The first partition is vfat and the second one ext4 with LUKS.

On boot I get "Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block"

What's necessary for booting? Unfortunately I found hundreds of tutorials on how to sign U-Boot but nothing related to encrypting the root fs of Linux and booting into it.

Storing the key will be a separate question. For the moment I would be happy if the key file is stored on the vfat partition (partition one on the SD card).

Thx in advance!

Best regards,

Alexander

5 Replies

3,407 Views
Yuri
NXP Employee

@alampret 
Hello,

Use the app note "i.MX Encrypted Storage Using CAAM Secure Keys":

https://www.nxp.com/webapp/Download?colCode=AN12714

Regards,
Yuri.


3,403 Views
EliteHawk
Contributor II

I may be wrong, but isn't this one a guide to creating a generic new partition on the board instead of a root ("/") partition? I think that there should be some hooks in initramfs/initrd to do so.


3,936 Views
dry
Senior Contributor I

Hey,

Dunno if you've seen something like this guide:

dm-crypt/Encrypting an entire system - ArchWiki

Note that you likely need to create a custom initrd/initramfs and set up/hook up your encrypted root from there, before Linux can use it and jump into it.

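A minimal initramfs `/init` of the kind the reply above describes, as an added example that is not part of the thread or of the linked guides: it unlocks the LUKS partition with a key file read from the vfat partition, then switches to the decrypted root. The device names, the key file name `root.key` and the `cryptroot=`/`cryptkey=` kernel parameters are assumptions, as is an image that contains busybox and cryptsetup with dm-crypt built into the kernel.

```shell
#!/bin/sh
# /init for a minimal initramfs (added example, not from the thread).
# Assumes busybox + cryptsetup in the image and dm-crypt built into the kernel.
# Assumed layout: p1 = vfat holding the key file, p2 = LUKS container with ext4.
# Hypothetical kernel parameters: cryptroot=<dev> cryptkey=<dev>:<path>

# Print the value of key=value from a command-line string; return 1 if absent.
cmdline_get() {
    key=$1; shift
    for arg in $*; do
        case $arg in
            "$key"=*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Drop to a shell instead of panicking so the failure can be inspected.
rescue() { echo "initramfs: $1" >&2; exec /bin/sh; }

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    cmdline=$(cat /proc/cmdline)
    root_dev=$(cmdline_get cryptroot "$cmdline") || root_dev=/dev/mmcblk0p2
    key_spec=$(cmdline_get cryptkey "$cmdline") || key_spec=/dev/mmcblk0p1:/root.key
    key_dev=${key_spec%%:*}; key_path=${key_spec#*:}

    # SD/MMC probing is asynchronous: wait up to 10 s for the partition node.
    i=0
    while [ ! -b "$root_dev" ] && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    [ -b "$root_dev" ] || rescue "$root_dev did not appear"

    mkdir -p /key /newroot
    mount -t vfat -o ro "$key_dev" /key || rescue "cannot mount $key_dev"
    cryptsetup open --type luks --key-file "/key$key_path" "$root_dev" cryptroot \
        || rescue "cannot unlock $root_dev"
    umount /key
    mount -t ext4 -o ro /dev/mapper/cryptroot /newroot || rescue "cannot mount root"

    mount --move /dev /newroot/dev
    umount /proc /sys
    exec switch_root /newroot /sbin/init
}

# Run only as the kernel-started /init (PID 1); sourcing the file is harmless.
if [ "$$" -eq 1 ] && [ "$0" = /init ]; then main; fi
```

The kernel has to be booted with this initramfs for the script to run. A key file on the unencrypted vfat partition is readable by anyone holding the card, so this layout only exercises the boot path.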

3,426 Views
EliteHawk
Contributor II

Hi,

I'm trying to do the exact same thing but with another board.

So there is no way to carry out this task without adding an initrd/initramfs?

If it is so, could you kindly link me to any guide to do it?

Thank you and Regards


3,936 Views
igorpadykov
NXP Employee

Hi Alexander,

As a starting point, one can try with U-Boot:

Use HAB API from u-boot to decrypt Linux image 

High Assurance Boot (HAB) for dummies - Boundary Devices 

AN4581 Secure Boot

https://www.nxp.com/docs/en/application-note/AN4581.pdf 

Best regards
igor