How to boot into a luks encrypted rootfs partition from initramfs on imx6 quad?


f_alghamdi
Contributor I

Hi everyone,

I have been trying to do full disk encryption on the i.MX6 Quad eMMC (the version I use is the EmbeddedArtists imx6qea COM on their carrier board).

What I have done is:

  1. Rebuilding fsl-image-mfgtool-initramfs to support disk encryption in the kernel and cryptsetup in the image itself.
  2. Attaching an initial RAM file system image (initramfs) to the imx6q kernel by adding this to my local.conf and rebuilding core-image-minimal:

    INITRAMFS_IMAGE = "core-image-minimal"
    INITRAMFS_IMAGE_BUNDLE = "1"
    IMAGE_FSTYPES = "cpio.gz tar.bz2"

  3. Using mfgtools to flash the newly created core-image-minimal and encrypting the rootfs part using these commands:

    <!-- the passphrase is in the file : "mfgtools_imx6q_4.9.123\Profiles\Linux\OS Firmware\firmware\keyfile" -->

    <CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>
    <CMD state="Updater" type="push" body="$ cat $FILE | cryptsetup luksFormat /dev/mmcblk%mmc%p2 -">Encrypting and Formatting rootfs partition</CMD>
    <CMD state="Updater" type="push" body="$ cryptsetup luksOpen --key-file=$FILE /dev/mmcblk%mmc%p2 mmcblk%mmc%p2">Encrypting and Formatting rootfs partition</CMD>
    <CMD state="Updater" type="push" body="$ mkfs.ext3 -E nodiscard /dev/mapper/mmcblk%mmc%p2">Encrypting and Formatting rootfs partition</CMD>
    <CMD state="Updater" type="push" body="$ mkdir -p /mnt/mmcblk%mmc%p2"/>
    <CMD state="Updater" type="push" body="$ mount -t ext3 /dev/mapper/mmcblk%mmc%p2 /mnt/mmcblk%mmc%p2"/>
    <CMD state="Updater" type="push" body="pipe tar -jxv -C /mnt/mmcblk%mmc%p2" file="files/%rootfs%-%board%.rootfs.tar.bz2">Sending and writing rootfs</CMD>
    <CMD state="Updater" type="push" body="frf">Finishing rootfs write</CMD>

  4. Booting into the kernel and its attached initramfs was successful. 

By doing the above steps, I was able to encrypt the rootfs using cryptsetup. After booting into the initramfs, I successfully decrypted and mounted the rootfs partition with the passphrase I provided via mfgtools:

$ cryptsetup --debug -v luksOpen /dev/mmcblk3p2 rootfs
$ mkdir /mnt/rootfs && mount -t ext3 /dev/mapper/rootfs /mnt/rootfs

What I was not able to do is auto-mount the encrypted rootfs instead of the kernel's attached initramfs rootfs.

  • First, the crypttab infrastructure and its scripts (cryptdisks, cryptdisks_start, cryptdisks_stop, etc.) used to auto-mount encrypted partitions are completely missing from the Yocto Project. When you install cryptsetup on a normal Linux distro you get these scripts automatically, but not on Yocto.
  • Another way is using mkinitcpio scripts, but they are also not a part of Yocto.
  • Finally, I think I will also need to update the initramfs after configuring it to mount another root partition (the LUKS encrypted one), which is done using the command update-initramfs, which generates a new initramfs image with the new configuration. Unfortunately, I was not able to find anything related to updating the initramfs after bitbaking; maybe we have to set up everything upfront in Yocto so the initramfs is configured to auto-mount the encrypted rootfs, and then bitbake. I am not sure if the above steps are the correct way to do full disk encryption on Yocto, or whether there is another way of doing it?

Thanks
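One way to do the auto-mount step from inside the bundled initramfs, as an added example that is not part of the original post or of the Yocto/NXP tooling: a minimal POSIX-sh `/init` (busybox style) that reads the rootfs location from the kernel command line, waits for the eMMC node, runs `cryptsetup luksOpen`, mounts the mapped device and `switch_root`s into it. The kernel parameters `cryptroot=` and `cryptname=` are assumed names chosen for this example (set them in the U-Boot bootargs); the device path `/dev/mmcblk3p2` and the ext3 filesystem come from the post. The passphrase is requested on the console rather than read from a key file: a key file stored inside the initramfs would sit unencrypted next to the kernel and defeat the purpose of encrypting the rootfs. Because the initramfs is bundled into the kernel image (`INITRAMFS_IMAGE_BUNDLE = "1"`), any change to this script means rebuilding the initramfs and kernel with bitbake; there is no post-build `update-initramfs` step in Yocto.

```shell
#!/bin/sh
# Added example initramfs /init: unlock a LUKS rootfs and switch_root into it.
# Assumptions (hypothetical, not from the original post): the kernel command
# line carries "cryptroot=/dev/mmcblk3p2 cryptname=rootfs rootfstype=ext3",
# and cryptsetup plus busybox (mount, switch_root, sh) are in the initramfs.

# cmdline_get KEY TOKEN... : print the value of KEY=value among the tokens,
# return 1 when KEY is absent.
cmdline_get() {
    _key=$1; shift
    for _tok in "$@"; do
        case "$_tok" in
            "$_key"=*) printf '%s\n' "${_tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# wait_for_dev PATH TRIES : poll once per second for a block device node
# (eMMC can enumerate after /init starts). Return 1 if it never appears.
wait_for_dev() {
    _n=$2
    while [ "$_n" -gt 0 ]; do
        [ -b "$1" ] && return 0
        sleep 1
        _n=$((_n - 1))
    done
    return 1
}

# unlock_root DEVICE NAME ATTEMPTS : open DEVICE as /dev/mapper/NAME, letting
# cryptsetup prompt for the passphrase on the console up to ATTEMPTS times.
unlock_root() {
    _n=$3
    while [ "$_n" -gt 0 ]; do
        cryptsetup luksOpen "$1" "$2" && return 0
        _n=$((_n - 1))
        echo "luksOpen of $1 failed, $_n attempt(s) left" >&2
    done
    return 1
}

# rescue_shell REASON : never leave PID 1 silently; drop to a shell instead.
rescue_shell() {
    echo "initramfs: $1, dropping to a rescue shell" >&2
    exec sh
}

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev

    # Word-split /proc/cmdline into positional parameters (intentional).
    set -- $(cat /proc/cmdline)
    cryptroot=$(cmdline_get cryptroot "$@") || rescue_shell "no cryptroot= on cmdline"
    cryptname=$(cmdline_get cryptname "$@") || cryptname=rootfs
    fstype=$(cmdline_get rootfstype "$@") || fstype=ext3

    wait_for_dev "$cryptroot" 10 || rescue_shell "$cryptroot did not appear"
    unlock_root "$cryptroot" "$cryptname" 3 || rescue_shell "could not unlock $cryptroot"

    mkdir -p /newroot
    mount -t "$fstype" -o ro "/dev/mapper/$cryptname" /newroot \
        || rescue_shell "mount of /dev/mapper/$cryptname failed"

    # Hand the device tree over to the real rootfs and replace ourselves.
    umount /sys /proc
    mount --move /dev /newroot/dev
    exec switch_root /newroot /sbin/init
}

# The kernel executes this file as /init (PID 1); only then run main, so the
# helper functions above can also be sourced and tested on a host.
case "$0" in
    /init|init) main ;;
esac
```

Install the script as `/init` in the initramfs image recipe (mode 0755) and mark the real root read-only in the mount; the init system in the decrypted rootfs remounts it read-write via fstab as usual. If unlocking fails three times the board stops at a rescue shell rather than silently halting in PID 1.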

marouene_boubakri
NXP Employee

Dear f.alghamdi@ntis.com.sa‌,

The document "Root filesystem encryption using DM-Crypt" provides detailed steps to make a transparently encrypted root filesystem using DM-Crypt.

The target is ARM64; you can adapt it for your need (install the ARM32 toolchain and compile for an ARM target instead).

If this is exactly what you are looking for, please mark the reply as "Correct Answer" to help other users quickly identify and access it.

Regards

Maro

10sec
Contributor I

Dear @marouene_boubakri,

How can I get access to the document "Root filesystem encryption using DM-Crypt"?

marouene_boubakri
NXP Employee

Hi @10sec,

Kindly refer to the Application Note AN12714, "i.MX Encrypted Storage Using CAAM Secure Keys", downloadable from the nxp.com portal; it can be found in the documentation tab of the chip/board's home page.

Regards
Maro

vinothkumars
Senior Contributor IV

Hi @marouene_boubakri,

I am not able to access the document "Root filesystem encryption using DM-Crypt".

Regards,
Vinothkumar Sekar
Yuri
NXP Employee

Hello,


Please create a request to get more information about disk encryption using CAAM-accelerated dm-crypt: Support|NXP

Have a great day,

Yuri

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!
