Hello,
I was wondering if you could direct me on how to encrypt, and decrypt, a Linux root filesystem using CAAM on an i.MX8M-Mini?
I've read AN12714 "i.MX Encrypted Storage Using CAAM Secure Keys" but that only shows me how to use CAAM to perform encryption on a flat-file in an already booted OS. What I am looking for is how to decrypt the root filesystem during boot using CAAM.
Thanks,
Bob
People typically use an initramfs for this. You can also use U-Boot, but I don't think there is CAAM support in U-Boot.
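An initramfs `/init` along the lines suggested above, as an added example that is not part of the thread or of AN12714 itself: it imports the CAAM black blob, loads the resulting black key into the kernel keyring, and maps the root partition with dm-crypt before `switch_root`. The device path, blob path, mapper name and `/data/caam` output directory are assumptions, and the `caam-keygen`, `keyctl` and `dmsetup` invocations follow the pattern of the AN12714 example for a 16-byte key, so check them against your BSP.

```shell
#!/bin/sh
# Added example: initramfs /init sketch for a CAAM-keyed dm-crypt root.
# All paths and names below are assumptions, not values from the thread.
ROOT_DEV="${ROOT_DEV:-/dev/mmcblk2p2}"   # assumed encrypted root partition
BLOB="${BLOB:-/caam/rootkey.bb}"         # assumed black blob packed into the initramfs
KEY_DIR="/data/caam"                     # assumed caam-keygen output directory
KEY_NAME="logkey:"                       # keyring description (AN12714 pattern)
MAP_NAME="cryptroot"                     # hypothetical device-mapper name

# Build the dm-crypt table. The tagged-key cipher makes the kernel hand the
# black key to CAAM, so the plaintext key is never visible to userspace.
crypt_table() {  # $1 = size in 512-byte sectors, $2 = backing block device
    echo "0 $1 crypt capi:tk(cbc(aes))-plain :36:logon:$KEY_NAME 0 $2 0 1 sector_size:512"
}

unlock_root() {
    mkdir -p /proc /sys /dev /newroot "$KEY_DIR"
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    # Decapsulate the blob into a black key valid for this boot session.
    caam-keygen import "$BLOB" importKey || return 1
    # Load the black key into the keyring where dm-crypt will look it up.
    keyctl padd logon "$KEY_NAME" @s < "$KEY_DIR/importKey" || return 1
    sectors=$(blockdev --getsz "$ROOT_DEV") || return 1
    # Map the partition itself instead of the loop device used for image files.
    dmsetup create "$MAP_NAME" --table "$(crypt_table "$sectors" "$ROOT_DEV")" || return 1
    mount -o ro "/dev/mapper/$MAP_NAME" /newroot || return 1
}

# Run only when the kernel started this script as the initramfs init.
if [ "$0" = "/init" ]; then
    if ! unlock_root; then
        # Fail closed: no rescue shell on a device that could not unlock.
        echo "root unlock failed, rebooting" >&2
        sleep 5
        reboot -f
    fi
    for m in dev proc sys; do mount --move "/$m" "/newroot/$m"; done
    exec switch_root /newroot /sbin/init
fi
```

The kernel and initramfs stay unencrypted in this layout, so only the blob, which the CAAM of the same device must decapsulate, should be stored there.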
Hello, thanks for the tip! I am able to do "disk image" file or full, non-root, partition encryption as per the example in AN12714. However, this is from a non-encrypted root filesystem.
What I am unsure about is if I encrypt the entire root (/) partition/filesystem with CAAM, how would I be able to get the early stage of the kernel to decrypt that root filesystem during boot, using the Black Blob/Black Key/imported session key from CAAM?
The kernel would need to do this decryption early in the boot process, as with the root (/) filesystem being encrypted at this point, the kernel modules (/lib/modules/...), config files (/etc/...), executables (/bin/...), etc. would be unavailable to the kernel and OS later in boot, if it isn't decrypted with CAAM early.
Any advice would be greatly appreciated!
You can just replace the looper with the drive / partition device. But, that being said, I've had consistent problems with re-mounting