Root Filesystem Encryption/Decryption with CAAM on an i.MX8M-Mini


927 Views
bobjenkins
Contributor I

Hello,

I was wondering if you could direct me on how to encrypt, and decrypt, a Linux root filesystem using CAAM on an i.MX8M-Mini?

I've read AN12714 "i.MX Encrypted Storage Using CAAM Secure Keys" but that only shows me how to use CAAM to perform encryption on a flat-file in an already booted OS. What I am looking for is how to decrypt the root filesystem during boot using CAAM.

Thanks,
Bob

0 Kudos
3 Replies

859 Views
richc128
Contributor III

People typically use an initramfs for this. You can also use U-Boot, but I don't think there is CAAM support in U-Boot.

0 Kudos

870 Views
bobjenkins
Contributor I

Hello, thanks for the tip! I am able to do "disk image" file or full, non-root, partition encryption as per the example in AN12714. However, this is from a non-encrypted root filesystem.

What I am unsure about is if I encrypt the entire root (/) partition/filesystem with CAAM, how would I be able to get the early stage of the kernel to decrypt that root filesystem during boot, using the Black Blob/Black Key/imported session key from CAAM?

The kernel would need to do this decryption early in the boot process, as with the root (/) filesystem being encrypted at this point, the kernel modules (/lib/modules/...), config files (/etc/...), executables (/bin/...), etc. would be unavailable to the kernel and OS later in boot, if it isn't decrypted with CAAM early.

Any advice would be greatly appreciated!

0 Kudos

893 Views
richc128
Contributor III

You can just replace the looper with the drive / partition device. But, that being said, I've had consistent problems with re-mounting:

https://community.nxp.com/t5/i-MX-Processors/AN12714-can-t-re-mount-encrypted-drive/m-p/1485545#M192...

0 Kudos
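
The two suggestions in the replies above (unlock from an initramfs, and point the AN12714 dm-crypt mapping at the partition instead of a loop device) combined into one initramfs `/init` fragment, as an added example that is not code from this thread or from NXP. The device node, blob path, mount point and mapping name are assumptions, and the `caam-keygen`, `keyctl` and `dmsetup` forms are assumed to match the loop-device procedure in AN12714; verify them against the app note for your BSP.

```shell
#!/bin/sh
# Added example: initramfs /init fragment for a CAAM-keyed root filesystem.
# Assumes the CAAM and dm-crypt drivers are built into the kernel and that
# caam-keygen, keyctl, dmsetup and blockdev are packed into the initramfs.
ROOT_DEV="${ROOT_DEV:-/dev/mmcblk2p2}"        # assumed encrypted root partition
KEY_BLOB="${KEY_BLOB:-/etc/caam/rootkey.bb}"  # assumed black blob stored in the initramfs
KEY_NAME="importKey"                          # black key file written by the import step
KEY_DESC="logkey:"                            # keyring description (assumed, per AN12714)
CIPHER="capi:tk(cbc(aes))-plain"              # CAAM tagged-key cipher (assumed, per AN12714)
KEY_SIZE=36                                   # black key length in bytes; confirm for your key

# Build the dm-crypt table line: the loop-device table with the partition substituted.
# $1 = block device, $2 = device size in 512-byte sectors.
dm_table() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac   # refuse an empty or non-numeric size
    printf '0 %s crypt %s :%s:logon:%s 0 %s 0 1 sector_size:512' \
        "$2" "$CIPHER" "$KEY_SIZE" "$KEY_DESC" "$1"
}

unlock_root() {
    mkdir -p /proc /sys /dev /newroot /data/caam
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    # Turn the stored black blob back into a black key valid for this boot,
    # then hand it to the kernel keyring where dm-crypt looks it up.
    caam-keygen import "$KEY_BLOB" "$KEY_NAME" || return 1
    keyctl padd logon "$KEY_DESC" @s < "/data/caam/$KEY_NAME" || return 1
    sectors=$(blockdev --getsz "$ROOT_DEV") || return 1
    table=$(dm_table "$ROOT_DEV" "$sectors") || return 1
    dmsetup create cryptroot --table "$table" || return 1
    mount -o ro /dev/mapper/cryptroot /newroot || return 1
    exec switch_root /newroot /sbin/init
}

# In the real /init, the last line would be a fail-closed call such as:
#   unlock_root || { echo "root unlock failed" >&2; sleep 5; reboot -f; }
```

The black blob can sit in the initramfs in the clear because only the CAAM on the device that created it can unwrap it; failing closed with a reboot avoids leaving an emergency shell on a device whose root could not be unlocked.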