Securing Flash Partition

MichaelBMiner · ‎09-04-2024

Hello,

I am looking to use the Yocto project and CAAM to create a secure flash partition on my custom board. Note I cannot use the SNVS as the device will not always be powered, the design does not allow for a battery.

In my yocto project I am going to create a new 8MB partition and call it securednand. As the device is to ship out the door there is an End of Line configuration step. Here we will run a script as root to do the following:

Log in as root over a serial connection
Run caam-keygen to create a key ie. caam_key
Store caam_key to the securednand partition
Use dm-crypt to encrypt securednand with a password file to be stored in /root (or another user protected folder)
When the caam_key is needed, a service will be run to decrypt the securednand, read the caam_key and use it as needed.

Is there anything else I need to be doing? Is this a moderately deceny security strategy?

MichaelBMiner · ‎09-04-2024

I am thinking of revising my plan. I am not familiar with security but I want to do the following.

Log in as root over a serial connection
Run caam-keygen to create a key ie. caam_key
Store caam_key to the securednand partition
Use dm-crypt to encrypt securednand with a password file to be stored in /root/dm-crypt-pw
Use the caam_key to encrypt the file /root/dm-crypt-pw

Now on boot I need to decrypt securednand using /root/dm-crypt-pw to get caam_key. This seems like a cyclic dependency. Not sure how to get around this.

Harvey021 · ‎09-06-2024

Hi,

Please have the reference - the section <10.5 Disk encryption acceleration> of IMX_LINUX_USERS_GUIDE.pdf

Regards

Harvey

Securing Flash Partition

Securing Flash Partition

i.MX6UL