1. Can anyone share the steps to do dm-crypt for RootFS partition on imx6Q?
Also let me know,
2. Is it possible to do filesystem encryption on FAT32, which holds the zImage and
dts files?
Thank you YuriMuhin_ng
Hi katherrafi, thomasklein,
The document "Root filesystem encryption using DM-Crypt" provides detailed steps to make a transparently encrypted root filesystem using DM-Crypt.
The target is ARM64; you can adapt it for your needs (install an ARM32 toolchain and compile for the ARM target instead).
If this is exactly what you are looking for, please mark the reply as "Correct Answer" to help other users to quickly identify and access it.
Regards
Maro
I would like to access the referenced document. We already have a mutual NDA in place, I've also requested access via Secure Files, but I still can't access the provided link.
Hi Maro,
Do you know where I can get the document "Root filesystem encryption using DM-Crypt"?
Best regards,
Adde
Hello @marouene_boubakri
Can I have access to this document please, "Root filesystem encryption using DM-Crypt"? I really need it urgently.
Thanks
Kindly refer to AN12714 - i.MX Encrypted Storage Using CAAM Secure Keys document according to if your target chip has CAAM IP or not.
I don't have CAAM in my target board. I'm interested in using the classic way with the DM-crypt module, can you send me the file please?
What is your target? The document can be found and downloaded from the Documentation tab [1]. The AN is only for devices equipped with CAAM. For the classic way kindly refer to the Linux documentation.
Thanks @marouene_boubakri for your response. I have an imx8qmmek board, and I just noticed that there is a CAAM module inside of it.
But how can I use the Yocto build BSP to generate an image that has an encrypted root partition included in the .wic sdcard image file directly? (I mean without using CAAM)
Thank you
Hi maro,
I'm attempting to access the document at the link specified, but it shows as unavailable. We are looking into using DM-Crypt to encrypt the RootFS on our i.MX8MM-evk and this document would be very helpful.
Thank you and best regards,
Jim Albanese
Hello,
The mentioned document about RootFS crypt is under NDA.
So, please create a request or a separate Community thread for it.
Regards,
Yuri.
1. This is how I did my setup on i.MX7D. It should be the same for i.MX6Q.
Steps to include dm_crypt and cryptsetup into Yocto build
============================================
# Add this to local.conf:
IMAGE_ROOTFS_EXTRA_SPACE = "6606030"
IMAGE_OVERHEAD_FACTOR = "1.0"
CORE_IMAGE_EXTRA_INSTALL += " cryptsetup cryptodev-module cryptodev-tests"
bitbake -c menuconfig virtual/kernel
CONFIG_BLK_DEV_DM=m
CONFIG_DM_DEBUG=y
CONFIG_DM_CRYPT=m
bitbake virtual/kernel -f -c deploy
bitbake virtual/kernel -f -c compile
bitbake -f fsl-image-gui
Example on setup on the board
========================
modprobe dm_crypt
fallocate -l 5.5G test
cryptsetup -y luksFormat test
cryptsetup luksOpen test volumetest
mkfs.ext4 -j /dev/mapper/volumetest
mkdir /mnt/filestest
mount /dev/mapper/volumetest /mnt/filestest
# Work with /mnt/filestest
umount /mnt/filestest
cryptsetup luksClose volumetest
2. I don't think it's possible to have the FAT32 partition encrypted because at boot time, zImage and dts are expected to be in clear and not encrypted. There is no software that loads a dm-crypt based encrypted zImage from what I know. You can look at secure boot for this feature. https://www.nxp.com/docs/en/application-note/AN4581.pdf
Hi, thanks for your advice.
If I go to the defconfig, I do not have any of these config options:
CONFIG_BLK_DEV_DM=m
CONFIG_DM_DEBUG=y
CONFIG_DM_CRYPT=m
I am using kernel version 4.1.44-fslc and yocto 2.4 Rocko.
Is there any other option to enable DM Crypt?
Thanks for any advice or ideas.
Regards
Tomas Klein
Run
bitbake -c menuconfig virtual/kernel
Enable the Kernel to support Device Mapper and Crypt DM target.
Device Drivers --> RAID and LVM Support -->
[*] Multiple devices driver support (RAID and LVM)
<*> Device mapper support
<M> Crypt target support
Exit and save your config.
Enable the Kernel to support initrd and RAM block devices.
General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
() Initramfs source file(s)
[*] Support initial ramdisk/ramfs compressed using gzip
Device Drivers --->
[*] Block devices --->
<M> RAM block device support
(16) Default number of RAM disks
(16384) Default RAM disk size (kbytes)
Regards
Maro
The problem is that in menuconfig I do not have the option to enable the device mapper support or crypt target support, as you can see in the screenshot.
Regards
Tomas.
Hi,
Though your comment is old, I would like to add my input here: you need to open menuconfig and press Enter on "Device drivers", then press y to include "Multiple devices driver support (RAID and LVM)" and press Enter to access its options (Device mapper support & Crypt target support).
You can find the instructions on top of the menuconfig.
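
A way to confirm that the menuconfig steps in this thread took effect, as an added example that is not part of any post: the script audits a kernel .config for the device mapper, crypt target and initramfs options. The function names and the sample config are constructed for illustration; CONFIG_MD and CONFIG_BLK_DEV_INITRD are the Kconfig symbols behind the "Multiple devices driver support" and "Initial RAM filesystem and RAM disk" menu entries.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the options an encrypted rootfs needs.

# Print y or m for a CONFIG_ symbol in the given .config, or n when it is unset.
kconfig_value() {
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | tail -n 1)
    echo "${val:-n}"
}

# Print one finding per line; no output means nothing is missing.
check_dmcrypt_config() {
    cfg=$1
    # CONFIG_MD is "Multiple devices driver support (RAID and LVM)"; while it is
    # off, menuconfig hides the device mapper and crypt target entries.
    if [ "$(kconfig_value CONFIG_MD "$cfg")" = n ]; then
        echo "MISSING CONFIG_MD (device mapper options stay hidden)"
    fi
    for sym in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT; do
        case $(kconfig_value "$sym" "$cfg") in
            n) echo "MISSING $sym" ;;
            m) echo "MODULE $sym (must be in the initramfs to unlock the rootfs)" ;;
        esac
    done
    # The initramfs is where cryptsetup runs before the real root is mounted.
    if [ "$(kconfig_value CONFIG_BLK_DEV_INITRD "$cfg")" = n ]; then
        echo "MISSING CONFIG_BLK_DEV_INITRD (no initramfs support)"
    fi
}

# Constructed sample: the state described in the thread before CONFIG_MD is set.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# CONFIG_MD is not set
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_RAM=m
EOF
check_dmcrypt_config "$demo_cfg"
rm -f "$demo_cfg"
```

In a Yocto build, point `check_dmcrypt_config` at the `.config` in the kernel build directory after `bitbake -c menuconfig virtual/kernel`, or at a decompressed copy of `/proc/config.gz` on the board if the kernel exposes it.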
Hi Igor,
Thanks for sharing the link, from the link it is not mentioned for imx or any other embedded platform,
mostly focused on desktop linux.
I would like to know the entire encryption on embedded system, especially
on imx platform with u-boot.
Regards
kather rafi
Hi,
I would like to ask, did you find any solution? If yes, could you please describe how? If no, do you have any reference tutorial for this problem?
Thank you
Regards
Tomas Klein
Hi Kather
one can look on dm-crypt/Encrypting an entire system - ArchWiki
also additional help may be provided with Professional Services:
Best regards
igor