Steps to do dm-crypt for RootFS partition on Imx6Q.


10,842 Views
katherrafi
Contributor II

1. Can anyone share the steps to do dm-crypt for RootFS partition on imx6Q?

Also let me know,

2. Is it possible to do filesystem encryption on FAT32, which holds the zImage and dts files?
19 Replies

8,810 Views
Aurelien_BOUIN
Contributor III

Thank you YuriMuhin_ng

0 Kudos
Reply

8,810 Views
marouene_boubakri
NXP Employee

Hi katherrafi‌, thomasklein‌,

The document "Root filesystem encryption using DM-Crypt" provides detailed steps to make a transparently encrypted Root filesystem using DM-Crypt.

The target is ARM64; you can adapt it for your needs (install an ARM32 toolchain and compile for the ARM target instead).

If this is exactly what you are looking for, please mark the reply as "Correct Answer" to help other users to quickly identify and access it.

 

Regards

Maro

0 Kudos
Reply

729 Views
cfeuchter
Contributor I

I would like to access the referenced document. We already have a mutual NDA in place, I've also requested access via Secure Files, but I still can't access the provided link. 

0 Kudos
Reply

5,643 Views
adde_ado
Contributor III

Hi Maro,

Do you know where I can get the document "Root filesystem encryption using DM-Crypt"?

 

Best regards,

Adde

0 Kudos
Reply

6,222 Views
YoussefDALIL
Contributor I

Hello @marouene_boubakri 

Can I have access to this document please, "Root filesystem encryption using DM-Crypt"? I really need it urgently.

Thanks

 

0 Kudos
Reply

6,218 Views
marouene_boubakri
NXP Employee

Kindly refer to AN12714 - i.MX Encrypted Storage Using CAAM Secure Keys document according to if your target chip has CAAM IP or not.

0 Kudos
Reply

6,215 Views
YoussefDALIL
Contributor I

I don't have CAAM in my target board. I'm interested in using the classic way with the DM-crypt module. Can you send me the file please?

0 Kudos
Reply

6,207 Views
marouene_boubakri
NXP Employee

What is your target? The document can be found and downloaded from the Documentation tab [1]. The AN is only for devices equipped with CAAM. For the classic way, kindly refer to the Linux documentation.

[1] https://www.nxp.com/products/processors-and-microcontrollers/arm-processors/i-mx-applications-proces...

 

0 Kudos
Reply

6,205 Views
YoussefDALIL
Contributor I

Thanks @marouene_boubakri for your response. I have an imx8qmmek board; I just noticed that there is a CAAM module inside of it.

But how can I use the Yocto build BSP to generate an image that has an encrypted root partition included in the .wic sdcard image file directly? (I mean without using CAAM.)

Thank you 

 

 

0 Kudos
Reply

8,810 Views
jim_albanese
Contributor I

Hi maro,

I'm attempting to access the document at the link specified, but it shows as unavailable. We are looking into using DM-Crypt to encrypt the RootFS on our i.MX8MM-evk and this document would be very helpful.

Thank you and best regards,

Jim Albanese

0 Kudos
Reply

8,808 Views
Yuri
NXP Employee

Hello,

The mentioned document about RootFS crypt is under NDA.

So, please create a request or a separate Community thread for it.

Regards,

Yuri.

0 Kudos
Reply

8,810 Views
catalinneagu
NXP Employee

1. This is how I did my setup on i.MX7D. It should be the same for i.MX6Q.

Steps to include dm_crypt and cryptsetup into Yocto build
============================================

# Add this to local.conf:
    IMAGE_ROOTFS_EXTRA_SPACE = "6606030"
    IMAGE_OVERHEAD_FACTOR = "1.0"
    CORE_IMAGE_EXTRA_INSTALL += " cryptsetup cryptodev-module cryptodev-tests"
    
bitbake -c menuconfig virtual/kernel
    CONFIG_BLK_DEV_DM=m
    CONFIG_DM_DEBUG=y
    CONFIG_DM_CRYPT=m
    
bitbake virtual/kernel -f -c deploy
bitbake virtual/kernel -f -c compile
bitbake -f fsl-image-gui


Example on setup on the board
========================

modprobe dm_crypt

fallocate -l 5.5G test

cryptsetup -y luksFormat test

cryptsetup luksOpen test volumetest

mkfs.ext4 -j /dev/mapper/volumetest

mkdir /mnt/filestest

mount /dev/mapper/volumetest /mnt/filestest

# Work with /mnt/filestest

umount /mnt/filestest

cryptsetup luksClose volumetest

2. I don't think it's possible to have the FAT32 partition encrypted because at boot time, zImage and dts are expected to be in clear and not encrypted. There is no software that loads a dm-crypt based encrypted zImage from what I know. You can look at secure boot for this feature. https://www.nxp.com/docs/en/application-note/AN4581.pdf 

0 Kudos
Reply

8,810 Views
tomasklein
Contributor II

Hi, thanks for your advice.

If I go to the defconfig, I do not have any of these config options:

    CONFIG_BLK_DEV_DM=m
    CONFIG_DM_DEBUG=y
    CONFIG_DM_CRYPT=m

I am using kernel version 4.1.44-fslc and Yocto 2.4 Rocko.

Is there any other option to enable DM Crypt?

Thanks for any advice or ideas.

Regards

Tomas Klein

0 Kudos
Reply

8,810 Views
marouene_boubakri
NXP Employee

Run

bitbake -c menuconfig virtual/kernel

Enable the Kernel to support Device Mapper and Crypt DM target.

Device Drivers --> RAID and LVM Support -->
    [*] Multiple devices driver support (RAID and LVM)
    <*> Device mapper support
    <M> Crypt target support

Exit and save your config.

Enable the Kernel to support initrd and RAM block devices.

General setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    () Initramfs source file(s)
    [*]   Support initial ramdisk/ramfs compressed using gzip
Device Drivers --->
    [*] Block devices --->
        <M> RAM block device support
        (16) Default number of RAM disks
        (16384) Default RAM disk size (kbytes)

Regards

Maro

0 Kudos
Reply

8,810 Views
tomasklein
Contributor II

The problem is that in menuconfig I do not have the option to enable device mapper support or crypt target support, as you can see in the screenshot (Screenshot from 2019-03-04 10-49-59.png).

Regards

Tomas.

0 Kudos
Reply

8,809 Views
kanimozhi_t
Contributor V

Hi,

Though your comment is aged, I'd like to add my input here: you need to open menuconfig and press Enter on "Device drivers", then press y to include "Multiple devices driver support (RAID and LVM)", and press Enter to access its options (Device mapper support & Crypt target support).

You can find the instructions on top of the menuconfig.

0 Kudos
Reply
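
Added example (not part of any post in this thread): a small shell check that audits a kernel .config for the options listed in the replies above, including the "Multiple devices driver support" switch that hides the device-mapper entries while it is off. The Kconfig symbol names are the ones behind the quoted menuconfig entries; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config for the
# options discussed above. Symbol names are the Kconfig symbols behind the
# quoted menuconfig entries.

# Print the value of symbol $2 in .config file $1: y, m, or n if unset.
kconfig_value() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Report problems in .config $1; return 0 only if nothing is missing.
check_dm_crypt_config() {
    cfg=$1 rc=0
    # CONFIG_MD ("Multiple devices driver support") gates the menu: while it
    # is off, the device-mapper entries are not offered in menuconfig.
    if [ "$(kconfig_value "$cfg" CONFIG_MD)" != y ]; then
        echo "CONFIG_MD is off: device-mapper options are hidden"
        rc=1
    fi
    for sym in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT; do
        case $(kconfig_value "$cfg" "$sym") in
            y) ;;
            m) echo "$sym=m: module must be in the initramfs to unlock /" ;;
            *) echo "$sym is not enabled"; rc=1 ;;
        esac
    done
    for sym in CONFIG_BLK_DEV_INITRD CONFIG_BLK_DEV_RAM; do
        case $(kconfig_value "$cfg" "$sym") in
            y|m) ;;
            *) echo "$sym is not enabled"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: a defconfig-like file where the RAID/LVM menu is off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# CONFIG_MD is not set
CONFIG_BLK_DEV_INITRD=y
CONFIG_RD_GZIP=y
CONFIG_BLK_DEV_RAM=m
EOF
check_dm_crypt_config "$sample" || echo "=> not ready for a dm-crypt rootfs"
rm -f "$sample"
```

Point it at the .config in the kernel build directory, or at a decompressed copy of /proc/config.gz on the board if the kernel exposes it.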

8,810 Views
katherrafi
Contributor II

Hi Igor,

Thanks for sharing the link. The link does not mention imx or any other embedded platform; it is mostly focused on desktop Linux.

I would like to know the entire encryption on an embedded system, especially on the imx platform with u-boot.

Regards

kather rafi

0 Kudos
Reply

8,810 Views
tomasklein
Contributor II

Hi,

I would like to ask, did you find any solution? If yes, could you please describe how? If no, do you have any reference tutorial for this problem?

Thank you

Regards

Tomas Klein

0 Kudos
Reply

8,810 Views
igorpadykov
NXP Employee

Hi Kather

One can look at dm-crypt/Encrypting an entire system - ArchWiki

also additional help may be provided with Professional Services:

NXP Professional Services|NXP 

Best regards
igor

0 Kudos
Reply