Hi @Harvey021
Thanks for your reply!
I followed the note AN12714 Rev. 0 — 25 February 2020 step by step. The difference is my kernel version (imx-4.14.98). I downloaded meta-imx-fde-demo, inserted the patch file from recipes-kernel into my kernel, and modified the config file.
Part of the kernel startup information:
sdhci-esdhc-imx 2194000.usdhc: assigned as wifi host
mmc1: SDHCI controller on 2194000.usdhc [2194000.usdhc] using ADMA
caam 2140000.caam: ERA source: CCBVID.
caam 2140000.caam: device ID = 0x0a16030000000000 (Era
caam 2140000.caam: job rings = 3, qi = 0, dpaa2 = no
caam_jr 2141000.jr0: Entropy delay = 3200
caam_jr 2141000.jr0: Instantiated RNG4 SH0.
caam_jr 2141000.jr0: Instantiated RNG4 SH1.
caam algorithms registered in /proc/crypto
caam_jr 2141000.jr0: registering rng-caam
caam 2140000.caam: caam pkc algorithms registered in /proc/crypto
platform caam_sm: blkkey_ex: 8 keystore units available
caam_jr 2143000.jr2: caam_black_key input: [key: 00101000(8) black_key: 00101000(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101000(8) black_key: 00101000(8)
caam_jr 2143000.jr2: req:16, auth: 0x0]
caam_jr 2143000.jr2: caam_black_key input: [key: 00101080(16) black_key: 00101080(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101080(16) black_key: 00101080(16)
caam_jr 2143000.jr2: req:16, auth: 0x0]
caam_jr 2143000.jr2: caam_black_key input: [key: 00101100(24) black_key: 00101100(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101100(24) black_key: 00101100(24)
caam_jr 2143000.jr2: req:32, auth: 0x0]
caam_jr 2143000.jr2: caam_black_key input: [key: 00101180(32) black_key: 00101180(128), auth: 0]
caam_jr 2143000.jr2: caam_black_key processing: [key: 00101180(32) black_key: 00101180(32)
caam_jr 2143000.jr2: req:32, auth: 0x0]
platform caam_sm: 64-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: 64-bit black key:
platform caam_sm: [0000] 66 e4 85 83 07 f2 c9 10
platform caam_sm: [0008] fb c6 2f c3 99 7a 5f 65
platform caam_sm: 128-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
platform caam_sm: 128-bit black key:
platform caam_sm: [0000] 61 ea 2d b6 28 1c 5f 15
platform caam_sm: [0008] 60 95 c1 5e f9 0b 89 a4
platform caam_sm: 192-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
platform caam_sm: [0016] 10 11 12 13 14 15 16 17
platform caam_sm: 192-bit black key:
platform caam_sm: [0000] e4 41 b7 ba 9f fc c6 e9
platform caam_sm: [0008] f7 eb ea f1 15 49 51 5a
platform caam_sm: [0016] e2 e2 d5 20 af d8 20 dd
platform caam_sm: [0024] fd 27 4c 7d 2e 22 a6 01
platform caam_sm: 256-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
platform caam_sm: [0016] 10 11 12 13 14 15 16 17
platform caam_sm: [0024] 18 19 1a 1b 1c 1d 1e 1f
platform caam_sm: 256-bit black key:
platform caam_sm: [0000] fc fd 0b 4f 45 d3 83 fd
platform caam_sm: [0008] 9f 45 2e 2a 03 88 15 8b
platform caam_sm: [0016] 78 d8 37 fd b2 eb d8 71
platform caam_sm: [0024] 05 b7 38 59 bd 49 6f fb
platform caam_sm: 64-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 128-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 196-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 256-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 64-bit black key in blob:
platform caam_sm: [0000] 06 0d b0 d0 31 91 82 71
platform caam_sm: [0008] e9 b3 59 80 ca f5 ef 90
platform caam_sm: [0016] 0c 30 a1 d1 61 70 96 f7
platform caam_sm: [0024] 3c e6 d7 a6 a7 4b c6 13
platform caam_sm: [0032] 3f 38 e9 e2 8b 2e fc 03
platform caam_sm: [0040] 88 7d af 67 5c ed bc 7e
platform caam_sm: [0048] 67 e7 65 69 4b 4d b8 82
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 128-bit black key in blob:
platform caam_sm: [0000] 66 b0 db 79 be 57 a7 fe
platform caam_sm: [0008] 38 7e a9 63 fa f9 23 be
platform caam_sm: [0016] 2e a7 fd 0c d2 71 13 99
platform caam_sm: [0024] 53 54 f5 80 d4 e5 ff 5a
platform caam_sm: [0032] f2 ba e2 76 21 21 68 68
platform caam_sm: [0040] 4c 1b 17 90 a4 df 8b 6a
platform caam_sm: [0048] 35 9c 77 f8 10 c0 6c a9
platform caam_sm: [0056] fa e0 d9 3d cc 79 d6 99
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 192-bit black key in blob:
platform caam_sm: [0000] f1 26 9d d2 de 91 3f a2
platform caam_sm: [0008] bb d3 4a c7 1e da 6b 40
platform caam_sm: [0016] 04 79 08 04 f3 df 0f 3f
platform caam_sm: [0024] bf b7 ac 93 1a 02 15 db
platform caam_sm: [0032] dc de 8f 35 2e 3c 95 79
platform caam_sm: [0040] df 59 d8 14 ba 3d ae 46
platform caam_sm: [0048] eb 71 8d 8b 38 02 15 d8
platform caam_sm: [0056] c9 28 fb d5 f9 98 fa 54
platform caam_sm: [0064] ae 81 d2 d1 5f de 17 47
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 256-bit black key in blob:
platform caam_sm: [0000] 1f 60 64 a4 72 ca c2 b1
platform caam_sm: [0008] 9b 68 47 e3 8b c8 ab 85
platform caam_sm: [0016] a2 50 b9 4a c9 b1 3a bf
platform caam_sm: [0024] 73 53 b9 60 83 61 13 69
platform caam_sm: [0032] b2 8d 08 26 b1 7f ed 79
platform caam_sm: [0040] 1e a0 6a 8d c7 fd a3 bb
platform caam_sm: [0048] bd c5 9e f1 6d 50 cb a8
platform caam_sm: [0056] bd b0 91 6b f3 1a 97 83
platform caam_sm: [0064] 13 8d 6b 0c 35 78 7f fd
platform caam_sm: [0072] 89 c2 1b 61 d1 90 0b ac
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: restored 64-bit black key:
platform caam_sm: [0000] 17 8b 93 6d 2c 58 81 c0
platform caam_sm: [0008] ee ec f5 34 9e e2 67 58
platform caam_sm: restored 128-bit black key:
platform caam_sm: [0000] 61 ea 2d b6 28 1c 5f 15
platform caam_sm: [0008] 60 95 c1 5e f9 0b 89 a4
platform caam_sm: restored 192-bit black key:
platform caam_sm: [0000] e4 41 b7 ba 9f fc c6 e9
platform caam_sm: [0008] f7 eb ea f1 15 49 51 5a
platform caam_sm: [0016] 67 1e 14 77 5a 19 4e 54
platform caam_sm: [0024] 55 00 7c 73 ed 46 1c fa
platform caam_sm: restored 256-bit black key:
platform caam_sm: [0000] fc fd 0b 4f 45 d3 83 fd
platform caam_sm: [0008] 9f 45 2e 2a 03 88 15 8b
platform caam_sm: [0016] 78 d8 37 fd b2 eb d8 71
platform caam_sm: [0024] 05 b7 38 59 bd 49 6f fb
caam-snvs 20cc000.caam-snvs: can't get snvs clock
caam-snvs 20cc000.caam-snvs: violation handlers armed - trusted state
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
vf610-adc 2198000.adc: 2198000.adc supply vref not found, using dummy regulator
NET: Registered protocol family 26
nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
xt_time: kernel timezone is -0000
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 10
Segment Routing with IPv6
NET: Registered protocol family 17
can: controller area network core (rev 20170425 abi 9)
NET: Registered protocol family 29
can: raw protocol (rev 20170425)
can: broadcast manager protocol (rev 20170425 t)
can: netlink gateway (rev 20170425) max_hops=1
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.11
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bluetooth: BNEP socket layer initialized
Bluetooth: HIDP (Human Interface Emulation) ver 1.2
Bluetooth: HIDP socket layer initialized
Key type dns_resolver registered
mmc0: new high speed SDHC card at address aaaa
mmcblk0: mmc0:aaaa SA08G 7.40 GiB
mmcblk0: p1
imx_thermal 2000000.aips-bus:tempmon: Automotive CPU temperature grade - max:125C critical:120C passive:115C
snvs_rtc 20cc000.snvs:snvs-rtc-lp: setting system clock to 1970-01-01 22:06:52 UTC (79612)
Key type caam_tk registered
wlreg_on: disabling
md: Waiting for all devices to be available before autodetect
md: If you don't use raid, use raid=noautodetect
md: Autodetecting RAID arrays.
..................
Referring to Section 3.2, the results of each step are as follows:
1. Make sure that cryptographic transformations using Tagged Keys are registered.
# grep -B1 -A2 tk- /proc/crypto|grep -v kernel
name : tk(ecb(aes))
driver : tk-ecb-aes-caam
priority : 1
--
name : tk(cbc(aes))
driver : tk-cbc-aes-caam
priority : 1
2. Make sure dm-crypt is enabled.
# ./dmsetup targets
crypt v1.18.1
striped v1.6.0
linear v1.4.0
error v1.5.0
3. Provide the device with its key.
#./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
keyctl_read_alloc: Permission denied
# ./keyctl list @s
1 key in keyring:
228517484: --alswrv 0 65534 keyring: _uid.0
# ./keyctl session
Joined session keyring: 1066486877
# ./keyctl list @s
keyring is empty
# ./keyctl add caam_tk seckey "new ecb 16" @s | xargs ./keyctl print > blob
# ./keyctl list @s
1 key in keyring:
972125402: --als-rv 0 0 caam_tk: seckey
# cat blob
:hex:9926ac021bdba1a40875778dd9aed6a560673ea8fcad7554456ab8826d67743af1304086076f7a5b9fc88ba6a1f5741243f4637fbc15d284f417166b4354d867
4. Create a secure volume.
# ./dd if=/dev/zero of=encrypted.img bs=1M count=8
8+0 records in
8+0 records out
8388608 bytes (8.4 MB, 8.0 MiB) copied, 1.74919 s, 4.8 MB/s
# ./losetup /dev/loop0 encrypted.img
5. Create a new device-mapper device named encrypted.
# ./dmsetup -v create encrypted --table "0 $(./blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :32:caam_tk:secke
Name: encrypted
State: ACTIVE
Read Ahead: 256
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 0
Number of targets: 1
# ./dmsetup table --showkey encrypted
0 16384 crypt capi:tk(cbc(aes))-plain :32:caam_tk:seckey 0 7:0 0
# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Jan 1 1970 control
brw------- 1 root root 253, 0 Mar 9 21:37 encrypted
6, 7, 8. Set the mount point and mount.
# ./mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 8192 1k blocks and 2048 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done
# mkdir -p ./mnt/encrypted
# mount -t ext4 /dev/mapper/encrypted ./mnt/encrypted/
# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 18.3M 18.3M 0 100% /
..............
/dev/mmcblk0p1 7.4G 58.1M 7.3G 1% /media/mmcblk0p1
tmpfs 58.0M 584.0K 57.4M 1% /root/.ssh
/dev/mapper/encrypted
6.4M 46.0K 5.8M 1% /jffs/dm_crypt/mnt/encrypted
When I execute the mount command, the serial port shows the following message; I'm not sure whether this is abnormal:
EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
9. Write to the device.
# echo "hello,world" > ./mnt/encrypted/readme.txt
# cat ./mnt/encrypted/readme.txt
hello,world
According to step 8: "At this level, everything you write to /mnt/encrypted is encrypted on the real block device /dev/loop0."
I think the readme.txt file should be encrypted, but it is unencrypted.
I don't know why, or how to solve it.
Best regards
haichao
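Added example by the editor, not part of haichao's post and not code from AN12714 or meta-imx-fde-demo. Reading readme.txt through the mount point always returns the plaintext, because that path goes through the dm-crypt target; the comparison that tells whether the volume is encrypted at rest is whether the same bytes are present in the backing image (encrypted.img, or /dev/loop0) when it is read directly. The script below packages that check. It reuses the names from the post (encrypted.img, ./mnt/encrypted, readme.txt, "hello,world"); the function names, the `run` argument and the root/mount guard are assumptions made here. It relies on GNU grep options (-a, -b, -o, -F).

```sh
#!/bin/sh
# Added example (editor's code, not from the post, AN12714 or the demo layer).
# Checks whether a marker written through the dm-crypt mapping also appears in
# clear text on the backing image, i.e. whether the volume is encrypted at rest.
# Names reused from the post: encrypted.img, ./mnt/encrypted, readme.txt,
# "hello,world". Function names and the guard in demo_on_device are assumptions.

# at_rest_verdict IMAGE MARKER
# Prints "OK" and returns 0 when MARKER does not occur verbatim in IMAGE;
# prints "LEAK" and returns 1 when it does. -a makes grep treat the binary
# image as text, -F takes MARKER literally.
at_rest_verdict() {
    image=$1
    marker=$2
    if grep -a -q -F -- "$marker" "$image"; then
        echo "LEAK: '$marker' found in clear text in $image"
        return 1
    fi
    echo "OK: '$marker' not found in clear text in $image"
    return 0
}

# marker_offsets IMAGE MARKER
# Prints the byte offset of every clear-text occurrence of MARKER in IMAGE,
# one per line (GNU grep -b -o). Useful after a LEAK to see where the clear
# data sits, e.g. in a region that was never written through the mapping.
marker_offsets() {
    grep -a -b -o -F -- "$2" "$1" | cut -d: -f1
}

# demo_on_device
# Repeats step 9 of the post on a board where /dev/mapper/encrypted is already
# created and mounted on ./mnt/encrypted, then runs the two reads that matter:
# through the mount (plaintext is expected here) and on the raw image
# (the marker must be absent if dm-crypt is doing its job). Guarded so the
# script does nothing destructive when run elsewhere.
demo_on_device() {
    if [ "$(id -u)" -ne 0 ] || [ ! -d ./mnt/encrypted ] || [ ! -f encrypted.img ]; then
        echo "demo_on_device: needs root, ./mnt/encrypted mounted and encrypted.img present"
        return 2
    fi
    echo "hello,world" > ./mnt/encrypted/readme.txt
    # Flush the page cache so the write actually reaches the dm-crypt target
    # and the loop device; before sync the image may not have been touched.
    sync
    echo "through the mapping: $(cat ./mnt/encrypted/readme.txt)"
    at_rest_verdict encrypted.img "hello,world"
}

# Run the on-device demo only when invoked as: sh check_at_rest.sh run
case "${1:-}" in
    run) demo_on_device ;;
esac
```

On the board, `sh check_at_rest.sh run` after the post's step 8 should print the file contents once (through the mapping) and then "OK" for encrypted.img; a "LEAK" line means the bytes reached the image without passing through the crypt target. The functions can also be sourced and pointed at /dev/loop0 instead of encrypted.img, which reads the same sectors below the mapping.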