Hi All,
I'm working on imx6q and would like to encrypt the root file system by mfgtools.
Attachment ucl2.xml is the script for mfgtools that I used for encryption.
After executing "cryptsetup luksOpen", it always crashes when I try to copy the root file system into the partition.
It will show some messages as attachment console.txt when it crashed.
I saw some key words like "aes_encrypt", "async_encrypt"...etc in the messages.
So I guess that the problem might be the encryption.
But I have no idea how to fix it.
Does anyone know how to resolve this problem?
Any advice and suggestions will be greatly appreciated!!
Thx
Yen
Original Attachment has been moved to: console.txt.zip
Original Attachment has been moved to: ucl2.xml.zip
Hi Yen,
While trying root file system encryption using mfgtool, I got stuck at a point where the cryptsetup command is not available.
So, I just tried listing the cryptsetup command by adding the below line in ucl2.xml
<CMD state="Updater" type="push" body="$ ls -al cryptsetup"/>
to check whether cryptsetup command is available in mfgtool or not. But the above command fails with "no such file or directory error".
The log contents are below.
UTP: received command '$ ls -al cryptsetup'
UTP: executing "ls -al cryptsetup"
ls: cryptsetup: No such file or directory
UTP: sending Non-success to kernel for command $ ls -al cryptsetup.
Can you please share the steps of how you included the cryptsetup command in the mfgtool?
Regards
Poonguzhali
Hi Poonguzhali,
<CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>
<CMD state="Updater" type="push" body="$ cat $FILE | cryptsetup luksFormat /dev/mmcblk%mmc%p3 -">Encrypting and Formatting rootfs partition</CMD>
<CMD state="Updater" type="push" body="$ cryptsetup luksOpen --key-file=$FILE /dev/mmcblk%mmc%p3 mmcblk%mmc%p3">Encrypting and Formatting rootfs partition</CMD>
<CMD state="Updater" type="push" body="$ mkfs.ext3 -E nodiscard /dev/mapper/mmcblk%mmc%p3">Encrypting and Formatting rootfs partition</CMD>
<CMD state="Updater" type="push" body="$ mkdir -p /mnt/mmcblk%mmc%p3"/>
<CMD state="Updater" type="push" body="$ mount -t ext3 /dev/mapper/mmcblk%mmc%p3 /mnt/mmcblk%mmc%p3"/>
<CMD state="Updater" type="push" body="pipe tar -jxv -C /mnt/mmcblk%mmc%p3" file="files/rootfs.tar.bz2">Sending and writing rootfs</CMD>
<CMD state="Updater" type="push" body="frf">Finishing rootfs write</CMD>
This is the mfgtools script that we use to encrypt rootfs.
Best Regards,
Yen
Hi Yen,
Thanks for the quick response and the details.
In my case, the cryptsetup command itself is not found.
My question is how to get the cryptsetup command available in order to perform the steps mentioned by you to encrypt the rootfs. Have you done anything to enable the cryptsetup command in mfgtool before updating the ucl2.xml?
Regards
Poonguzhali
Hi Poonguzhali,
We build the rootfs with the Yocto Project.
I guess you have to build "cryptsetup" into your rootfs.
Sorry, I'm a newbie on bsp, so maybe I can't give you any helpful advice or suggestion.
Best Regards,
Yen
Hi Yen,
Thanks for the info.
I have included "cryptsetup" in the rootfs and now the command is available. :)
I also updated the ucl2.xml script as mentioned by you, and now my mfgtool itself is not launching. :(
While launching, it throws the error "Initialize operation failed" and the mfgtool log says that
push command --file ..Profiles\MX6Q Linux Update\OS Firmware\firmware\keyfile failed to open.errcode is 2
parse ucl script failed, error code: 4
But firmware\keyfile exists in the respective folder and it has all the permissions. It is not clear why this is happening.
Any idea how to solve this?
Regards
Poonguzhali
Hi Poonguzhali,
The keyfile is the key for encryption.
Please refer to this website: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles
Best Regards,
Yen
Hi Yen,
I understand that the keyfile is for encryption and I have generated it already and put into firmware folder.
But, while launching, mfgtool throws the error "Initialize operation failed" and the log says that
push command --file ..Profiles\MX6Q Linux Update\OS Firmware\firmware\keyfile failed to open.errcode is 2
parse ucl script failed, error code: 4
i.e. the launching of mfgtool is interrupted at the below line in ucl2.xml
<CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>
Any ideas?
Is there any document explaining the ucl script error codes?
Regards
Poonguzhali
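A host-side pre-flight check for the command list discussed in this thread, added here as an example (it is not part of the thread and not NXP's tooling). It resolves each `file=` attribute against the profile's "OS Firmware" directory, as the path in the log above suggests, and goes one step further by confirming that `mkfs` and `mount` address the `/dev/mapper` device created by `luksOpen` rather than the raw partition. The `lint_ucl` name and the `<LIST>` wrapper in the sample are assumptions.

```python
import shlex
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the thread's commands inside a <LIST> wrapper (assumed).
SAMPLE = """<LIST name="encrypted-rootfs">
<CMD state="Updater" type="push" body="send" file="firmware/keyfile">Sending key file</CMD>
<CMD state="Updater" type="push" body="$ cat $FILE | cryptsetup luksFormat /dev/mmcblk%mmc%p3 -"/>
<CMD state="Updater" type="push" body="$ cryptsetup luksOpen --key-file=$FILE /dev/mmcblk%mmc%p3 mmcblk%mmc%p3"/>
<CMD state="Updater" type="push" body="$ mkfs.ext3 -E nodiscard /dev/mapper/mmcblk%mmc%p3"/>
<CMD state="Updater" type="push" body="$ mount -t ext3 /dev/mapper/mmcblk%mmc%p3 /mnt/mmcblk%mmc%p3"/>
<CMD state="Updater" type="push" body="pipe tar -jxv -C /mnt/mmcblk%mmc%p3" file="files/rootfs.tar.bz2"/>
<CMD state="Updater" type="push" body="frf">Finishing rootfs write</CMD>
</LIST>"""


def lint_ucl(xml_text, firmware_dir):
    """Return findings for one command list; an empty list means it passed."""
    findings, luks, opened = [], set(), set()
    for cmd in ET.fromstring(xml_text).iter("CMD"):
        ref, body = cmd.get("file"), cmd.get("body", "")
        # Host side: every file= must exist under the profile's firmware dir.
        if ref and not (Path(firmware_dir) / ref).is_file():
            findings.append(f"missing file: {ref}")
        if not body.startswith("$ "):
            continue  # send / pipe / frf are UTP verbs, not shell commands
        tok = shlex.split(body[2:])
        if "cryptsetup" in tok:
            rest = tok[tok.index("cryptsetup") + 1:]
            action = rest[0] if rest else ""
            args = [t for t in rest[1:] if not t.startswith("-")]
            if action == "luksFormat" and args:
                luks.add(args[0])
            elif action == "luksOpen" and len(args) == 2:
                if args[0] not in luks:
                    findings.append(f"luksOpen on {args[0]} without luksFormat in this list")
                opened.add("/dev/mapper/" + args[1])
        elif tok and (tok[0].startswith("mkfs") or tok[0] == "mount"):
            for dev in (t for t in tok[1:] if t.startswith("/dev/")):
                if dev in luks:  # would bypass dm-crypt and store plaintext
                    findings.append(f"{tok[0]} targets raw LUKS partition {dev}")
                elif dev.startswith("/dev/mapper/") and dev not in opened:
                    findings.append(f"{tok[0]} uses {dev} before luksOpen")
    return findings
```

Call `lint_ucl(Path("ucl2.xml").read_text(), "<path to OS Firmware>")` on each list before launching the tool; the directory argument is a placeholder for your own profile path.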
Hi Poonguzhali,
Sorry, I don't know why it still shows this error message.
I don't know if there is any document for the script error codes.
Best Regards,
Yen
Hi Yen,
I got it working. :)
I just replaced the below line
<CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>
with
<CMD state="Updater" type="push" body="send" file="firmware/keyfile.tar" >Sending key file</CMD>
<CMD state="Updater" type="push" body="$ tar xf $FILE" >Sending key file</CMD>
Basically I compressed the keyfile and copied & uncompressed it in the ucl2.xml file. Don't know why it didn't work when the uncompressed file is given. After compressing, the mfgtool is launching properly :) :) and this issue can be closed.
Regards
Poonguzhali P
Hi Poonguzhali,
That's great to hear!!
Yen
Hi Yen
Have you successfully booted after encrypting the root filesystem using mfgtool?
In my case, I am successful in encrypting the partition, copying the contents into the encrypted partition, and checking it by listing the copied contents. But no success in booting the device. :'( I added the decrypt logic in "on early-fs", before the file system is mounted using "on fs" in the init.rc file, but no success. Any ideas??
Regards
Poonguzhali
Hi Yen
From the console log there is no indication that the problem is encryption;
it seems there are problems with memory, which may be insufficient or
misconfigured. One can try to run it with one core (maxcpus=1 or nosmp) and
decrease the CMA size. Also, it may be recommended to run these commands
on a Linux image.
Best regards
igor
Hi Igor,
Thanks for your reply.
I added "maxcpus=1" to the kernel command line and it is fine for mfgtools to encrypt the root file system.
After running mfgtools and logging into the OS, it still crashes when I copy or un-tar a file into the encrypted root file system. (I didn't set maxcpus=1 at regular boot.)
Can encryption only be used on one CPU?
Thx
Yen