imx6q root file system encryption problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

imx6q root file system encryption problem

4,710 Views
yenchao
Contributor IV

Hi All,

 

I'm working on imx6q and would like to encrypt the root file system by mfgtools.

Attachment ucl2.xml is the script for mfgtools that I used for encryption.

After executing "cryptsetup luksOpen", it always crash when I try to copy root file system into the partition.

It will show some messages as attachment console.txt when it crashed.

I saw some key words like "aes_encrypt", "async_encrypt"...etc in the messages.

So I guess that the problem might be the encryption.

But I have no idea how to fix it.

Does anyone know how to resolve this problem?

Any advices and suggestions will be greatly appreciated!!

 

Thx

Yen

Original Attachment has been moved to: console.txt.zip

Original Attachment has been moved to: ucl2.xml.zip

Labels (2)
13 Replies

3,293 Views
poonguzhalip
Contributor II

Hi Yen,

While trying rootfile system encryption using mfgtool, stuck at a point wherein cryptsetup command is not available.

So, just tried listing of cryptsetup command by adding the below line in ucl2.xml

<CMD state="Updater" type="push" body="$ ls -al cryptsetup"/>

to check whether cryptsetup command is available in mfgtool or not. But the above command fails with "no such file or directory error".

The log contents are below.

UTP: received command '$ ls -al cryptsetup'

UTP: executing "ls -al cryptsetup"

ls: cryptsetup: No such file or directory

UTP: sending Non-success to kernel for command $ ls -al cryptsetup.

Can you please share the steps of how you included the cryptsetup command in the mfgtool.

Regards

Poonguzhali

0 Kudos
Reply

3,293 Views
yenchao
Contributor IV

Hi Poonguzhali,

<CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>

  <CMD state="Updater" type="push" body="$ cat $FILE | cryptsetup luksFormat /dev/mmcblk%mmc%p3 -">Encrypting and Formatting rootfs partition</CMD>

  <CMD state="Updater" type="push" body="$ cryptsetup luksOpen --key-file=$FILE /dev/mmcblk%mmc%p3 mmcblk%mmc%p3">Encrypting and Formatting rootfs partition</CMD>

  <CMD state="Updater" type="push" body="$ mkfs.ext3 -E nodiscard /dev/mapper/mmcblk%mmc%p3">Encrypting and Formatting rootfs partition</CMD>

  <CMD state="Updater" type="push" body="$ mkdir -p /mnt/mmcblk%mmc%p3"/>

<CMD state="Updater" type="push" body="$ mount -t ext3 /dev/mapper/mmcblk%mmc%p3 /mnt/mmcblk%mmc%p3"/>
<CMD state="Updater" type="push" body="pipe tar -jxv -C /mnt/mmcblk%mmc%p3" file="files/rootfs.tar.bz2">Sending and writting rootfs</CMD>

<CMD state="Updater" type="push" body="frf">Finishing rootfs write</CMD>

This is the mfgtools script that we use to encrypt rootfs.

Best Regards,

Yen

0 Kudos
Reply

3,293 Views
poonguzhalip
Contributor II

Hi Yen,

Thanks for the quick response and the details.

In my case, cryptsetup command itself is not found.

My question is how to get the cryptsetup command available in order to perform the steps mentioned by you for encrypt rootfs. Have you done anything for enabling the cryptsetup command in mfgtool before updating the ucl2.xml.

Regards

Poonguzhali

0 Kudos
Reply

3,293 Views
yenchao
Contributor IV

Hi Poonguzhali,

We build the rootfs by yocto project.

I guess you have to build "cryptsetup" into your rootfs.

Sorry, I'm a newbie on bsp, so maybe I can't give you any helpful advice or suggestion.

Best Regards,

Yen

0 Kudos
Reply

3,293 Views
poonguzhalip
Contributor II

Hi Yen,

Thanks for the info.

I have included "cryptsetup" in the rootfs and now the command is available.:smileyhappy:

Also updated the ucl2.xml script as mentioned by you and now my mfgtool itself is not launching :smileysad:.

While launching, it throws the error in the "Initialize operation failed" and the mfgtool log says that

push command --file ..Profiles\MX6Q Linux Update\OS Firmware\firmware\keyfile failed to open.errcode is 2

parse ucl script failed, error code: 4

But firmware\keyfile exists in the respective folder and it has all the permissions.. Not clear why this is happening..

any idea of how to solve this.

Regards

Poonguzhali

0 Kudos
Reply

3,293 Views
yenchao
Contributor IV

Hi Poonguzhali,

The keyfile is the key for encryption.

please ref. this web site https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles

Best Regards,

Yen

0 Kudos
Reply

3,293 Views
poonguzhalip
Contributor II

Hi Yen,

I understand that the keyfile is for encryption and I have generated it already and put into firmware folder.

But, while launching, mfgtool throws the error "Initialize operation failed" and the log says that

push command --file ..Profiles\MX6Q Linux Update\OS Firmware\firmware\keyfile failed to open.errcode is 2

parse ucl script failed, error code: 4

i.e the launching of mfgtool is interupted in the below line in ucl2.xml

<CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>

Any ideas?

is there any document explaining the ucl script error codes.

Regards

Poonguzhali

0 Kudos
Reply

3,293 Views
yenchao
Contributor IV

Hi Poonguzhali,

Sorry, I don't know why it still show this error message.

I  don't know if there is any document for script error code.

Best Regards,

Yen

0 Kudos
Reply

3,293 Views
poonguzhalip
Contributor II

Hi Yen,

I got it working. :smileyhappy:

I just replaced the below line

<CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>

with

<CMD state="Updater" type="push" body="send" file="firmware/keyfile.tar" >Sending key file</CMD>

<CMD state="Updater" type="push" body="$ tar xf $FILE" >Sending key file</CMD>

Basically I compressed the keyfile and copied & uncompressed it in the ucl2.xml file. Don't know why it didn't work when uncompressed file is given. After compressing the mfgtool is launching properly.:smileyhappy::smileyhappy: and this issue can be closed.

Regards

Poonguzhali P

0 Kudos
Reply

3,293 Views
yenchao
Contributor IV

Hi Poonguzhali,

That's great to hear that!!

Yen

0 Kudos
Reply

3,293 Views
poonguzhalip
Contributor II

Hi Yen

Have you successfully booted after encrypting the root filesystem using mfgtool.

In my case, I am successful in encrypting the partition, copy the contents into the encrypted partition, and checked it by listing the copied contents. But no success in booting the device. :smileycry:. I added the decrypt logic in "on early-fs" before the mounting file system using "on fs" in the init.rc file, but no success. Any ideas??

Regards

Poonguzhali

0 Kudos
Reply

3,293 Views
igorpadykov
NXP Employee
NXP Employee

Hi Yen

from console log there is no indication that problem is encryption,

seems there are problems with memory, may be insufficient or

misconfigured. One can try to run it with one core: maxcpus=1 or nosmp and

decrease cma size. Also it may be recommended to run these commands

on linux image.

Best regards

igor

-----------------------------------------------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!

-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply

3,293 Views
yenchao
Contributor IV

Hi Igor,

Thanks for your reply.

I add "maxcpus=1" at the kernel command line and it is fine for mfgtools to encrypt root file system.

After mfgtools and log into the os, it still crash when I copy or un-tar file into encrypted root file system.(I didn't set maxcpus=1 at regular boot)

Is encryption only could use on one cpu?

Thx

Yen