imx93: cryptsetup with CONFIG_TEE_CRYPTO=m does not work with foreign LUKS files



193 views
mjourdan
Contributor I

Hi,

I am using linux-fslc-imx 6.6.74 on imx93-evk. Crypto config with CONFIG_TEE_CRYPTO=m is enabled, as I use it to encrypt a partition with dmsetup and a trusted key (works fine).

When trying to open an encrypted LUKS file with cryptsetup however, the call goes fine:

cryptsetup open luks.img luks

But unfortunately, the data in /dev/mapper/luks is garbage (looks random). With CONFIG_TEE_CRYPTO=n, the issue disappears and the decrypted mapped block device appears fine.

I have tried aes-cbc-plain and aes-xts-plain64 with various key sizes (256, 512), and the problem remains.

How to reproduce:

1. Create an encrypted LUKS file on another computer and format it to ext4

dd if=/dev/zero of=luks.img bs=1M count=128
cryptsetup luksFormat --key-size=256 --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --hash "sha256" --cipher=aes-xts-plain64 luks.img
sudo cryptsetup open luks.img luks
sudo mkfs.ext4 /dev/mapper/luks
sudo cryptsetup close luks

2. On the board, simply open the LUKS:

cryptsetup open luks.img luks

Problem: /dev/mapper/luks looks random, not ext4.

What is the correct way to use cryptsetup for foreign LUKS files when CONFIG_TEE_CRYPTO=m?

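As an added example (not part of the original post), here is a small POSIX shell check that turns the "looks random, not ext4" observation above into a deterministic test: ext2/3/4 keep the 2-byte little-endian magic 0xEF53 at byte offset 1080 of the device, so a correctly opened /dev/mapper/luks shows it and a wrong key or cipher path does not. It assumes only dd and od, and it constructs its own sample images so it can be run without cryptsetup or root; the file name check_ext4.sh in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: tell an ext4 filesystem from
# garbage on a mapped device such as /dev/mapper/luks.
# ext2/3/4 store a 2-byte little-endian magic 0xEF53 at byte offset 1080
# (superblock at 1024 + field offset 0x38). When the key or the cipher
# implementation is wrong, that offset holds random bytes instead.
# Requires only dd and od.

# Print the two bytes at offset 1080 as lowercase hex, e.g. "53ef".
ext_magic_hex() {
    dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed (exit 0) only if the device carries the ext magic.
is_ext4() {
    [ "$(ext_magic_hex "$1")" = "53ef" ]
}

# Human-readable verdict for one device or image path.
verdict() {
    if is_ext4 "$1"; then
        echo "$1: ext4 superblock magic present"
    else
        echo "$1: no ext magic at offset 1080 (wrong key, wrong cipher path, or not ext4)"
    fi
}

# Constructed sample images so the check can be exercised without cryptsetup
# or root: "good" is zeros with the magic written in place; "bad" is random
# data, as the post describes, with the two magic bytes forced to zero so the
# sample is deterministic.
make_sample_images() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
    dd if=/dev/urandom of="$2" bs=1024 count=4 2>/dev/null
    dd if=/dev/zero of="$2" bs=1 seek=1080 count=2 conv=notrunc 2>/dev/null
}

# Usage: sh check_ext4.sh /dev/mapper/luks
# With no argument, run the check against the constructed samples.
if [ $# -gt 0 ]; then
    verdict "$1"
else
    tmp=$(mktemp -d)
    make_sample_images "$tmp/good.img" "$tmp/bad.img"
    verdict "$tmp/good.img"
    verdict "$tmp/bad.img"
    rm -rf "$tmp"
fi
```

On the board, `is_ext4 /dev/mapper/luks` (as root) gives the same answer as eyeballing the device; where available, `blkid /dev/mapper/luks` or `file -s /dev/mapper/luks` do too. Running it once with CONFIG_TEE_CRYPTO=m and once with CONFIG_TEE_CRYPTO=n, same image and same passphrase, isolates the symptom described in the post to the kernel crypto path rather than to the image.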
2 replies

128 views
mjourdan
Contributor I

Ultimately I ended up disabling the module with CONFIG_TEE_CRYPTO=n.

@omar_aberkan it's a combination of `keyctl add trusted datakey` and `dmsetup create crypt capi:xts(aes)-plain :32:trusted:datakey` following the instructions here: https://www.thegoodpenguin.co.uk/blog/secure-storage-with-i-mx-95-verdin-evk-using-trusted-keys-with.... I only encrypt a data partition though, not the rootfs (the latter would be harder I imagine since you'd have to encrypt it outside the board).


172 views
omar_aberkan
Contributor III

Can you provide your full configuration on how to encrypt the partition? I get problems when I try to start systemd from the encrypted partition.