- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
imx93: cryptsetup with CONFIG_TEE_CRYPTO=m does not work with foreign LUKS files
Hi,
I am using linux-fslc-imx 6.6.74 on imx93-evk. Crypto config with CONFIG_TEE_CRYPTO=m is enabled, as I use it to encrypt a partition with dmsetup and a trusted key (works fine).
When trying to open an encrypted LUKS file with cryptsetup however, the call goes fine:
cryptsetup open luks.img luksBut unfortunately, the data in /dev/mapper/luks is garbage (looks random). With CONFIG_TEE_CRYPTO=n, the issue disappears and the decrypted mapped block device appears fine.
I have tried aes-cbc-plain and aes-xts-plain64 with various key sizes (256, 512), and the problem remains.
How to reproduce:
1. Create an encrypted LUKS file on another computer and format it to ext4
dd if=/dev/zero of=luks.img bs=1M count=128
cryptsetup luksFormat --key-size=256 --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --hash "sha256" --cipher=aes-xts-plain64 luks.img
sudo cryptsetup open luks.img luks
sudo mkfs.ext4 /dev/mapper/luks
sudo cryptsetup close luks2. On the board, simply open the LUKS:
cryptsetup open luks.img luksProblem: /dev/mapper/luks looks random, not ext4.
What is the correct way to use cryptsetup for foreign LUKS files when CONFIG_TEE_CRYPTO=m?
Ultimately I ended up disabling the module with CONFIG_TEE_CRYPTO=n.
@omar_aberkan it's a combination of `keyctl add trusted datakey` and `dmsetup create crypt capi:xts(aes)-plain :32:trusted:datakey` following the instructions here: https://www.thegoodpenguin.co.uk/blog/secure-storage-with-i-mx-95-verdin-evk-using-trusted-keys-with.... I only encrypt a data partition though, not the rootfs (the latter would be harder I imagine since you'd have to encrypt it outside the board).
