
How to boot into a luks encrypted rootfs partition from initramfs on imx6 quad?

Question asked by Faisal Alghamdi on Nov 23, 2018
Latest reply on Dec 11, 2018 by Yuri Muhin

Hi everyone,


I have been trying to do full disk encryption on iMX6 Quad eMMC (the version I use is the EmbeddedArtists imx6qea COM on their carrier board).

What I have done is:

  1. Rebuilding fsl-image-mfgtool-initramfs to support disk encryption in the kernel and cryptsetup in the image itself.
  2. Attaching the initial RAM file system image (initramfs) to the imx6q kernel by adding this to my local.conf and rebuilding core-image-minimal:

    INITRAMFS_IMAGE = "core-image-minimal"

    INITRAMFS_IMAGE_BUNDLE = "1"
    IMAGE_FSTYPES = "cpio.gz tar.bz2"

  3. Using mfgtools to flash the newly created core-image-minimal and encrypting the rootfs part using these commands:

    <!-- the passphrase is in the file : "mfgtools_imx6q_4.9.123\Profiles\Linux\OS Firmware\firmware\keyfile" -->

    <CMD state="Updater" type="push" body="send" file="firmware/keyfile" >Sending key file</CMD>
    <CMD state="Updater" type="push" body="$ cat $FILE | cryptsetup luksFormat /dev/mmcblk%mmc%p2 -">Encrypting and Formatting rootfs partition</CMD>
    <CMD state="Updater" type="push" body="$ cryptsetup luksOpen --key-file=$FILE /dev/mmcblk%mmc%p2 mmcblk%mmc%p2">Encrypting and Formatting rootfs partition</CMD>
    <CMD state="Updater" type="push" body="$ mkfs.ext3 -E nodiscard /dev/mapper/mmcblk%mmc%p2">Encrypting and Formatting rootfs partition</CMD>
    <CMD state="Updater" type="push" body="$ mkdir -p /mnt/mmcblk%mmc%p2"/>
    <CMD state="Updater" type="push" body="$ mount -t ext3 /dev/mapper/mmcblk%mmc%p2 /mnt/mmcblk%mmc%p2"/>
    <CMD state="Updater" type="push" body="pipe tar -jxv -C /mnt/mmcblk%mmc%p2" file="files/%rootfs%-%board%.rootfs.tar.bz2">Sending and writing rootfs</CMD>
    <CMD state="Updater" type="push" body="frf">Finishing rootfs write</CMD>

  4. Booting into the kernel and its attached initramfs was successful. 

By doing the above steps, I was able to encrypt the rootfs using cryptsetup. After the boot into initramfs, I successfully decrypted and mounted the rootfs partition with the passphrase I provided using mfgtools:

$ cryptsetup --debug -v luksOpen /dev/mmcblk3p2 rootfs
$ mkdir /mnt/rootfs && mount -t ext3 /dev/mapper/rootfs /mnt/rootfs


What I was not able to do is to auto-mount the encrypted rootfs instead of the kernel's attached initramfs rootfs.

  • First, the crypttab infrastructure and its scripts cryptdisks, cryptdisks_start, cryptdisks_stop, etc. used to auto-mount encrypted partitions are completely missing from the Yocto project. When you install cryptsetup on a normal Linux distro you get these scripts automatically, but not on Yocto.
  • Another way is using mkinitcpio scripts, but they are also not a part of Yocto.
  • Finally, I think I will also need to update the initramfs after configuring it to mount another root partition (the LUKS encrypted one), which is done using the command update-initramfs, which generates a new initramfs image with the new configuration. Unfortunately, I was not able to find anything related to updating the initramfs after bitbaking, or maybe we have to set up everything upfront in Yocto so the initramfs is configured to auto-mount the encrypted rootfs, and then bitbake.

I am not sure if the above steps are the correct way to do full disk encryption on Yocto, or is there another way of doing it?


Thanks
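The missing piece the post describes (an initramfs that unlocks the LUKS rootfs and switches into it without crypttab or mkinitcpio) can be a small BusyBox /init script. This is an added example, not code from the original post, Yocto or mfgtools; it assumes a hypothetical kernel command line of the form `cryptdevice=<blockdev>:<mapname>` (e.g. `cryptdevice=/dev/mmcblk3p2:rootfs`), that the initramfs contains `cryptsetup`, `switch_root` and a console, and that the passphrase is typed at boot rather than shipped as a keyfile inside the (unencrypted) boot partition.

```shell
#!/bin/sh
# Added example /init for a BusyBox initramfs on the i.MX6 board above.
# Hypothetical convention: cryptdevice=<blockdev>:<mapname> on the kernel
# command line. The mfgtools keyfile is deliberately NOT copied into the
# initramfs: it sits next to the kernel on unencrypted eMMC, so using it
# at boot would give away the rootfs key to anyone holding the board.

# Print "<blockdev> <mapname>" parsed from a command-line string.
# Returns 1 if the parameter is missing or malformed.
parse_cryptdevice() {
    for arg in $1; do
        case "$arg" in
            cryptdevice=*)
                spec="${arg#cryptdevice=}"
                dev="${spec%%:*}"
                name="${spec#*:}"
                # Need both halves, and a plain map name: a '/' in the
                # name would escape /dev/mapper/ when the path is built.
                if [ -z "$dev" ] || [ -z "$name" ] || [ "$name" = "$spec" ]; then
                    return 1
                fi
                case "$name" in */*) return 1 ;; esac
                printf '%s %s\n' "$dev" "$name"
                return 0
                ;;
        esac
    done
    return 1
}

# Prompt for the passphrase on the console (up to $4 tries), then mount
# the opened mapping read-only on $3 for switch_root to take over.
unlock_and_mount() {
    dev="$1"; name="$2"; mnt="$3"; tries="${4:-3}"
    while [ "$tries" -gt 0 ]; do
        if cryptsetup luksOpen "$dev" "$name"; then
            mkdir -p "$mnt"
            mount -o ro "/dev/mapper/$name" "$mnt"
            return $?
        fi
        tries=$((tries - 1))
    done
    return 1
}

# Only act as init when running as PID 1 inside the initramfs.
if [ "$$" -eq 1 ]; then
    mount -t proc proc /proc; mount -t sysfs sysfs /sys; mount -t devtmpfs devtmpfs /dev
    spec=$(parse_cryptdevice "$(cat /proc/cmdline)") || { echo "init: no cryptdevice=" >&2; exec sh; }
    set -- $spec
    unlock_and_mount "$1" "$2" /newroot || { echo "init: unlock failed" >&2; exec sh; }
    exec switch_root /newroot /sbin/init
fi
```

The `exec sh` fallbacks are for bring-up; on a fielded device replace them with a reboot or halt so a failed unlock does not leave a root shell on the serial console.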
