Apalis iMX8 based environment to boot a USB stick encrypted with CAAM

I am trying to conduct an evaluation in an Apalis iMX8 based environment to boot a USB stick encrypted with CAAM.

By modifying local.conf as follows, based on the information at this URL, I was able to confirm that the specified disk partition gets mounted.

local.conf configuration:
INHERIT += "tdx-encrypted"
TDX_ENC_STORAGE_LOCATION = "/dev/sda1"

“/dev/sda1” is a partition created beforehand on a USB flash drive using ext4

With this setup, it seems to work with the default key and signature.
If I boot with the USB flash drive unplugged, an error occurs at boot time,
and the encrypted folder of the USB memory is not visible.

I would like to know the correct procedure for setting up the encryption key and certificate to make the encrypted folder of the USB memory visible.

Teruo

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!



Hello Teruo,

To make the encrypted folder of the USB memory visible with a custom encryption key and certificate, you need to follow a procedure that involves generating your own keys and certificates, then integrating them into your system. Here’s a general outline of the steps you should take:

  1. Generate Your Encryption Key and Certificate: First, you need to generate your own encryption key and a certificate. This can be done using tools like OpenSSL. Ensure that your key and certificate meet the security requirements of your application.

  2. Integrate the Key and Certificate into the Build: Once you have your key and certificate, you need to integrate them into your Yocto build. This involves modifying your Yocto project’s configuration to include your custom key and certificate instead of the default ones provided.

  3. Modify the local.conf File: In your local.conf file, you will need to specify the paths to your custom key and certificate. This can be done by setting variables that point to the location of your key and certificate within the build environment. Ensure these files are accessible to the build system.

  4. Use the TDX_ENC_KEY_FILE and TDX_ENC_CERT_FILE Variables: To specify your custom encryption key and certificate, use the TDX_ENC_KEY_FILE and TDX_ENC_CERT_FILE variables in your local.conf file. For example:

    TDX_ENC_KEY_FILE = "/path/to/your/custom/key"
    TDX_ENC_CERT_FILE = "/path/to/your/custom/certificate"
    

    Replace /path/to/your/custom/key and /path/to/your/custom/certificate with the actual paths to your key and certificate files.

  5. Rebuild Your Image: After making these changes, rebuild your Yocto project image to include the custom encryption key and certificate.

  6. Deploy and Test: Finally, deploy the newly built image to your device and test to ensure that the encrypted USB flash drive is mounted correctly and that the encrypted folder is visible when the device boots.

Please note that handling encryption keys and certificates requires careful consideration of security practices, including how they are stored and managed in your development and production environments.

Best regards,
Toradex AI Assistant

Please also check whether these links can help you solve your problem:

TorizonCore Builder Tool - Customizing Torizon OS Images | Toradex Developer Center.

Greetings @Teruo,

Just to make sure I understand your situation. Prior to everything, you set up a USB flash drive with this partition unencrypted, yes?

> With this setup, it seems to work with the default key and signature.

Are you saying once you use your own keys/signature the process no longer works anymore?

> If I boot with the USB flash drive unplugged, an error occurs at boot time,
> and the encrypted folder of USB memory is not visible.

I would expect some kind of error here. We use a systemd service to run the encryption handler script: meta-toradex-security/recipes-core/tdx-enc-handler/tdx-enc-handler/tdx-enc-handler.service at kirkstone-6.x.y · toradex/meta-toradex-security · GitHub

This service seems to only run once on system boot. If the partition isn’t available at boot time I would expect some issues.

> I would like to know the correct procedure for setting up the encryption key and certificate to make the encrypted folder of the USB memory visible.

Just to understand. You said this works fine with the “default key and signature”. Are you saying this fails with your keys and signature? Or does it fail because the USB drive is unplugged at boot time?

Could you perhaps share the error you are getting. Also the logs from the tdx-enc-handler service may also be helpful to share.

Best Regards,
Jeremias

Dear Jeremias,

I was able to check the contents of tdx-enc-caam.sh and other files to confirm the operation of this matter.
However, when TDX_ENC_STORAGE_MOUNT_POINT is set in local.conf, the data in the USB memory is initialized even if TDX_ENC_PRESERVE_DATA="1" is set.

Best Regards,
Teruo

> However, when TDX_ENC_STORAGE_MOUNT_POINT is set in local.conf, the data in the USB memory is initialized even if TDX_ENC_PRESERVE_DATA="1" is set.

Okay so you’re saying if you have these 2 variables set, then the data on the USB is not preserved prior to this partition being encrypted. Is that correct? Do you have any logs from the tdx-enc-handler service as I asked for?

Also, what happened to your initial issue? Is that no longer an issue anymore?

Best Regards,
Jeremias

Dear Jeremias,

I am running bitbake with the following settings:

TDX_ENC_PRESERVE_DATA="1"
TDX_ENC_STORAGE_LOCATION = "/dev/sda1"
TDX_ENC_STORAGE_MOUNT_POINT =? "/run/encdata"

Even if data is written to the /run/encdata folder at the first startup, the next startup contains nothing, giving the same result as when TDX_ENC_PRESERVE_DATA="0" is set.

If the TDX_ENC_STORAGE_MOUNT_POINT setting is disabled, data will remain in the /run/encdata folder even after restart.

Also, the problem I initially inquired about has been resolved.

Best Regards,
Teruo

Again I am asking you to please provide the logs from the tdx-enc-handler systemd service from your device for further analysis.

> If the TDX_ENC_STORAGE_MOUNT_POINT setting is disabled, data will remain in the /run/encdata folder even after restart.

First of all, the variable is TDX_ENC_STORAGE_MOUNTPOINT. Next, what do you mean you “disabled” this setting? This setting needs to be set to something otherwise the encrypted partition can’t be mounted and the process would fail.

Best Regards,
Jeremias
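Added example, not from this thread or the Toradex layer: a small POSIX sh lint for the TDX_ENC_* lines in local.conf, run before bitbake. It catches the three problems visible in the settings pasted above: a variable name the handler does not know (TDX_ENC_STORAGE_MOUNT_POINT instead of TDX_ENC_STORAGE_MOUNTPOINT), an assignment operator BitBake does not parse (=? instead of ?=), and curly quotes pasted from a web page. The list of known names is taken from the variables in tdx-enc.sh; whether every one of them is meant to be overridden from local.conf is an assumption, so check the recipe in your meta-toradex-security branch.

```shell
#!/bin/sh
# Added example (not part of meta-toradex-security): lint TDX_ENC_* settings in
# a local.conf. Known names are the variables of tdx-enc.sh; that all of them
# are honoured as local.conf overrides is an assumption of this example.

TDX_ENC_KNOWN_VARS="TDX_ENC_KEY_DIR TDX_ENC_KEY_FILE TDX_ENC_STORAGE_LOCATION \
TDX_ENC_STORAGE_MOUNTPOINT TDX_ENC_DM_DEVICE TDX_ENC_PRESERVE_DATA \
TDX_ENC_BACKUP_FILE TDX_ENC_BACKUP_STORAGE_PCT"

# Is $1 one of the variable names the handler script actually reads?
tdx_enc_known_var() {
    for v in $TDX_ENC_KNOWN_VARS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Lint a single line. Prints one finding per problem; returns 0 if clean.
tdx_enc_lint_line() {
    line=$1
    rc=0
    case $line in
        '#'*|'') return 0 ;;          # comment or blank line
        *TDX_ENC_*) ;;                # a setting we care about
        *) return 0 ;;                # anything else is not our business
    esac
    # variable name and the operator token that follows it
    var=$(printf '%s' "$line" | LC_ALL=C sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p')
    op=$(printf '%s' "$line" | LC_ALL=C sed -n 's/^[[:space:]]*[A-Za-z0-9_]*[[:space:]]*\([?:+.=]*\).*/\1/p')
    if ! tdx_enc_known_var "$var"; then
        echo "unknown variable: $var"; rc=1
    fi
    case $op in
        =|?=|??=|:=|+=|=+|.=|=.) ;;   # operators BitBake parses
        *) echo "unknown operator '$op' after: $var"; rc=1 ;;
    esac
    # bytes outside printable ASCII: almost always curly quotes from a web page
    if printf '%s' "$line" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        echo "non-ASCII character (curly quotes?) in: $var"; rc=1
    fi
    return $rc
}

# Lint the whole file $1; prints findings and a count, returns the count.
tdx_enc_lint_localconf() {
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        tdx_enc_lint_line "$line" || problems=$((problems + 1))
    done < "$1"
    echo "$problems problem line(s)"
    return $problems
}

# Usage: sh tdx-enc-lint.sh conf/local.conf
if [ -n "${1:-}" ]; then
    tdx_enc_lint_localconf "$1"
fi
```

A clean file reports "0 problem line(s)" and exits 0, so the script can gate a build in a Makefile or CI job. The operator check is deliberately strict: BitBake rejects a line like `X =? "v"` as unparsed, which is easy to miss in a long bitbake log.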

We will send you the logs with and without setting TDX_ENC_STORAGE_MOUNT_POINT in local.conf.

TDX_ENC_PRESERVE_DATA="1"
TDX_ENC_STORAGE_LOCATION = "/dev/sda1"
#TDX_ENC_STORAGE_MOUNT_POINT =? "/run/encdata"
If bitbake is done with #TDX_ENC_STORAGE_MOUNT_POINT =?

TDX_ENC_PRESERVE_DATA="1"
TDX_ENC_STORAGE_LOCATION = "/dev/sda1"
TDX_ENC_STORAGE_MOUNT_POINT =? "/run/encdata"
If bitbake is done with "/run/encdata", the /run/encdata folder will be initialized upon reboot.

> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Checking for the encrypted key...
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Encrypted key exists. Importing it...
> apalis-imx8-14715180 tdx-enc.sh[643]: 722180455
> apalis-imx8-14715180 systemd[1]: Starting Rule-based Manager for Device Events and Files...
> apalis-imx8-14715180 kernel: audit: type=1334 audit(1651167746.160:2): prog-id=5 op=LOAD
> apalis-imx8-14715180 kernel: audit: type=1334 audit(1651167746.160:3): prog-id=6 op=LOAD
> apalis-imx8-14715180 systemd[1]: Mounted /var.
> apalis-imx8-14715180 systemd[1]: Starting OSTree Remount OS/ Bind Mounts...
> apalis-imx8-14715180 systemd[1]: Platform Persistent Storage Archival was skipped because of a failed conditi>
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Data preservation is not enabled
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Setting up partition with dm-crypt...
> apalis-imx8-14715180 systemd[1]: Finished OSTree Remount OS/ Bind Mounts.
> apalis-imx8-14715180 systemd-modules-load[623]: Inserted module 'galcore'
> apalis-imx8-14715180 kernel: [drm] Initialized vivante 1.0.0 20170808 for 80000000.imx8_gpu1_ss on minor 0
> apalis-imx8-14715180 systemd[1]: Starting Flush Journal to Persistent Storage...
> apalis-imx8-14715180 systemd[1]: Starting Load/Save Random Seed...
> apalis-imx8-14715180 systemd-modules-load[623]: Inserted module 'libcomposite'
> apalis-imx8-14715180 systemd-journald[622]: Runtime Journal (/run/log/journal/5df9c476c76e412e83985a4834623e0>
> apalis-imx8-14715180 systemd-journald[622]: Received client request to flush runtime journal.
> apalis-imx8-14715180 systemd[1]: Finished Flush Journal to Persistent Storage.
> apalis-imx8-14715180 systemd[1]: Finished Load Kernel Modules.
> apalis-imx8-14715180 systemd[1]: Finished Load/Save Random Seed.
> apalis-imx8-14715180 systemd[1]: First Boot Complete was skipped because of a failed condition check (Conditi>
> apalis-imx8-14715180 systemd[1]: Starting Apply Kernel Variables...
> apalis-imx8-14715180 systemd-udevd[644]: Configuration file /usr/lib/udev/rules.d/77-mm-fibocom-port-types.ru>
> apalis-imx8-14715180 systemd[1]: Finished Apply Kernel Variables.
> apalis-imx8-14715180 systemd[1]: Started Rule-based Manager for Device Events and Files.
> apalis-imx8-14715180 tdx-enc.sh[648]: Name:              encdata
> apalis-imx8-14715180 tdx-enc.sh[648]: State:             ACTIVE
> apalis-imx8-14715180 tdx-enc.sh[648]: Read Ahead:        256
> apalis-imx8-14715180 tdx-enc.sh[648]: Tables present:    LIVE
> apalis-imx8-14715180 tdx-enc.sh[648]: Open count:        0
> apalis-imx8-14715180 tdx-enc.sh[648]: Event number:      0
> apalis-imx8-14715180 tdx-enc.sh[648]: Major, minor:      252, 0
> apalis-imx8-14715180 tdx-enc.sh[648]: Number of targets: 1
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Mounting encrypted partition...
> apalis-imx8-14715180 tdx-enc.sh[694]: /dev/mapper/encdata: UUID="d58a21cd-2d83-41d9-91c9-65beba375e4f" BLOCK_>
> apalis-imx8-14715180 kernel: EXT4-fs (dm-0): recovery complete
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Data preservation is not enabled
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Success!
> apalis-imx8-14715180 kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null). Quota m>
> apalis-imx8-14715180 systemd[1]: Finished Encryption handler for Toradex modules.
> apalis-imx8-14715180 systemd[1]: Mounting /var/volatile...
> apalis-imx8-14715180 systemd[1]: Mounted /var/volatile.
> apalis-imx8-14715180 systemd[1]: Reached target Local File Systems.
> apalis-imx8-14715180 systemd[1]: Starting Tell Plymouth To Write Out Runtime Data...
> apalis-imx8-14715180 systemd[1]: Commit a transient machine-id on disk was skipped because of a failed condit>
> apalis-imx8-14715180 systemd[1]: Started Systemd Timesync Update Fixes.
> apalis-imx8-14715180 systemd[1]: Starting Create Volatile Files and Directories...
> apalis-imx8-14715180 systemd[1]: systemd-timesyncd-update.service: Deactivated successfully.
> apalis-imx8-14715180 systemd[1]: Finished Tell Plymouth To Write Out Runtime Data.
> apalis-imx8-14715180 systemd-tmpfiles[702]: /usr/lib/tmpfiles.d/legacy.conf:13: Duplicate line for path "/run>
> apalis-imx8-14715180 systemd[1]: Finished Create Volatile Files and Directories.
> apalis-imx8-14715180 systemd[1]: Starting RPC Bind...
> apalis-imx8-14715180 systemd[1]: Rebuild Journal Catalog was skipped because of a failed condition check (Con>

Best Regards,
Teruo

Again, it does not make sense to “disable” TDX_ENC_STORAGE_MOUNTPOINT. The encryption feature will not work if this variable does not have a valid value. You can see in the script itself that it would not work without this variable: meta-toradex-security/recipes-core/tdx-enc-handler/tdx-enc-handler/tdx-enc.sh at kirkstone-6.x.y · toradex/meta-toradex-security · GitHub

As for your logs I can see the line:

CAAM: Data preservation is not enabled

This means TDX_ENC_PRESERVE_DATA is not working or has not taken effect. Perhaps you did not set the variable correctly in your build or something similar. If you check the contents of /usr/sbin/tdx-enc.sh in the filesystem of the image you built, you should be able to see what values the variables were set to.

Best Regards,
Jeremias
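Added example, not part of the thread or the Toradex layer: a triage function for journal output of tdx-enc-handler.service, in the spirit of the log reading above. It keys on the "CAAM:" messages that tdx_enc_log prints in tdx-enc.sh and reports whether the key blob was created or imported, whether data preservation was active, and, most importantly, whether the "Formatting encrypted partition with ext4..." branch ran, because that is the point at which anything previously on the partition is overwritten. The sample log lines in the test are constructed after the format of the journal excerpt above.

```shell
#!/bin/sh
# Added example (not part of meta-toradex-security): triage the journal of
# tdx-enc-handler.service. The matched strings are the messages tdx-enc.sh
# emits through tdx_enc_log; the verdicts and exit codes are this example's.
#
# Exit status: 0 = existing encrypted filesystem mounted
#              1 = handler failed, or mkfs ran although a key blob already
#                  existed (previous contents are gone)
#              2 = handler never logged "Success!"
#              3 = first boot with a fresh key, partition formatted (expected)
tdx_enc_triage_journal() {
    log=$1
    key=unknown preserve=unknown formatted=no error=no success=no
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"CAAM: Encrypted key not found. Creating it..."*)     key=new ;;
            *"CAAM: Encrypted key exists. Importing it..."*)       key=imported ;;
            *"CAAM: Backing up original content..."*)              preserve=yes ;;
            *"CAAM: Data preservation is not enabled"*)            preserve=no ;;
            *"CAAM: Formatting encrypted partition with ext4..."*) formatted=yes ;;
            *"CAAM: ERROR:"*)                                      error=yes ;;
            *"CAAM: Success!"*)                                    success=yes ;;
        esac
    done < "$log"
    echo "key=$key preserve=$preserve formatted=$formatted error=$error success=$success"
    if [ "$error" = yes ]; then
        echo "verdict: handler failed, see the ERROR line"
        return 1
    fi
    if [ "$success" != yes ]; then
        echo "verdict: handler did not finish (unit stopped early or log truncated)"
        return 2
    fi
    if [ "$formatted" = yes ]; then
        if [ "$key" = imported ]; then
            # The key blob was reused but blkid found no filesystem behind the
            # mapping: wrong key or damaged device. mkfs.ext4 then ran over it.
            echo "verdict: existing key but unrecognised mapping -> mkfs ran, previous contents lost"
            return 1
        fi
        echo "verdict: first-time setup, partition formatted"
        return 3
    fi
    echo "verdict: existing encrypted filesystem mounted"
    return 0
}

# Usage: journalctl -b -u tdx-enc-handler.service > enc.log; sh triage.sh enc.log
if [ -n "${1:-}" ]; then
    tdx_enc_triage_journal "$1"
fi
```

The log excerpt above yields "key=imported preserve=no formatted=no ... success=yes", which is why the only conclusion that could be drawn from it was that preservation was off; a run in which the "Formatting" line appears together with "Encrypted key exists" is the one to worry about.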

This problem has been partially resolved; however,
if /dev/sda1 is not formatted as ext4 before rebooting, the same error as described above appears after rebooting.
After formatting with ext4, I reboot and copy data. After rebooting again, the error message appears again and the encrypted USB drive is not assigned to /run/encdata; by formatting /dev/sda1 with ext4 again, it is recognized and the data inside can be referenced.
Is it necessary to reformat the unit to be encrypted with ext4 in advance, each time, before startup?

Teruo

> Is it necessary to reformat the unit to be encrypted at startup with ext4 each time in advance?

No this should not be necessary. If you look at the script it encrypts the location specified by TDX_ENC_STORAGE_LOCATION. It then mounts this encrypted partition to the location defined in TDX_ENC_STORAGE_MOUNTPOINT.

Now the private key used to encrypt is generated at runtime during first boot and encrypted by CAAM. The key is tied to that specific instance of the OS. If you re-flash the device then a new key will be generated. But if your partition was encrypted by the old key then obviously the new key won’t work for this.

> After rebooting, the error message appears again

What error message?

Also could you please share the contents of /usr/bin/sbin/tdx-enc.sh as I asked for. Looking at your logs it looks like you don’t have TDX_ENC_PRESERVE_DATA set at all.

Best Regards,
Jeremias
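Added example, not part of meta-toradex-security: the consequence of the point just made about keys, applied to the script. tdx_enc_partition_mount in tdx-enc.sh (linked above and reproduced later in the thread) decides between mounting and running mkfs.ext4 solely on whether blkid recognises /dev/mapper/encdata. Because the mapping is plain dm-crypt without a LUKS header, a wrong key is not reported as an error: the plaintext simply reads as random bytes, blkid finds no signature, and the script formats the device over the old data. The functions below, with names of this example's own choosing, check for the ext4 superblock magic directly and refuse to format when the key blob already existed, which is exactly the "re-flashed device, old partition" case described above.

```shell
#!/bin/sh
# Added example (not part of meta-toradex-security): guard against the
# unconditional mkfs in tdx_enc_partition_mount. Plain dm-crypt has no header,
# so "wrong key" looks like "unformatted" to blkid. Function names are ours.

# True if the device or image $1 carries an ext4 superblock. The superblock
# starts at byte 1024 and s_magic (0xEF53, little-endian) is at offset 56,
# so the bytes at 1080..1081 must read 53 ef.
tdx_enc_has_ext4_magic() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Decide what to do with the opened mapping $2 given how tdx_enc_key_gen got
# the key: "new" (blob just created) or "imported" (blob already existed).
# Prints one of: mount | format | abort
tdx_enc_mount_decision() {
    key_state=$1 mapping=$2
    if tdx_enc_has_ext4_magic "$mapping"; then
        echo mount      # plaintext is a filesystem, so the key is the right one
    elif [ "$key_state" = new ]; then
        echo format     # first boot with a fresh key: there is nothing to lose
    else
        echo abort      # key existed, plaintext is garbage: wrong key or damaged
    fi                  # device. Formatting here would destroy the old data.
}

# Build a small image file with or without the ext4 magic so the check can be
# exercised offline. On a device you would pass /dev/mapper/${TDX_ENC_DM_DEVICE}.
tdx_enc_make_test_image() {
    img=$1 with_magic=$2
    dd if=/dev/zero of="$img" bs=1024 count=4 2>/dev/null
    if [ "$with_magic" = yes ]; then
        # octal 123 357 = 0x53 0xEF
        printf '\123\357' | dd of="$img" bs=1 seek=1080 conv=notrunc 2>/dev/null
    fi
}
```

In the script this would replace the `if ! blkid ...; then mkfs.ext4 ...` block: call tdx_enc_mount_decision with the state recorded in tdx_enc_key_gen, and turn "abort" into tdx_enc_exit_error so the unit fails loudly instead of producing an empty but healthy-looking /run/encdata. A LUKS header would make the key check unnecessary, but that is a different on-disk format from the one the handler uses today.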

In my environment, it exists at /usr/sbin/tdx-enc.sh.
The contents are as follows.
This file reflects the state after changing the partition setting from USB memory to eMMC.

#!/bin/sh

# Toradex encryption handler for 'caam' key storage backend

# directory to store CAAM encrypted key
TDX_ENC_KEY_DIR="/var/local/private/.keys"

# key file name
TDX_ENC_KEY_FILE="tdx-enc-key.blob"

# storage location to be encrypted (e.g. partition)
TDX_ENC_STORAGE_LOCATION="/dev/mmcblk0"

# directory to mount the encrypted storage
TDX_ENC_STORAGE_MOUNTPOINT="/run/encdata"

# dm-crypt device to be created
TDX_ENC_DM_DEVICE="encdata"

# Flag to enable preservation of data on partition before encryption
TDX_ENC_PRESERVE_DATA=0

# storage location of data backup file (if needed)
TDX_ENC_BACKUP_FILE="/tmp/encdata.tar.bz2"

# Configurable RAM use percentage
TDX_ENC_BACKUP_STORAGE_PCT=30

# log to standard output
tdx_enc_log() {
    echo "CAAM: $*"
}

# log error message and exit
tdx_enc_exit_error() {
    tdx_enc_log "ERROR: $*"
    exit 1
}

# system checks
tdx_enc_check() {
    if ! dmsetup targets | grep crypt -q; then
        tdx_enc_exit_error "No support for dm-crypt target!"
    fi
    if ! grep -q cbc-aes-caam /proc/crypto; then
        tdx_enc_exit_error "No support for cbc-aes-caam!"
    fi
}

# check if the encrypted key exists and create one if needed
tdx_enc_key_gen() {
    tdx_enc_log "Checking for the encrypted key..."

    ENC_KEY_FILE="${TDX_ENC_KEY_DIR}/${TDX_ENC_KEY_FILE}"

    if [ ! -e "${ENC_KEY_FILE}" ]; then
        tdx_enc_log "Encrypted key not found. Creating it..."
        KEY="$(keyctl add trusted tdxenc 'new 32' @s)"
        mkdir -p "${TDX_ENC_KEY_DIR}"
        if ! keyctl pipe "$KEY" > "${ENC_KEY_FILE}"; then
            tdx_enc_exit_error "Error saving encrypted key!"
        fi
    else
        tdx_enc_log "Encrypted key exists. Importing it..."
        keyctl add trusted tdxenc "load $(cat ${ENC_KEY_FILE})" @s
    fi

    if ! keyctl list @s | grep -q "trusted: tdxenc"; then
        tdx_enc_exit_error "Error adding key to kernel keyring!"
    fi
}

# backup original data in partition (if not encrypted)
tdx_enc_backup_data() {
    if [ ${TDX_ENC_PRESERVE_DATA} -ne 1 ]; then
        tdx_enc_log "Data preservation is not enabled"
        return 0
    fi

    mkdir -p "${TDX_ENC_STORAGE_MOUNTPOINT}"
    if ! mount ${TDX_ENC_STORAGE_LOCATION} "${TDX_ENC_STORAGE_MOUNTPOINT}"; then
        return 0
    fi

    tdx_enc_log "Backing up original content..."
    TDX_ENC_BACKUP_FILE=$(mktemp)
    MEM_FREE=$(grep MemFree: /proc/meminfo | tr -s ' ' | cut -d ' ' -f 2)
    BACKUP_STORAGE_LIMIT=$((MEM_FREE * TDX_ENC_BACKUP_STORAGE_PCT / 100))
    tdx_enc_log "Backup limit determined: ${BACKUP_STORAGE_LIMIT}"
    
    msgs="$({ { tar -C "${TDX_ENC_STORAGE_MOUNTPOINT}" -c . || echo "ERROR" >&2; } | { bzip2 -cz || echo "ERROR" >&2; } | dd bs=1024 count=${BACKUP_STORAGE_LIMIT} of=${TDX_ENC_BACKUP_FILE}; } 2>&1)"
    if [ "$?" -ne 0 ] || echo "${msgs}" | grep -qi 'error\|invalid'; then
        tdx_enc_exit_error "Couldn't save original data."
    fi

    tdx_enc_log "Backup created at: ${TDX_ENC_BACKUP_FILE}"
    umount "${TDX_ENC_STORAGE_MOUNTPOINT}"
}

# setup partition with dm-crypt
tdx_enc_partition_setup() {
    tdx_enc_log "Setting up partition with dm-crypt..."

    if ! dmsetup -v create ${TDX_ENC_DM_DEVICE} \
                 --table "0 $(blockdev --getsz ${TDX_ENC_STORAGE_LOCATION}) \
                 crypt capi:cbc(aes)-plain :32:trusted:tdxenc \
                 0 ${TDX_ENC_STORAGE_LOCATION} 0 1 sector_size:512"; then
        tdx_enc_exit_error "Error setting up dm-crypt partition!"
    fi

    if ! dmsetup table --showkey "${TDX_ENC_DM_DEVICE}" | grep -q tdxenc; then
        tdx_enc_exit_error "Key not found in dm-crypt partition!"
    fi
}

# mount encrypted partition
tdx_enc_partition_mount() {
    tdx_enc_log "Mounting encrypted partition..."

    # format encrypted partition (if not formatted)
    if ! blkid /dev/mapper/"${TDX_ENC_DM_DEVICE}"; then
        tdx_enc_log "Formatting encrypted partition with ext4..."
        mkfs.ext4 -q /dev/mapper/"${TDX_ENC_DM_DEVICE}"
    fi

    # mount encrypted partition
    mkdir -p "${TDX_ENC_STORAGE_MOUNTPOINT}"
    if ! mount -t ext4 /dev/mapper/"${TDX_ENC_DM_DEVICE}" "${TDX_ENC_STORAGE_MOUNTPOINT}"; then
        tdx_enc_exit_error "Could not mount encrypted partition!"
    fi
}

# restore data if available
tdx_enc_restore_data() {
    if [ ${TDX_ENC_PRESERVE_DATA} -ne 1 ]; then
        tdx_enc_log "Data preservation is not enabled"
        return 0
    fi

    if ! [ -f ${TDX_ENC_BACKUP_FILE} ]; then
        tdx_enc_log "No data backup to restore"
        return 0
    fi

    tdx_enc_log "Restoring original content..."
    msgs="$({ { bzip2 -cd ${TDX_ENC_BACKUP_FILE} || echo "ERROR" >&2; } | tar -C ${TDX_ENC_STORAGE_MOUNTPOINT} -xf -; } 2>&1)"
    if [ "$?" -ne 0 ] || echo "${msgs}" | grep -qi 'error\|invalid'; then
        tdx_enc_exit_error "Failed to restore backup."
    fi

    rm -rf ${TDX_ENC_BACKUP_FILE}
}

# remove the trusted key from the session keyring
tdx_enc_clear_keys_keyring() {
    tdx_enc_log "Removing key from kernel keyring..."
    keyctl clear @s
}

# umount partition
tdx_enc_partition_umount() {
    tdx_enc_log "Unmounting dm-crypt partition..."
    umount "${TDX_ENC_STORAGE_MOUNTPOINT}"
}

# remove dm-crypt partition
tdx_enc_partition_remove() {
    tdx_enc_log "Removing dm-crypt partition..."
    dmsetup remove ${TDX_ENC_DM_DEVICE}
}

# mount encrypted partition
tdx_enc_main_start() {
    tdx_enc_check
    tdx_enc_key_gen
    tdx_enc_backup_data
    tdx_enc_partition_setup
    tdx_enc_partition_mount
    tdx_enc_restore_data
}

# umount encrypted partition
tdx_enc_main_stop() {
    tdx_enc_partition_umount
    tdx_enc_partition_remove
    tdx_enc_clear_keys_keyring
}

tdx_enc_main() {
    case $1 in
        start)
            tdx_enc_main_start
            ;;
        stop)
            tdx_enc_main_stop
            ;;
        *)
            tdx_enc_exit_error "Invalid option! Please use 'start' or 'stop'."
            ;;
    esac

    tdx_enc_log "Success!"
}

tdx_enc_main "$1"

Okay so looking at your tdx-enc.sh file it seems you’re now encrypting /dev/mmcblk0 is that correct?

Also you have TDX_ENC_PRESERVE_DATA=0, meaning the data on the to-be encrypted partition will not be preserved.

What exactly is the problem then? You have data preservation disabled so data not being preserved is expected.

Best Regards,
Jeremias

This was the file that was being checked with the new settings.
Here is the configuration being checked using usb memory.

#!/bin/sh

# Toradex encryption handler for 'caam' key storage backend

# directory to store CAAM encrypted key
TDX_ENC_KEY_DIR="/var/local/private/.keys"

# key file name
TDX_ENC_KEY_FILE="tdx-enc-key.blob"

# storage location to be encrypted (e.g. partition)
TDX_ENC_STORAGE_LOCATION="/dev/sda1"

# directory to mount the encrypted storage
TDX_ENC_STORAGE_MOUNTPOINT="/run/encdata"

# dm-crypt device to be created
TDX_ENC_DM_DEVICE="encdata"

Teruo

Okay now this time I don’t even see TDX_ENC_PRESERVE_DATA. I can’t tell if you have data preservation enabled or not.

It’s still not clear to me what your current issue is. You’ve described several issues over the course of this thread, you then said some of these were “fixed”.

I’m a little confused now on where the situation is currently at.

Best Regards,
Jeremias

The latest situation is that the target USB flash drive is encrypted, but since tdx-enc.sh is started as a systemd service, depending on the timing it may be executed before the target device is mounted, or the device may not be properly encrypted and cannot be recognized.

Due to this problem, the device may or may not be recognized after each reboot, so this is not included in the release version.

Teruo

> but since tdx-enc.sh is started as a systemd service, it may be executed before the target device is mounted depending on the timing, or the device may not be properly encrypted and cannot be recognized.

Okay, so is the USB drive attached to the system before boot? Or is it attached after boot?

If it’s attached before boot then the tdx-enc-handler.service is configured to run after systemd-remount-fs.service: meta-toradex-security/recipes-core/tdx-enc-handler/tdx-enc-handler/tdx-enc-handler.service at kirkstone-6.x.y · toradex/meta-toradex-security · GitHub

The systemd-remount-fs.service ensures that mount options from /etc/fstab are applied: systemd-remount-fs.service

If your USB drive is configured in /etc/fstab then it should be mounted by systemd-remount-fs.service which runs before tdx-enc-handler.service. Otherwise you could need to adapt the dependencies of tdx-enc-handler.service in order to have it run the way you want.

If your USB drive is attached after the system boots then you’ll need to trigger the script/process after your USB drive is attached. This means you’ll need some kind of mechanism/script that detects your USB drive then executes the tdx-enc.sh script.

You’re building the OS so you have full control over the timing of processes to ensure it fits your specific needs.

Best Regards,
Jeremias
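Added example, not from the thread or the Toradex layer: one way to do the dependency adaptation suggested above for a drive that is present at boot. systemd represents block devices that udev has processed as .device units (dev-sda1.device for /dev/sda1), so a drop-in that makes tdx-enc-handler.service require and order after that unit keeps the handler from racing udev; if the drive never appears, the device unit times out and the handler fails instead of operating on a device that is not there. The drop-in directory and file name are this example's choice, the unit name tdx-enc-handler.service is the one from the thread, and the escaping function covers ordinary device paths only.

```shell
#!/bin/sh
# Added example (not part of meta-toradex-security): generate a systemd
# drop-in that makes tdx-enc-handler.service wait for the block device named
# in TDX_ENC_STORAGE_LOCATION. Drop-in name and function names are ours.

# Turn a device path into its systemd .device unit name the way
# `systemd-escape --path --suffix=device` does for plain device paths:
# drop the leading "/", hex-escape "-" inside components, then "/" -> "-".
# /dev/sda1 -> dev-sda1.device, /dev/disk/by-label/DATA -> dev-disk-by\x2dlabel-DATA.device
tdx_enc_device_unit() {
    printf '%s.device\n' "$(printf '%s' "$1" | sed -e 's#^/##' -e 's/-/\\x2d/g' -e 's#/#-#g')"
}

# Write the drop-in under $1 (normally /etc/systemd/system) for device $2.
# Requires= makes a missing device fail the handler after the device unit's
# job timeout; After= orders the handler behind the device's appearance.
# Prints the path of the file written.
tdx_enc_write_device_dropin() {
    root=$1 dev=$2
    unit=$(tdx_enc_device_unit "$dev")
    dir="$root/tdx-enc-handler.service.d"
    conf="$dir/10-wait-for-device.conf"
    mkdir -p "$dir"
    cat > "$conf" <<EOF
# Generated drop-in: make the encryption handler wait for $dev
[Unit]
Requires=$unit
After=$unit
EOF
    printf '%s\n' "$conf"
}

# Usage: tdx-enc-device-dropin.sh /dev/sda1   (then: systemctl daemon-reload)
if [ -n "${1:-}" ]; then
    tdx_enc_write_device_dropin "${SYSTEMD_ROOT:-/etc/systemd/system}" "$1"
fi
```

Two caveats: in the journal above the handler finishes before local-fs.target is reached, so a slow USB enumeration now delays that target by the same amount; and this only covers a drive present at power-on. For a drive plugged in later, the udev rule route mentioned above applies (ENV{SYSTEMD_WANTS} on the device starts a unit when it appears), which is a separate piece of configuration not shown here.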

We created a partition on the eMMC and verified its operation.

We created a new partition on eMMC using the DATA partition function defined below, and set up encryption.

  • layers/meta-toradex-bsp-common/classes/image_type_tezi.bbclass

The DATA partition function was not working in “1. Investigation of the environment,” but now that we checked again with 6.7.0, it is working.

To enable the DATA partition function, the following settings were made in local.conf.

  • Allocated a 512MB partition.
  • Mounted to /data (actually, it will be an encrypted partition, so it will not be used)
INHERIT += "tdx-tezi-data-partition"
TDX_TEZI_DATA_PARTITION_MOUNTPOINT = "/data"
tezi_data_enabled = "1"
tezi_data_partition_size = "512"

In fact, the DATA partition and rootfs partition are set to be the same size in image_type_tezi.bbclass, so the following modification is made.

$ cd layers/meta-torizon-bsp-common
$ git diff classes/image_type_tezi.bbclass
diff --git a/classes/image_type_tezi.bbclass b/classes/image_type_tezi.bbclass
index fd53b3e..8f5f60b 100644
--- a/classes/image_type_tezi.bbclass
+++ b/classes/image_type_tezi.bbclass
@@ -286,7 +286,8 @@ def rootfs_tezi_emmc(d, use_bootfiles):
     	data = {
                    "partition_size_nominal": d.getVar('TEZI_DATA_PART_SIZE'),
                	"partition_type": d.getVar('TEZI_DATA_PART_TYPE'),
-               	"want_maximised": True,
+#####               	"want_maximised": True,
+               	"want_maximised": False,
                	"content": {
                  	"label": d.getVar('TEZI_DATA_LABEL'),
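Review bot: the hunk keeps the old `"want_maximised": True,` line as a `#####` comment directly above the new `"want_maximised": False,`; delete it rather than leaving a commented-out entry inside the dict literal, which only adds noise to every future rebase of this patch. Since the change is a local fork of a shared class that must be carried across each BSP update, consider reading the flag the same way the size is read two lines above (`d.getVar('TEZI_DATA_PART_SIZE')`) and setting the new variable from local.conf, so image_type_tezi.bbclass itself stays untouched.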

Since the DATA partition is created as /dev/mmcblk0p2, this partition was set to be the encrypted partition.
The following settings were made in local.conf.

  • Set mmcblk0p2 as an encrypted partition
INHERIT += "tdx-encrypted"
TDX_ENC_STORAGE_LOCATION = "/dev/mmcblk0p2"
TDX_ENC_PRESERVE_DATA = "1"

The following situation was observed.

  • The existing data is saved normally by specifying TDX_ENC_PRESERVE_DATA.
  • When power is turned off, if shutdown is performed, the data corruption symptom does not occur.
    If the power is suddenly turned off, all data will be erased with a high probability.

As a result, it is more stable than USB memory, but if the power is suddenly turned off, all data will be erased at a high frequency, just like USB memory.
Is there any other countermeasure against power off in a case where shutdown process cannot be executed, except for securing shutdown time with a capacitor, etc.?

Okay, so now you’re encrypting a location on the eMMC (/dev/mmcblk0p2). You have data preservation enabled. If power to the system is cut without proper shutdown, then you’re saying that data is lost with high probability.

When you say the “data will be erased” are you saying the data was erased from the original encrypted partition (i.e /dev/mmcblk0p2)? Or was it erased from the mounted location?

Also what was the system doing when power was turned off? Was this after the system had already mounted the encrypted data?

Best Regards,
Jeremias

Dear Jeremias

> When you say the “data will be erased” are you saying the data was erased from the original encrypted partition (i.e /dev/mmcblk0p2)? Or was it erased from the mounted location?
>
> Also what was the system doing when power was turned off? Was this after the system had already mounted the encrypted data?

The mounted location has been erased.

When the power is turned off, the system is able to retain voltage for about 2 seconds with the assistance of capacitors, but the system side is still in a state where the encrypted data is mounted.
We are working on changing the shutdown process to be executed based on the information of power failure, but is it difficult to recover the data if this process is not completed in time?

Teruo