Apalis iMX8 based environment to boot a USB stick encrypted with CAAM.

I am trying to conduct an evaluation in an Apalis iMX8 based environment to boot a USB stick encrypted with CAAM.

By modifying local.conf as follows, based on the information in this URL, I was able to confirm that the specified disk partition is mounted.

local.conf configuration:

    INHERIT += "tdx-encrypted"
    TDX_ENC_STORAGE_LOCATION = "/dev/sda1"

"/dev/sda1" is a partition created beforehand on a USB flash drive using ext4.

With this setup, it seems to work with the default key and signature.
If I boot with the USB flash drive unplugged, an error occurs at boot time, and the encrypted folder of the USB memory is not visible.

I would like to know the correct procedure for setting up the encryption key and certificate to make the encrypted folder of the USB memory visible.
I would like to know the procedure to set up the encryption key and certificate correctly so that I can see the encrypted folder of the USB flash drive.

Teruo

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!



Hello Teruo,

To make the encrypted folder of the USB memory visible with a custom encryption key and certificate, you need to follow a procedure that involves generating your own keys and certificates, then integrating them into your system. Here’s a general outline of the steps you should take:

  1. Generate Your Encryption Key and Certificate: First, you need to generate your own encryption key and a certificate. This can be done using tools like OpenSSL. Ensure that your key and certificate meet the security requirements of your application.

  2. Integrate the Key and Certificate into the Build: Once you have your key and certificate, you need to integrate them into your Yocto build. This involves modifying your Yocto project’s configuration to include your custom key and certificate instead of the default ones provided.

  3. Modify the local.conf File: In your local.conf file, you will need to specify the paths to your custom key and certificate. This can be done by setting variables that point to the location of your key and certificate within the build environment. Ensure these files are accessible to the build system.

  4. Use the TDX_ENC_KEY_FILE and TDX_ENC_CERT_FILE Variables: To specify your custom encryption key and certificate, use the TDX_ENC_KEY_FILE and TDX_ENC_CERT_FILE variables in your local.conf file. For example:

    TDX_ENC_KEY_FILE = "/path/to/your/custom/key"
    TDX_ENC_CERT_FILE = "/path/to/your/custom/certificate"
    

    Replace /path/to/your/custom/key and /path/to/your/custom/certificate with the actual paths to your key and certificate files.

  5. Rebuild Your Image: After making these changes, rebuild your Yocto project image to include the custom encryption key and certificate.

  6. Deploy and Test: Finally, deploy the newly built image to your device and test to ensure that the encrypted USB flash drive is mounted correctly and that the encrypted folder is visible when the device boots.

Please note that handling encryption keys and certificates requires careful consideration of security practices, including how they are stored and managed in your development and production environments.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

TorizonCore Builder Tool - Customizing Torizon OS Images | Toradex Developer Center.

Greetings @Teruo,

Just to make sure I understand your situation. Prior to everything, you set up a USB flash drive with this partition unencrypted, yes?

> With this setup, it seems to work with the default key and signature.

Are you saying once you use your own keys/signature the process no longer works anymore?

> If I boot with the USB flash drive unplugged, an error occurs at boot time, and the encrypted folder of the USB memory is not visible.

I would expect some kind of error here. We use a systemd service to run the encryption handler script: meta-toradex-security/recipes-core/tdx-enc-handler/tdx-enc-handler/tdx-enc-handler.service at kirkstone-6.x.y · toradex/meta-toradex-security · GitHub

This service seems to only run once on system boot. If the partition isn’t available at boot time I would expect some issues.

> I would like to know the correct procedure for setting up the encryption key and certificate to make the encrypted folder of the USB memory visible.
> I would like to know the procedure to set up the encryption key and certificate correctly so that I can see the encrypted folder of the USB flash drive.

Just to understand. You said this works fine with the “default key and signature”. Are you saying this fails with your keys and signature? Or does it fail because the USB drive is unplugged at boot time?

Could you perhaps share the error you are getting? Also, the logs from the tdx-enc-handler service may be helpful to share.

Best Regards,
Jeremias

Dear Jeremias,

I was able to check the contents of tdx-enc-caam.sh and other files to confirm the operation of this matter.
However, when TDX_ENC_STORAGE_MOUNT_POINT is set in local.conf, the data in the USB memory is initialized even if TDX_ENC_PRESERVE_DATA="1" is set.

Best Regards,
Teruo

> However, when TDX_ENC_STORAGE_MOUNT_POINT is set in local.conf, the data in the USB memory is initialized even if TDX_ENC_PRESERVE_DATA="1" is set.

Okay so you’re saying if you have these 2 variables set, then the data on the USB is not preserved prior to this partition being encrypted. Is that correct? Do you have any logs from the tdx-enc-handler service as I asked for?

Also, what happened to your initial issue? Is that no longer an issue anymore?

Best Regards,
Jeremias

Dear Jeremias,

I am doing bitbake with the following settings:

    TDX_ENC_PRESERVE_DATA="1"
    TDX_ENC_STORAGE_LOCATION = "/dev/sda1"
    TDX_ENC_STORAGE_MOUNT_POINT =? "/run/encdata"

Even if data is written to the /run/encdata folder at the first startup, the next startup contains nothing, resulting in the same result as when TDX_ENC_PRESERVE_DATA="0" is set.

If the TDX_ENC_STORAGE_MOUNT_POINT setting is disabled, data will remain in the /run/encdata folder even after restart.

Also, the problem I initially inquired about has been resolved.

Best Regards,
Teruo

Again I am asking you to please provide the logs from the tdx-enc-handler systemd service from your device for further analysis.

> If the TDX_ENC_STORAGE_MOUNT_POINT setting is disabled, data will remain in the /run/encdata folder even after restart.

First of all, the variable is TDX_ENC_STORAGE_MOUNTPOINT. Next, what do you mean you “disabled” this setting? This setting needs to be set to something otherwise the encrypted partition can’t be mounted and the process would fail.

Best Regards,
Jeremias

We will send you the logs with and without setting TDX_ENC_STORAGE_MOUNT_POINT in local.conf.

    TDX_ENC_PRESERVE_DATA="1"
    TDX_ENC_STORAGE_LOCATION = "/dev/sda1"
    #TDX_ENC_STORAGE_MOUNT_POINT =? "/run/encdata"

If bitbake is done with #TDX_ENC_STORAGE_MOUNT_POINT =?

    TDX_ENC_PRESERVE_DATA="1"
    TDX_ENC_STORAGE_LOCATION = "/dev/sda1"
    TDX_ENC_STORAGE_MOUNT_POINT =? "/run/encdata"

If bitbake is done with "/run/encdata", the /run/encdata folder will be initialized upon reboot.

> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Checking for the encrypted key...
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Encrypted key exists. Importing it...
> apalis-imx8-14715180 tdx-enc.sh[643]: 722180455
> apalis-imx8-14715180 systemd[1]: Starting Rule-based Manager for Device Events and Files...
> apalis-imx8-14715180 kernel: audit: type=1334 audit(1651167746.160:2): prog-id=5 op=LOAD
> apalis-imx8-14715180 kernel: audit: type=1334 audit(1651167746.160:3): prog-id=6 op=LOAD
> apalis-imx8-14715180 systemd[1]: Mounted /var.
> apalis-imx8-14715180 systemd[1]: Starting OSTree Remount OS/ Bind Mounts...
> apalis-imx8-14715180 systemd[1]: Platform Persistent Storage Archival was skipped because of a failed conditi>
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Data preservation is not enabled
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Setting up partition with dm-crypt...
> apalis-imx8-14715180 systemd[1]: Finished OSTree Remount OS/ Bind Mounts.
> apalis-imx8-14715180 systemd-modules-load[623]: Inserted module 'galcore'
> apalis-imx8-14715180 kernel: [drm] Initialized vivante 1.0.0 20170808 for 80000000.imx8_gpu1_ss on minor 0
> apalis-imx8-14715180 systemd[1]: Starting Flush Journal to Persistent Storage...
> apalis-imx8-14715180 systemd[1]: Starting Load/Save Random Seed...
> apalis-imx8-14715180 systemd-modules-load[623]: Inserted module 'libcomposite'
> apalis-imx8-14715180 systemd-journald[622]: Runtime Journal (/run/log/journal/5df9c476c76e412e83985a4834623e0>
> apalis-imx8-14715180 systemd-journald[622]: Received client request to flush runtime journal.
> apalis-imx8-14715180 systemd[1]: Finished Flush Journal to Persistent Storage.
> apalis-imx8-14715180 systemd[1]: Finished Load Kernel Modules.
> apalis-imx8-14715180 systemd[1]: Finished Load/Save Random Seed.
> apalis-imx8-14715180 systemd[1]: First Boot Complete was skipped because of a failed condition check (Conditi>
> apalis-imx8-14715180 systemd[1]: Starting Apply Kernel Variables...
> apalis-imx8-14715180 systemd-udevd[644]: Configuration file /usr/lib/udev/rules.d/77-mm-fibocom-port-types.ru>
> apalis-imx8-14715180 systemd[1]: Finished Apply Kernel Variables.
> apalis-imx8-14715180 systemd[1]: Started Rule-based Manager for Device Events and Files.
> apalis-imx8-14715180 tdx-enc.sh[648]: Name:              encdata
> apalis-imx8-14715180 tdx-enc.sh[648]: State:             ACTIVE
> apalis-imx8-14715180 tdx-enc.sh[648]: Read Ahead:        256
> apalis-imx8-14715180 tdx-enc.sh[648]: Tables present:    LIVE
> apalis-imx8-14715180 tdx-enc.sh[648]: Open count:        0
> apalis-imx8-14715180 tdx-enc.sh[648]: Event number:      0
> apalis-imx8-14715180 tdx-enc.sh[648]: Major, minor:      252, 0
> apalis-imx8-14715180 tdx-enc.sh[648]: Number of targets: 1
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Mounting encrypted partition...
> apalis-imx8-14715180 tdx-enc.sh[694]: /dev/mapper/encdata: UUID="d58a21cd-2d83-41d9-91c9-65beba375e4f" BLOCK_>
> apalis-imx8-14715180 kernel: EXT4-fs (dm-0): recovery complete
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Data preservation is not enabled
> apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Success!
> apalis-imx8-14715180 kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null). Quota m>
> apalis-imx8-14715180 systemd[1]: Finished Encryption handler for Toradex modules.
> apalis-imx8-14715180 systemd[1]: Mounting /var/volatile...
> apalis-imx8-14715180 systemd[1]: Mounted /var/volatile.
> apalis-imx8-14715180 systemd[1]: Reached target Local File Systems.
> apalis-imx8-14715180 systemd[1]: Starting Tell Plymouth To Write Out Runtime Data...
> apalis-imx8-14715180 systemd[1]: Commit a transient machine-id on disk was skipped because of a failed condit>
> apalis-imx8-14715180 systemd[1]: Started Systemd Timesync Update Fixes.
> apalis-imx8-14715180 systemd[1]: Starting Create Volatile Files and Directories...
> apalis-imx8-14715180 systemd[1]: systemd-timesyncd-update.service: Deactivated successfully.
> apalis-imx8-14715180 systemd[1]: Finished Tell Plymouth To Write Out Runtime Data.
> apalis-imx8-14715180 systemd-tmpfiles[702]: /usr/lib/tmpfiles.d/legacy.conf:13: Duplicate line for path "/run>
> apalis-imx8-14715180 systemd[1]: Finished Create Volatile Files and Directories.
> apalis-imx8-14715180 systemd[1]: Starting RPC Bind...
> apalis-imx8-14715180 systemd[1]: Rebuild Journal Catalog was skipped because of a failed condition check (Con>

Best Regards,
Teruo
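As an added example (not code from this thread, from Toradex or from meta-toradex-security), a small Python checker that reduces the tdx-enc.sh journal lines quoted above to the handler's observable state and flags the mismatch Teruo hit: TDX_ENC_PRESERVE_DATA="1" in local.conf while the boot log reports "Data preservation is not enabled". The sample lines are copied from the log posted in this thread; the wording of the handler's message for the enabled case is an assumption, as marked in the code.

```python
import re
# Constructed sample: tdx-enc.sh and systemd journal lines copied from the boot log quoted
# in this thread (hostname and PIDs as posted), trimmed to what the checker reads.
SAMPLE_JOURNAL = """\
apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Checking for the encrypted key...
apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Encrypted key exists. Importing it...
apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Data preservation is not enabled
apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Setting up partition with dm-crypt...
apalis-imx8-14715180 tdx-enc.sh[648]: State:             ACTIVE
apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Mounting encrypted partition...
apalis-imx8-14715180 tdx-enc.sh[637]: CAAM: Success!
apalis-imx8-14715180 systemd[1]: Finished Encryption handler for Toradex modules.
"""
HANDLER_LINE = re.compile(r"tdx-enc\.sh\[\d+\]: (.*)$")

def summarize_tdx_enc(journal_text):
    """Reduce one boot's tdx-enc.sh journal lines to the handler's observable state."""
    state = {"key_imported": False, "preserve_data": None, "dm_crypt_setup": False,
             "mapper_active": False, "success": False}
    for line in journal_text.splitlines():
        m = HANDLER_LINE.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("CAAM: Encrypted key exists"):
            state["key_imported"] = True
        elif msg == "CAAM: Data preservation is not enabled":
            state["preserve_data"] = False
        elif msg.startswith("CAAM: Data preservation is enabled"):  # assumed wording
            state["preserve_data"] = True
        elif msg.startswith("CAAM: Setting up partition with dm-crypt"):
            state["dm_crypt_setup"] = True
        elif re.match(r"State:\s+ACTIVE$", msg):  # dmsetup info output for the mapping
            state["mapper_active"] = True
        elif msg == "CAAM: Success!":
            state["success"] = True
    return state

def check_against_config(state, preserve_data_expected):
    """Compare the observed boot with what local.conf was meant to request."""
    findings = []
    if not state["success"]:
        findings.append("handler did not report success; the partition may not be mounted")
    if preserve_data_expected and state["preserve_data"] is False:
        findings.append("TDX_ENC_PRESERVE_DATA=1 requested, but the handler ran without data "
                        "preservation, so existing data on the partition is reinitialised")
    if state["dm_crypt_setup"] and not state["mapper_active"]:
        findings.append("dm-crypt setup ran but no ACTIVE mapping was reported")
    return findings
```

Feed it the output of `journalctl -u tdx-enc-handler -b` from the device; on the log above it reports the preservation mismatch and nothing else.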