CAAM - best way to make writable area for key blob


Hello Paul,

This is exactly the issue you’re encountering. When using tdx-tezi-data-partition with tdx-encrypted, the system is trying to mount the same partition both as a regular filesystem and as an encrypted device.

The Solution: Configure Automount Settings

The key is to prevent the automatic mounting of the data partition when it’s going to be encrypted. The tdx-tezi-data-partition class has built-in logic for this scenario (1)(2).

Set the following configuration:

INHERIT += "tdx-tezi-data-partition"
INHERIT += "tdx-encrypted"
TDX_ENC_STORAGE_LOCATION = "/dev/mmcblk0p3"
TDX_TEZI_DATA_PARTITION_AUTOMOUNT = "-1"
TDX_ENC_KEY_LOCATION = "partition"
TDX_ENC_STORAGE_RESERVE = "1"

Key Points:

  1. TDX_TEZI_DATA_PARTITION_AUTOMOUNT = "-1" - This prevents the partition from being added to /etc/fstab entirely, so systemd won’t try to mount it during boot (1)(2)

  2. TDX_ENC_KEY_LOCATION = "partition" - Stores the encryption key in a reserved block outside the encrypted filesystem (1)(2)

  3. TDX_ENC_STORAGE_RESERVE = "1" - Reserves one block (512 bytes) for the key blob (1)(2)

Why This Happens

By default, when tdx-encrypted is used with tdx-tezi-data-partition, the system automatically sets TDX_TEZI_DATA_PARTITION_AUTOMOUNT = "-1" to avoid exactly this conflict (1)(2). However, if you’ve explicitly set it to a different value, you need to ensure it’s set to -1 to prevent the boot-time mounting conflict.

After Configuration

Once properly configured:

  • The raw partition /dev/mmcblk0p3 won’t be auto-mounted
  • The tdx-enc-handler service will set up dm-crypt on /dev/mmcblk0p3
  • The encrypted filesystem will be available at /dev/mapper/encdata
  • It will be mounted at /run/encdata (or your configured TDX_ENC_STORAGE_MOUNTPOINT)

This should resolve both the emergency mode issue and prevent the dual mounting attempts.

Best regards,
Toradex AI Assistant.
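The conflict the answer describes (the raw data partition listed in /etc/fstab while tdx-enc-handler also claims it for dm-crypt) is easy to check for from a shell on the target. The script below is an added example, not part of the Toradex tdx-encrypted class or tdx-enc-handler; it assumes the names used in the answer (/dev/mmcblk0p3, /dev/mapper/encdata, /run/encdata) and only matches fstab entries by device path, so a LABEL= or PARTUUID= entry for the same partition would have to be resolved with blkid first.

```shell
#!/bin/sh
# Added example (not Toradex code): verify that the raw data partition is
# not auto-mounted via fstab and that the dm-crypt mapping is mounted.
# Device, mapper and mountpoint names are taken from the answer above and
# are assumptions for this illustration.

# Return 0 if DEV appears as the first field of a non-comment fstab line.
# Only a literal device path is matched; LABEL=/PARTUUID= entries are not resolved.
fstab_has_raw_device() {
    fstab="$1"; dev="$2"
    awk -v dev="$dev" '
        $0 !~ /^[[:space:]]*#/ && NF >= 2 && $1 == dev { found = 1 }
        END { exit found ? 0 : 1 }' "$fstab"
}

# Return 0 if MAPPER is mounted at MP according to a /proc/mounts-style file.
mounts_has_mapper() {
    mounts="$1"; mapper="$2"; mp="$3"
    awk -v dev="$mapper" -v mp="$mp" '
        $1 == dev && $2 == mp { found = 1 }
        END { exit found ? 0 : 1 }' "$mounts"
}

# Combined verdict: one line per finding; returns 0 only when the raw
# partition is absent from fstab and the dm-crypt mapping is mounted.
check_encdata_layout() {
    fstab="$1"; mounts="$2"; dev="$3"; mapper="$4"; mp="$5"
    status=0
    if fstab_has_raw_device "$fstab" "$dev"; then
        echo "CONFLICT: $dev is listed in $fstab; set TDX_TEZI_DATA_PARTITION_AUTOMOUNT = \"-1\""
        status=1
    else
        echo "ok: $dev is not in $fstab"
    fi
    if mounts_has_mapper "$mounts" "$mapper" "$mp"; then
        echo "ok: $mapper is mounted at $mp"
    else
        echo "MISSING: $mapper is not mounted at $mp (tdx-enc-handler did not run or failed)"
        status=1
    fi
    return $status
}

# Demo on constructed sample files (so it runs offline); on a real board use
#   check_encdata_layout /etc/fstab /proc/mounts /dev/mmcblk0p3 /dev/mapper/encdata /run/encdata
demo() {
    d=$(mktemp -d)
    # Constructed fstab that still lists the raw partition (the failing case).
    printf '/dev/mmcblk0p2 / ext4 defaults 0 1\n/dev/mmcblk0p3 /data ext4 defaults 0 2\n' > "$d/fstab"
    # Constructed mounts showing the dm-crypt mapping in place.
    printf '/dev/mapper/encdata /run/encdata ext4 rw 0 0\n' > "$d/mounts"
    if check_encdata_layout "$d/fstab" "$d/mounts" /dev/mmcblk0p3 /dev/mapper/encdata /run/encdata; then
        echo "layout OK"
    else
        echo "layout NOT OK"
    fi
    rm -rf "$d"
}

demo
```

Run it as-is to see the constructed conflict reported, or call check_encdata_layout with /etc/fstab and /proc/mounts on the module after boot; a zero exit status means the partition is reached only through /dev/mapper/encdata.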