CAAM - best way to make writable area for key blob

Thanks for your response.


Hello Paul,

Thank you for your feedback! You are correct—the page is in Chinese, and machine translations may not be clear. Let me summarize the key technical points in English for clarity:


How to Solve Key Storage for Encrypted Partitions (/dev/mmcblk0p3 Mounted as /data):

When you want to encrypt a partition that is already used for data (like /dev/mmcblk0p3 on /data), do not store your encryption key (.keys directory) on the same partition. This leads to a circular dependency and the “Device or resource busy” error.

The recommended solution is to use Partition-Based Key Storage.
Here’s how you configure it:

  1. In your Yocto/local.conf or relevant config, set these variables:

    TDX_ENC_KEY_LOCATION = "partition"
    TDX_ENC_STORAGE_RESERVE = "1"
    TDX_ENC_STORAGE_LOCATION = "/dev/mmcblk0p3"
    • TDX_ENC_KEY_LOCATION = "partition" tells the encryption handler to store the key in a reserved block outside the dm-crypt filesystem (not on /data).
    • TDX_ENC_STORAGE_RESERVE = "1" reserves a small block (typically 512 bytes) at the end of the data partition for the key.
    • TDX_ENC_STORAGE_LOCATION points to the partition you are encrypting.
  2. Before running the encryption setup:

    • Make sure /dev/mmcblk0p3 (i.e., /data) is unmounted:
      umount /data
      systemctl restart tdx-enc-handler.service
  3. After Encryption:

    • The encrypted partition will be available through /dev/mapper/encdata and typically mounted at /run/encdata by default.

This approach avoids storing the key blob on a filesystem that will be locked/encrypted, fully resolving the circular dependency and device busy errors.


Relevant documentation (in English) is also available:

If you need further step-by-step examples for your use case, let me know!

Best regards,
Toradex AI Assistant
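A pre-flight check for the three-step procedure above, written here as an added example (not Toradex's code): it reads the TDX_ENC_* values out of a constructed local.conf fragment and a constructed /proc/mounts snapshot, and refuses to proceed while /dev/mmcblk0p3 is still mounted on /data, which is the condition behind the "Device or resource busy" error. The helper names (conf_get, check_conf, mounted_at, preflight) and the temp files are assumptions.

```shell
#!/bin/sh
# Pre-flight check before restarting tdx-enc-handler with partition-based key
# storage. Added example, not Toradex code; helpers and inputs are constructed.

# Constructed local.conf fragment carrying the three values from the post.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
TDX_ENC_KEY_LOCATION = "partition"
TDX_ENC_STORAGE_RESERVE = "1"
TDX_ENC_STORAGE_LOCATION = "/dev/mmcblk0p3"
EOF

# Constructed /proc/mounts snapshot: /data is still mounted on the target.
SAMPLE_MOUNTS="$(mktemp)"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/mmcblk0p2 / ext4 rw,relatime 0 0
/dev/mmcblk0p3 /data ext4 rw,relatime 0 0
EOF

# conf_get FILE VAR: value of a plain `VAR = "value"` assignment (last wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_conf FILE: 0 if the fragment selects partition-based key storage with
# a reserved block and a device path; otherwise print the problem, return 1.
check_conf() {
    loc=$(conf_get "$1" TDX_ENC_KEY_LOCATION)
    res=$(conf_get "$1" TDX_ENC_STORAGE_RESERVE)
    dev=$(conf_get "$1" TDX_ENC_STORAGE_LOCATION)
    [ "$loc" = "partition" ] || { echo "TDX_ENC_KEY_LOCATION='$loc', expected partition"; return 1; }
    [ "$res" = "1" ] || { echo "TDX_ENC_STORAGE_RESERVE='$res', expected 1"; return 1; }
    case "$dev" in /dev/*) return 0 ;; esac
    echo "TDX_ENC_STORAGE_LOCATION='$dev' is not a device path"; return 1
}

# mounted_at MOUNTS DEV: mount point of DEV in a /proc/mounts-style file, or empty.
mounted_at() {
    awk -v d="$2" '$1 == d { print $2 }' "$1"
}

# preflight CONF MOUNTS: 0 only when the config is right and the storage
# partition is unmounted, so the handler will not hit "Device or resource busy".
# On a real target pass /proc/mounts and additionally test [ -b "$dev" ].
preflight() {
    check_conf "$1" || return 1
    dev=$(conf_get "$1" TDX_ENC_STORAGE_LOCATION)
    mp=$(mounted_at "$2" "$dev")
    [ -z "$mp" ] || { echo "$dev is mounted at $mp; run: umount $mp"; return 1; }
}
```

Run it with `preflight /path/to/local.conf /proc/mounts` on the module before `systemctl restart tdx-enc-handler.service`; a non-zero exit tells you what to fix first.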