Hello, I am attempting to create encrypted partitions with Toradex Easy Installer and I have 2 questions.
Currently, I am creating the encrypted partitions with the prepare.sh script, and I am wondering if it is possible to skip the partitioning step in Toradex Easy Installer as the eMMC will already be partitioned.
The unlocked encrypted partitions are mapped inside the /dev/mapper directory and I am wondering about how I should specify the partitions in the image.json file.
For question 2, set the following in image.json:
tezi should be able to handle that.
For question 1, not sure why bother skipping the partitioning step? Just setting up a cryptographic volume (/dev/mapper/XXX) in prepare.sh would be good enough from my point of view.
I am encrypting individual partitions and not the entire eMMC. The boot partition needs to be unencrypted so that u-boot can read from it. The partitions need to be created before I can encrypt them. The steps I want to execute are below:
- Run fdisk to create partitions.
- Run dmsetup to encrypt/unlock selected partitions.
- Run mkfs.ext4 to format the unlocked partitions.
- Populate the partitions.
I don’t mind which parts need to be in the prepare.sh script and which parts are handled by TEZI.
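The dmsetup, mkfs.ext4 and populate steps above for one partition that fdisk has already created, as an added example that is not from the thread or from Toradex. It assumes the key has already been loaded into the kernel keyring under a placeholder description (the CAAM secure-key loading itself is not shown) and that the device and tarball names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: dmsetup + mkfs.ext4 + populate for one
# partition that fdisk has already created. The key is referenced through the
# kernel keyring (":<bytes>:logon:<description>") so no key material appears
# on the command line; "tezi-rootfs" and the device names are placeholders.

# crypt_table DEVICE SECTORS KEYBYTES KEYDESC
# Prints the dm-crypt table: <start> <len> crypt <cipher> <key> <iv_off> <dev> <off>
crypt_table() {
    dev=$1 sectors=$2 keybytes=$3 keydesc=$4
    case "$sectors" in
        ''|*[!0-9]*|0) echo "crypt_table: bad sector count '$sectors'" >&2; return 1 ;;
    esac
    printf '0 %s crypt aes-xts-plain64 :%s:logon:%s 0 %s 0\n' \
        "$sectors" "$keybytes" "$keydesc" "$dev"
}

# unlock_partition NAME DEVICE KEYDESC -> creates /dev/mapper/NAME
unlock_partition() {
    sectors=$(blockdev --getsz "$2") || return 1
    table=$(crypt_table "$2" "$sectors" 64 "$3") || return 1
    dmsetup create "$1" --table "$table"
}

# setup_encrypted_partition NAME DEVICE KEYDESC TARBALL
# Unlocks, formats and populates the partition, then closes the mapping again.
setup_encrypted_partition() {
    name=$1 dev=$2 keydesc=$3 tarball=$4
    unlock_partition "$name" "$dev" "$keydesc" || return 1
    mkfs.ext4 -q "/dev/mapper/$name" || return 1
    mnt=$(mktemp -d) || return 1
    mount "/dev/mapper/$name" "$mnt" || return 1
    tar -xpf "$tarball" -C "$mnt"; rc=$?
    umount "$mnt"; rmdir "$mnt"
    dmsetup remove "$name"
    return $rc
}

# Usage on the target, as root: sh prepare.sh rootfs /dev/mmcblk0p3 tezi-rootfs rootfs.tar
if [ "$#" -eq 4 ]; then
    setup_encrypted_partition "$1" "$2" "$3" "$4"
fi
```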
TEZI does not support encrypted partitions. However, you can encrypt a partition, convert it into a blob for the installation image, and then define a RAW partition using that blob as its content. In this way, TEZI will directly write (using the ‘dd’ command) that blob to the chosen partition. Please refer to this article - Configuration Files | Toradex Developer Center
The blob method doesn’t work for me because I’m currently using the onboard CAAM’s secure key feature with randomly generated keys, so each device image would be different.
I found a workaround by using TEZI for just doing partition setup and flashing the bootloader and boot partition, then doing further setup from an initrd script and a USB drive.