Encrypted root filesystem experience

Added by don green about 10 years ago

I'm working with a MityArm-335x SOM and attempting to set up an encrypted root file system on an SD card to be mounted during the boot process. I'm using the latest das-boot port from Critical Link and the mityarm devkit / cross compile environment. I am pursuing using the dm-crypt and luks tools for handling the encryption, and I'm in the process of finding and cross-compiling the various libraries and tools I think I will need to put in the init ram disk to mount and get at the encrypted root file system. I'm looking for guidance from anyone with experience with the process, or pointers to resources I might have missed in my googling on the subject and searching this site in particular. I'm trying to avoid running into a dead end as I chase down and figure out how to cross compile various dependencies and integrate them into the devkit. Thanks in advance for any help.


Replies (6)

RE: Encrypted root filesystem experience - Added by Jonathan Cormier about 10 years ago

Don,

I'm not aware that anyone here has tried to get encrypted filesystems working. If you find any good resources on the subject, feel free to post them on this thread.

It would be worth your time setting up a Timesys account and seeing if they already have any of the packages you're looking for. You can email their support and see if they have any experience with this. Keep us in the loop as you make headway.

You mentioned using the latest u-boot but didn't mention the kernel version. I recommend using the latest 3.2 kernel, release notes found here Cl_v32_AM335XPSP_

-Jonathan

RE: Encrypted root filesystem experience - Added by don green about 10 years ago

Thanks Jonathan, I will check out the Timesys SDK some more. I should add that there is significant investment of time and verification in the existing file system and kernel version, so I'm going to pursue adding to the Critical Link based tool-chain and file system image we have started with. Do you know if the Timesys SDK is based on what Critical Link has been providing, or did they independently construct it?

-Don

RE: Encrypted root filesystem experience - Added by Jonathan Cormier about 10 years ago

Timesys has a build system that builds the entire filesystem from source. The only thing we provide them is a working kernel. So it isn't based on our filesystem, but most of its file locations should be similar. What would be most useful to you would be if they already support building some of the packages you're looking for.

As far as the toolchain, they are using a much newer version of gcc. I haven't seen any issues when using it to compile something I wrote under the older TI toolchain.

If you've modified the kernel, it can be used as is. There shouldn't be any dependencies between the kernel and the filesystem.

RE: Encrypted root filesystem experience - Added by Jonathan Cormier about 10 years ago

Don,

I was able to verify that they have the cryptsetup package which contains dm-crypt and luks tools.

RE: Encrypted root filesystem experience - Added by don green about 10 years ago

Thanks for looking into that for me. In looking at the build summary for the Timesys mityarm SDK I didn't see the lvm2, cryptsetup, or libselinux packages, which I believe are required. I should just download the SDK and poke around. I need to get a better feel for how different the tool chain versions are too, and any impact that might have on our own software installation on the target.

RE: Encrypted root filesystem experience - Added by Jonathan Cormier about 10 years ago

Don,

You'll need to create a custom workorder, as those tools aren't built into the demo filesystem they provide. You can start with a copy of the demo filesystem and add/remove packages that you want. The demo filesystem is quite large, ~470MB, so there are probably plenty of packages you're not interested in that can be removed.
