[yocto] [EXTERNAL] Re: rootfs encryption support

John Finley john.finley at gmail.com
Tue Sep 26 10:40:53 PDT 2017


On Tue, Sep 26, 2017 at 5:06 AM, Kumar, Shrawan <Shrawan.Kumar at harman.com>
wrote:

> When I execute cryptsetup manually (with sudo) on the host, I could see
> "demomap" getting populated. This confirms that it works on the host when
> I run it manually and that the HOST configuration is OK.
> However this is not happening under the yocto fakeroot environment and it says
> "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
>
> @:~$ ls -l /dev/mapper/
> total 0
> crw------- 1 root root 10, 236 Sep 15 02:26 control
> lrwxrwxrwx 1 root root       7 Sep 26 11:56 demomap -> ../dm-7
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vg00-lv2swap -> ../dm-6
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vg00-lvdocker -> ../dm-1
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vg00-lvhome -> ../dm-3
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vg00-lvroot -> ../dm-2
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vg00-lvswap -> ../dm-5
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vg00-lvvar -> ../dm-4
> lrwxrwxrwx 1 root root       7 Sep 15 02:26 vgdata-lvdata -> ../dm-0
>
>
> Of course, dm_mod is not loaded, which I could confirm with the empty output of
> lsmod | grep dm_mod
> But then how does it work on the host when I run cryptsetup manually?
>
> I could see the "dm_crypt" module is loaded.
>

I could not get around needing sudo, and ended up enabling passwordless
sudo for the user doing the build. Inside the fakerooted function, pieces
that don't require sudo look like this:
    cryptsetup luksFormat ...
while others that do require sudo look like this:
    PSEUDO_UNLOAD=1 sudo cryptsetup open ...
The PSEUDO_UNLOAD might just be cosmetic in that it prevents a warning
about not being able to load libpseudo.so; I don't remember if it's
actually required. But it does make it clear that the command done by the
sudo is not in the fakeroot environment.

The root of the problem is that going through device mapper requires real
root, fakeroot doesn't give you that, and luks (as far as I can tell) can
only work through device mapper. You might be able to write your own luks
header with the keys, encrypt it sector-by-sector yourself, blah blah blah.

I *did* want to see if I could avoid luks altogether: encrypt it raw using
an image postprocessing command, then at runtime map it with dm-crypt (vs.
luks), but never got around to it. That should be possible without sudo,
and not having luks seems like it would be okay for many embedded uses.


> -----Original Message-----
> From: Ayoub Zaki [mailto:ayoub.zaki at embexus.com]
> Sent: Tuesday, September 26, 2017 4:17 PM
> To: Kumar, Shrawan <Shrawan.Kumar at harman.com>
> Subject: [EXTERNAL] Re: [yocto] rootfs encryption support
>
>
>
> On 26.09.2017 12:29, Kumar, Shrawan wrote:
> > To add further information to the query, I am executing "cryptsetup"
> > from a recipe as below: (Yocto 2.0.2)
> >
> > fakeroot do_install() {
> >     cryptsetup --type=plain open hello.enc demomap < dm-crypt-key
> > }
> >
> > Additional debug log:
> >
> > + do_install
> > | + cryptsetup --type=plain open
> > /path_to/tmp/work/cortexa9hf-vfp-neon-elina-linux-gnueabi/DM-CryptSetup/1.0-r0/hello.enc
> > demomap
> > | Cannot initialize device-mapper. Is dm_mod kernel module loaded?
> > |
> > | Cannot initialize device-mapper. Is dm_mod kernel module loaded?
> > | + bb_exit_handler
> >
> Your host kernel needs to have support for DM-Crypt enabled; you can
> autoload the corresponding kernel module by adding to your build host
> modules configuration:
>
> $ sudo sh -c 'echo dm_mod > /etc/modules-load.d/dm_mod.conf'
> >
> > Ideally, I was under the impression that "fakeroot" shall have allowed
> > me to achieve the goal.
> >
> > Thanks & Regards
> >
> > Shrawan
> >
> > From: Kumar, Shrawan
> > Sent: Tuesday, September 26, 2017 10:56 AM
> > To: 'yocto at yoctoproject.org' <yocto at yoctoproject.org>
> > Subject: rootfs encryption support
> >
> > Hello Team ,
> >
> > Is it possible to get an encrypted rootfs during the image build?
> >
> > Currently, I am running "cryptsetup" (as sudo) manually after
> > the final image (rootfs.ext4) is produced. The idea is to get this
> > done within the yocto environment without the sudo problem.
> >
> > Thanks and Regards
> >
> > Shrawan
> >
> >
> >
>
> --
> Ayoub Zaki
> Embedded Systems Consultant
>
> Vaihinger Straße 2/1
> D-71634 Ludwigsburg
>
> Tel.     : +4971415074546
> Mobile   : +4917662901545
> Email    : ayoub.zaki at embexus.com
> Homepage : https://embexus.com
>
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
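Added example, not code from this thread or from the Yocto project: the sudo-free route John describes, done concretely. The finished image is encrypted sector by sector in the layout that dm-crypt "plain" mode expects, so the build never touches device-mapper, and the target maps the result at boot with "cryptsetup open --type plain". It is Python using the third-party "cryptography" package and assumes aes-xts-plain64 with a 512-byte sector and a raw 64-byte key file (the cryptsetup defaults for that cipher spec); the cryptsetup command printed at the end is what I would expect to match that layout, not something verified in the thread. Function and file names (encrypt_image, rootfs.enc, dm-crypt-key) are illustrative.

```python
"""Encrypt a raw filesystem image so dm-crypt 'plain' mode can map it at
runtime, without needing device-mapper (or root) at build time.

Layout reproduced here (assumed, matching cryptsetup defaults for
  --type plain --cipher aes-xts-plain64 --key-size 512):
  * every 512-byte sector is one AES-XTS data unit,
  * the XTS tweak for sector n is n as a 64-bit little-endian integer,
    zero-padded to 16 bytes (the "plain64" IV generator),
  * the 64-byte key is used raw (cryptsetup does not hash a --key-file
    in plain mode).
Requires the third-party 'cryptography' package.
"""
import os
import sys

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR = 512      # dm-crypt default sector size
KEY_BYTES = 64    # aes-xts with a 512-bit key: two AES-256 keys (data + tweak)


def plain64_tweak(sector: int) -> bytes:
    """IV/tweak as dm-crypt's 'plain64' generator derives it for one sector."""
    return sector.to_bytes(8, "little") + bytes(8)


def _xts_sector(key: bytes, sector: int, data: bytes, encrypt: bool) -> bytes:
    cipher = Cipher(algorithms.AES(key), modes.XTS(plain64_tweak(sector)))
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


def _check(key: bytes, image: bytes) -> None:
    if len(key) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES} bytes, got {len(key)}")
    if not image or len(image) % SECTOR:
        raise ValueError("image length must be a non-zero multiple of the sector size")


def transform_image(image: bytes, key: bytes, encrypt: bool, start_sector: int = 0) -> bytes:
    """Encrypt or decrypt a whole image. start_sector is the sector number
    dm-crypt assigns to the first byte: 0 unless --offset/--skip is used."""
    _check(key, image)
    out = bytearray()
    for i in range(len(image) // SECTOR):
        chunk = image[i * SECTOR:(i + 1) * SECTOR]
        out += _xts_sector(key, start_sector + i, chunk, encrypt)
    return bytes(out)


def encrypt_image(image: bytes, key: bytes, start_sector: int = 0) -> bytes:
    return transform_image(image, key, True, start_sector)


def decrypt_image(image: bytes, key: bytes, start_sector: int = 0) -> bytes:
    return transform_image(image, key, False, start_sector)


def encrypt_file(src: str, dst: str, key_file: str) -> int:
    """Encrypt src into dst with the raw key in key_file (created with mode
    0600 if missing). Returns the number of sectors written."""
    if os.path.exists(key_file):
        with open(key_file, "rb") as f:
            key = f.read()
    else:
        key = os.urandom(KEY_BYTES)
        fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(key)
    with open(src, "rb") as f:
        image = f.read()
    enc = encrypt_image(image, key)
    with open(dst, "wb") as f:
        f.write(enc)
    return len(enc) // SECTOR


if __name__ == "__main__":
    # usage: python3 encrypt_rootfs.py rootfs.ext4 rootfs.enc dm-crypt-key
    n = encrypt_file(sys.argv[1], sys.argv[2], sys.argv[3])
    print(f"wrote {n} sectors; on the target, map it with (assumed command):")
    print("  cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 "
          f"--key-file {sys.argv[3]} {sys.argv[2]} demomap")
```

Run it from an image post-processing step instead of a fakeroot task; nothing here needs /dev/mapper. The trade-off John alludes to is real: plain mode has no header, so there is no passphrase key derivation, no key slots and no way to rotate the key without re-encrypting, and XTS gives confidentiality only, not integrity, so anyone who can write to the flash can still flip bits in chosen sectors. Keep the key file out of the image and out of any published build tree.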
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yoctoproject.org/pipermail/yocto/attachments/20170926/c361cbc7/attachment.html>