[yocto] Building .wic with luks encrypted rootfs

Don Schoppe don.schoppe at connecteddev.com
Wed Jul 3 12:52:38 PDT 2019


Hi,

We would like to use a luks encrypted rootfs with the SAMA5D2. We've included meta-encrypted-storage (https://github.com/jiazhang0/meta-secure-core/tree/master/meta-encrypted-storage) in our Yocto configuration. This leverages an initramfs with cryptsetup and init scripts to unlock and mount an encrypted rootfs during boot.

The issue we have is not knowing how to automatically build the encrypted rootfs and package it into the .wic file during the Yocto build process. Today our Yocto build produces a .wic with a boot partition and a plain rootfs which is then flashed to eMMC. We would like to replace the plain rootfs in the .wic with an encrypted one.

The basic steps to create a luks encrypted file system look something like this:

cryptsetup luksFormat /dev/mmcblkxxx keyfile  # write the LUKS header, keyed from keyfile
cryptsetup luksOpen -d keyfile /dev/mmcblkxxx cryptroot  # map as /dev/mapper/cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mkdir -p /mnt/cryptroot
mount /dev/mapper/cryptroot /mnt/cryptroot
cp -ax /mnt/path-to-rootfs/. /mnt/cryptroot/  # populate luks encrypted partition (dotfiles included)
umount /mnt/cryptroot
cryptsetup luksClose cryptroot

Where would we incorporate this into the BB recipes? Or is this a case where we would need to make changes / extensions to the WIC scripts and/or plugins?

Thanks in advance for any suggestions.

Regards,
Don
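
Added example (not part of the original message and not code from meta-encrypted-storage): the steps listed above, run against an image file on the build host instead of /dev/mmcblkxxx, so the result is a file that can stand in for the plain rootfs partition contents. The function names, the mapper name cryptroot-build, the 20% filesystem headroom and the argument paths are assumptions.

```shell
#!/bin/sh
# Added example: build a LUKS2-encrypted ext4 image file from a rootfs directory.
# Assumes cryptsetup >= 2.0 and e2fsprogs (mkfs.ext4 -d) on the build host,
# and root privileges, because luksOpen needs device-mapper.

LUKS_HEADER_MIB=16     # LUKS2 default data offset (header + keyslot area)
FS_SLACK_PERCENT=20    # assumed headroom for ext4 metadata and free space

# Print the image size in MiB needed for a rootfs of $1 KiB.
luks_image_size_mib() {
    rootfs_kib=$1
    payload_mib=$(( (rootfs_kib * (100 + FS_SLACK_PERCENT) / 100 + 1023) / 1024 ))
    echo $(( payload_mib + LUKS_HEADER_MIB ))
}

# build_luks_image <rootfs-dir> <keyfile> <output-image>
build_luks_image() {
    rootfs_dir=$1 keyfile=$2 out_img=$3 name=cryptroot-build
    size_mib=$(luks_image_size_mib "$(du -sk "$rootfs_dir" | cut -f1)") || return 1

    # Sparse file that plays the role of the eMMC partition.
    truncate -s "${size_mib}M" "$out_img" || return 1

    # -q skips the interactive "Are you sure?" prompt so this can run unattended.
    cryptsetup -q luksFormat --type luks2 "$out_img" "$keyfile" || return 1
    cryptsetup luksOpen -d "$keyfile" "$out_img" "$name" || return 1

    # mkfs.ext4 -d fills the new filesystem from a directory: no mount/cp/umount.
    mkfs.ext4 -q -d "$rootfs_dir" "/dev/mapper/$name"
    rc=$?

    # Always close the mapping, even when mkfs failed.
    cryptsetup luksClose "$name" || rc=1
    return $rc
}
```

File ownership inside the image is whatever the calling process sees in the rootfs directory. The keyfile passed here unlocks every device flashed with the resulting image.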