deleted 8 characters in body
fadedbee

root@smarcimx8mq4g:~# caam-keygen create randomkey ecb -s 16

root@smarcimx8mq4g:~# cd /data/caam/

root@smarcimx8mq4g:/data/caam# ls -l
total 8
-rw-r--r-- 1 root root 36 Apr  4 13:32 randomkey
-rw-r--r-- 1 root root 96 Apr  4 13:32 randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/randomkey | keyctl padd logon logkey: @s
600708898

root@smarcimx8mq4g:/data/caam# keyctl list @s
2 keys in keyring:
 63045264: --alswrv     0 65534 keyring: _uid.0
600708898: --alsw-v     0     0 logon: logkey:

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# dmsetup table --showkey encrypted
0 53933055 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 179:99 0
root@smarcimx8mq4g:/data/caam# mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6741631 4k blocks and 1687552 inodes
Filesystem UUID: f28e329b-6f40-47e1-9ef3-893dc2646339
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

root@smarcimx8mq4g:/data/caam# mkdir /mnt/encrypted

root@smarcimx8mq4g:/data/caam# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# echo "This is a test of full disk encryption on i.MX" > /mnt/encrypted/readme.txt

root@smarcimx8mq4g:/data/caam# umount /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# dmsetup remove encrypted

root@smarcimx8mq4g:/data/caam# reboot
The system is going down for reboot NOW!g (pts/0) (Thu Apr  4 13:37:13 2024):
Connection to 10.731.402.2003 closed by remote host.
Connection to 10.731.402.2003 closed.

fadedbee@box ~ $ ssh root@10.731.402.2003
...

root@smarcimx8mq4g:~# cd /data/caam/
root@smarcimx8mq4g:/data/caam# caam-keygen import /data/caam/randomkey.bb importKey

root@smarcimx8mq4g:/data/caam# sha1sum *

1873e20436126910ea83bcb2bb5229d7d94237ba  importKey
5c14092a3be806551df9e1c8bba4dae638bd82d1  randomkey
784a04eef33b21f12c1c9d9c0cdfd754febe34f7  randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/importKey | keyctl padd logon logkey: @s
941979697

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# mount /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# cat /mnt/encrypted/readme.txt
This is a test of full disk encryption on i.MX

root@smarcimx8mq4g:~# caam-keygen create randomkey ecb -s 16

root@smarcimx8mq4g:~# cd /data/caam/

root@smarcimx8mq4g:/data/caam# ls -l
total 8
-rw-r--r-- 1 root root 36 Apr  4 13:32 randomkey
-rw-r--r-- 1 root root 96 Apr  4 13:32 randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/randomkey | keyctl padd logon logkey: @s
600708898

root@smarcimx8mq4g:/data/caam# keyctl list @s
2 keys in keyring:
 63045264: --alswrv     0 65534 keyring: _uid.0
600708898: --alsw-v     0     0 logon: logkey:

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# dmsetup table --showkey encrypted
0 53933055 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 179:99 0
root@smarcimx8mq4g:/data/caam# mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6741631 4k blocks and 1687552 inodes
Filesystem UUID: f28e329b-6f40-47e1-9ef3-893dc2646339
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

root@smarcimx8mq4g:/data/caam# mkdir /mnt/encrypted

root@smarcimx8mq4g:/data/caam# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# echo "This is a test of full disk encryption on i.MX" > /mnt/encrypted/readme.txt

root@smarcimx8mq4g:/data/caam# umount /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# dmsetup remove encrypted

root@smarcimx8mq4g:/data/caam# reboot
The system is going down for reboot NOW!g (pts/0) (Thu Apr  4 13:37:13 2024):
Connection to 10.73.40.200 closed by remote host.
Connection to 10.73.40.200 closed.

fadedbee@box ~ $ ssh root@10.73.40.200
...

root@smarcimx8mq4g:~# cd /data/caam/
root@smarcimx8mq4g:/data/caam# caam-keygen import /data/caam/randomkey.bb importKey

root@smarcimx8mq4g:/data/caam# sha1sum *

1873e20436126910ea83bcb2bb5229d7d94237ba  importKey
5c14092a3be806551df9e1c8bba4dae638bd82d1  randomkey
784a04eef33b21f12c1c9d9c0cdfd754febe34f7  randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/importKey | keyctl padd logon logkey: @s
941979697

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# mount /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# cat /mnt/encrypted/readme.txt
This is a test of full disk encryption on i.MX

root@smarcimx8mq4g:~# caam-keygen create randomkey ecb -s 16

root@smarcimx8mq4g:~# cd /data/caam/

root@smarcimx8mq4g:/data/caam# ls -l
total 8
-rw-r--r-- 1 root root 36 Apr  4 13:32 randomkey
-rw-r--r-- 1 root root 96 Apr  4 13:32 randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/randomkey | keyctl padd logon logkey: @s
600708898

root@smarcimx8mq4g:/data/caam# keyctl list @s
2 keys in keyring:
 63045264: --alswrv     0 65534 keyring: _uid.0
600708898: --alsw-v     0     0 logon: logkey:

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# dmsetup table --showkey encrypted
0 53933055 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 179:99 0
root@smarcimx8mq4g:/data/caam# mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6741631 4k blocks and 1687552 inodes
Filesystem UUID: f28e329b-6f40-47e1-9ef3-893dc2646339
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

root@smarcimx8mq4g:/data/caam# mkdir /mnt/encrypted

root@smarcimx8mq4g:/data/caam# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# echo "This is a test of full disk encryption on i.MX" > /mnt/encrypted/readme.txt

root@smarcimx8mq4g:/data/caam# umount /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# dmsetup remove encrypted

root@smarcimx8mq4g:/data/caam# reboot
The system is going down for reboot NOW!g (pts/0) (Thu Apr  4 13:37:13 2024):
Connection to 10.1.2.3 closed by remote host.
Connection to 10.1.2.3 closed.

fadedbee@box ~ $ ssh root@10.1.2.3
...

root@smarcimx8mq4g:~# cd /data/caam/
root@smarcimx8mq4g:/data/caam# caam-keygen import /data/caam/randomkey.bb importKey

root@smarcimx8mq4g:/data/caam# sha1sum *

1873e20436126910ea83bcb2bb5229d7d94237ba  importKey
5c14092a3be806551df9e1c8bba4dae638bd82d1  randomkey
784a04eef33b21f12c1c9d9c0cdfd754febe34f7  randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/importKey | keyctl padd logon logkey: @s
941979697

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# mount /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# cat /mnt/encrypted/readme.txt
This is a test of full disk encryption on i.MX
fadedbee

What I hadn't realised was that you MUST re-import the key from the black-blob (.bb) file after every reboot, because the keys are session-specific. The same `dmsetup -v create` command from the first session is then used on every subsequent reboot, with the freshly imported key (the `mkfs.ext4` step is only done once; later sessions just create the mapping and mount it).

A full, working log:


root@smarcimx8mq4g:~# caam-keygen create randomkey ecb -s 16

root@smarcimx8mq4g:~# cd /data/caam/

root@smarcimx8mq4g:/data/caam# ls -l
total 8
-rw-r--r-- 1 root root 36 Apr  4 13:32 randomkey
-rw-r--r-- 1 root root 96 Apr  4 13:32 randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/randomkey | keyctl padd logon logkey: @s
600708898

root@smarcimx8mq4g:/data/caam# keyctl list @s
2 keys in keyring:
 63045264: --alswrv     0 65534 keyring: _uid.0
600708898: --alsw-v     0     0 logon: logkey:

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# dmsetup table --showkey encrypted
0 53933055 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 179:99 0
root@smarcimx8mq4g:/data/caam# mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6741631 4k blocks and 1687552 inodes
Filesystem UUID: f28e329b-6f40-47e1-9ef3-893dc2646339
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

root@smarcimx8mq4g:/data/caam# mkdir /mnt/encrypted

root@smarcimx8mq4g:/data/caam# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# echo "This is a test of full disk encryption on i.MX" > /mnt/encrypted/readme.txt

root@smarcimx8mq4g:/data/caam# umount /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# dmsetup remove encrypted

root@smarcimx8mq4g:/data/caam# reboot
The system is going down for reboot NOW!g (pts/0) (Thu Apr  4 13:37:13 2024):
Connection to 10.73.40.200 closed by remote host.
Connection to 10.73.40.200 closed.

fadedbee@box ~ $ ssh root@10.73.40.200
...

root@smarcimx8mq4g:~# cd /data/caam/
root@smarcimx8mq4g:/data/caam# caam-keygen import /data/caam/randomkey.bb importKey

root@smarcimx8mq4g:/data/caam# sha1sum *

1873e20436126910ea83bcb2bb5229d7d94237ba  importKey
5c14092a3be806551df9e1c8bba4dae638bd82d1  randomkey
784a04eef33b21f12c1c9d9c0cdfd754febe34f7  randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/importKey | keyctl padd logon logkey: @s
941979697

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# mount /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# cat /mnt/encrypted/readme.txt
This is a test of full disk encryption on i.MX