I can create a dm-crypt filesystem with:

root@smarcimx8mq4g:~# cat /data/caam/randomkey | keyctl padd logon logkey: @s
731358804

root@smarcimx8mq4g:~# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"

(I'm using the imx8's CAAM's implementation of tk(cbc(aes)).)

Unfortunately this wipes (or loses the ability to decode) the data in /dev/mmcblk1p3. I can use /dev/mapper/encrypted, but only once I've run mkfs.ext4 and mounted it.

I've also tried:

root@smarcimx8mq4g:~# dmsetup -v load encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
device-mapper: reload ioctl on encrypted  failed: No such device or address
Command failed.

(I expect that nothing other than "create" will create the /dev/mapper/encrypted node.)

How do I use dm-crypt to get access to the original data?

1 Answer

What I hadn't realised was that you MUST import the key from the black-blob (.bb) file after every reboot as the keys are session specific. The initial "dmsetup -v create" command should be used on all subsequent reboots, with a newly imported key.

A full, working log:


root@smarcimx8mq4g:~# caam-keygen create randomkey ecb -s 16

root@smarcimx8mq4g:~# cd /data/caam/

root@smarcimx8mq4g:/data/caam# ls -l
total 8
-rw-r--r-- 1 root root 36 Apr  4 13:32 randomkey
-rw-r--r-- 1 root root 96 Apr  4 13:32 randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/randomkey | keyctl padd logon logkey: @s
600708898

root@smarcimx8mq4g:/data/caam# keyctl list @s
2 keys in keyring:
 63045264: --alswrv     0 65534 keyring: _uid.0
600708898: --alsw-v     0     0 logon: logkey:

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# dmsetup table --showkey encrypted
0 53933055 crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 179:99 0
root@smarcimx8mq4g:/data/caam# mkfs.ext4 /dev/mapper/encrypted
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6741631 4k blocks and 1687552 inodes
Filesystem UUID: f28e329b-6f40-47e1-9ef3-893dc2646339
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

root@smarcimx8mq4g:/data/caam# mkdir /mnt/encrypted

root@smarcimx8mq4g:/data/caam# mount -t ext4 /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# echo "This is a test of full disk encryption on i.MX" > /mnt/encrypted/readme.txt

root@smarcimx8mq4g:/data/caam# umount /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# dmsetup remove encrypted

root@smarcimx8mq4g:/data/caam# reboot
The system is going down for reboot NOW!g (pts/0) (Thu Apr  4 13:37:13 2024):
Connection to 10.1.2.3 closed by remote host.
Connection to 10.1.2.3 closed.

fadedbee@box ~ $ ssh root@10.1.2.3
...

root@smarcimx8mq4g:~# cd /data/caam/
root@smarcimx8mq4g:/data/caam# caam-keygen import /data/caam/randomkey.bb importKey

root@smarcimx8mq4g:/data/caam# sha1sum *

1873e20436126910ea83bcb2bb5229d7d94237ba  importKey
5c14092a3be806551df9e1c8bba4dae638bd82d1  randomkey
784a04eef33b21f12c1c9d9c0cdfd754febe34f7  randomkey.bb

root@smarcimx8mq4g:/data/caam# cat /data/caam/importKey | keyctl padd logon logkey: @s
941979697

root@smarcimx8mq4g:/data/caam# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
Name:              encrypted
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      252, 0
Number of targets: 1

root@smarcimx8mq4g:/data/caam# mount /dev/mapper/encrypted /mnt/encrypted/

root@smarcimx8mq4g:/data/caam# cat /mnt/encrypted/readme.txt
This is a test of full disk encryption on i.MX
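The procedure in the answer above (re-import the black blob, load the session key into the keyring, then `dmsetup create`) wrapped into a boot-time helper, as an added example that is not part of the original post. The variable names, the `/data/caam/importKey` output path, and the `activate`/`deactivate` sub-commands are assumptions; the tools it calls (`caam-keygen`, `keyctl`, `dmsetup`, `blockdev`) are the ones used in the log. `build_crypt_table` and `key_blob_size` are plain shell and can be checked without the hardware.

```shell
#!/bin/sh
# Added example (not from the original post): boot-time helper for a dm-crypt
# mapping over a CAAM black key.  Paths and names below are assumptions.
set -eu

KEY_DIR=${KEY_DIR:-/data/caam}        # caam-keygen writes here by default (see the log above)
KEY_NAME=${KEY_NAME:-randomkey}       # name given to "caam-keygen create"
KEY_DESC=${KEY_DESC:-logkey:}         # description of the logon key in the session keyring
DEVICE=${DEVICE:-/dev/mmcblk1p3}      # backing block device
MAP_NAME=${MAP_NAME:-encrypted}       # /dev/mapper/<MAP_NAME>

# Build the dm-crypt table line used in the answer.
# $1 = device size in 512-byte sectors, $2 = backing device,
# $3 = byte length of the blob padded into the keyring, $4 = logon key description.
# The key is referenced by keyring entry (":<size>:logon:<desc>"), so the raw key
# bytes never appear in the table; "dmsetup table --showkey" only shows the reference.
build_crypt_table() {
    sectors=$1; dev=$2; keysize=$3; desc=$4
    printf '0 %s crypt capi:tk(cbc(aes))-plain :%s:logon:%s 0 %s 0 1 sector_size:512' \
        "$sectors" "$keysize" "$desc" "$dev"
}

# Byte length of the key blob file.  The size field in the table must equal the
# length of the data handed to "keyctl padd" (36 for the blobs in the log above).
key_blob_size() {
    wc -c < "$1" | tr -d ' \n'
}

# Exit 0 if a logon key with description $1 is already in the session keyring.
key_present() {
    keyctl list @s 2>/dev/null | grep -q "logon: $1\$"
}

# The session (black) key does not survive a reboot; only the black blob (.bb) does.
# Re-import the blob into a fresh session key, load it, then map the device.
activate() {
    blob="$KEY_DIR/$KEY_NAME.bb"
    keyfile="$KEY_DIR/importKey"
    [ -f "$blob" ] || { echo "missing black blob: $blob" >&2; return 1; }

    if [ ! -f "$keyfile" ] || ! key_present "$KEY_DESC"; then
        # caam-keygen writes importKey into the current directory, as in the log.
        (cd "$KEY_DIR" && caam-keygen import "$blob" importKey)
        keyctl padd logon "$KEY_DESC" @s < "$keyfile" > /dev/null
    fi

    sectors=$(blockdev --getsz "$DEVICE")
    size=$(key_blob_size "$keyfile")
    # "dmsetup create" is what makes /dev/mapper/<MAP_NAME>; "load" needs an existing device.
    dmsetup create "$MAP_NAME" \
        --table "$(build_crypt_table "$sectors" "$DEVICE" "$size" "$KEY_DESC")"
    echo "/dev/mapper/$MAP_NAME"
}

deactivate() {
    dmsetup remove "$MAP_NAME"
}

case "${1:-}" in
    activate)   activate ;;
    deactivate) deactivate ;;
esac
```

Run `activate` once per boot, after the filesystem holding the `.bb` blob is mounted and before mounting `/dev/mapper/encrypted`; the blob itself is safe to keep on unencrypted storage, since only the CAAM on the same SoC can unwrap it. The key-size field is derived from the blob file rather than hard-coded so that a blob of a different size (for example a 32-byte key) does not silently produce a table dm-crypt rejects.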
