dm-crypt.saout.de archive mirror
From: Andrii Voloshyn <a.voloshyn@d.mobilunity.com>
To: dm-crypt <dm-crypt@saout.de>
Subject: [dm-crypt] Using dm-verity+dm-crypt on rootfs (Embedded Linux)
Date: Fri, 07 Aug 2020 12:15:28 +0300
Message-ID: <173c83429e8.ccbeba0f94728.5730675362566872944@d.mobilunity.com>


Hi there,

Spent quite some time looking on the Internet for a reference, and couldn't find anything that would satisfy my requirements.

Let's imagine an Embedded Linux setup, where the size of the NOR flash is limited to, say, 16MB, the root filesystem is squashfs, and assume that the bootloader (U-Boot) is trusted and validates kernel+dts. Alright, now I need to check the validity of the rootfs, plus it needs to be encrypted and failsafe (in case power is lost while writing to the flash). So I guess I need to use a combination of dm-verity+dm-crypt?

From my experiments, I found out that I couldn't really use LUKS, as the header size would not fit into the flash. So I need to use plain mode, and that's OK.

Now, the question is what information to pass to the kernel, and how (bootargs? initrd?), so that it could verify and mount the encrypted squashfs as rootfs?

I have seen a lot of articles on how to get it done on a partition, USB drive, etc., but not as the rootfs.

Any reference to an existing project or documentation would be helpful. Or any thoughts on how it could be done differently?

Thank you for your wisdom

Cheers,

Andrew

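The question above asks what to hand the kernel so it can verify and mount an encrypted squashfs root. The kernel can build a dm-verity mapping directly from the dm-mod.create= boot parameter (Documentation/admin-guide/device-mapper/dm-init.rst) with no initramfs at all, but a plain-mode dm-crypt key cannot go on the command line, so in practice the stack is assembled by a small initramfs /init that is bundled into the kernel image U-Boot already verifies. The script below is an added example of that /init, written for this page; it is not code from the post, from its author, or from the cryptsetup/dm-crypt project. It assumes the ciphertext image is exposed as /dev/mtdblock3 and the hash tree (from `veritysetup format`) as /dev/mtdblock4, that the verity root hash arrives as a verity_root_hash= parameter on the trusted kernel command line, and that a board-specific `get_rootfs_key` helper (a placeholder here) fetches the AES-256-XTS key from hardware. Plain-mode dm-crypt gives confidentiality only; dm-verity is the layer that catches tampering.

```shell
#!/bin/sh
# Added example (not from the post, nor from cryptsetup/dm-crypt upstream):
# a minimal initramfs /init that mounts an encrypted, integrity-checked
# squashfs as rootfs.  Layering used here: dm-verity over the ciphertext on
# flash, then plain-mode dm-crypt on top of the verity device.
#
# Assumptions (hypothetical, adjust to your board):
#   - ciphertext rootfs image is exposed as /dev/mtdblock3 (mtdblock over NOR),
#     the verity hash tree as /dev/mtdblock4 (built with `veritysetup format`)
#   - U-Boot has already verified kernel+dts, so the kernel command line
#     (and the verity_root_hash= value placed on it) is trusted
#   - get_rootfs_key is a board-specific helper that prints a 64-hex-digit
#     AES-256-XTS key obtained from hardware (OTP, TPM, secure element);
#     the key must never be put on the command line or stored unprotected
#   - busybox provides mount, blockdev, switch_root and reboot

CIPHER_DEV=/dev/mtdblock3
HASH_DEV=/dev/mtdblock4

# Print the value of name=value from a kernel command line; fail if absent.
cmdline_get() {
    name=$1; text=$2
    for tok in $text; do
        case $tok in
            "$name="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# True if $1 is exactly 64 hex digits (sha256 root hash, or AES-256-XTS key).
hex64() {
    case $1 in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# dm-crypt plain-mode table: <start> <len> crypt <cipher> <key> <iv_off> <dev> <dev_off>
# There is no LUKS header, so the cipher spec and key exist only in this table.
crypt_table() {
    sectors=$1; key=$2; dev=$3
    printf '0 %s crypt aes-xts-plain64 %s 0 %s 0\n' "$sectors" "$key" "$dev"
}

# Never drop to a shell on a verified-boot device: a failed check is a hard stop.
panic() {
    echo "init: $*" >&2
    reboot -f
}

# Placeholder for the board's key store (TPM / secure element / OTP-derived KDF).
# It must print the key as 64 hex digits; returning 1 here makes boot fail closed.
get_rootfs_key() {
    return 1
}

run_init() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev

    root_hash=$(cmdline_get verity_root_hash "$(cat /proc/cmdline)") \
        || panic "verity_root_hash= missing from kernel command line"
    hex64 "$root_hash" || panic "malformed verity root hash"

    # 1. Integrity: every block read from flash is checked against the hash
    #    tree before dm-crypt sees it; a corrupted block becomes an I/O error.
    veritysetup open "$CIPHER_DEV" rootfs_verity "$HASH_DEV" "$root_hash" \
        || panic "dm-verity setup failed"

    # 2. Confidentiality: plain-mode dm-crypt over the verified ciphertext.
    key=$(get_rootfs_key) || panic "rootfs key unavailable"
    hex64 "$key" || panic "malformed rootfs key"
    sectors=$(blockdev --getsz /dev/mapper/rootfs_verity)
    # Feed the table on stdin rather than via --table so the key is not in argv.
    crypt_table "$sectors" "$key" /dev/mapper/rootfs_verity \
        | dmsetup create rootfs_crypt || panic "dm-crypt setup failed"
    unset key

    mkdir -p /newroot
    mount -t squashfs -o ro /dev/mapper/rootfs_crypt /newroot \
        || panic "rootfs mount failed (wrong key or damaged image?)"
    exec switch_root /newroot /sbin/init
}

# Only act when this really is the initramfs init process (PID 1).
if [ "$$" -eq 1 ]; then
    run_init
fi
```

Putting dm-verity under dm-crypt means the public hash tree only ever describes ciphertext, so it leaks nothing about the plaintext and rejects tampered blocks before decryption; the reverse order (crypt first, verity over the decrypted device) also works but then the hash tree commits to plaintext blocks. Whichever order is chosen, the root hash must be regenerated for every rootfs image and must travel in something U-Boot signs and checks (the command line in the FIT/dts, or the initramfs itself); the key must not.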

Thread overview: 2+ messages
2020-08-07  9:15 Andrii Voloshyn [this message]
2020-08-08  9:10 ` [dm-crypt] Using dm-verity+dm-crypt on rootfs (Embedded Linux) Milan Broz
