From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from sender11-op-o12.zoho.eu (sender11-op-o12.zoho.eu [31.186.226.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Fri, 7 Aug 2020 11:30:38 +0200 (CEST) Date: Fri, 07 Aug 2020 12:15:28 +0300 From: Andrii Voloshyn Message-Id: <173c83429e8.ccbeba0f94728.5730675362566872944@d.mobilunity.com> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_301783_769959408.1596791728616" Subject: [dm-crypt] Using dm-verity+dm-crypt on rootfs (Embedded Linux) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt ------=_Part_301783_769959408.1596791728616 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi there, =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Spent quite some time looking on the Interne= t for a reference, and couldn't find anything that would satisfy my require= ments. Let's imagine an Embedded Linux setup, where size of the NOR flash is limit= ed to say 16MB, root filesystem is squashfs, and assume that the bootloader (U-Boot) is trusted, and it validates kernel+dts. Alrig= ht, now I need to check validity of the rootfs, plus it needs to be encrypted, and failsafe=C2=A0 (in case power is gone while writing to the f= lash). So I guess, I need to use a combination dm-verity+dm-crypt? =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=20 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 From my experiments, I found out that I coul= dn't really use LUKS, as the header size would not fit into the flash. So I= need to use plain mode, and that's Ok. =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Now, the question is, what information to pa= ss to the kernel, and how (bootargs?, initrd?), so that it could verify and= mount encrypted squashfs as rootfs? =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Have seen a lot of articles how to get it do= ne on a partition, USB drive, etc. but not as the rootfs. Any reference on any project already existing or documentation would be hel= pful. Or, any thoughts on how it could be done differently? Thank you for your wisdom Cheers, Andrew ------=_Part_301783_769959408.1596791728616 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable =
Hi there,

  = ;    Spent quite some time looking on the Internet for a ref= erence, and couldn't find anything that would satisfy my requirements.
<= /div>
Let's imagine an Embedded Linux setup, where size of the NOR flas= h is limited to say 16MB, root filesystem is squashfs, and assume
=
that the bootloader (U-Boot) is trusted, and it validates kernel+dts. = Alright, now I need to check validity of the rootfs, plus it needs to be
encrypted, and failsafe  (in case power is gone while writ= ing to the flash). So I guess, I need to use a combination dm-verity+dm-cry= pt?
     
  = ;    From my experiments, I found out that I couldn't really= use LUKS, as the header size would not fit into the flash. So I need to us= e plain mode, and that's Ok.
      N= ow, the question is, what information to pass to the kernel, and how (boota= rgs?, initrd?), so that it could verify and mount encrypted squashfs as roo= tfs?
      Have seen a lot of articl= es how to get it done on a partition, USB drive, etc. but not as the rootfs= .
Any reference on any project already existing or documentat= ion would be helpful. Or, any thoughts on how it could be done differently?=

Thank you for your wisdom

<= /div>
Cheers,
Andrew

------=_Part_301783_769959408.1596791728616--