-
Notifications
You must be signed in to change notification settings - Fork 227
OE4T Meeting Notes 2022 05 12
Dan Walkes edited this page May 13, 2022
·
1 revision
9
- Encryption Support work in progress from Tim
- Stuff done by Matt predated LUKS sample application. Now switching over to use the NVIDIA one since this is available.
- Also working to flash the device out of the box with LUKS. Does encryption first, then flashes. Secureboot isn’t working yet, only doing a simple image. Using demo-image-base from tegra-demo-distro. Does bundled initramfs, doesn’t have boot directory, don’t create unencrypted boot partition now. NVIDIA’s disk encryption helper function does this.
- Simplest case is replicated. Working on rootfs a/b for RAUC, will look at Mender after.
- Hard coded for app and UDA partition, only works on AGX Xavier. Customer needs on RAUC A/B flashing. Also desire on secureboot. Don’t understand the specific things that are being signed yet. Going to work on A/B first.
- Created a tegracrypt initramfs and a tegracrypt init. Probably have some assumptions which need to be made more flexible
- Changes will go in both tegrademo. Because cryptsetup is needed in meta-oe.
- Used getvarflags to look at machineoverrides. If cryptparts is in it, toggle which thing happens.
- Put UUIDs in varflags. Key is partition name from flash.xml. Value is UUID.
- Struggling with a couple of remaining things - handling that UUID values change. A content is 99% the same as the B content. All that changes is the uuids in fdcrypt and kernel command line. Need to generalize this better.
- NVIDIA’s implementation uses xmllint to parse flash xml. Injecting values into flash.xml using xmlstarlet. Using this to remove the app partition when you don’t have encrypted boot. Will use this for injection of UUID’s during doflash step.
- Want to create a new WIKI for luks encryption, describe how it works in addition to secureboot.
- tegra-demo-distro includes local.conf sample.
- Tried to create LUKS encryption in bitbake. Need to run outside sudo or fakeroot. Only possibility might be to have bitbake run in qemu. Will need to wait until after figuring out A/B and secureboot.
- Currently using unique passphrase, uses ECID as well as Disk UUID to figure out the passphrase. Need a switch to switch between unique and genric in initramfs.
- Using xmllint can query flash.xml, can get all partition names with encrypted=true. This is difference between Matt’s initial implementation and what is implemented by NVIDIA now. Inject a UUID if needed.
- Taking the BRCID and deriving the ECID from this. Pad the first characters with zeros on AGX. Pass that, user key which can be zeros and the Disk UUID for the image you are encrypting. Pass that into the genlukspassphrase.py script. Allows you to do the encryption off target. Once on target the only time it has the ability to talk to luks, no lukserv or /etc/cryptab in the rootfs. Queries trusted apps for passphrase, unlocks and creates dm-crypt devices, those are mounted in initramfs, do the switchroot to that mount. Data partition isn’t mounting as data - more to be done there.
- Doing cryptsetup in initramfs increases boot time. Alternatively can pass the passphrase into the rootfs to avoid increase in boot time.
- Matt’s implementation was partially for ease of use with manufacturing - wanted to give them no access to secret stuff, plop on the device, device takes care of encryption without manufacturing people need to know anything.
- Current goal is to be as close to nvidia implementation as possible.
- Next steps - prove that keystore works, use systemd instead of init.d
- Haven’t got the digsignserver working yet.
- Probably will be porting trusty apps over to OP-TEE, will be able to use this mechanism in Jetpack 5.
- Currently encryption only, not secureboot. When turning on secureboot will need to come up with some way to sign the image, need to figure out how to do this since there’s not currently a way to encyrypt at build time due to issues mentioned above regarding fakeroot.
- See https://github.com/moto-timo/tegra-demo-distro/tree/wip-dunfell-luks which will bring in https://github.com/moto-timo/meta-tegra/tree/wip-dunfell-luks
- Yocto Project Summit next week
- See https://www.yoctoproject.org/yocto-project-summit-2022-05/
- Tim is presenting a hands-on kernel lab.
- GCC12 just got merged on master in oe-core
- Master branch in demo distro will get updated this weekend.