We would like to use a LUKS-encrypted rootfs on the SAMA5D2. We've included meta-encrypted-storage (https://github.com/jiazhang0/meta-secur ... ed-storage) in our Yocto build. This feature employs cryptsetup together with an initramfs and an init script to unlock the LUKS-encrypted root partition as part of kernel boot.
To create a LUKS-encrypted partition, the following steps are generally needed:
Code:
cryptsetup luksFormat /dev/mmcblkxxx keyfile
cryptsetup luksOpen -d keyfile /dev/mmcblkxxx cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt/cryptroot
cp -ax /mnt/path-to-rootfs/* /mnt/cryptroot # populate luks encrypted partition
umount /mnt/cryptroot
cryptsetup luksClose cryptroot
Does anyone know how to best handle this or something similar within the Yocto build process? The desire is to have the build process automatically create and package a LUKS-encrypted rootfs in the .wic file instead of the plain rootfs.