Hamid Fadishei's Blog

July 9, 2013

iMX233 and Full-disk Encryption of Linux on SD Card

Filed under: Uncategorized — fadishei @ 2:54 pm
Tags: , , ,

After weeks of work, I finally was able to boot my iMX233 ARM processor from a fully encrypted linux partition… and most importantly, I was able to use the hardware-stored encryption key for this purpose. What a pleasure!

iMX233 features a hardware engine (known as DCP) which can perform 128-bit AES encryption using either a software-provided or the hardware-stored key. The latter key is burnt into the CPU’s OTP ROM and can be made totally hidden from software. This adds extra security: cryptography without any chance of revealling the encryption key.

To me, an ultimate disk encryption method for protecting an embedded application is one whose boot procedure does not include any non-encrypted stage. Otherwise, a malicious user can use her own modified version of that non-encrypted stage in order to boot her own code and try to break the encryption key by generating lot of plain/cipher patterns. The first boot stage of iMX233 (booting kernel from first SD partition) can be encrypted using the same OTP key (see elftosb -k parameter). Then the next stage of booting an encrypted Linux from the second partition was what I was looking for.

I had several obstacles to overcome:

  • First of all, I had to write my own version of kernel crypto module that can use the OTP hard-key instead of always expecting a soft-key to be provided [see this quesion].
  • Second, the original dm-crypt essiv IV method was not possible without modification in my case. Why? because it relies on the explicit value of the key for IV generation, and as I said, the key value is burried into hardware fuses and unknown to software.
  • Finally, I needed to add my custom initramfs into my compiled Freescale’s kernel. It is responsible to cryptsetup, mount the encrypted root partition, and switch_root to it.

October 13, 2012

Emulate OLinuxino Archlinux Image

Filed under: Uncategorized — fadishei @ 11:14 pm
Tags: , , , ,

OLinuxino is getting more and more popular for offering a good price-performance-size tradeoff. Archlinux now officially supports OLinuxino which means you have access to many prebuilt packages (openjdk, multimedia recorders and players, web servers, etc, etc) ready to be installed by the ‘pacman’ command.
A problem that you may still face as a developer is that due to the limited board resources, compiling programs and building new packages consumes lots of time, if possible at all.
If you want to use the power of your PC in develping for OLinuxino you can either setup a cross compilation environment or an emulation environment. In this post I describe an easy method for emulating the official Archlinux image of OLinuxino.

1. Download kernel, initrd, and filesystem provided by aurel32 for debian emulation from here
kernel: vmlinuz-2.6.32-5-versatile
initrd: initrd.img-2.6.32-5-versatile
filesystem image: debian_squeeze_armel_standard.qcow2

2. mount the first partition of debian_squeeze_armel_standard.qcow2 in /mnt (see here if you don’nt know how)

3. backup /mnt/lib/modules/* somewhere safe, then remove all the files in /mnt

4. extract the official OLinuxino Archlinux filesystem as root into /mnt

5. restore the the backup modules/* folder into /mnt/usr/lib/modules

6. Adjust the filesystem for changes posed by the emulation environment, such as:
change ttyAMA0 to tty1 in /mnt/etc/inittab
change usb0 to eth0 in /etc/rc.conf

7. unmount debian_squeeze_armel_standard.qcow2 and rename it to archlinux_olinuxino.qcow2

8. startup your emulated environment:
sudo qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda archlinux_olinuxino.qcow2 -append “root=/dev/sda1”

Blog at WordPress.com.