7. Set up your device with root filesystem encryption
Root filesystem encryption adds another layer of security to TrustFence. It uses the kernel's cryptographic support to encrypt all the data you store in the root filesystem. Attempting to access this data without the correct encryption key returns random, meaningless bytes.
When you enable TrustFence on the ConnectCore 6UL (see Enable TrustFence™ support in Digi Embedded Yocto), you automatically enable root filesystem encryption. This configures the project so that a new ramdisk (dey-image-trustfence-initramfs-ccimx6sbc.cpio.gz.u-boot.tf) is used at boot time to set up the encrypted root filesystem partition.
Program the encrypted rootfs
- Create a software update package. For example, if you have built image core-image-base with rootfs encryption enabled, run the following command to create a software update package:
bitbake core-image-base-swu
- Make sure the update package is accessible locally.
For example, in the update partition:
#> ls -l /mnt/update/
-rw-r--r-- 1 root root 731810304 Jan 26 18:15 dey-image-qt-swu-<platform>.swu
Or in external media:
$ ls -l /run/media/sda1
-rwxrwx--- 1 root disk 241062400 Jan 18 19:30 dey-image-qt-swu-<platform>.swu
$ ls -l /run/media/mmcblk1p1
-rwxrwx--- 1 root disk 241062400 Jan 18 19:30 dey-image-qt-swu-<platform>.swu
- From U-Boot, configure the recovery commands to update the system with the previously generated package.
- To set a new encryption key:
You can use a base64-encoded string of a 32-byte binary key:
=> setenv recovery_command "encryption_key=YjNz1psJsO3PsxIcdQwCjW7MA0Y5IryT38UCddViJNM= update_package=file://dey-image-qt-swu-<platform>.swu"
Or leave the value empty so that a random key is generated:
=> setenv recovery_command "encryption_key= update_package=file://dey-image-qt-swu-<platform>.swu"
- To use the already configured encryption key:
=> setenv recovery_command "update_package=file://dey-image-qt-swu-<platform>.swu"
- Reset in recovery mode:
=> setenv boot_recovery yes
=> saveenv
=> reset
The device boots in recovery mode and starts to update the system with the provided package. Once it finishes, the device reboots and the firmware update is complete.
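The following host-side helper is an added example, not part of the original Digi documentation. It generates a key in the format the "set a new encryption key" step expects (base64 of 32 random bytes), rejects any value that does not decode to exactly 32 bytes, and prints the matching setenv line. The function names gen_key, check_key and recovery_line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for the encryption_key value used in recovery_command.
# gen_key, check_key and recovery_line are hypothetical names, not Digi tools.

# Read 32 bytes from the kernel CSPRNG and base64-encode them on one line.
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Succeed only if $1 is base64 text that decodes to exactly 32 bytes.
check_key() {
    key=$1
    # 32 bytes always encode to 44 base64 characters.
    [ "${#key}" -eq 44 ] || return 1
    # Reject anything outside the standard base64 alphabet.
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # Decode and count bytes; wrong padding yields 31 or 33 bytes.
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Print the U-Boot command for a validated key ($1) and package file name ($2).
recovery_line() {
    check_key "$1" || { echo "key is not base64 of 32 bytes" >&2; return 1; }
    printf 'setenv recovery_command "encryption_key=%s update_package=file://%s"\n' \
        "$1" "$2"
}

# Example run with a freshly generated key and the page's package name.
recovery_line "$(gen_key)" 'dey-image-qt-swu-<platform>.swu'
```

The printed line contains the key itself, so keep it out of shell history, build logs and shared terminals.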
Note: After your first secure system deploy, you can use the update-firmware tool to trigger a new firmware update. See Program the firmware from Linux.
Note: To disable root filesystem encryption, add the following to your project's conf/local.conf configuration file:
TRUSTFENCE_INITRAMFS_IMAGE = ""
