@@ -130,46 +130,81 @@ The following steps describe how to build user-space tools and configuration on
130130
131131 .. code-block :: console
132132
133+ # Extract command
134+ cpio -iv < <path to .cpio>
135+
133136 # Create a random pass key
134137 tr -dc '[:alnum:]' </dev/urandom | head -c64 > <initramfs_root>/home/pass_key
135138
139+ # Create cpio from initramfs folder
140+ cd <initramfs_root>
141+ find . | sort | cpio --reproducible -o -H newc -R root:root > ../<name>.cpio
142+
136143 #. Package the initramfs into the kernel by using the :code: `menuconfig ` and build the kernel.
137144
138145 .. code-block :: kconfig
139146
140147 General setup ->
141148 Initial RAM filesystem and RAM disk (initramfs/initrd) support ->
142149 Initramfs source file(s)
143- /path/to/initramfs
150+ /path/to/initramfs.cpio
144151
145152 #. Replace the :file: `root/boot/Image ` with the updated Image and boot.
146153
147154#. Run the following commands in initramfs to setup the crypt and verity partitions
148155
149156 .. code-block :: console
150157
151- # Unmount encrypted partitions
158+ # Unmount encrypted partitions if already mounted
152159 umount /dev/mmcblk1p3
153160 umount /dev/mmcblk1p4
154161
162+ # Create the mount paths
163+ mkdir /old_mnt
164+ mkdir /mnt
165+
155166 # Mount default root
156167 mount /dev/mmcblk1p2 /old_mnt
157168
158169 # Setup the encrypted partition
159170 # The default cipher at the time of writing this guide is aes-xts-plain64
160- # To use the hardware accelerator, use --cipher aes-cbc-plain --key-size 256 --hash 256
171+ # Hardware acceleration for dm-crypt is not tested
161172
162173 cryptsetup luksFormat /dev/mmcblk1p3 --key-file=/home/pass_key --batch-mode
163174 cryptsetup luksOpen /dev/mmcblk1p3 crypt_root --key-file=/home/pass_key
164175
176+ # Use following commands to verify the status of the LUKS device
177+ cryptsetup -v status crypt_root #Status Check
178+ cryptsetup luksDump /dev/mmcblk1p3 #Dump Headers
179+
165180 # Format and copy rootfs inside encrypted partition
166181 mkfs.ext4 /dev/mapper/crypt_root
182+
183+ # If command is successful you should see below output
184+ root@am62xx-evm:~# mkfs.ext4 /dev/mapper/crypt_root
185+ mkfs.ext4 /dev/mapper/crypt_root
186+ mke2fs 1.47.0 (5-Feb-2023)
187+ Creating filesystem with 2952704 4k blocks and 738192 inodes
188+ Filesystem UUID: 8cc1c02e-7b0a-4d57-82f0-f3a4c35e0f00
189+ Superblock backups stored on blocks:
190+ 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208
191+
192+ Allocating group tables: done
193+ Writing inode tables: done
194+ Creating journal (16384 blocks): done
195+ Writing superblocks and filesystem accounting information: done
196+
197+ # Mount the encrypted partition
167198 mount /dev/mapper/crypt_root /mnt
168- cp -r /old_mnt /mnt
199+ cp -ar /old_mnt/. /mnt
169200 umount /mnt
170201
171202 # Setup verity
172- veritysetup format /dev/mapper/crypt_root /dev/mmcblk1p4 > /home/verity.hash
203+ veritysetup format /dev/mapper/crypt_root /dev/mmcblk1p4
204+
205+ # Output will have a Root hash, copy that hash as it will be used in next step
206+ ...
207+ Root hash: 4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076
173208
174209 #. Back on the host machine, add this init file at the root of the initramfs:
175210
@@ -189,8 +224,8 @@ The following steps describe how to build user-space tools and configuration on
189224 # If the cipher was previously changed, add --cipher aes-cbc-plain
190225 /sbin/cryptsetup luksOpen --key-file=/home/pass_key /dev/mmcblk1p3 crypt_root
191226
192- # Verify
193- /sbin/veritysetup open /dev/mapper/crypt_root verity_root /dev/mmcblk1p4 $( cat /home/verity.hash )
227+ # Verify (use the root hash from the previous ``veritysetup format`` command)
228+ /sbin/veritysetup open /dev/mapper/crypt_root verity_root /dev/mmcblk1p4 4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076
194229
195230 mount -o ro /dev/mapper/verity_root /mnt
196231