Full disk encryption

I want to implement full disk encryption for Jetson TK1 with R24.4 rootfs on eMMC.
I haven’t found any useful information about this feature, either in the docs or in forum topics. I supposed it was an essential and commonly used feature, but it seems not.

It would be great if someone could share their experience of implementing full disk encryption (or at least encryption of the rootfs (APP) partition), or at least provide rough steps.

My ideas on this:
I’ve found that it’s hard to get direct access to the device partitions from the host it is connected to. Because of this, I suppose that the images for flashing should be prepared in advance. An encrypted, sparse system.img with the rootfs could be created, but how would it be unlocked on boot? It seems a boot partition with a suitable initrd is required.
With proper images, nvflash could be used instead of flash.sh. Or could it be done with flash.sh?

I do not know the requirements for encrypting a partition, but some issues to think about…

The u-boot boot loader reads its configuration from “/boot”, as well as loading firmware and kernel files from “/boot”. Should “/boot” be encrypted, u-boot itself would need a massive change to support encrypted partitions.

If you were to flash to eMMC, and the sample rootfs were devoid of anything other than “/boot”, then another partition on eMMC or SD card, and so on, could be pointed at in the extlinux.conf u-boot config file to name a separate root partition. If the kernel being loaded had everything it needs to read an encrypted partition compiled directly into the kernel as a non-module feature, then it should be able to deal with an encrypted partition without involving the boot loader (perhaps there would be a special argument passed by u-boot to the kernel, but that’s still the kernel executing related code).

Very likely any prompt for a password would be a problem unless the serial console is used for that purpose. Your method of entering a password would change what needs to be done related to password entry.
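
For the point above about having the encryption support compiled into the kernel rather than built as modules, a check of a kernel `.config` can report what is built in. This is an added example, not part of the original posts; the option list assumes dm-crypt with AES-XTS and SHA-256, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the kernel options an encrypted root would
# rely on are built in (=y), modular (=m) or absent in a kernel .config.
# Assumption: dm-crypt with AES-XTS and SHA-256; adjust the list to your cipher.
REQUIRED_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256"

# opt_state <config-file> <option>  ->  prints builtin | module | missing
opt_state() {
    # Match the exact option name at line start, so "# CONFIG_X is not set"
    # and longer names such as CONFIG_X_ARM never match.
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;
    esac
}

# check_config <config-file>  ->  one line per option; returns 0 only if
# every required option is built in, 1 otherwise, 2 if the file is unreadable.
check_config() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for opt in $REQUIRED_OPTS; do
        state=$(opt_state "$cfg" "$opt")
        printf '%-24s %s\n' "$opt" "$state"
        [ "$state" = builtin ] || rc=1
    done
    return $rc
}

# Constructed sample config: dm-crypt is modular and XTS is disabled.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_SHA256=y
EOF
}
```

Run `check_config` on the `.config` of the kernel that will be flashed; it covers only the kernel side, not how the volume is opened or how the password is entered.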