NXP MCU Technical Forum

辛太励

[Q&A]

i.MX8MP + HAB + encrypted storage using CAAM: how do I resolve an error at Linux boot?

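I am using the i.MX8MP processor together with eMMC for persistent storage. I want to use secure boot (HAB) and create encrypted storage on the eMMC using CAAM secure keys. The eMMC is partitioned. I use one partition to store the keys generated by caam-keygen and another partition (/dev/mmcblk2p7) for the encrypted storage. I first created the encrypted storage on partition /dev/mmcblk2p7 using the steps described in AN12714. It works fine. I created a script that Linux calls on my behalf at boot. The script imports the key from the blob, adds it to the key retention service, and mounts the file system at /fsencrypted.
However, when I enable HAB, I get the following error at Linux boot.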
<13>Jan  1 00:00:00 rc: Mounting enrypted storage on /dev/mmcblk2p7
[    7.771096] caam_jr 30903000.jr: Failed to execute blob decap descriptor
[    7.779322] caam_jr 30903000.jr: Blob decapsulation failed: -74
<13>Jan  1 00:00:00 rc:
<13>Jan  1 00:00:00 rc: CAAM keygen usage: caam-keygen [options]
<13>Jan  1 00:00:00 rc: Options:
<13>Jan  1 00:00:00 rc: create
<13>Jan  1 00:00:00 rc: the name of the file that will contain the black key.
<13>Jan  1 00:00:00 rc: A file with the same name, but with .bb extension, will contain the black blob.
<13>Jan  1 00:00:00 rc: can be ecb or ccm
<13>Jan  1 00:00:00 rc: can be -s or -t.
<13>Jan  1 00:00:00 rc: -s generate a black key from random with the size given in the next argument
<13>Jan  1 00:00:00 rc: -t generate a black key from a plaintext given in the next argument
<13>Jan  1 00:00:00 rc: the size or the plaintext based on the previous argument ()
<13>Jan  1 00:00:00 rc: can be -h or -p (default argument is -p)
<13>Jan  1 00:00:00 rc: -h generate a black key from the hex text that is provided in previous argument
<13>Jan  1 00:00:00 rc: -p generate a black key from the plain text that is provided in previous argument
<13>Jan  1 00:00:00 rc: import
<13>Jan  1 00:00:00 rc: the absolute path of the file that contains the blob
<13>Jan  1 00:00:00 rc: the name of the file that will contain the black key.
[    7.915905] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204672
[    7.924042] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204673
[    7.932172] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204674
[    7.940292] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204675
[    7.948466] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204676
[    7.956639] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204677
[    7.964793] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204678
[    7.972971] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204679
[    7.982432] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204672
[    7.990562] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204673
[    7.998853] Buffer I/O error on dev dm-0, logical block 25584, async page read
[    8.026440] EXT4-fs (dm-0): unable to read superblock
<13>Jan  1 00:00:00 rc: mount: /fsencrypted: can't read superblock on /dev/mapper/encrypted.
<13>Jan  1 00:00:00 rc: error: exit code 32
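I found that I have to recreate the encrypted storage (the steps from AN12714) to make it work again. However, this deletes the data I stored on the partition.
To avoid these problems, it seems I first have to enable HAB and then create the encrypted storage.
My question is: why? What happens to the encrypted storage after HAB is enabled? Am I doing something wrong?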
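
A triage sketch for the boot log in the post above, added here as an example and not part of the original post or of NXP's tooling: it orders the CAAM blob decapsulation failure against the dm-crypt AEAD errors, a heuristic for telling a failed key import apart from damaged media. The function name `triage`, the verdict strings and the abridged sample log are assumptions constructed for this example.

```python
import re

# Constructed sample: lines taken from the boot log in the post, abridged.
SAMPLE_LOG = """\
<13>Jan  1 00:00:00 rc: Mounting enrypted storage on /dev/mmcblk2p7
[    7.771096] caam_jr 30903000.jr: Failed to execute blob decap descriptor
[    7.779322] caam_jr 30903000.jr: Blob decapsulation failed: -74
[    7.915905] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204672
[    7.924042] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204673
[    7.982432] trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 204672
[    8.026440] EXT4-fs (dm-0): unable to read superblock
"""

TS = r"^\[\s*(\d+\.\d+)\]\s+"  # kernel timestamp prefix, e.g. "[    7.779322] "
DECAP = re.compile(TS + r"caam_jr (\S+): Blob decapsulation failed: (-?\d+)")
AEAD = re.compile(TS + r".*crypt: (\S+): INTEGRITY AEAD ERROR, sector (\d+)")
SUPERBLOCK = re.compile(TS + r"EXT4-fs \((\S+)\): unable to read superblock")
LINUX_ERRNO = {74: "EBADMSG"}  # Linux errno numbering; only the value seen here

def triage(log_text):
    """Order the CAAM and dm-crypt failures found in a kernel log (heuristic)."""
    decap = None        # (time, job ring, code) of the first decap failure
    first_aead = None   # time of the first AEAD integrity error
    sectors = set()     # distinct failing sectors; retries repeat a sector
    superblock = False
    for line in log_text.splitlines():
        if m := DECAP.match(line):
            decap = decap or (float(m[1]), m[2], int(m[3]))
        elif m := AEAD.match(line):
            first_aead = float(m[1]) if first_aead is None else first_aead
            sectors.add(int(m[3]))
        elif SUPERBLOCK.match(line):
            superblock = True
    if decap and first_aead is not None and decap[0] < first_aead:
        verdict = "key-import-failed-before-mount"  # look at the blob, not the media
    elif first_aead is not None:
        verdict = "aead-errors-without-decap-failure"
    elif decap:
        verdict = "decap-failed-no-volume-io"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "job_ring": decap[1] if decap else None,
        "decap_errno": LINUX_ERRNO.get(-decap[2], str(decap[2])) if decap else None,
        "distinct_bad_sectors": len(sectors),
        "superblock_unreadable": superblock,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
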
