Where is encrypted data stored in the boot partition?

The encrypted key blob is stored in the (unencrypted) boot partition; this is done as part of the manufacturing step. During boot, a script in the initramfs asks the CAAM kernel driver to decrypt (decapsulate) the blob, and the recovered plaintext key is used to unlock the root filesystem. The blob is wrapped with a key derived from the SoC's fused master key, so it can only be unwrapped on the device that created it; copying the boot partition to another board yields nothing usable.

How to enable full disk encryption with encrypted boot?

So, when booting, GRUB asks for the passphrase, unlocks the LUKS volume, loads both files (kernel and initramfs) from it and runs them. The initramfs can then unlock the encrypted root volume and the system boots normally. The advantage of this layout is that the only unencrypted code left on disk is the GRUB boot loader on the EFI system partition. Note that encryption does not protect GRUB's integrity: that still relies on Secure Boot (a signed shim/GRUB), otherwise the one plaintext component is also the one an attacker would modify.
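The layout described above, as an added example that is not part of the original page: /boot is placed on a LUKS volume that GRUB unlocks itself, so only GRUB on the EFI system partition stays in plaintext. Device names (/dev/sda1, /dev/sda2), the mapping name and the sample UUID are assumptions for illustration.

```shell
#!/bin/sh
# Added example: encrypted /boot unlocked by GRUB's cryptodisk support.
# Assumptions: /dev/sda1 is the EFI system partition, /dev/sda2 becomes
# the encrypted /boot, x86_64 UEFI system.
set -eu

BOOT_PART=/dev/sda2   # assumed: future encrypted /boot
ESP=/dev/sda1         # assumed: EFI system partition (stays plaintext)

# GRUB's "cryptomount -u" wants the LUKS UUID without dashes, unlike
# cryptsetup/blkid output.
grub_uuid() {
    printf '%s\n' "$1" | tr -d '-'
}

# Render the grub.cfg stanza that unlocks the volume before kernel and
# initramfs are loaded from it.
grub_cryptomount_stanza() {
    uuid=$(grub_uuid "$1")
    printf 'insmod luks\ninsmod cryptodisk\ncryptomount -u %s\n' "$uuid"
}

setup_encrypted_boot() {
    # GRUB 2.06 only unlocks LUKS2 volumes that use PBKDF2 (no Argon2);
    # LUKS1 is the safe choice for a GRUB-unlocked /boot.
    cryptsetup luksFormat --type luks1 "$BOOT_PART"
    cryptsetup open "$BOOT_PART" cryptboot
    mkfs.ext4 /dev/mapper/cryptboot
    mount /dev/mapper/cryptboot /boot
    mkdir -p /boot/efi && mount "$ESP" /boot/efi
    # Make grub-install embed cryptodisk/luks into the core image so it
    # can reach /boot at all.
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' /etc/default/grub || \
        echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub
    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
    grub-mkconfig -o /boot/grub/grub.cfg
}

# Only act when invoked explicitly, so sourcing the file is harmless.
case "${1:-}" in
    setup)  setup_encrypted_boot ;;
    stanza) grub_cryptomount_stanza "$2" ;;
esac
```

With this layout the passphrase is requested twice (once by GRUB, once by the initramfs for the root volume) unless a keyfile for the root volume is stored inside the now-encrypted /boot and referenced from /etc/crypttab.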

How to encrypt root partition and entire file system using?

As a precaution, take a backup before applying the steps below: formatting a partition with LUKS destroys whatever is on it. On a RHEL system you need an active subscription to RHN, or a local offline repository, so that the "yum" package manager can install the required rpm (cryptsetup) and its dependencies. I have already created a partition /dev/sdb1 on my /dev/sdb disk.
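The procedure on /dev/sdb1, as an added example rather than the page's own commands: LUKS-format the partition, open it, create a filesystem, register it in /etc/crypttab and /etc/fstab, and rebuild the initramfs so it is unlocked at boot. The mapping name "secret", the mount point /data and the use of XFS are assumptions.

```shell
#!/bin/sh
# Added example: LUKS-encrypt an empty partition on RHEL and mount it
# persistently. Assumptions: cryptsetup is installed, /dev/sdb1 is unused,
# mapping name "secret", mount point /data, XFS filesystem.
set -eu

PART=/dev/sdb1
NAME=secret
MNT=/data

# crypttab entry: <name> <device> <keyfile or none> <options>
# Referencing the LUKS UUID survives /dev/sdX renumbering across reboots.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab entry for the mapped (decrypted) device
fstab_line() {
    printf '/dev/mapper/%s %s xfs defaults 0 0\n' "$1" "$2"
}

encrypt_partition() {
    # luksFormat wipes the partition; refuse if it already carries a signature.
    blkid "$PART" >/dev/null 2>&1 && {
        echo "$PART already has a filesystem/LUKS signature, aborting" >&2
        return 1
    }
    # AES-XTS with a 512-bit key (two 256-bit halves); prompts for a passphrase.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$PART"
    cryptsetup open "$PART" "$NAME"
    mkfs.xfs /dev/mapper/"$NAME"
    mkdir -p "$MNT"

    uuid=$(cryptsetup luksUUID "$PART")
    crypttab_line "$NAME" "$uuid" >> /etc/crypttab
    fstab_line "$NAME" "$MNT" >> /etc/fstab

    # Rebuild the initramfs so dracut's crypt module knows to prompt for
    # this volume during early boot.
    dracut -f
    mount "$MNT"
}

# Only act when invoked explicitly, so sourcing the file is harmless.
case "${1:-}" in
    encrypt) encrypt_partition ;;
esac
```

Run `cryptsetup luksDump /dev/sdb1` afterwards to confirm the cipher, key size and that exactly the expected keyslots are in use; an unexpected extra keyslot is a sign someone else can unlock the volume.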

Is the U-boot authenticated by the ROM?

Since the signed U-Boot is authenticated by the ROM, we can trust the public key embedded in U-Boot to verify the FIT image that carries the kernel and device tree. Verified boot using FIT images is part of mainline U-Boot, and FIT image signing is supported by mainline Yocto. Depending on the version of U-Boot/Yocto, certain patches might need to be backported.

How to decrypt root filesystem using CAAM kernel driver?

During boot, a script in the initramfs uses the CAAM kernel driver to decrypt the key blob, and the recovered plaintext key unlocks the root filesystem. Because secure boot (high assurance boot, HAB) is enabled, every stage up to that script has been authenticated, so malicious firmware cannot be loaded to ask the CAAM to decrypt the blob on the attacker's behalf. This holds only if the kernel and initramfs are themselves part of the signed chain (for example through a verified FIT image); an attacker who can boot an unsigned initramfs on the device can simply have the CAAM unwrap the key for them.
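The two steps described above (sealing the key blob into the boot partition at manufacturing time, unsealing it from the initramfs at boot), as an added example that is not the page's or NXP's own script. Instead of a vendor blob tool it uses the mainline kernel's trusted-keys CAAM backend (CONFIG_TRUSTED_KEYS_CAAM, kernel 5.19 or later, booted with trusted.source=caam) and dm-crypt's ability to reference a keyring key, so the plaintext key never leaves the kernel. The device paths, the key name "rootfskey" and the blob location are assumptions.

```shell
#!/bin/sh
# Added example: CAAM-wrapped root filesystem key, sealed at manufacturing
# time and unsealed in the initramfs. Assumptions: kernel >= 5.19 with
# CONFIG_TRUSTED_KEYS_CAAM and trusted.source=caam, keyutils and dmsetup in
# the initramfs, /dev/mmcblk0p2 is the encrypted root partition.
set -eu

BLOB=/boot/rootfs-key.blob   # assumed: blob stored on the plaintext boot partition
ROOT_DEV=/dev/mmcblk0p2      # assumed: encrypted root partition
KEY_NAME=rootfskey           # assumed keyring description
KEY_BYTES=64                 # aes-xts-plain64 needs a 512-bit (64-byte) key

# Build the dm-crypt table. The key is referenced as :<size>:<type>:<name>
# from the kernel keyring, so no key material appears in argv or /proc.
dm_table() {
    dev=$1; sectors=$2; keyname=$3; keybytes=$4
    printf '0 %s crypt aes-xts-plain64 :%s:trusted:%s 0 %s 0\n' \
        "$sectors" "$keybytes" "$keyname" "$dev"
}

# Manufacturing step: the kernel generates a random key inside the
# trusted-key subsystem; only the CAAM-encrypted blob can be read back.
seal_rootfs_key() {
    kid=$(keyctl add trusted "$KEY_NAME" "new $KEY_BYTES" @u)
    keyctl pipe "$kid" > "$BLOB"      # blob is bound to this SoC's fused master key
    # Create the encrypted rootfs with the same key so it can be populated now.
    dmsetup create cryptroot --table \
        "$(dm_table "$ROOT_DEV" "$(blockdev --getsz "$ROOT_DEV")" "$KEY_NAME" "$KEY_BYTES")"
    mkfs.ext4 /dev/mapper/cryptroot   # populate the rootfs afterwards (not shown)
}

# initramfs step: re-import the blob; the CAAM refuses blobs made elsewhere.
unseal_and_map_root() {
    [ -s "$BLOB" ] || { echo "missing key blob $BLOB" >&2; return 1; }
    keyctl add trusted "$KEY_NAME" "load $(cat "$BLOB")" @u >/dev/null
    dmsetup create cryptroot --table \
        "$(dm_table "$ROOT_DEV" "$(blockdev --getsz "$ROOT_DEV")" "$KEY_NAME" "$KEY_BYTES")"
    mount -o ro /dev/mapper/cryptroot /sysroot
}

# Only act when invoked explicitly, so sourcing the file is harmless.
case "${1:-}" in
    seal)   seal_rootfs_key ;;
    unseal) unseal_and_map_root ;;
esac
```

Because the key only ever exists as a trusted key, `keyctl print` on it returns the wrapped blob rather than plaintext, which is the property the page relies on: an unsigned initramfs is the only way to get the CAAM to unwrap it, and HAB plus a verified FIT image close that path.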

What are root key types for secure boot?

Table 2. Root Key Types

Root Key            Key Type  Description
Secure User Key     Fuse      You generate a secure key pair for boot
RO FPGA Key         FPGA      The public key originates from your bits
Unsecured User Key  User      You generate a secure key pair but it is

Where is the public key embedded in U-Boot?

The public key is then embedded inside U-Boot as part of the U-Boot control device tree (u-boot.dtb). Since the signed U-Boot is authenticated by the ROM, we can trust the public key inside U-Boot to verify the FIT image. Verified boot using FIT images is part of mainline U-Boot, and FIT image signing is supported by mainline Yocto.
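The signing flow described in the two FIT-image answers above, as an added example that is not taken from U-Boot, Yocto or the page: generate an RSA key pair, describe kernel and DTB in an image tree source whose configuration is signed, let mkimage sign the FIT and embed the public key into u-boot.dtb, then check the result offline. The file names (Image, board.dtb, fit.its, fit.itb), the key name "dev", arm64 and the load/entry addresses are assumptions.

```shell
#!/bin/sh
# Added example: sign a FIT image and embed the verification key into
# U-Boot's control DTB. Assumptions: mkimage and fit_check_sign from a
# U-Boot build, openssl, kernel "Image" and "board.dtb" in the cwd.
set -eu

KEYDIR=${KEYDIR:-keys}
KEYNAME=dev   # mkimage looks for $KEYDIR/$KEYNAME.key and $KEYDIR/$KEYNAME.crt

gen_key() {
    mkdir -p "$KEYDIR"
    openssl genrsa -out "$KEYDIR/$KEYNAME.key" 2048
    openssl req -batch -new -x509 -key "$KEYDIR/$KEYNAME.key" -out "$KEYDIR/$KEYNAME.crt"
}

# Emit the image tree source. Signing the configuration (not only each
# image) stops an attacker from mixing individually signed kernels and DTBs.
fit_its() {
    kernel=$1; dtb=$2; keyname=$3
    cat <<EOF
/dts-v1/;
/ {
    description = "Signed kernel + DTB";
    #address-cells = <1>;
    images {
        kernel {
            description = "Linux";
            data = /incbin/("$kernel");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x80080000>;
            entry = <0x80080000>;
            hash-1 { algo = "sha256"; };
        };
        fdt {
            description = "Board DTB";
            data = /incbin/("$dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf";
        conf {
            description = "Boot Linux with DTB";
            kernel = "kernel";
            fdt = "fdt";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "$keyname";
                sign-images = "kernel", "fdt";
            };
        };
    };
};
EOF
}

sign_fit() {
    fit_its Image board.dtb "$KEYNAME" > fit.its
    # -K writes the public key into u-boot.dtb; -r marks it "required" so an
    # unsigned or differently signed configuration is rejected rather than
    # merely reported as unverified.
    mkimage -f fit.its -k "$KEYDIR" -K u-boot.dtb -r fit.itb
    # Offline check against the control DTB that now carries the key.
    fit_check_sign -f fit.itb -k u-boot.dtb
}

# Only act when invoked explicitly, so sourcing the file is harmless.
case "${1:-}" in
    keys) gen_key ;;
    sign) sign_fit ;;
esac
```

The u-boot.dtb produced here must be the one built into the U-Boot binary that the ROM authenticates; a key embedded only in a loose DTB on the boot partition could be swapped by an attacker along with the FIT image.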