Can't use cryptsetup and i2c in Initramfs

Hello,

I work with an RPi Compute Module 3 and I am trying to add a decryption stage to my initramfs. I got the BalenaOS Yocto project and I added a script to initrdscripts_framework. My script uses the cryptsetup and openssl packages. I checked that the dependencies are correctly installed in the initramfs (libcryptsetup, libopenssl, dm-crypt kernel module). Nonetheless I can’t decrypt my partition with cryptsetup. To make debugging easy, I launch an sh terminal in the initramfs. When I try to decrypt the partition, I get the following error:

cryptsetup -v luksOpen /dev/mmcblk0p7 dsi
[  108.570097] random: cryptsetup: uninitialized urandom read (4 bytes read)
[  108.579953] Enter passphrase for /dev/mmcblk0p7:
[  111.701079]
[  113.692423] Command failed with code -1 (wrong or missing parameters).

In my /dev/ folder I have:

cd /dev
ls
[ 22.883212] autofs
[ 22.883212] block
[ 22.883212] bus
[ 22.883212] cachefiles
[ 22.883212] char
[ 22.883212] console
[ 22.883212] cpu_dma_latency
[ 22.883212] disk
[ 22.883212] fb0
[ 22.883212] fd
[ 22.883212] full
[ 22.883212] gpiochip0
[ 22.883212] gpiochip1
[ 22.883212] gpiochip2
[ 22.883212] gpiomem
[ 22.883212] hwrng
[ 22.883212] input
[ 22.883212] kmsg
[ 22.883212] loop-control
[ 22.883212] loop0
[ 22.883212] loop1
[ 22.883212] loop2
[ 22.883212] loop3
[ 22.883212] loop4
[ 22.883212] loop5
[ 22.883212] loop6
[ 22.883212] loop7
[ 22.883212] mem
[ 22.883212] memory_bandwidth
[ 22.883212] mmcblk0
[ 22.883212] mmcblk0boot0
[ 22.883212] mmcblk0boot1
[ 22.883212] mmcblk0p1
[ 22.883212] mmcblk0p2
[ 22.883212] mmcblk0p3
[ 22.883212] mmcblk0p4
[ 22.883212] mmcblk0p5
[ 22.883212] mmcblk0p6
[ 22.883212] mmcblk0p7
[ 22.883212] mmcblk0rpmb
[ 22.883212] net
[ 22.883212] network_latency
[ 22.883212] network_throughput

As we can see, /dev/random and /dev/urandom are not present. I can’t get more logs and I think the problem comes from there. Moreover, to strengthen my process, another step is to communicate with a TPM (to136) via i2c to get the decryption key. After enabling the i2c-dev module and adding it as autoload in the kernel, I can’t get the peripheral /dev/i2c-1 available in my initramfs. However, when BalenaOS is launched, I am able to encrypt/decrypt the partition with cryptsetup and communicate with the to136 via i2c.

I tried the same manipulation with another target board based on IMX6 and it works fine.

Do you know if there is a special process to mount peripherals in the initramfs for the Raspberry? Can I have support for my issue?

Thanks,
Ben

Hi @benat,
I’ve reached out to the balenaOS team about this and we can confirm that on the balenaFin, which also uses the RPi CM3, we do have access to /dev/random and /dev/urandom.
On the other hand, we think that the error that you are getting is caused once /dev/urandom is read.
If that’s the case, then it looks more related to the following issue:

Please check it out and let us know whether it seems helpful.

Kind regards,
Thodoris

Thanks for your answer @thgreasi.

After reading your link and investigating my issue, I found a solution based on this issue:

As it says, it’s caused by a kernel regression. After adding an extension recipe file (.bbappend) to add the ecb kernel module, cryptsetup works fine.

Thanks for your help. I am still searching for a solution to use i2c in the initramfs.

Ben
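
Added example, not part of the original thread: a preflight check that an initramfs unlock script could run before calling `cryptsetup luksOpen`, reporting which of the kernel modules (dm-crypt, ecb, i2c-dev) and device nodes (urandom, random, i2c-1) mentioned in this thread are missing. The function names `kmod_available` and `preflight` are hypothetical, and the check assumes the image ships the standard `modules.builtin` and `modules.dep` index files under its `/lib/modules/<release>` directory.

```shell
#!/bin/sh
# Added example: preflight check for an initramfs unlock script.
# The module and device directories are parameters, so the same check
# can be run against an unpacked initramfs image or the live system.

# Return 0 if kernel module $1 is built in or shipped under $2
# (a /lib/modules/<release> directory). '-' and '_' compare equal.
kmod_available() {
    want=$(printf '%s' "$1" | sed 'y/-/_/')
    for index in "$2/modules.builtin" "$2/modules.dep"; do
        [ -r "$index" ] || continue
        # modules.dep lines look like "kernel/crypto/ecb.ko: <deps>";
        # modules.builtin holds the path only. Strip the dependency
        # list, the directory and the .ko[.xz|.gz|.zst] suffix.
        if sed -e 's/:.*//' -e 's|.*/||' -e 's/\.ko.*$//' -e 'y/-/_/' "$index" \
            | grep -qx "$want"; then
            return 0
        fi
    done
    return 1
}

# Print one line per missing prerequisite; exit status is the count.
preflight() {
    moddir=$1
    devdir=$2
    missing=0
    for m in dm-crypt ecb i2c-dev; do
        kmod_available "$m" "$moddir" || {
            echo "missing module: $m"
            missing=$((missing + 1))
        }
    done
    for n in urandom random i2c-1; do
        [ -e "$devdir/$n" ] || {
            echo "missing device node: $devdir/$n"
            missing=$((missing + 1))
        }
    done
    return "$missing"
}

# Typical call from the unlock script (not executed here):
#   preflight "/lib/modules/$(uname -r)" /dev || echo "fix the image first"
```

A module listed in the index is only available, not necessarily loaded, so the unlock script still needs its own `modprobe` step for anything that is not built in.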

@benat thanks for letting us know that you found a solution. It might be cool to try to contribute your work or create an issue on https://github.com/balena-os/balena-raspberrypi so that others facing this will find the solution more easily.

Hi @benat,

I’m in the same situation as you, I’m trying to decrypt my root partition from a key stored on a persistent memory accessible in I2C. How did you load the i2c module into your initrd image?

In my case I want to use a custom keyscript in C language to retrieve the key.

Thanks in advance and have a nice day