Creating an Encrypted VxWorks 7 File System Partition

VxWorks is a Real Time Operating System built by Wind River that supports the creation and use of target resident file systems. Various types of file system are supported by VxWorks, including DOS compatible and Wind River’s own proprietry highly reliable file system (HRFS).

This blog describes how to configure an encrypted DOS compatible file system partition on VxWorks 7.

These instructions assume that you are using:

• Wind River VxWorks 7, SR0620 installed on a Windows workstation
• Intel target booting from UEFI BIOS
• Two USB flash drives
• The target has two file system partitions:
  • /bd0:1 – USB flash drive 1, the boot partition where the UEFI boot loader and the VxWorks kernel image reside
  • /bd16:1 – USB flash drive 2, a DOS compatible file system partition that you intend to encrypt

For more information on these topics, refer to: VxWorks 7 Security Programmer’s Guide VxWorks 7 File Systems and I/O Programmer’s Guide.

Open a DOS shell, configure the build environment and then build the project.

cd                   // your installation directory
wrenv -p vxworks-7
cd              // your workspace
vxprj vsb create encrypt_vsb -bsp itl_generic -smp -force -S
cd encrypt_vsb                  // your VSB directory
vxprj vsb add DISK_ENCRYPTION   // add the disk encryption layer to the VSB
vxprj vsb add IPNET_SSH         // add IPNET encryption
make -j 32                      // build the VSB

Create the basic VxWorks image project (VIP) as follows.

cd ..
vxprj create -smp itl_generic encrypt_vip -profile PROFILE_INTEL_GENERIC -vsb encrypt_vsb
cd encrypt_vip
vxprj vip component add INCLUDE_MULTI_STAGE_WARM_REBOOT
vxprj vip bundle add BUNDLE_STANDALONE_SHELL
vxprj parameter set DOSFS_COMPAT_NT TRUE
vxprj vip component add INCLUDE_DOSFS
vxprj vip component add INCLUDE_DOSFS_CACHE
vxprj vip component add INCLUDE_DOSFS_FMT
vxprj vip component add INCLUDE_DISK_UTIL
vxprj vip component add INCLUDE_XBD
vxprj vip component add INCLUDE_DOSFS_MAIN
vxprj vip component add INCLUDE_DOSFS_FAT
vxprj vip component add INCLUDE_DISK_ENCRYPTION
vxprj vip component add INCLUDE_SSH
vxprj vip component add INCLUDE_SEC_VAULT_KEP_OBFUSCATOR
vxprj parameter set meta_SEC_VAULT_KEY_ENCRYPTING_PW "\"harmonicsoftware"\" 
vxprj vip component add INCLUDE_DISK_ENCRYPTION_TOOLS
vxprj parameter set SEC_VAULT_FILE_ROOT "\"/bd0:1"\" 
vxprj vip component add INCLUDE_SEL_AES_256_ECB
vxprj vip component add INCLUDE_SEC_KEY_STORE_CMD
vxprj vip component add INCLUDE_GENRSA_CMD
vxprj vip component add INCLUDE_SEC_SECRET
vxprj vip component add INCLUDE_SEC_SECRET_CMD
vxprj parameter set SSH_RSA_KEYEX_KEY_ID "\"default_rsa"\" 
vxprj parameter set SSH_RSA_KEY_ID "\"default_rsa"\" 
vxprj parameter set SSH_HOST_KEY_RSA "\"1"\" 
vxprj vip component add INCLUDE_DISK_ENCRYPTION_AUTO_MOUNT_1
vxprj parameter set PARTITION_NAME_1 "\"/bd16:1"\" 
vxprj parameter set PARTITION_KEY_ID_1 "\"0"\" 
vxprj build

Make sure you rename meta_SEC_VAULT_KEY_ENCRYPTING_PW as SEC_VAULT_KEY_ENCRYPTING_PW, and use your own unique password.

Execute the devs command on the kernel shell to check the file system device names.

-> devs
drv refs name
  1 [ 3] /
  2 [ 3] /bd0:1  ==>  /bd0a
  5 [ 3] /bd0a
  2 [ 3] /bd16:1  ==>  /bd16a
  2 [ 3] /bd16:2  ==>  /bd16b
  5 [ 3] /bd16a
  6 [ 3] /bd16b
value = 2 = 0x2
-> cd "/bd0:1"
value = 0 = 0x0
-> ls
EFI
value = 0 = 0x0

In this example, the boot device name is /bd0:1. You will not encrypt the boot device. Instead, you will encrypt the partition /bd16:1. If you need guidance on how to create a new file system partition, refer to the VxWorks 7 File Systems and I/O Programmer’s Guide.

Note: Encryption of VxWorks RAM disks is not recommended.

Format /bd16:1 to be DOS compatible.

-> dosFsVolFormat ("/bd16:1", 0, 0)
value = 0 = 0x0

Prime the VxWorks key store and secrets repository by creating and adding a private/public RSA key to it. Also create a secret that you will use to encrypt your file system partition.

-> cd "/bd0:1"
value = 0 = 0x0
-> cmd
[vxWorks *] genrsa -out default_rsa.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
.............
e is 65537 (0x010001)
[vxWorks *] keyStore import default_rsa default_rsa.pem
[vxWorks *] keyStore list
default_rsa
[vxWorks *] secret import 0 MySecret99
[vxWorks *] C

Do not use MySecret99. Instead, make up your own secret. Give it a mixture of numbers and letters of upper and lower case.

Encrypt the file system with secret 0 as you just defined it.

-> diskEncrypt ("/bd16:1", "0")
value = 0 = 0x0
->

The disk encryption will take a while. The exact duration depends on the speed of your processor, and the size and type of your file system. After encryption has completed, the file system will function normally but all operations to the disk, and the disk media itself, will reflect your encryption.

Note: If /bd16:1 is a USB disk, once you encrypt it you cannot read this disk on any other workstation. For another VxWorks workstation to read this disk, you need to define secret 0 on that target as above.

To undo the encryption while protecting the data on the file system partition:

-> diskDecrypt ("/bd16:1", "0")
value = 0 = 0x0
->

The disk decryption will take a while. The exact duration depends on the speed of your processor, and the size and type of your file system. After decryption has completed, the file system will function normally, and will no longer be encrypted.

Note: Both diskEncrypt() and diskDecrypt() are non-destructive on the file system contents.