VxWorks

Creating an Encrypted VxWorks-7 File System Partition

by | Jun 1, 2020 | VxWorks

1 Introduction

VxWorks is a Real Time Operating System built by Wind River that supports the creation and use of target resident file systems. Various types of file system are supported by VxWorks, including DOS compatible and Wind River’s own proprietry highly reliable file system (HRFS).

This blog describes how to configure an encrypted DOS compatible file system partition on VxWorks 7.

 

2 Prerequisites

These instructions assume that you are using:

  • Wind River VxWorks 7, SR0620 installed on a Windows workstation
  • Intel target booting from UEFI BIOS
  • Two USB flash drives
  • The target has two file system partitions:
    • /bd0:1 – USB flash drive 1, the boot partition where the UEFI boot loader and the VxWorks kernel image reside
    • /bd16:1 – USB flash drive 2, a DOS compatible file system partition that you intend to encrypt

 

3 Related Wind River Documentation

For more information on these topics, refer to: VxWorks 7 Security Programmer’s Guide VxWorks 7 File Systems and I/O Programmer’s Guide.

 

4 Create and Build the VxWorks Source Build (VSB) Project

Open a DOS shell, configure the build environment and then build the project.

cd                   // your installation directory
wrenv -p vxworks-7
cd              // your workspace
vxprj vsb create encrypt_vsb -bsp itl_generic -smp -force
cd encrypt_vsb                  // your VSB directory
vxprj vsb add DISK_ENCRYPTION   // add the disk encryption layer to the VSB
vxprj vsb add IPNET_SSH         // add IPNET encryption
make -j 32                      // build the VSB

 

5 Create and Build the Basic VxWorks Image Project (VIP)

Create the basic VxWorks image project (VIP) as follows.

cd ..
vxprj create -smp itl_generic encrypt_vip -profile PROFILE_INTEL_GENERIC -vsb encrypt_vsb
cd encrypt_vip
vxprj vip component add INCLUDE_MULTI_STAGE_WARM_REBOOT
vxprj vip bundle add BUNDLE_STANDALONE_SHELL
vxprj parameter set DOSFS_COMPAT_NT TRUE
vxprj vip component add INCLUDE_DOSFS
vxprj vip component add INCLUDE_DOSFS_CACHE
vxprj vip component add INCLUDE_DOSFS_FMT
vxprj vip component add INCLUDE_DISK_UTIL
vxprj vip component add INCLUDE_XBD
vxprj vip component add INCLUDE_DOSFS_MAIN
vxprj vip component add INCLUDE_DOSFS_FAT
vxprj vip component add INCLUDE_DISK_ENCRYPTION
vxprj vip component add INCLUDE_SSH
vxprj vip component add INCLUDE_SEC_VAULT_KEP_OBFUSCATOR
vxprj parameter set meta_SEC_VAULT_KEY_ENCRYPTING_PW "\"harmonicsoftware"\" 
vxprj vip component add INCLUDE_DISK_ENCRYPTION_TOOLS
vxprj parameter set SEC_VAULT_FILE_ROOT "\"/bd0:1"\" 
vxprj vip component add INCLUDE_SEL_AES_256_ECB
vxprj vip component add INCLUDE_SEC_KEY_STORE_CMD
vxprj vip component add INCLUDE_GENRSA_CMD
vxprj vip component add INCLUDE_SEC_SECRET
vxprj vip component add INCLUDE_SEC_SECRET_CMD
vxprj parameter set SSH_RSA_KEYEX_KEY_ID "\"default_rsa"\" 
vxprj parameter set SSH_RSA_KEY_ID "\"default_rsa"\" 
vxprj parameter set SSH_HOST_KEY_RSA "\"1"\" 
vxprj vip component add INCLUDE_DISK_ENCRYPTION_AUTO_MOUNT_1
vxprj parameter set PARTITION_NAME_1 "\"/bd16:1"\" 
vxprj parameter set PARTITION_KEY_ID_1 "\"0"\" 
vxprj build

Make sure you rename meta_SEC_VAULT_KEY_ENCRYPTING_PW as SEC_VAULT_KEY_ENCRYPTING_PW, and use your own unique password.

 

6 Boot VxWorks on the Target

6.1 Deploy the UEFI Bootloader and the VxWorks kernel image

Refer to the itl_generic BSP readme file for instructions on how to build and deploy the UEFI boot loader and the VxWorks image file on the USB flash drive. Find this readme file here:

\vxworks-7\pkgs_v2\os\board\intel\itl_generic-a.b.c.d\itl_generic_readme.md

After following these instructions to deploy the UEFI boot loader and vxWorks kernel image, you will find the following files on the USB flash drive:

EFI \ BOOT \

bootapp.sys
BOOTIA32.EFI
BOOTX64.EFI

6.2 Prepare the Intel target

Configure the target BIOS to boot the target from the USB flash drive.

Attach USB flash drive to the Intel target.

 

6.3 Boot the Target

Power-on the target. Once the target has booted, you will see the kernel shell prompt.

->

 

7 Discover the VxWorks USB flash drive device name

Execute the devs command on the kernel shell to check the file system device names.

-> devs
drv refs name
  1 [ 3] /
  2 [ 3] /bd0:1  ==>  /bd0a
  5 [ 3] /bd0a
  2 [ 3] /bd16:1  ==>  /bd16a
  2 [ 3] /bd16:2  ==>  /bd16b
  5 [ 3] /bd16a
  6 [ 3] /bd16b
value = 2 = 0x2

-> cd "/bd0:1"
value = 0 = 0x0
-> ls
EFI
value = 0 = 0x0

In this example, the boot device name is /bd0:1. You will not encrypt the boot device. Instead, you will encrypt the partition /bd16:1. If you need guidance on how to create a new file system partition, refer to the VxWorks 7 File Systems and I/O Programmer’s Guide.

Note: Encryption of VxWorks RAM disks is not recommended.

 

8 Prepare the /bd16:1 DOS File System Partition

Format /bd16:1 to be DOS compatible.

-> dosFsVolFormat ("/bd16:1", 0, 0)
value = 0 = 0x0

 

9 Prepare the VxWorks Key Store and Secrets Repository

Prime the VxWorks key store and secrets repository by creating and adding a private/public RSA key to it. Also create a secret that you will use to encrypt your file system partition.

-> cd "/bd0:1"
value = 0 = 0x0
-> cmd
[vxWorks *] genrsa -out default_rsa.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
.............
e is 65537 (0x010001)
[vxWorks *] keyStore import default_rsa default_rsa.pem
[vxWorks *] keyStore list
default_rsa
[vxWorks *] secret import 0 MySecret99
[vxWorks *] C

Do not use MySecret99. Instead, make up your own secret. Give it a mixture of numbers and letters of upper and lower case.

 

10 Encrypt the /bd16:1 File System Partition

Encrypt the file system with secret 0 as you just defined it.

-> diskEncrypt ("/bd16:1", "0")
value = 0 = 0x0
->

The disk encryption will take a while. The exact duration depends on the speed of your processor, and the size and type of your file system. After encryption has completed, the file system will function normally but all operations to the disk, and the disk media itself, will reflect your encryption.

Note: If /bd16:1 is a USB disk, once you encrypt it you cannot read this disk on any other workstation. For another VxWorks workstation to read this disk, you need to define secret 0 on that target as above.

 

11 Decrypt the Encrypted /bd16:1 File System Partition

To undo the encryption while protecting the data on the file system partition:

-> diskDecrypt ("/bd16:1", "0")
value = 0 = 0x0
->

The disk decryption will take a while. The exact duration depends on the speed of your processor, and the size and type of your file system. After decryption has completed, the file system will function normally, and will no longer be encrypted.

Note: Both diskEncrypt() and diskDecrypt() are non-destructive on the file system contents.

 

Got A Project In Mind?

Our levels of professionalism and commitment to our clients results in a long waiting list for projects. Let us know in advance if you might need us.