cip-dev.lists.cip-project.org archive mirror
* [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs
@ 2024-04-22 14:09 Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
                   ` (6 more replies)
  0 siblings, 7 replies; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the option to encrypt both root file system partitions (systema
and systemb). The encrypted partition can be updated with SWUpdate.

Currently an update will lead to a reencryption of the update partition as
the underlying device (/dev/sdaX) is written instead of the device mapper
partition.

Changes v2:
 - Rewrite commit messages
 - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
 - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
 - Fix assignment of CRYPT_PARTITIONS

Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
 - add partition labels for a/b partitions
 - use a/b rootfs configuration instead of a separate wks file


Quirin Gylstorff (7):
  wic/*: Add part-labels to system partition
  initramfs: allow empty mountpoint for crypt hooks
  initramfs-crypt: Only resize partition if ext* formatted
  fix: use luks2 to identify encrypted partition
  Rename encrypt-partitions to encrypt-data
  Kconfig: Add option to encrypt the rootfs
  README: Add rootfs encryption

 .gitlab-ci.yml                                |  2 +-
 Kconfig                                       | 22 ++++++++++++++++---
 doc/README.tpm2.encryption.md                 | 14 ++++++++++--
 kas/opt/encrypt-all.yml                       | 22 +++++++++++++++++++
 ...ncrypt-partitions.yml => encrypt-data.yml} |  0
 kas/opt/security.yml                          |  2 +-
 .../files/encrypt_partition.script            | 22 ++++++++++++++-----
 .../files/mount_crypt_partitions.script       |  4 +++-
 wic/bbb-efibootguard.wks.in                   |  4 ++--
 wic/hihope-rzg2m-efibootguard.wks.in          |  4 ++--
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 ++--
 wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 ++--
 wic/qemu-arm64-efibootguard.wks.in            |  4 ++--
 wic/qemu-riscv64-efibootguard.wks.in          |  4 ++--
 wic/x86-efibootguard.wks.in                   |  4 ++--
 15 files changed, 89 insertions(+), 27 deletions(-)
 create mode 100644 kas/opt/encrypt-all.yml
 rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)

-- 
2.43.0



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-23  9:43   ` MOESSBAUER, Felix
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows using the part-label for encryption or
boot selection.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 wic/bbb-efibootguard.wks.in                   | 4 ++--
 wic/hihope-rzg2m-efibootguard.wks.in          | 4 ++--
 wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
 wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
 wic/qemu-arm64-efibootguard.wks.in            | 4 ++--
 wic/qemu-riscv64-efibootguard.wks.in          | 4 ++--
 wic/x86-efibootguard.wks.in                   | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
index e9c04b9..b5772c2 100644
--- a/wic/bbb-efibootguard.wks.in
+++ b/wic/bbb-efibootguard.wks.in
@@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
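Review bot: with this hunk the GPT partition name becomes the key the crypt hooks and boot selection look partitions up by, but a partition name is not unique across attached disks the way the existing `--uuid "${ABROOTFS_PART_UUID_A}"` is. Either keep the UUID as the primary identifier and treat the name as a convenience, or document that lookups by `systema`/`systemb` have to be restricted to the boot device; otherwise a second disk carrying the same labels (a stale update medium, for instance) is a candidate for reencryption.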
diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
index 9227a71..164e8a9 100644
--- a/wic/hihope-rzg2m-efibootguard.wks.in
+++ b/wic/hihope-rzg2m-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index ef40d70..0f4d637 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
 include ebg-signed-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index 01f395d..00d627d 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
 include ebg-signed-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
index 942c3e1..6f03420 100644
--- a/wic/qemu-arm64-efibootguard.wks.in
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
index 6934977..1704ded 100644
--- a/wic/qemu-riscv64-efibootguard.wks.in
+++ b/wic/qemu-riscv64-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 6382ff7..4c0484f 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
 
 # home and var are extra partitions
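Review bot: the second added `part` line for wic/x86-efibootguard.wks.in reads `--part-name systema`, the same name as the first added line, while every other board in this patch uses `systemb` for the B slot. Both x86 system partitions would then carry the same label, which makes any lookup by label ambiguous. Change the last added line to `--part-name systemb`.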
 
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-23  9:39   ` MOESSBAUER, Felix
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 3/7] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows encrypting partitions which have a separate mount
script like verity and abrootfs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook/files/mount_crypt_partitions.script  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index 3411e70..b72323f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -51,7 +51,9 @@ for partition_set in $partition_sets; do
 	part_device=$(readlink -f "$partition")
 	crypt_mount_name="encrypted_$partition_label"
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
-
+	if [ -z "$partition_mountpoint" ]; then
+		continue
+	fi
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
 			| grep -q "luks2"; then
 		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
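Review bot: the early `continue` for an empty mountpoint lacks a comment saying why that is legitimate; a reader of mount_crypt_partitions.script cannot tell that systema/systemb are opened here but mounted later by the abrootfs/verity initramfs (that rationale only appears in kas/opt/encrypt-all.yml). Suggest a one-line comment above the check, e.g. `# empty mountpoint: root partition, mounted by the abrootfs/verity hooks`. Since the check also skips the luksDump test below, an entry whose partition was never opened passes through silently; a `[ -e "$decrypted_part" ] || panic "..."` before the `continue` would fail early with a clearer message than whatever the later mount hook produces.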
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 3/7] initramfs-crypt: Only resize partition if ext* formatted
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition Quirin Gylstorff
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

A squashfs or empty partition cannot be resized with resize2fs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.script            | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 8f6cbf6..51c81f3 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -64,14 +64,26 @@ service_watchdog() {
 reencrypt_existing_partition() {
 	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
 	# reduce the filesystem and partition by 32M to fit the LUKS header
+	partition_fstype=$(get_fstype "${1}")
 	reduce_device_size=32768
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
-	e2fsck -f "$1"
-	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
-		panic "reencryption of filesystem $1 cannot continue!"
-	fi
+	case $partition_fstype in
+	ext*)
+		# reduce the filesystem and partition by 32M to fit the LUKS header
+		e2fsck -f "$1"
+		if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+			panic "reencryption of filesystem $1 cannot continue!"
+		fi
+		;;
+	squashfs|"")
+		echo "skip disk resize as it not support or unnecessary for fstype: '$partition_fstype'"
+		;;
+	*)
+		panic "cannot resize parition. unsupport fstype: $partition_fstype"
+		;;
+	esac
 	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
 		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
 	else
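Review bot: the `squashfs|"")` branch treats an empty fstype as "nothing to resize", but `get_fstype` also yields an empty string when detection fails (blkid missing from the initramfs, for example), and the `--reduce-device-size` reencryption that follows gives up the last 32M of the device for the LUKS header regardless. An undetected ext4 filesystem would therefore skip e2fsck/resize2fs and lose its tail. Consider accepting "" only when the partition is known to be blank, or routing it to the `*)` panic. Smaller points: the comment `# reduce the filesystem and partition by 32M to fit the LUKS header` is now duplicated at the top of the function and inside the `ext*)` case; the messages have typos (`as it not support or unnecessary` should read `as it is not supported or unnecessary`, and `cannot resize parition. unsupport fstype` should read `cannot resize partition: unsupported fstype`); and for squashfs the image written by rawcopy must already leave 32M free at the end of the partition, which is worth stating in the help text or checking here.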
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
                   ` (2 preceding siblings ...)
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 3/7] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-23  9:35   ` MOESSBAUER, Felix
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 5/7] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This fixes an issue with encrypted rootfs during system reboot.
With the token option it can happen that during reboot no
valid LUKS partition is found and the boot fails in the initrd.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.script         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 51c81f3..685d882 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
 	fi
 
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
-			| grep -q "token"; then
+			| grep -q "luks2"; then
 		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
 		continue
 	fi
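Review bot: the commit message says the `token` match failed on reboot but not why, and `grep -q "luks2"` is only slightly firmer: it matches the keyslot type line of the luksDump output, is case-sensitive, and also matches a LUKS2 container that has no TPM2 token enrolled, in which case `open_tpm2_partition` is attempted anyway. If the intent is "is this already a LUKS2 container", `cryptsetup isLuks --type luks2 "$partition"` states that directly without parsing the dump. Also, luksDump is run on `$partition` while `open_tpm2_partition` receives `$part_device` (the `readlink -f` result); using the same variable for both avoids the two checks disagreeing if the by-partlabel link changes.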
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 5/7] Rename encrypt-partitions to encrypt-data
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
                   ` (3 preceding siblings ...)
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption Quirin Gylstorff
  6 siblings, 0 replies; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This makes the purpose of this option more clear.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .gitlab-ci.yml                                       | 2 +-
 Kconfig                                              | 2 +-
 doc/README.tpm2.encryption.md                        | 2 +-
 kas/opt/{encrypt-partitions.yml => encrypt-data.yml} | 0
 kas/opt/security.yml                                 | 2 +-
 5 files changed, 4 insertions(+), 4 deletions(-)
 rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bd34c82..aab55be 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -64,7 +64,7 @@ default:
     - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
     - if [ "${release}" = "bookworm" ]; then base_yaml="${base_yaml}:kas/opt/bookworm.yml"; fi
     - if [ "${release}" = "sid" ]; then base_yaml="${base_yaml}:kas/opt/sid.yml"; fi
-    - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi
+    - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-data.yml"; fi
     - if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi
     - echo "Building ${base_yaml}"
     - kas build ${base_yaml}
diff --git a/Kconfig b/Kconfig
index 7c19640..9478a06 100644
--- a/Kconfig
+++ b/Kconfig
@@ -211,6 +211,6 @@ config IMAGE_DATA_ENCRYPTION
 
 config KAS_INCLUDE_DATA_ENCRYPTION
 	string
-	default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+	default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
 
 endif
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index 69a18dd..c5ac6c4 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -27,7 +27,7 @@ An example for qemu-amd64 can be build with by selecting the option after callin
 or by adding using the following command line build:
 
 ```
-./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-partitions.yml
+./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-data.yml
 ```
 ## initramfs-crypt-hook configuration
 
diff --git a/kas/opt/encrypt-partitions.yml b/kas/opt/encrypt-data.yml
similarity index 100%
rename from kas/opt/encrypt-partitions.yml
rename to kas/opt/encrypt-data.yml
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index 000c522..4aa40e0 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -11,7 +11,7 @@
 header:
   version: 14
   includes:
-   - kas/opt/encrypt-partitions.yml
+   - kas/opt/encrypt-data.yml
    - kas/opt/ebg-secure-boot-snakeoil.yml
 
 target: cip-core-image-security
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 6/7] Kconfig: Add option to encrypt the rootfs
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
                   ` (4 preceding siblings ...)
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 5/7] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption Quirin Gylstorff
  6 siblings, 0 replies; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows setting up a fully encrypted system.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 Kconfig                 | 20 ++++++++++++++++++--
 kas/opt/encrypt-all.yml | 22 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 kas/opt/encrypt-all.yml

diff --git a/Kconfig b/Kconfig
index 9478a06..42e6b67 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
 	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
 	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
 
+
+menuconfig DISK_ENCRYPTION
+	bool
+	prompt "disk encryption"
+	select IMAGE_SECURE_BOOT
+
 config IMAGE_DATA_ENCRYPTION
 	bool "Encrypt data partitions on first boot"
-	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
-	select IMAGE_SECURE_BOOT
+	depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
 	help
 	  This enables LUKS encryption for the partitions /var and /home.
 
+config IMAGE_FULL_ENCRYPTION
+	bool "Encrypt rootfs and data partitions"
+	depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+	select IMAGE_DATA_ENCRYPTION
+	help
+	  This enables LUKS encryption for all partitions.
+
 config KAS_INCLUDE_DATA_ENCRYPTION
 	string
 	default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
 
+config KAS_INCLUDE_FULL_ENCRYPTION
+	string
+	default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
 endif
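Review bot: `menuconfig DISK_ENCRYPTION` has no help text, unlike the two options beneath it, and its prompt "disk encryption" is lowercase while the neighbouring prompts are capitalised. Because IMAGE_FULL_ENCRYPTION selects IMAGE_DATA_ENCRYPTION, both KAS_INCLUDE_DATA_ENCRYPTION and KAS_INCLUDE_FULL_ENCRYPTION resolve, and encrypt-all.yml additionally includes encrypt-data.yml, so that file is pulled in twice; harmless for kas, but a comment would stop someone "fixing" one of the two paths. The `depends on` still restricts both options to the qemu targets although patch 1/7 labels the bbb, hihope, riscv64 and x86 images; either extend the list or note that the labels are preparatory. The added blank line before `menuconfig` also leaves two consecutive blank lines.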
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
new file mode 100644
index 0000000..edbc820
--- /dev/null
+++ b/kas/opt/encrypt-all.yml
@@ -0,0 +1,22 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+  includes:
+    - kas/opt/encrypt-data.yml
+local_conf_header:
+  encrypted_root: |
+    # Do not set mount points for systema and systemb as they are mounted by the
+    # abrootfs/verity initramfs
+    # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+    # to set all partitions
+    CRYPT_PARTITIONS = " systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:reencrypt"
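Review bot: the comment reads "intramfs-crypt-hook"; it should be "initramfs-crypt-hook". The CRYPT_PARTITIONS value has a leading space inside the quotes (`" systema::...`), harmless for the word split in the hook scripts but it looks like a `+=` leftover, so drop it. Since this is a plain `=` that replaces the weak default, any entry later added to the data-only default has to be duplicated here; a pointer to where that default lives would help keep the two lists in sync.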
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption
  2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
                   ` (5 preceding siblings ...)
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-04-22 14:09 ` Quirin Gylstorff
  2024-04-23  9:29   ` MOESSBAUER, Felix
  6 siblings, 1 reply; 17+ messages in thread
From: Quirin Gylstorff @ 2024-04-22 14:09 UTC (permalink / raw)
  To: jan.kiszka, johnxw, cip-dev

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.tpm2.encryption.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index c5ac6c4..a229d86 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -44,6 +44,16 @@ Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
 
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens systema and systemb
+during boot.
+
 ### CRYPT_CREATE_FILE_SYSTEM_CMD
 
 The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
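Review bot: the new section answers "which variable" but not what a reader needs next: that, as the text says, both partitions are encrypted during first boot, meaning the image as flashed is plaintext until then; that the cover letter's caveat applies (an SWUpdate writes the raw partition, so the next boot reencrypts it); and that `reencrypt` takes 32MB from the partition, so the squashfs/verity image must leave that headroom because the resize step is skipped for squashfs in patch 3/7. "The initramfs opens systema and systemb during boot" would be clearer naming which hook opens them and which one mounts them. Pre-existing typos in the context lines: "exiting content" should be "existing content", "a empty" should be "an empty".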
@@ -59,7 +69,7 @@ based encryption:
  - jq
 
 ## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
 ```bash
 export device=/dev/sda6
 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
-- 
2.43.0



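The CRYPT_PARTITIONS schema documented in the README hunk of this patch, together with the empty-mountpoint convention from patch 2/7, as an added example that is not part of isar-cip-core or of this series: a POSIX sh parser that validates each `<partition-label>:<mountpoint>:<reencrypt or format>` entry and states what the initramfs hooks would do with it. The sample value is constructed from kas/opt/encrypt-all.yml; the function names and the "open-only" wording are this example's own.

```shell
#!/bin/sh
# Added example, not isar-cip-core code: parse and validate CRYPT_PARTITIONS
# entries ("label:mountpoint:mode") the way the README describes them. Uses
# only shell parameter expansion so it would also work inside a minimal initrd.

# parse_crypt_entry ENTRY
# Prints "LABEL MOUNTPOINT MODE" (MOUNTPOINT shown as "-" when empty) and
# returns 0, or returns 1 for an entry without exactly three fields, an empty
# label, an unknown mode, or a non-absolute mountpoint.
parse_crypt_entry() {
	entry="$1"
	case "$entry" in
	*:*:*:*) return 1 ;;   # too many fields
	*:*:*) ;;              # exactly three fields
	*) return 1 ;;         # too few fields
	esac
	label="${entry%%:*}"
	rest="${entry#*:}"
	mountpoint="${rest%%:*}"
	mode="${rest#*:}"
	[ -n "$label" ] || return 1
	case "$mode" in
	reencrypt|format) ;;
	*) return 1 ;;
	esac
	# A non-empty mountpoint is appended to ${rootmnt} by the hooks, so it
	# must be absolute; an empty one means "open, but let another hook mount".
	if [ -n "$mountpoint" ]; then
		case "$mountpoint" in
		/*) ;;
		*) return 1 ;;
		esac
	fi
	printf '%s %s %s\n' "$label" "${mountpoint:--}" "$mode"
}

# plan_crypt_partitions VALUE
# Walks a whole CRYPT_PARTITIONS value and prints one line per entry:
# "LABEL MODE open-only" for an empty mountpoint (root slots, mounted by the
# abrootfs/verity initramfs) or "LABEL MODE mount MOUNTPOINT" otherwise.
# Returns 1 if any entry is invalid so a build-time check can fail early.
plan_crypt_partitions() {
	value="$1"
	rc=0
	for entry in $value; do
		if ! fields=$(parse_crypt_entry "$entry"); then
			echo "invalid CRYPT_PARTITIONS entry: '$entry'" >&2
			rc=1
			continue
		fi
		set -- $fields
		label="$1" mountpoint="$2" mode="$3"
		if [ "$mountpoint" = "-" ]; then
			printf '%s %s open-only\n' "$label" "$mode"
		else
			printf '%s %s mount %s\n' "$label" "$mode" "$mountpoint"
		fi
	done
	return $rc
}

# Constructed sample: the value this series sets in kas/opt/encrypt-all.yml.
SAMPLE_CRYPT_PARTITIONS="systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:reencrypt"

plan_crypt_partitions "$SAMPLE_CRYPT_PARTITIONS"
```

Run over the final CRYPT_PARTITIONS value at build time, a check like this catches a malformed entry, an unknown mode or a relative mountpoint before the image is flashed, whereas the initramfs scripts in this series can only `panic` once the device is already booting.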

* Re: [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption Quirin Gylstorff
@ 2024-04-23  9:29   ` MOESSBAUER, Felix
  2024-04-23  9:56     ` Gylstorff Quirin
  0 siblings, 1 reply; 17+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-23  9:29 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, johnxw

On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  doc/README.tpm2.encryption.md | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/README.tpm2.encryption.md
> b/doc/README.tpm2.encryption.md
> index c5ac6c4..a229d86 100644
> --- a/doc/README.tpm2.encryption.md
> +++ b/doc/README.tpm2.encryption.md
> @@ -44,6 +44,16 @@ Each entry uses the schema `<partition-
> label>:<mountpoint>:<reencrypt or format>
>  - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting
> content of the partition. This reduces the partition by 32MB and the
> file system by a similar amount
>  - `format` creates a empty LUKS partition and creates a file system
> defined with the shell command given in
> `CRYPT_CREATE_FILE_SYSTEM_CMD`
>  
> +#### Encrypted root file system
> +
> +To encrypt the root file system the variable `CRYPT_PARTITIONS`
> needs to be set to:
> +```
> +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
> +```
> +The mountpoint is empty as the root partition is mounted by another
> initramfs service.
> +Both partitions are encrypted during first boot. The initramfs opens
> systema and systemb
> +during boot.

Does that mean, the .swu file still contains the unencrypted
partitions? Or are these partitions encrypted with a fixed key and re-
encrypted on first boot? How are the initial keys distributed?

Before documenting the technical details, please document the general
deployment model, goals and non-goals, as well as security and
confidential guarantees.

For me it is currently unclear which kind of problem we want to solve
with this approach.

Best regards,
Felix

> +
>  ### CRYPT_CREATE_FILE_SYSTEM_CMD
>  
>  The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to
> create a new file system on a newly
> @@ -59,7 +69,7 @@ based encryption:
>   - jq
>  
>  ## steps to convert clevis to systemd
> -The following script shows how to enroll a systemd-tpm2 token with a
> existinng clevis based encryption:
> +The following script shows how to enroll a systemd-tpm2 token with a
> existing clevis based encryption:
>  ```bash
>  export device=/dev/sda6
>  export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-
> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots
> | first' | head -n1)

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-04-23  9:35   ` MOESSBAUER, Felix
  2024-04-23 10:00     ` Gylstorff Quirin
  0 siblings, 1 reply; 17+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-23  9:35 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, johnxw

On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This fixes an issue with encrypted rootfs during system reboot.
> With the token option it can happen that during reboot the no
> valid Luks partition is found and the boot up fails in the initrd.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../initramfs-crypt-hook/files/encrypt_partition.script         | 2
> +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> index 51c81f3..685d882 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
>         fi
>  
>         if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> -                       | grep -q "token"; then
> +                       | grep -q "luks2"; then

How do we identify "our" partitions in the first place? If I read the
code correctly, we still identify by label, which is quite risky.
Otherwise we might re-encrypt partitions which are not even under our
control.

We must either identify by UUID, or at least limit the search to the
device that we booted from (this is known via the systemd
BOOT_LOADER_INTERFACE on recent enough ebg versions).

Felix

>                 open_tpm2_partition "$part_device"
> "$crypt_mount_name" "$tpm_device"
>                 continue
>         fi
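Review bot: `grep -q "luks2"` is a substring match on the human-readable luksDump text, so it keys on the `luks2` keyslot type line rather than on the header format; a valid LUKS2 container is reported as plaintext as soon as the dump has no such line, and any change in cryptsetup's output wording breaks the detection silently, which is the same class of failure this patch fixes for `token`. `cryptsetup isLuks --type luks2 "$partition"` answers the actual question with an exit status and needs no grep at all. The commit message should also spell out the failure: `token` only appears once a token is bound, so a partition that was already encrypted but not yet bound was treated as not encrypted.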

-- 
Siemens AG, Technology
Linux Expert Center
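The `luks2` grep discussed above keys on the wording of the luksDump text. As an added example, not code from the isar-cip-core scripts, the following POSIX shell reads the on-disk header instead: the primary LUKS header starts with the 6-byte magic `LUKS\xba\xbe` followed by a big-endian 16-bit version, so a device or an image file can be classified as LUKS1, LUKS2 or unencrypted without parsing cryptsetup output. `crypt_action` is a hypothetical helper that maps that result onto the open/reencrypt/format decision the hook makes; its second argument stands in for the third field of a `CRYPT_PARTITIONS` entry, and the rule that a LUKS1 container is refused rather than overwritten is this example's own assumption.

```shell
#!/bin/sh
# Added example: classify a block device by its LUKS header instead of
# grepping "cryptsetup luksDump" output. Not isar-cip-core code.
set -eu

# Print luks1, luks2 or none for the block device or image file in $1.
# The primary LUKS header starts with the magic bytes "LUKS\xba\xbe"
# followed by a big-endian uint16 version (1 or 2). Only 8 bytes are read,
# which keeps this cheap enough for an initramfs hook.
luks_version() {
    hdr=$(od -An -tx1 -N8 -v "$1" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *)                echo none ;;   # short read, plain fs, or not LUKS
    esac
}

# Hypothetical decision helper mirroring the hook's branches:
#   $1 = device, $2 = third field of the CRYPT_PARTITIONS entry (reencrypt|format)
# A LUKS2 container is opened as-is. LUKS1 has no token support, so the
# TPM2-token flow cannot use it; this example refuses rather than overwrites
# it (an assumption, not project behaviour). Anything else is treated as
# plaintext and gets the configured action.
crypt_action() {
    case "$(luks_version "$1")" in
        luks2) echo open ;;
        luks1) echo "refuse: $1 is LUKS1, no token support" >&2; return 1 ;;
        none)  echo "$2" ;;
    esac
}

# Usage: ./luks-check.sh /dev/sda5 reencrypt
if [ "${1:-}" != "" ]; then
    crypt_action "$1" "${2:-reencrypt}"
fi
```

Because the check is a fixed 8-byte read, it behaves the same on a squashfs image, an empty partition and a LUKS2 container that has no tokens yet, which is the case the `token` grep got wrong.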




* Re: [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
@ 2024-04-23  9:39   ` MOESSBAUER, Felix
  0 siblings, 0 replies; 17+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-23  9:39 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, johnxw

On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to encrypt partition which have as seperate mount
----------------------------------------------^ Typo

> script like verity and abrootfs
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../initramfs-crypt-hook/files/mount_crypt_partitions.script  | 4
> +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script b/recipes-
> initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
> index 3411e70..b72323f 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script
> @@ -51,7 +51,9 @@ for partition_set in $partition_sets; do
>         part_device=$(readlink -f "$partition")
>         crypt_mount_name="encrypted_$partition_label"

Please don't rely on labels. This broke things already multiple times.
But that's not part of the patch. Probably the label vs. UUID cleanup
needs to be done first.

Felix

>         decrypted_part=/dev/mapper/"$crypt_mount_name"
> -
> +       if [ -z "$partition_mountpoint" ]; then
> +               continue
> +       fi
>         if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device"
> \
>                         | grep -q "luks2"; then
>                 mount_partition "$decrypted_part"
> "${rootmnt}""$partition_mountpoint"
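Review bot: the `continue` for an empty `$partition_mountpoint` leaves the loop body silently before the luksDump check, so a set whose mount is meant to be handled by the verity/abrootfs script and a set that simply lost its mountpoint field in `CRYPT_PARTITIONS` look identical in the boot log. Add a comment above the new `if` saying that an empty mountpoint means "opened here, mounted by another initramfs script", and log the skip. The removed blank line (`-`) is an unrelated whitespace change and could be left out of this fix.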

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition
  2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
@ 2024-04-23  9:43   ` MOESSBAUER, Felix
  0 siblings, 0 replies; 17+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-23  9:43 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, johnxw

On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to use the part-label for encryption or
> boot selection.

We should not rely on partition labels at all. We had the discussion in
the past already, where swupdate applied the update to the wrong
partition due to having the same label on multiple devices.
We either must use UUIDs, or we must limit the label search to the
current device only. On recent EBG versions this is made available via
the systemd BOOT_LOADER_INTERFACE (EFI variables), but these might be
tricky to check in the initrd. Also, the efivars fs needs to be
explicitly exposed on RT kernels via efi=runtime.

Felix

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  wic/bbb-efibootguard.wks.in                   | 4 ++--
>  wic/hihope-rzg2m-efibootguard.wks.in          | 4 ++--
>  wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
>  wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
>  wic/qemu-arm64-efibootguard.wks.in            | 4 ++--
>  wic/qemu-riscv64-efibootguard.wks.in          | 4 ++--
>  wic/x86-efibootguard.wks.in                   | 4 ++--
>  7 files changed, 14 insertions(+), 14 deletions(-)
> 
> diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-
> efibootguard.wks.in
> index e9c04b9..b5772c2 100644
> --- a/wic/bbb-efibootguard.wks.in
> +++ b/wic/bbb-efibootguard.wks.in
> @@ -11,8 +11,8 @@ part --source rawcopy --sourceparams
> "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
>  
>  include ebg-sysparts.inc
>  
> -part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systemb
>  
>  # home and var are extra partitions
>  part /home --source rootfs --change-directory=home --fstype=ext4 --
> label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-
> 0242ac120002
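Review bot: the commit message says "part-label", but `--part-name` sets the GPT partition name that udev exposes under /dev/disk/by-partlabel, not a filesystem label; say which one the crypt hook looks up, because `systema`/`systemb` here are raw squashfs images (verity images in the secure-boot files) that carry no filesystem label at all. Since every disk written from this image has the same two names, two such disks attached at once (the MTDA/SD-emulation case mentioned later in this thread) yield two by-partlabel candidates per name, so the lookup needs a tie-break rule, e.g. restricting it to the disk that was booted from.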
> diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-
> efibootguard.wks.in
> index 9227a71..164e8a9 100644
> --- a/wic/hihope-rzg2m-efibootguard.wks.in
> +++ b/wic/hihope-rzg2m-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>  
>  include ebg-sysparts.inc
>  
> -part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systemb
>  
>  # home and var are extra partitions
>  
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> index ef40d70..0f4d637 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -1,7 +1,7 @@
>  include ebg-signed-sysparts.inc
>  
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity"
> --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-
> type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity"
> --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-
> type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systemb
>  
>  # home and var are extra partitions
>  part /home --source rootfs --change-directory=home --fstype=ext4 --
> label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-
> 0242ac120002
> diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in
> b/wic/qemu-arm64-efibootguard-secureboot.wks.in
> index 01f395d..00d627d 100644
> --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
> @@ -1,7 +1,7 @@
>  include ebg-signed-sysparts.inc
>  
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity"
> --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-
> type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity"
> --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-
> type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systemb
>  
>  # home and var are extra partitions
>  part /home --source rootfs --change-directory=home --fstype=ext4 --
> label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-
> 0242ac120002
> diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-
> efibootguard.wks.in
> index 942c3e1..6f03420 100644
> --- a/wic/qemu-arm64-efibootguard.wks.in
> +++ b/wic/qemu-arm64-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>  
>  include ebg-sysparts.inc
>  
> -part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systemb
>  
>  # home and var are extra partitions
>  part /home --source rootfs --change-directory=home --fstype=ext4 --
> label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-
> 0242ac120002
> diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-
> efibootguard.wks.in
> index 6934977..1704ded 100644
> --- a/wic/qemu-riscv64-efibootguard.wks.in
> +++ b/wic/qemu-riscv64-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>  
>  include ebg-sysparts.inc
>  
> -part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systemb
>  
>  # home and var are extra partitions
>  part /home --source rootfs --change-directory=home --fstype=ext4 --
> label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-
> 0242ac120002
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-
> efibootguard.wks.in
> index 6382ff7..4c0484f 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>  
>  include ebg-sysparts.inc
>  
> -part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4
> +part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-
> 3D69D8477DE4 --part-name systema
>  
>  # home and var are extra partitions
>  
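Review bot: copy-paste error in the last `+` line of this hunk: the `${ABROOTFS_PART_UUID_B}` partition in wic/x86-efibootguard.wks.in gets `--part-name systema` instead of `systemb`. On x86 both system partitions would then carry the same partition name, a by-partlabel lookup for `systema` becomes ambiguous even on a single disk, and `systemb` never resolves, so `CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"` cannot work there. All other wks files in this patch use `systemb` for the B partition.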

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption
  2024-04-23  9:29   ` MOESSBAUER, Felix
@ 2024-04-23  9:56     ` Gylstorff Quirin
  0 siblings, 0 replies; 17+ messages in thread
From: Gylstorff Quirin @ 2024-04-23  9:56 UTC (permalink / raw)
  To: Moessbauer, Felix (T CED OES-DE), cip-dev, Kiszka, Jan (T CED), johnxw



On 4/23/24 11:29 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   doc/README.tpm2.encryption.md | 12 +++++++++++-
>>   1 file changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.tpm2.encryption.md
>> b/doc/README.tpm2.encryption.md
>> index c5ac6c4..a229d86 100644
>> --- a/doc/README.tpm2.encryption.md
>> +++ b/doc/README.tpm2.encryption.md
>> @@ -44,6 +44,16 @@ Each entry uses the schema `<partition-
>> label>:<mountpoint>:<reencrypt or format>
>>   - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting
>> content of the partition. This reduces the partition by 32MB and the
>> file system by a similar amount
>>   - `format` creates a empty LUKS partition and creates a file system
>> defined with the shell command given in
>> `CRYPT_CREATE_FILE_SYSTEM_CMD`
>>   
>> +#### Encrypted root file system
>> +
>> +To encrypt the root file system the variable `CRYPT_PARTITIONS`
>> needs to be set to:
>> +```
>> +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
>> +```
>> +The mountpoint is empty as the root partition is mounted by another
>> initramfs service.
>> +Both partitions are encrypted during first boot. The initramfs opens
>> systema and systemb
>> +during boot.
> 
> Does that mean, the .swu file still contains the unencrypted
> partitions? Or are these partitions encrypted with a fixed key and re-
> encrypted on first boot? How are the initial keys distributed?
We can enable symmetric encryption on the images of the swu, which are 
then extracted on the target.
These images are still encrypted on first boot. So this means the 
device needs to boot in a secure environment.
Initial keys almost always leak ;-).

> 
> Before documenting the technical details, please document the general
> deployment model, goals and non-goals, as well as security and
> confidential guarantees.

Sure, I will add a section in the README.
> 
> For me it is currently unclear which kind of problem we want to solve
> with this approach.
> 
> Best regards,
> Felix
> 
>> +
>>   ### CRYPT_CREATE_FILE_SYSTEM_CMD
>>   
>>   The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to
>> create a new file system on a newly
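Review bot: the new "Encrypted root file system" section documents the knob but not the model: it should say that the content of `systema`/`systemb` is plaintext until `reencrypt` has run on first boot (so that first boot must happen in an environment the operator trusts), and what happens to a system partition after an update writes it again. The schema line above (`<partition-label>:<mountpoint>:<reencrypt or format>`) should also mention that the mountpoint may be empty, since `systema::reencrypt` is the first place the reader meets the double colon.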
>> @@ -59,7 +69,7 @@ based encryption:
>>    - jq
>>   
>>   ## steps to convert clevis to systemd
>> -The following script shows how to enroll a systemd-tpm2 token with a
>> existinng clevis based encryption:
>> +The following script shows how to enroll a systemd-tpm2 token with a
>> existing clevis based encryption:
>>   ```bash
>>   export device=/dev/sda6
>>   export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-
>> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots
>> | first' | head -n1)
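Review bot: `.tokens.[]` in the jq filter on the context line uses the dot-before-bracket form that only jq 1.7 and later accept; jq 1.6, as shipped in Debian bookworm, rejects it with a syntax error, so either write `.tokens[]` or name the minimum jq version in the requirements list a few lines up. Since this hunk only fixes a typo, that can be a follow-up patch.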
> 



* Re: [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition
  2024-04-23  9:35   ` MOESSBAUER, Felix
@ 2024-04-23 10:00     ` Gylstorff Quirin
  2024-04-24  8:00       ` MOESSBAUER, Felix
  0 siblings, 1 reply; 17+ messages in thread
From: Gylstorff Quirin @ 2024-04-23 10:00 UTC (permalink / raw)
  To: Moessbauer, Felix (T CED OES-DE), cip-dev, Kiszka, Jan (T CED), johnxw



On 4/23/24 11:35 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This fixes an issue with encrypted rootfs during system reboot.
>> With the token option it can happen that during reboot no
>> valid LUKS partition is found and the boot-up fails in the initrd.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../initramfs-crypt-hook/files/encrypt_partition.script         | 2
>> +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.script
>> index 51c81f3..685d882 100644
>> --- a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
>>          fi
>>   
>>          if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>> -                       | grep -q "token"; then
>> +                       | grep -q "luks2"; then
> 
> How do we identify "our" partitions in the first place? If I read the
> code correctly, we still identify by label, which is quite risky.
> Otherwise we might re-encrypt partitions which are not even under our
> control.
We cannot identify our partitions. We can use label or UUID, which leads 
to the same issue in the long term.

> 
> We must either identify by UUID,
UUID can have the same issue as labels if not used correctly.
> or at least limit the search to the
> device that we booted from (this is known via the systemd
> BOOT_LOADER_INTERFACE on recent enough ebg versions).
The encryption should be independent of ebg.


> Felix
> 
>>                  open_tpm2_partition "$part_device"
>> "$crypt_mount_name" "$tpm_device"
>>                  continue
>>          fi
> 



* Re: [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition
  2024-04-23 10:00     ` Gylstorff Quirin
@ 2024-04-24  8:00       ` MOESSBAUER, Felix
  2024-04-24  8:22         ` Gylstorff Quirin
  0 siblings, 1 reply; 17+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-24  8:00 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, johnxw

On Tue, 2024-04-23 at 12:00 +0200, Gylstorff Quirin wrote:
> 
> 
> On 4/23/24 11:35 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> > On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> > > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > > 
> > > This fixes an issue with encrypted rootfs during system reboot.
> > > With the token option it can happen that during reboot no
> > > valid LUKS partition is found and the boot-up fails in the
> > > initrd.
> > > 
> > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > > ---
> > >   .../initramfs-crypt-hook/files/encrypt_partition.script        
> > > | 2
> > > +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/recipes-initramfs/initramfs-crypt-
> > > hook/files/encrypt_partition.script b/recipes-
> > > initramfs/initramfs-
> > > crypt-hook/files/encrypt_partition.script
> > > index 51c81f3..685d882 100644
> > > --- a/recipes-initramfs/initramfs-crypt-
> > > hook/files/encrypt_partition.script
> > > +++ b/recipes-initramfs/initramfs-crypt-
> > > hook/files/encrypt_partition.script
> > > @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
> > >          fi
> > >   
> > >          if /usr/sbin/cryptsetup luksDump --batch-mode
> > > "$partition" \
> > > -                       | grep -q "token"; then
> > > +                       | grep -q "luks2"; then
> > 
> > How do we identify "our" partitions in the first place? If I read
> > the
> > code correctly, we still identify by label, which is quite risky.
> > Otherwise we might re-encrypt partitions which are not even under
> > our
> > control.
> We cannot identify our partitions- we can use label or uuid which
> leads 
> to same issue in the long term.
> 
> > 
> > We must either identify by UUID,
> UUID can have the same issue as labels if not used correctly.

Hi, the difference is that UUIDs are (shall be) globally unique - by
definition - while labels only need to be unique per device.

It's well known that UUIDs in the embedded world are not THAT unique,
also for reproducibility reasons. This is still an implementation
issue, while label collisions are a design issue, though.

Felix

> > or at least limit the search to the
> > device that we booted from (this is known via the systemd
> > BOOT_LOADER_INTERFACE on recent enough ebg versions).
> The encryption should be independent of ebg.
> 
> 
> > Felix
> > 
> > >                  open_tpm2_partition "$part_device"
> > > "$crypt_mount_name" "$tpm_device"
> > >                  continue
> > >          fi
> > 

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition
  2024-04-24  8:00       ` MOESSBAUER, Felix
@ 2024-04-24  8:22         ` Gylstorff Quirin
  2024-04-24  9:06           ` MOESSBAUER, Felix
  0 siblings, 1 reply; 17+ messages in thread
From: Gylstorff Quirin @ 2024-04-24  8:22 UTC (permalink / raw)
  To: Moessbauer, Felix (T CED OES-DE), cip-dev, Kiszka, Jan (T CED), johnxw



On 4/24/24 10:00 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Tue, 2024-04-23 at 12:00 +0200, Gylstorff Quirin wrote:
>>
>>
>> On 4/23/24 11:35 AM, Moessbauer, Felix (T CED OES-DE) wrote:
>>> On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
>>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>
>>>> This fixes an issue with encrypted rootfs during system reboot.
>>>> With the token option it can happen that during reboot no
>>>> valid LUKS partition is found and the boot-up fails in the
>>>> initrd.
>>>>
>>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> ---
>>>>    .../initramfs-crypt-hook/files/encrypt_partition.script
>>>> | 2
>>>> +-
>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/recipes-initramfs/initramfs-crypt-
>>>> hook/files/encrypt_partition.script b/recipes-
>>>> initramfs/initramfs-
>>>> crypt-hook/files/encrypt_partition.script
>>>> index 51c81f3..685d882 100644
>>>> --- a/recipes-initramfs/initramfs-crypt-
>>>> hook/files/encrypt_partition.script
>>>> +++ b/recipes-initramfs/initramfs-crypt-
>>>> hook/files/encrypt_partition.script
>>>> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
>>>>           fi
>>>>    
>>>>           if /usr/sbin/cryptsetup luksDump --batch-mode
>>>> "$partition" \
>>>> -                       | grep -q "token"; then
>>>> +                       | grep -q "luks2"; then
>>>
>>> How do we identify "our" partitions in the first place? If I read
>>> the
>>> code correctly, we still identify by label, which is quite risky.
>>> Otherwise we might re-encrypt partitions which are not even under
>>> our
>>> control.
>> We cannot identify our partitions. We can use label or UUID, which
>> leads
>> to the same issue in the long term.
>>
>>>
>>> We must either identify by UUID,
>> UUID can have the same issue as labels if not used correctly.
> 
> Hi, the difference is that UUIDs are (shall be) globally unique - by
> definition - while labels only need to be unique per device.

And because of that global uniqueness, UUIDs are not feasible for an 
automated way to encrypt partitions with the TPM. We need to define and 
identify the partitions which should be encrypted, independent of the 
bootloader, because the EFI variables only show boot partitions; for 
example, data partitions are not part of the schema.

And using /dev/sdaX, /dev/mmc0p1, ... is also too brittle.

Quirin
> 
> It's well known that UUIDs in the embedded world are not THAT unique,
> also for reproducibility reasons. This is still an implementation
> issue, while label collisions are a design issue, though.
> 
> Felix
> 
>>> or at least limit the search to the
>>> device that we booted from (this is known via the systemd
>>> BOOT_LOADER_INTERFACE on recent enough ebg versions).
>> The encryption should be independent of ebg.
>>
>>
>>> Felix
>>>
>>>>                   open_tpm2_partition "$part_device"
>>>> "$crypt_mount_name" "$tpm_device"
>>>>                   continue
>>>>           fi
>>>
> 



* Re: [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition
  2024-04-24  8:22         ` Gylstorff Quirin
@ 2024-04-24  9:06           ` MOESSBAUER, Felix
  0 siblings, 0 replies; 17+ messages in thread
From: MOESSBAUER, Felix @ 2024-04-24  9:06 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff, Kiszka, Jan, johnxw

On Wed, 2024-04-24 at 10:22 +0200, Gylstorff Quirin wrote:
> 
> 
> On 4/24/24 10:00 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> > On Tue, 2024-04-23 at 12:00 +0200, Gylstorff Quirin wrote:
> > > 
> > > 
> > > On 4/23/24 11:35 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> > > > On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> > > > > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > > > > 
> > > > > This fixes an issue with encrypted rootfs during system
> > > > > reboot.
> > > > > With the token option it can happen that during reboot no
> > > > > valid LUKS partition is found and the boot-up fails in the
> > > > > initrd.
> > > > > 
> > > > > Signed-off-by: Quirin Gylstorff
> > > > > <quirin.gylstorff@siemens.com>
> > > > > ---
> > > > >    .../initramfs-crypt-hook/files/encrypt_partition.script
> > > > > > 2
> > > > > +-
> > > > >    1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/recipes-initramfs/initramfs-crypt-
> > > > > hook/files/encrypt_partition.script b/recipes-
> > > > > initramfs/initramfs-
> > > > > crypt-hook/files/encrypt_partition.script
> > > > > index 51c81f3..685d882 100644
> > > > > --- a/recipes-initramfs/initramfs-crypt-
> > > > > hook/files/encrypt_partition.script
> > > > > +++ b/recipes-initramfs/initramfs-crypt-
> > > > > hook/files/encrypt_partition.script
> > > > > @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
> > > > >           fi
> > > > >    
> > > > >           if /usr/sbin/cryptsetup luksDump --batch-mode
> > > > > "$partition" \
> > > > > -                       | grep -q "token"; then
> > > > > +                       | grep -q "luks2"; then
> > > > 
> > > > How do we identify "our" partitions in the first place? If I
> > > > read
> > > > the
> > > > code correctly, we still identify by label, which is quite
> > > > risky.
> > > > Otherwise we might re-encrypt partitions which are not even
> > > > under
> > > > our
> > > > control.
> > > We cannot identify our partitions. We can use label or UUID, which
> > > leads
> > > to the same issue in the long term.
> > > 
> > > > 
> > > > We must either identify by UUID,
> > > UUID can have the same issue as labels if not used correctly.
> > 
> > Hi, the difference is that UUIDs are (shall be) globally unique -
> > by
> > definition - while labels only need to be unique per device.
> 
> And because of that global uniqueness, UUIDs are not feasible for an 
> automated way to encrypt partitions with the TPM.

Ok, got it. But then we still need to limit the search to the boot
device.

> We need to define and 
> identify the partitions which should be encrypted, independent of
> the 
> bootloader, because the EFI variables only show boot partitions; for 
> example, data partitions are not part of the schema.

This is a solved problem. I wrote a similar implementation to detect
the "correct" EBG partitions based on the boot partition we get via the
BOOT_LOADER_INTERFACE [1].

[1]
https://github.com/siemens/efibootguard/commit/ffbd35f76b7ae587211f999a8cbf4514b0ac4ed2

> 
> And using /dev/sdaX, /dev/mmc0p1, ... is also too brittle.

Agree. But just relying on labels is also quite error prone. We saw
that when running cip-core tests via MTDA and SD emulation. That's why
we added support for the BOOT_LOADER_INTERFACE to EBG in the first
place.

Felix

> 
> Quirin
> > 
> > It's well known that UUIDs in the embedded world are not THAT
> > unique,
> > also for reproducibility reasons. This is still an implementation
> > issue, while label collisions are a design issue, though.
> > 
> > Felix
> > 
> > > > or at least limit the search to the
> > > > device that we booted from (this is known via the systemd
> > > > BOOT_LOADER_INTERFACE on recent enough ebg versions).
> > > The encryption should be independent of ebg.
> > > 
> > > 
> > > > Felix
> > > > 
> > > > >                   open_tpm2_partition "$part_device"
> > > > > "$crypt_mount_name" "$tpm_device"
> > > > >                   continue
> > > > >           fi
> > > > 
> > 

-- 
Siemens AG, Technology
Linux Expert Center
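The thread above ends on "limit the search to the boot device", with the systemd BOOT_LOADER_INTERFACE named as the way to learn which device that is. As an added example, not code from isar-cip-core or efibootguard, the following POSIX shell shows one way to do that from an initramfs: read `LoaderDevicePartUUID` (the Boot Loader Interface variable under vendor GUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f, set by a loader that implements the interface) from efivarfs, map it through sysfs to the disk that holds the ESP, and then accept a `systema`/`systemb` partition name only if it lives on that disk. The efivarfs mount point, the `/dev/disk/by-partlabel` layout, and all function names are assumptions of this example; the decoding and selection steps are pure functions so they can be exercised with constructed input, while `boot_disk` and `inventory` need a real system. As noted earlier in the thread, efivarfs has to be available in the initrd (efi=runtime on RT kernels) for this to work at all.

```shell
#!/bin/sh
# Added example, not isar-cip-core or efibootguard code: restrict a partition
# name (PARTLABEL) lookup to the disk the firmware booted from.
set -eu

# Assumed paths. efivarfs must be mounted (on RT kernels this needs efi=runtime).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
BY_PARTLABEL=${BY_PARTLABEL:-/dev/disk/by-partlabel}
# systemd Boot Loader Interface vendor GUID; LoaderDevicePartUUID names the
# partition (the ESP) the boot loader was started from.
LOADER_GUID=4a67b082-0a4c-41cf-b6c7-440b29bb8c4f

# Decode an efivarfs file: 4 bytes of attribute flags, then a NUL-terminated
# UTF-16LE string. Lower-cased because udev lower-cases /dev/disk/by-partuuid.
efivar_string() {
    tail -c +5 "$1" | tr -d '\000' | tr 'A-Z' 'a-z'
}

# Whole-disk name for a partition node (sda3 -> sda, mmcblk0p2 -> mmcblk0),
# taken from sysfs so no device-name pattern matching is needed.
parent_disk() {
    part=$(basename "$(readlink -f "$1")")
    basename "$(readlink -f "/sys/class/block/$part/..")"
}

# Disk holding the ESP we booted from; fails if the loader did not set the variable.
boot_disk() {
    var="$EFIVARS/LoaderDevicePartUUID-$LOADER_GUID"
    [ -r "$var" ] || return 1
    parent_disk "/dev/disk/by-partuuid/$(efivar_string "$var")"
}

# Inventory: one line "<partlabel> <device> <disk>" per by-partlabel entry.
inventory() {
    for link in "$BY_PARTLABEL"/*; do
        [ -e "$link" ] || continue
        dev=$(readlink -f "$link")
        printf '%s %s %s\n' "$(basename "$link")" "$dev" "$(parent_disk "$dev")"
    done
}

# Pure selection step (inventory lines on stdin): devices carrying label $2
# that sit on disk $1. Same-named partitions on other disks are ignored.
select_on_disk() {
    awk -v disk="$1" -v label="$2" '$1 == label && $3 == disk { print $2 }'
}

# Resolve one CRYPT_PARTITIONS label to exactly one device node, refusing to
# guess when the boot disk is unknown or the match is not unique.
resolve_label() {
    disk=$(boot_disk) || { echo "LoaderDevicePartUUID not available" >&2; return 1; }
    matches=$(inventory | select_on_disk "$disk" "$1")
    if [ "$(printf '%s\n' "$matches" | grep -c .)" -ne 1 ]; then
        echo "label $1: no unique match on $disk" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Usage: ./find-boot-partition.sh systema
if [ "${1:-}" != "" ]; then
    resolve_label "$1"
fi
```

The important design choice is the refusal path: when the variable is absent or two candidates remain on the boot disk, `resolve_label` fails instead of picking the first `/dev/disk/by-partlabel` entry, because an initramfs hook that re-encrypts whatever it finds must not guess.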




Thread overview: 17+ messages
2024-04-22 14:09 [cip-dev][isar-cip-core][PATCH v2 0/7] Add option to encrypt the rootfs Quirin Gylstorff
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-04-23  9:43   ` MOESSBAUER, Felix
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
2024-04-23  9:39   ` MOESSBAUER, Felix
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 3/7] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition Quirin Gylstorff
2024-04-23  9:35   ` MOESSBAUER, Felix
2024-04-23 10:00     ` Gylstorff Quirin
2024-04-24  8:00       ` MOESSBAUER, Felix
2024-04-24  8:22         ` Gylstorff Quirin
2024-04-24  9:06           ` MOESSBAUER, Felix
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 5/7] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
2024-04-22 14:09 ` [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption Quirin Gylstorff
2024-04-23  9:29   ` MOESSBAUER, Felix
2024-04-23  9:56     ` Gylstorff Quirin
