* [cip-dev][isar-cip-core][RFC 0/8] Rework disk encryption
@ 2024-03-19 18:18 Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset is a cleanup of the initramfs-crypt-hook:
 - Aligns the systemd and clevis implementation
 - Adds some checks for TPM parameters
 - Removes the dependency in the overlay
 - Adds an example to encrypt the rootfs

Quirin Gylstorff (8):
  initramfs-crypt-hook: Allow switching between clevis and systemd
  initramfs-crypt-hook: Align systemd encryption and clevis encryption
  initramfs-crypt-hook: move the mounting of encrypted disks in a
    separate function
  initramfs-crypt-hook: Check if the TPM device fulfills the given
    requirements
  initramfs-crypt-hook: add flag to make encryption optional
  initramfs-crypt-hook: add e2fsck to avoid resize error
  initramfs-crypt-hook: split encryption and mounting
  Add example to encrypt the rootfs

 kas/opt/encrypt_rootfs.yml                    | 24 ++++++++
 .../files/encrypt_partition.clevis.script     | 42 +++++++------
 .../files/encrypt_partition.env.tmpl          |  4 +-
 .../files/encrypt_partition.systemd.hook      |  4 +-
 .../files/encrypt_partition.systemd.script    | 55 ++++++++++-------
 .../files/mount_crypt_partitions.script       | 61 +++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb               | 28 +++++++--
 .../files/overlay.script.tmpl                 |  2 +-
 wic/x86_64-encryption.wks.in                  | 18 ++++++
 9 files changed, 189 insertions(+), 49 deletions(-)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
 create mode 100644 wic/x86_64-encryption.wks.in

-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 1/8] initramfs-crypt-hook: Allow switching between clevis and systemd
@ 2024-03-19 18:18 ` Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows devices which started on Debian 11 to continue using
clevis for encryption and decryption.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index b275c0f..317ea12 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -1,7 +1,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2020-2023
+# Copyright (c) Siemens AG, 2020-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
 
 DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
 DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
-DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
+DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
+
+def encryption_dependency(d):
+    crypt_backend = d.getVar('CRYPT_BACKEND')
+    if crypt_backend == 'clevis':
+        clevis_depends= d.getVar('CLEVIS_DEPEND')
+        return f"{clevis_depends}, clevis-tpm2"
+    elif crypt_backend == 'systemd':
+        return ", systemd (>= 251)"
+    else:
+        bb.error("unkown cryptbackend defined")
 
 CRYPT_BACKEND:buster = "clevis"
 CRYPT_BACKEND:bullseye = "clevis"
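Review bot: the `else` branch of `encryption_dependency()` does not stop the build: `bb.error()` only logs, the function then returns `None`, and the `${@...}` expansion turns that into the literal string "None" appended to DEBIAN_DEPENDS. Use `bb.fatal("unknown CRYPT_BACKEND '%s'" % crypt_backend)` instead (and fix the "unkown cryptbackend" typo in the message). Separately, on buster and bullseye `${CLEVIS_DEPEND}` is now appended twice, once by `DEBIAN_DEPENDS:append:buster`/`:bullseye` and once by the `clevis` branch of the new function; those per-release appends can go now that CRYPT_BACKEND selects the backend.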
-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 2/8] initramfs-crypt-hook: Align systemd encryption and clevis encryption
@ 2024-03-19 18:18 ` Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The following changes were copied from systemd to clevis:
 - check return of resize command
The following changes were copied from clevis to systemd:
 - check if create_filesystem command is empty
 - use part_device(/dev/*) instead of disk
   label(/dev/disk/by-partlabel/*)

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     |  6 ++++--
 .../files/encrypt_partition.systemd.script    | 21 +++++++++++--------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0318966..4e76c44 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -2,7 +2,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -82,7 +82,9 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
-	resize2fs "$1" "${reduced_size_in_kb}"
+	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+		panic "reencryption of filesystem $1 cannot continue!"
+	fi
 	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
 		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
 	else
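Review bot: panicking when `resize2fs` fails is the right fail-closed behaviour, but note what makes it fail: `resize2fs` refuses to shrink a filesystem it considers unchecked (it prints "Please run 'e2fsck -f ...' first" and exits non-zero), so on such images every re-encryption boot now panics where it previously continued with an unencrypted partition. The `e2fsck -f` that patch 6 of this series puts in front of this call belongs in this commit; consider squashing it here.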
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index eeeb55a..f97a461 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -2,7 +2,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -47,6 +47,9 @@ modprobe loop
 tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+if [ -z "${create_file_system_cmd}" ]; then
+	create_file_system_cmd="mke2fs -t ext4"
+fi
 
 service_watchdog() {
 	for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
@@ -83,8 +86,7 @@ enroll_tpm2_token() {
 }
 
 reencrypt_existing_partition() {
-	part_device="$(readlink -f "$partition")"
-	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
+	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
 	# reduce the filesystem and partition by 32M to fit the LUKS header
 	reduce_device_size=32768
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
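Review bot: `reencrypt_existing_partition()` now depends on its caller passing the resolved block device, because the awk expression takes the third path component as the `/sys/class/block/` entry; called with `/dev/disk/by-partlabel/...` it yields `disk`, `cat` fails, `part_size_blocks` is empty and the following `expr` lines compute garbage. Either keep a `readlink -f "$1"` inside the function or check that `/sys/class/block/<name>/size` exists before using it.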
@@ -111,15 +113,16 @@ for partition_set in $partition_sets; do
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
+	part_device=$(readlink -f "$partition")
 
 	# check if partition is already encrypted with systemd-tpm2
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
-		open_tpm2_partition "$partition"
 		if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
 			 "${rootmnt}${partition_mountpoint}"; then
 			panic "Can't mount encrypted partition '${decrypted_part}'!"
 		fi
+		open_tpm2_partition "$part_device"
 		continue
 	fi
 
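Review bot: the already-encrypted branch now has the calls in the wrong order: `open_tpm2_partition "$part_device"` was moved below the `mount` of `${decrypted_part}`, so the mount runs before `/dev/mapper/encrypted_<label>` exists and panics on every boot of an already encrypted device. Keep the open before the mount; this hunk only needed to change the argument from `"$partition"` to `"$part_device"`. Patch 3 of this series quietly restores the order, which should be folded in here so every intermediate commit boots.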
@@ -136,15 +139,15 @@ for partition_set in $partition_sets; do
 
 	case "${partition_format}" in
 		"reencrypt")
-			reencrypt_existing_partition "$partition" "$tmp_key"
-			enroll_tpm2_token "$partition" "$tmp_key"
-			open_tpm2_partition "$partition"
+			reencrypt_existing_partition "$part_device" "$tmp_key"
+			enroll_tpm2_token "$part_device" "$tmp_key"
+			open_tpm2_partition "$part_device"
 		;;
 		"format")
 			/usr/sbin/cryptsetup luksFormat --batch-mode \
 				 --type luks2 "$partition" < "$tmp_key"
-			enroll_tpm2_token "$partition" "$tmp_key"
-			open_tpm2_partition "$partition"
+			enroll_tpm2_token "$part_device" "$tmp_key"
+			open_tpm2_partition "$part_device"
 			eval "${create_file_system_cmd} ${decrypted_part}"
 		;;
 		*)
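Review bot: the `format` case still passes `"$partition"` (the `/dev/disk/by-partlabel` symlink) to `cryptsetup luksFormat`, and the `luksDump` check above does the same, while `enroll_tpm2_token` and `open_tpm2_partition` now receive `"$part_device"`. cryptsetup resolves the symlink, so it works, but the commit message says the script switches to the resolved device; change the two remaining uses as well so there is one convention.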
-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 3/8] initramfs-crypt-hook: move the mounting of encrypted disks in a separate function
@ 2024-03-19 18:18 ` Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This increases maintainability and avoids missing checks.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 20 +++++++++++--------
 .../files/encrypt_partition.systemd.script    | 20 +++++++++++--------
 2 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 4e76c44..0f82c1a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,6 +92,16 @@ reencrypt_existing_partition() {
 	fi
 }
 
+mount_partition() {
+	partition_dev_path=$1
+	partition_mountpoint=$2
+	echo "mount device: '$partition' to '$partition_mountpoint'"
+	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+		 "${partition_mountpoint}"; then
+		panic "Can't mount encrypted partition '${partition_dev_path}'!"
+	fi
+}
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
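Review bot: two small bugs in `mount_partition()`. The log line prints `'$partition'`, the loop's global, instead of the `$partition_dev_path` it was given, so the message can name the wrong device. And the second positional parameter is stored in `partition_mountpoint`, which is also the loop variable holding the mountpoint without `$rootmnt`; POSIX sh functions share the caller's namespace, so after the call the loop variable contains `${rootmnt}${partition_mountpoint}`. Use distinct names or `local` (dash and busybox sh support it) so a later use cannot end up with a doubled prefix.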
@@ -114,10 +124,7 @@ for partition_set in $partition_sets; do
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "clevis"; then
 		open_tpm2_partition "$part_device"
-		if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-			 "${rootmnt}${partition_mountpoint}"; then
-			panic "Can't mount encrypted partition '${decrypted_part}'!"
-		fi
+		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
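Review bot: minor style: `"${rootmnt}""$partition_mountpoint"` is two adjacent quoted words; `"${rootmnt}${partition_mountpoint}"`, as in the lines being removed, is the usual form. Same for the second call further down in this file.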
@@ -150,10 +157,7 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-		 "${rootmnt}${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${decrypted_part}'!"
-	fi
+	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 
 	# delete initial key
 	# afterwards no new keys can be enrolled
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index f97a461..6c6d22e 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -102,6 +102,16 @@ reencrypt_existing_partition() {
 	fi
 }
 
+mount_partition() {
+	partition_dev_path=$1
+	partition_mountpoint=$2
+	echo "mount device: '$partition' to '$partition_mountpoint'"
+	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+		 "${partition_mountpoint}"; then
+		panic "Can't mount encrypted partition '${partition_dev_path}'!"
+	fi
+}
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
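Review bot: same two issues as in the clevis copy: the log line uses the global `$partition` rather than `$partition_dev_path`, and the `partition_mountpoint` parameter overwrites the loop variable of the same name. With `mount_partition()` and `reencrypt_existing_partition()` now byte-identical in both scripts, a shared helper file sourced by both would avoid keeping them in sync by hand.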
@@ -118,11 +128,8 @@ for partition_set in $partition_sets; do
 	# check if partition is already encrypted with systemd-tpm2
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
-		if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-			 "${rootmnt}${partition_mountpoint}"; then
-			panic "Can't mount encrypted partition '${decrypted_part}'!"
-		fi
 		open_tpm2_partition "$part_device"
+		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
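Review bot: this hunk restores the open-before-mount order that patch 2 of this series broke when it moved `open_tpm2_partition` below the `mount`. Fold the reordering into patch 2 so that each intermediate commit still boots an already encrypted device.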
@@ -155,10 +162,7 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-		 "${rootmnt}${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${decrypted_part}'!"
-	fi
+	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 
 	# delete initial key
 	# afterwards no new keys can be enrolled
-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 4/8] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements
@ 2024-03-19 18:18 ` Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This also adds the crypt hash and crypt algorithm parameters
and avoids errors due to mismatches between hardware and software.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script      | 18 +++++++++++++-----
 .../files/encrypt_partition.env.tmpl           |  3 ++-
 .../files/encrypt_partition.systemd.hook       |  4 +++-
 .../files/encrypt_partition.systemd.script     | 15 +++++++++++++--
 .../initramfs-crypt-hook_0.1.bb                |  7 ++++---
 5 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0f82c1a..f271e85 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -43,12 +43,10 @@ modprobe xts
 # this needs to be probed particularly for re-encryption
 modprobe loop
 
-# fixed tpm device or do we need to find it
-tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-hash_type="$HASH_TYPE"
-
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
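Review bot: dropping `tpm_device=/dev/tpmrm0` leaves `tpm_device` unset unless the probe loop below finds a device, and `pcr_bank_hash_type`/`tpm_key_algorithm` are empty whenever the template variables are unset, which turns the probes into `tpm2_pcrread ... ":7"` calls that can never succeed and ends in a panic that names an empty device. Default the two variables here (`${HASH_TYPE:-sha256}`, `${KEY_ALGORITHM:-ecc}`, matching the recipe's `??=` defaults) and initialise `tpm_device=""` explicitly.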
@@ -69,7 +67,7 @@ open_tpm2_partition() {
 
 enroll_tpm2_token() {
 	if [ -x /usr/bin/clevis ]; then
-		clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2"
+		clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2"
 	else
 		panic "clevis not available cannot enroll tpm2 key!"
 	fi
@@ -102,6 +100,16 @@ mount_partition() {
 	fi
 }
 
+for candidate in /dev/tpm*; do
+	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
+		continue
+	fi
+	if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
+		continue
+	fi
+	tpm_device=$candidate
+done
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
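Review bot: the probe loop runs `tpm2_pcrread` and `tpm2_testparms` inside the clevis initramfs, but this patch only adds the `copy_exec` lines to `encrypt_partition.systemd.hook` (see the diffstat, which lists no clevis hook). Unless the clevis hook already copies both tools, every probe fails with "command not found", no candidate is accepted, and the script panics on every board. Please confirm, or add the two `copy_exec` lines to the clevis hook in this patch.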
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index bcc57be..5d28dc5 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}"
 CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
 SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
 WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
-HASH_TYPE="${CRYPT_HASH_TYPE}"
\ No newline at end of file
+HASH_TYPE="${CRYPT_HASH_TYPE}"
+KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index c3b31d6..6e2a211 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (C) Siemens AG, 2020-2023
+# Copyright (C) Siemens AG, 2020-2024
 #
 # SPDX-License-Identifier: MIT
 
@@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
 copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
 copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found"
 copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
+copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
 
 copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
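Review bot: `copy_exec` copies a binary plus the libraries `ldd` reports, but tpm2-tools resolve `-T device:` through `libtss2-tctildr`, which `dlopen()`s `libtss2-tcti-device.so.0` at run time, so ldd-based copying does not pull it in. Verify that this library ends up in the initramfs (add an explicit `copy_exec` for it if not); otherwise both probes in the script fail on every candidate and no TPM is ever found.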
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 6c6d22e..ea267ac 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -43,10 +43,10 @@ modprobe xts
 # this needs to be probed particularly for re-encryption
 modprobe loop
 
-# fixed tpm device or do we need to find it
-tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
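Review bot: same as in the clevis script: with the fixed `/dev/tpmrm0` removed and no defaults for `HASH_TYPE`/`KEY_ALGORITHM`, an unset template variable produces a probe that cannot succeed; give both variables a default here and initialise `tpm_device` explicitly.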
@@ -71,6 +71,7 @@ enroll_tpm2_token() {
 		systemd_version=$(systemd-cryptenroll --version | \
 			  awk -F " " 'NR==1{print $2 }')
 		# check systemd version and export password if necessary
+		# systemd version 251 does not suport hash_types
 		if [ "$systemd_version" -ge "251" ]; then
 			PASSWORD=$(cat "$2" )
 			export PASSWORD
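Review bot: the added comment "systemd version 251 does not suport hash_types" sits above a check (`-ge 251`) that decides whether to export `PASSWORD`, which has nothing to do with hash types. Say what the version check actually guards, or drop the comment. If the point is that `systemd-cryptenroll` cannot be told the PCR bank, then `pcr_bank_hash_type` is only used for the probe in this script and that limitation belongs where the variable is read at the top (and "suport" should read "support").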
@@ -112,6 +113,16 @@ mount_partition() {
 	fi
 }
 
+for candidate in /dev/tpm*; do
+	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
+		continue
+	fi
+	if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
+		continue
+	fi
+	tpm_device=$candidate
+done
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
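Review bot: the loop never `break`s, so the last matching entry wins. `/dev/tpm*` matches both `/dev/tpm0` and `/dev/tpmrm0` of the same chip, and the raw `/dev/tpm0` allows only one opener at a time, so probing it while another process holds it fails with EBUSY. Prefer `/dev/tpmrm*` first, `break` on the first device that passes both checks, and skip candidates that do not exist (an unmatched glob leaves the literal `/dev/tpm*` in the loop).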
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 317ea12..7f732cf 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -11,7 +11,7 @@
 inherit dpkg-raw
 DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
     awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
-    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs"
+    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
 
 CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
 
@@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600"
 INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
 # clevis needs tpm hash algorithm type
 CRYPT_HASH_TYPE ??= "sha256"
-
+CRYPT_KEY_ALGORITHM ??= "ecc"
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
-    CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE"
+    CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
+    CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
 TEMPLATE_FILES = "encrypt_partition.env.tmpl"
 
 do_install[cleandirs] += " \
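Review bot: `CRYPT_ENCRYPTION_OPTIONAL` is added to `TEMPLATE_VARS` here, but the variable and its default only appear in patch 5 of this series, so at this commit the template expands an undefined variable; move the token to patch 5. The comment "# clevis needs tpm hash algorithm type" above `CRYPT_HASH_TYPE` is stale now that both backends use it for the PCR probe, and `CRYPT_KEY_ALGORITHM` should say which values are accepted (`ecc`, `rsa`) since it is passed straight to clevis and `tpm2_testparms`.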
-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 5/8] initramfs-crypt-hook: add flag to make encryption optional
@ 2024-03-19 18:18 ` Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows using the same image on devices without a TPM or with a
disabled TPM.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 20 +++++++++++++++++-
 .../files/encrypt_partition.env.tmpl          |  1 +
 .../files/encrypt_partition.systemd.script    | 21 ++++++++++++++++++-
 .../initramfs-crypt-hook_0.1.bb               |  1 +
 4 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index f271e85..6e2713f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
 pcr_bank_hash_type="$HASH_TYPE"
 tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -111,7 +112,24 @@ for candidate in /dev/tpm*; do
 done
 
 if [ ! -e "$tpm_device" ]; then
-	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		for partition_set in $partition_sets; do
+			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+			partition=/dev/disk/by-partlabel/"$partition_label"
+			case "${partition_format}" in
+			"reencrypt")
+				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+				;;
+			*)
+				echo "cannot mount partition '$partition' as it is marked for formatting."
+			esac
+		done
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
 fi
 
 # clevis needs /dev/fd create it in the initramfs
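Review bot: this branch is a silent security downgrade, and it is reached more often than the commit message suggests: `tpm_device` is also empty when a TPM is present but fails the `tpm2_pcrread`/`tpm2_testparms` probe (wrong `CRYPT_HASH_TYPE`, unsupported key algorithm, tools or TCTI missing from the initramfs), so a configuration mistake on a board that does have a TPM mounts the `reencrypt` partitions in plaintext and `exit 0`s. Distinguish "no `/dev/tpm*` at all" from "TPM present but unsuitable", take the optional path only for the former, and log it loudly. Also document that on a device already encrypted in an earlier boot this path ends with `mount_partition` panicking on the LUKS container, so the fallback only helps before the first encryption. Minor: the `*)` arm lacks `;;`, and the `partition_sets` parsing duplicates the main loop below; a helper yielding label/mountpoint/format would serve both.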
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index 5d28dc5..bb93361 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
 WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
 HASH_TYPE="${CRYPT_HASH_TYPE}"
 KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
+ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index ea267ac..2e6691a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
 pcr_bank_hash_type="$HASH_TYPE"
 tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -124,9 +125,27 @@ for candidate in /dev/tpm*; do
 done
 
 if [ ! -e "$tpm_device" ]; then
-	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		for partition_set in $partition_sets; do
+			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+			partition=/dev/disk/by-partlabel/"$partition_label"
+			case "${partition_format}" in
+			"reencrypt")
+				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+				;;
+			*)
+				echo "cannot mount partition '$partition' as it is marked for formatting."
+			esac
+		done
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
 fi
 
+
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
 	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
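Review bot: this is the same fallback block as in the clevis script, with the same concern: it also triggers when a TPM exists but fails the probe, which turns a configuration error into a plaintext boot, so restrict it to the case where no `/dev/tpm*` exists and log it prominently. The hunk also adds a stray blank line after the closing `fi`. With both scripts now carrying an identical 20-line block, move it into a shared function, or into `mount_crypt_partitions.script`, which patch 7 introduces for exactly this mounting logic.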
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 7f732cf..54c91fd 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
 # clevis needs tpm hash algorithm type
 CRYPT_HASH_TYPE ??= "sha256"
 CRYPT_KEY_ALGORITHM ??= "ecc"
+CRYPT_ENCRYPTION_OPTIONAL ??= "false"
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
     CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
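Review bot: `CRYPT_ENCRYPTION_OPTIONAL ??= "false"` is the right default, but its `TEMPLATE_VARS` entry was already added in patch 4; keep the default and the template entry in one commit. A one-line comment that `true` means "boot unencrypted when no usable TPM is found" would help, since the name alone reads as a build-time option.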
-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 6/8] initramfs-crypt-hook: add e2fsck to avoid resize error
@ 2024-03-19 18:18 ` Quirin Gylstorff
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This avoids the following error during resizing a file system:

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.clevis.script   | 1 +
 .../initramfs-crypt-hook/files/encrypt_partition.systemd.script  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 6e2713f..0bb6720 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -81,6 +81,7 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+	e2fsck -f "$1"
 	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
 		panic "reencryption of filesystem $1 cannot continue!"
 	fi
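Review bot: `e2fsck -f "$1"` runs without `-p` or `-y` and its exit status is ignored. There is no terminal in the initramfs, so as soon as the check finds something to repair e2fsck aborts with "need terminal for interactive repairs", and the script then proceeds to `resize2fs` anyway. Use `e2fsck -f -p "$1"` (or `-y`) and `panic` when the exit status is 4 or higher (errors left uncorrected or an operational error), since shrinking a filesystem with uncorrected errors can destroy it. Also confirm that `/usr/sbin/e2fsck` is copied into the initramfs; the hook shown in this series only `copy_exec`s `resize2fs`.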
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 2e6691a..9809c87 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -94,6 +94,7 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+	e2fsck -f "$1"
 	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
 		panic "reencryption of filesystem $1 cannot continue!"
 	fi
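Review bot: as in the clevis script, give `e2fsck` a non-interactive mode (`-f -p`) and `panic` on an exit status of 4 or higher before calling `resize2fs`; an unchecked return here defeats the purpose of the check.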
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH 7/8] initramfs-crypt-hook: split encryption and mounting
@ 2024-03-19 18:18 ` Quirin Gylstorff
  2024-03-19 18:18 ` [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs Quirin Gylstorff
  7 siblings, 0 replies; 22+ messages in thread
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The encryption now occurs before the rootfs is mounted.
The file system is mounted after the rootfs.

This removes the required order between overlay and disk encryption.
Also it allows the encryption of the rootfs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 27 --------
 .../files/encrypt_partition.systemd.script    | 27 --------
 .../files/mount_crypt_partitions.script       | 61 +++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb               |  6 +-
 .../files/overlay.script.tmpl                 |  2 +-
 5 files changed, 67 insertions(+), 56 deletions(-)
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0bb6720..eec3cf1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,16 +92,6 @@ reencrypt_existing_partition() {
 	fi
 }
 
-mount_partition() {
-	partition_dev_path=$1
-	partition_mountpoint=$2
-	echo "mount device: '$partition' to '$partition_mountpoint'"
-	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
-		 "${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${partition_dev_path}'!"
-	fi
-}
-
 for candidate in /dev/tpm*; do
 	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
 		continue
@@ -115,19 +105,6 @@ done
 if [ ! -e "$tpm_device" ]; then
 	if [ "$tpm_encryption_optional" = "true" ]; then
 		echo "No tpm_device exists abort optional encryption"
-		for partition_set in $partition_sets; do
-			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-			partition=/dev/disk/by-partlabel/"$partition_label"
-			case "${partition_format}" in
-			"reencrypt")
-				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
-				;;
-			*)
-				echo "cannot mount partition '$partition' as it is marked for formatting."
-			esac
-		done
 		exit 0
 	fi
 	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
@@ -140,7 +117,6 @@ fi
 
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
@@ -151,7 +127,6 @@ for partition_set in $partition_sets; do
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "clevis"; then
 		open_tpm2_partition "$part_device"
-		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
@@ -184,8 +159,6 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
-
 	# delete initial key
 	# afterwards no new keys can be enrolled
 	cryptsetup -v luksKillSlot -q  "$part_device" 0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 9809c87..c7822f2 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -105,16 +105,6 @@ reencrypt_existing_partition() {
 	fi
 }
 
-mount_partition() {
-	partition_dev_path=$1
-	partition_mountpoint=$2
-	echo "mount device: '$partition' to '$partition_mountpoint'"
-	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
-		 "${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${partition_dev_path}'!"
-	fi
-}
-
 for candidate in /dev/tpm*; do
 	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
 		continue
@@ -128,19 +118,6 @@ done
 if [ ! -e "$tpm_device" ]; then
 	if [ "$tpm_encryption_optional" = "true" ]; then
 		echo "No tpm_device exists abort optional encryption"
-		for partition_set in $partition_sets; do
-			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-			partition=/dev/disk/by-partlabel/"$partition_label"
-			case "${partition_format}" in
-			"reencrypt")
-				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
-				;;
-			*)
-				echo "cannot mount partition '$partition' as it is marked for formatting."
-			esac
-		done
 		exit 0
 	fi
 	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
@@ -149,7 +126,6 @@ fi
 
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
@@ -160,7 +136,6 @@ for partition_set in $partition_sets; do
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
 		open_tpm2_partition "$part_device"
-		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
@@ -193,8 +168,6 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
-
 	# delete initial key
 	# afterwards no new keys can be enrolled
 	/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
new file mode 100644
index 0000000..1d3eb6c
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+prereqs()
+{
+	# Make sure that this script is run last in local-top
+	local req
+	for req in "${0%/*}"/*; do
+		script="${req##*/}"
+		if [ "$script" != "${0##*/}" ]; then
+			printf '%s\n' "$script"
+		fi
+	done
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+mount_partition() {
+	partition_dev_path=$1
+	partition_mountpoint=$2
+	echo "mount device: '$partition' to '$partition_mountpoint'"
+	if ! mountpoint -q "${partition_mountpoint}"; then
+		if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+			 "${partition_mountpoint}"; then
+			panic "Can't mount encrypted partition '${partition_dev_path}'!"
+		fi
+	fi
+}
+partition_sets="$PARTITIONS"
+for partition_set in $partition_sets; do
+	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+	partition=/dev/disk/by-partlabel/"$partition_label"
+	part_device=$(readlink -f "$partition")
+	crypt_mount_name="encrypted_$partition_label"
+	decrypted_part=/dev/mapper/"$crypt_mount_name"
+
+	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+			| grep -q "systemd-tpm2"; then
+		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
+	else
+		mount_partition "$part_device" "$rootmnt""$partition_mountpoint"
+	fi
+done
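Review bot: the backend check at the end only greps the LUKS header for `systemd-tpm2`, but this script is installed for both backends (see the unconditional SRC_URI addition in the .bb hunk) and the clevis backend writes a `clevis` token, so on a clevis-enrolled device the else branch mounts the raw LUKS partition `$part_device` and panics; match both tokens, or simply key the decision on the mapper device existing (`if [ -e "$decrypted_part" ]; then`). Two smaller points in the same hunk: the third field of each partition set (`reencrypt` versus format) is no longer read, so in the optional-encryption, no-TPM case a partition marked for formatting is now mounted as-is instead of being skipped as the removed loop in encrypt_partition.*.script did; and the echo in `mount_partition` prints `$partition` rather than `$partition_dev_path`, so the mapper device never shows up in the boot log. The comment in `prereqs()` says local-top while the file is installed under local-bottom.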
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 54c91fd..4e60c10 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -35,6 +35,7 @@ CRYPT_BACKEND = "systemd"
 
 SRC_URI += "file://encrypt_partition.env.tmpl \
             file://encrypt_partition.${CRYPT_BACKEND}.script \
+            file://mount_crypt_partitions.script \
             file://encrypt_partition.${CRYPT_BACKEND}.hook \
             file://pwquality.conf"
 
@@ -60,12 +61,15 @@ TEMPLATE_FILES = "encrypt_partition.env.tmpl"
 do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/hooks \
     ${D}/usr/share/encrypt_partition \
+    ${D}/usr/share/initramfs-tools/scripts/local-top \
     ${D}/usr/share/initramfs-tools/scripts/local-bottom"
 
 do_install() {
     install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
     install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
-        "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
+        "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition"
+    install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
     install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
         "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
     install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf"
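Review bot: the new local-bottom script calls `mountpoint`, and this change adds no `copy_exec` for it to the hook, so please confirm it actually ends up in the initramfs (every other tool these scripts rely on is copied in explicitly by encrypt_partition.${CRYPT_BACKEND}.hook). Also, the source file is `mount_crypt_partitions.script` but it is installed as `mount_decrypted_partition`; using one name for both would make the recipe easier to follow.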
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
index a321490..2563dfd 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
@@ -9,7 +9,7 @@
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
 #
 
-PREREQ="encrypt_partition"
+PREREQ=""
 
 prereqs()
 {
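Review bot: emptying PREREQ here, combined with the new mount script's `prereqs()` listing every other local-bottom script (overlay included) as a prerequisite, reverses the previous order: the decrypted /home and /var are now mounted after the overlay script has run rather than before it. The commit message only says the ordering is no longer required; it should state that the overlay does not depend on any of the encrypted mountpoints under $rootmnt, or the mount script should exclude overlay from the prerequisites it generates.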
-- 
2.43.0




* [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
From: Quirin Gylstorff @ 2024-03-19 18:18 UTC (permalink / raw)
  To: cip-dev, jan.kiszka, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
This is a rough example to show that rootfs encryption is possible.

 kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
 wic/x86_64-encryption.wks.in | 18 ++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100644 wic/x86_64-encryption.wks.in

diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
new file mode 100644
index 0000000..4001c75
--- /dev/null
+++ b/kas/opt/encrypt_rootfs.yml
@@ -0,0 +1,24 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+
+local_conf_header:
+  encrypted_root: |
+    WKS_FILE = "x86_64-encryption.wks.in"
+    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
+    IMAGE_FSTYPES = "wic"
+    IMAGER_INSTALL:wic += "systemd-boot"
+    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
+    INITRAMFS_RECIPE ?= "cip-core-initramfs"
+    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
new file mode 100644
index 0000000..c143500
--- /dev/null
+++ b/wic/x86_64-encryption.wks.in
@@ -0,0 +1,18 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# SPDX-License-Identifier: MIT
+#
+
+part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
+
+# Not nice use the source param label to supress the root commandline
+part / --source rootfs --fstype ext4 --sourceparams "label=BOOT" --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
+# home and var are extra partitions
+part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
+part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
+
+# This works as we know how that the luks device will be named encrypted_<label of the root device>
+bootloader --ptable gpt --timeout 2 --append "root=/dev/mapper/encrypted_platform console=ttyS0,115200"
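Review bot: `/` and `/home` are both given `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, so two ext4 filesystems in the image carry the same UUID; give /home its own value as /var already has. With `root=/dev/mapper/encrypted_platform` hard-coded on the kernel command line this image only boots once the TPM enrolment has succeeded, so it must not be combined with `CRYPT_ENCRYPTION_OPTIONAL = "true"`; a comment next to the bootloader line would save the next person a failed boot. Minor: the comment above the `/` partition should read "Not nice: use the source param label to suppress the root command line", and the last comment has a stray "how that".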
-- 
2.43.0




* Re: [cip-dev][isar-cip-core][RFC 1/8] initramfs-crypt-hook: Allow switching between clevis and systemd
From: Jan Kiszka @ 2024-03-19 18:33 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows devices which started on Debian 11 to continue using
> clevis for encryption and decryption.
> 

Would an upgrade to systemd tooling be possible as well? Create a new
key with systemd in the TPM and add that to dm-crypt container?

This is just out of the concern if we may have to maintain that clevis
path forever.

Jan

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> index b275c0f..317ea12 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -1,7 +1,7 @@
>  #
>  # CIP Core, generic profile
>  #
> -# Copyright (c) Siemens AG, 2020-2023
> +# Copyright (c) Siemens AG, 2020-2024
>  #
>  # Authors:
>  #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
>  
>  DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
>  DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
> -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
> +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
> +
> +def encryption_dependency(d):
> +    crypt_backend = d.getVar('CRYPT_BACKEND')
> +    if crypt_backend == 'clevis':
> +        clevis_depends= d.getVar('CLEVIS_DEPEND')
> +        return f"{clevis_depends}, clevis-tpm2"
> +    elif crypt_backend == 'systemd':
> +        return ", systemd (>= 251)"
> +    else:
> +        bb.error("unkown cryptbackend defined")
>  
>  CRYPT_BACKEND:buster = "clevis"
>  CRYPT_BACKEND:bullseye = "clevis"
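Review bot: for buster and bullseye `CLEVIS_DEPEND` is already appended by the `DEBIAN_DEPENDS:append:<release>` lines kept just above, and `encryption_dependency()` appends it a second time for the clevis backend, so those releases list every clevis package twice; return only `, clevis-tpm2` for the clevis case, or drop the per-release appends now that the function covers them. In the unknown-backend branch `bb.error` does not stop parsing and the function falls through returning None, which is then expanded into DEBIAN_DEPENDS instead of failing the build; use `bb.fatal("unknown CRYPT_BACKEND")` (and note the "unkown" typo).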

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][RFC 4/8] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements
From: Jan Kiszka @ 2024-03-19 18:35 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This also adds the Crypt hash and Crypt algorithm parameter.

not yet the end of the sentence.

> and avoids errors to missmatchs between Hardware and software.

errors on mismatches

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/encrypt_partition.clevis.script      | 18 +++++++++++++-----
>  .../files/encrypt_partition.env.tmpl           |  3 ++-
>  .../files/encrypt_partition.systemd.hook       |  4 +++-
>  .../files/encrypt_partition.systemd.script     | 15 +++++++++++++--
>  .../initramfs-crypt-hook_0.1.bb                |  7 ++++---
>  5 files changed, 35 insertions(+), 12 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index 0f82c1a..f271e85 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -43,12 +43,10 @@ modprobe xts
>  # this needs to be probed particularly for re-encryption
>  modprobe loop
>  
> -# fixed tpm device or do we need to find it
> -tpm_device=/dev/tpmrm0
>  partition_sets="$PARTITIONS"
>  create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
> -hash_type="$HASH_TYPE"
> -
> +pcr_bank_hash_type="$HASH_TYPE"
> +tpm_key_algorithm="$KEY_ALGORITHM"
>  if [ -z "${create_file_system_cmd}" ]; then
>  	create_file_system_cmd="mke2fs -t ext4"
>  fi
> @@ -69,7 +67,7 @@ open_tpm2_partition() {
>  
>  enroll_tpm2_token() {
>  	if [ -x /usr/bin/clevis ]; then
> -		clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2"
> +		clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2"
>  	else
>  		panic "clevis not available cannot enroll tpm2 key!"
>  	fi
> @@ -102,6 +100,16 @@ mount_partition() {
>  	fi
>  }
>  
> +for candidate in /dev/tpm*; do
> +	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
> +		continue
> +	fi
> +	if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
> +		continue
> +	fi
> +	tpm_device=$candidate
> +done
> +
>  if [ ! -e "$tpm_device" ]; then
>  	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
>  fi
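Review bot: the candidate loop never `break`s on the first usable device, so `tpm_device` is whichever matching entry comes last, and `/dev/tpm*` matches both the raw `/dev/tpm0` and the kernel resource manager `/dev/tpmrm0`; prefer the resource manager (so the device is not held exclusively by the initramfs) and stop at the first match. When no candidate passes, `tpm_device` stays unset and the panic below prints an empty device name, which is only addressed by the message change in patch 5/8. The same loop is duplicated verbatim in the systemd script hunk below; a shared helper sourced by both backends would keep the two from drifting apart.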
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> index bcc57be..5d28dc5 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}"
>  CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
>  SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
>  WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
> -HASH_TYPE="${CRYPT_HASH_TYPE}"
> \ No newline at end of file
> +HASH_TYPE="${CRYPT_HASH_TYPE}"
> +KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> index c3b31d6..6e2a211 100755
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> @@ -1,5 +1,5 @@
>  #!/bin/sh
> -# Copyright (C) Siemens AG, 2020-2023
> +# Copyright (C) Siemens AG, 2020-2024
>  #
>  # SPDX-License-Identifier: MIT
>  
> @@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
>  copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
>  copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found"
>  copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
> +copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
> +copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
>  
>  copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
>  if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
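Review bot: copying `tpm2_pcrread` and `tpm2_testparms` alone is not enough for `-T device:` to work in the initramfs: the device TCTI is loaded by tpm2-tools at runtime rather than as a linked library, so `copy_exec` will not pull it in with the binaries. Please confirm the hook already copies the device TCTI library for the systemd-cryptsetup path, or add an explicit `copy_exec` for it here.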
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> index 6c6d22e..ea267ac 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> @@ -43,10 +43,10 @@ modprobe xts
>  # this needs to be probed particularly for re-encryption
>  modprobe loop
>  
> -# fixed tpm device or do we need to find it
> -tpm_device=/dev/tpmrm0
>  partition_sets="$PARTITIONS"
>  create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
> +pcr_bank_hash_type="$HASH_TYPE"
> +tpm_key_algorithm="$KEY_ALGORITHM"
>  if [ -z "${create_file_system_cmd}" ]; then
>  	create_file_system_cmd="mke2fs -t ext4"
>  fi
> @@ -71,6 +71,7 @@ enroll_tpm2_token() {
>  		systemd_version=$(systemd-cryptenroll --version | \
>  			  awk -F " " 'NR==1{print $2 }')
>  		# check systemd version and export password if necessary
> +		# systemd version 251 does not suport hash_types
>  		if [ "$systemd_version" -ge "251" ]; then
>  			PASSWORD=$(cat "$2" )
>  			export PASSWORD
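Review bot: the new comment "systemd version 251 does not suport hash_types" sits above a branch that only decides whether to export PASSWORD for versions >= 251, so it does not describe the code beneath it; either move it to where the hash type is (or is not) passed to systemd-cryptenroll, or reword it to say what the branch actually does, and fix "suport".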
> @@ -112,6 +113,16 @@ mount_partition() {
>  	fi
>  }
>  
> +for candidate in /dev/tpm*; do
> +	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
> +		continue
> +	fi
> +	if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
> +		continue
> +	fi
> +	tpm_device=$candidate
> +done
> +
>  if [ ! -e "$tpm_device" ]; then
>  	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
>  fi
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> index 317ea12..7f732cf 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -11,7 +11,7 @@
>  inherit dpkg-raw
>  DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
>      awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
> -    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs"
> +    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
>  
>  CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
>  
> @@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600"
>  INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
>  # clevis needs tpm hash algorithm type
>  CRYPT_HASH_TYPE ??= "sha256"
> -
> +CRYPT_KEY_ALGORITHM ??= "ecc"
>  
>  TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
> -    CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE"
> +    CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
> +    CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
>  TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>  
>  do_install[cleandirs] += " \
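Review bot: `CRYPT_ENCRYPTION_OPTIONAL` is added to TEMPLATE_VARS here, but the variable itself is only defined (`CRYPT_ENCRYPTION_OPTIONAL ??= "false"`) in patch 5/8, so at this point in the series the env template expands an undefined variable; move this TEMPLATE_VARS line into 5/8 next to the default so each patch builds on its own.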

Jan

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][RFC 5/8] initramfs-crypt-hook: add flag to make encryption optional
From: Jan Kiszka @ 2024-03-19 18:36 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to use same image on device without or with a disabled
> TPM.

"device with and without TPM"?

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/encrypt_partition.clevis.script     | 20 +++++++++++++++++-
>  .../files/encrypt_partition.env.tmpl          |  1 +
>  .../files/encrypt_partition.systemd.script    | 21 ++++++++++++++++++-
>  .../initramfs-crypt-hook_0.1.bb               |  1 +
>  4 files changed, 41 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index f271e85..6e2713f 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
>  create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
>  pcr_bank_hash_type="$HASH_TYPE"
>  tpm_key_algorithm="$KEY_ALGORITHM"
> +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
>  if [ -z "${create_file_system_cmd}" ]; then
>  	create_file_system_cmd="mke2fs -t ext4"
>  fi
> @@ -111,7 +112,24 @@ for candidate in /dev/tpm*; do
>  done
>  
>  if [ ! -e "$tpm_device" ]; then
> -	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
> +	if [ "$tpm_encryption_optional" = "true" ]; then
> +		echo "No tpm_device exists abort optional encryption"
> +		for partition_set in $partition_sets; do
> +			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
> +			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
> +			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
> +			partition=/dev/disk/by-partlabel/"$partition_label"
> +			case "${partition_format}" in
> +			"reencrypt")
> +				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
> +				;;
> +			*)
> +				echo "cannot mount partition '$partition' as it is marked for formatting."
> +			esac
> +		done
> +		exit 0
> +	fi
> +	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
>  fi
>  
>  # clevis needs /dev/fd create it in the initramfs
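Review bot: the optional fallback is reached not only when no TPM exists but also when one exists and merely fails the pcr-bank or key-algorithm checks (the new panic message lists both causes), so with the flag set a misconfigured HASH_TYPE or KEY_ALGORITHM silently results in a device running with its `reencrypt` partitions in plaintext. Consider falling back only when no `/dev/tpm*` node is present at all and still panicking on a capability mismatch, and have the fallback name each partition it leaves unencrypted rather than only the generic "abort optional encryption" line. The same block is duplicated in the systemd script hunk below.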
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> index 5d28dc5..bb93361 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
>  WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
>  HASH_TYPE="${CRYPT_HASH_TYPE}"
>  KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
> +ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> index ea267ac..2e6691a 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
>  create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
>  pcr_bank_hash_type="$HASH_TYPE"
>  tpm_key_algorithm="$KEY_ALGORITHM"
> +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
>  if [ -z "${create_file_system_cmd}" ]; then
>  	create_file_system_cmd="mke2fs -t ext4"
>  fi
> @@ -124,9 +125,27 @@ for candidate in /dev/tpm*; do
>  done
>  
>  if [ ! -e "$tpm_device" ]; then
> -	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
> +	if [ "$tpm_encryption_optional" = "true" ]; then
> +		echo "No tpm_device exists abort optional encryption"
> +		for partition_set in $partition_sets; do
> +			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
> +			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
> +			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
> +			partition=/dev/disk/by-partlabel/"$partition_label"
> +			case "${partition_format}" in
> +			"reencrypt")
> +				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
> +				;;
> +			*)
> +				echo "cannot mount partition '$partition' as it is marked for formatting."
> +			esac
> +		done
> +		exit 0
> +	fi
> +	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
>  fi
>  
> +

Extra newline.

>  for partition_set in $partition_sets; do
>  	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
>  	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> index 7f732cf..54c91fd 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
>  # clevis needs tpm hash algorithm type
>  CRYPT_HASH_TYPE ??= "sha256"
>  CRYPT_KEY_ALGORITHM ??= "ecc"
> +CRYPT_ENCRYPTION_OPTIONAL ??= "false"
>  
>  TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>      CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \

Jan

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][RFC 6/8] initramfs-crypt-hook: add e2fsck to avoid resize error
From: Jan Kiszka @ 2024-03-19 18:37 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This avoids the following error during resizing a file system:
> 

"Error: Success"? Or what should be here? :)

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../initramfs-crypt-hook/files/encrypt_partition.clevis.script   | 1 +
>  .../initramfs-crypt-hook/files/encrypt_partition.systemd.script  | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index 6e2713f..0bb6720 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -81,6 +81,7 @@ reencrypt_existing_partition() {
>  	reduced_size="$(expr "$part_size_blocks" - 65536 )"
>  	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>  	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
> +	e2fsck -f "$1"
>  	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
>  		panic "reencryption of filesystem $1 cannot continue!"
>  	fi
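Review bot: the exit status of `+	e2fsck -f "$1"` is ignored, so a filesystem that e2fsck could not repair is still handed to `resize2fs` on the next line, which then either fails or shrinks an inconsistent filesystem; and without `-p` or `-y`, e2fsck prompts for every repair it finds, which on an unattended device blocks the boot on the console. Suggest `e2fsck -f -p "$1"`, checking its status and treating 4 or above (errors left uncorrected, operational error) the same way the resize2fs failure below is treated, with `panic`.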
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> index 2e6691a..9809c87 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> @@ -94,6 +94,7 @@ reencrypt_existing_partition() {
>  	reduced_size="$(expr "$part_size_blocks" - 65536 )"
>  	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>  	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
> +	e2fsck -f "$1"
>  	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
>  		panic "reencryption of filesystem $1 cannot continue!"
>  	fi
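Review bot: same issue as in the clevis script: the return code of `+	e2fsck -f "$1"` is not checked and the plain `-f` form prompts when repairs are needed; use `e2fsck -f -p "$1"` and `panic` on an exit status of 4 or higher, mirroring the `resize2fs` check that follows.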

Jan

-- 
Siemens AG, Technology
Linux Expert Center


* Re: [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-19 18:18 ` [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs Quirin Gylstorff
@ 2024-03-19 18:42   ` Jan Kiszka
  2024-03-20 11:41     ` Gylstorff Quirin
  0 siblings, 1 reply; 22+ messages in thread
From: Jan Kiszka @ 2024-03-19 18:42 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> This is a rough example to show that rootfs encryption is possible.
> 
>  kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
>  wic/x86_64-encryption.wks.in | 18 ++++++++++++++++++
>  2 files changed, 42 insertions(+)
>  create mode 100644 kas/opt/encrypt_rootfs.yml
>  create mode 100644 wic/x86_64-encryption.wks.in
> 
> diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
> new file mode 100644
> index 0000000..4001c75
> --- /dev/null
> +++ b/kas/opt/encrypt_rootfs.yml
> @@ -0,0 +1,24 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> +  version: 14
> +
> +local_conf_header:
> +  encrypted_root: |
> +    WKS_FILE = "x86_64-encryption.wks.in"
> +    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
> +    IMAGE_FSTYPES = "wic"
> +    IMAGER_INSTALL:wic += "systemd-boot"
> +    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
> +    INITRAMFS_RECIPE ?= "cip-core-initramfs"
> +    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
> +    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
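Review bot: `reencrypt` in `+    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"` means the wic image is written with plaintext ext4 partitions that the initramfs converts in place on the device's first boot (`reencrypt_existing_partition()` in the 6/8 patch), and nothing in this file says so. A comment stating that the shipped image is not yet encrypted, and that the first boot must complete for the conversion to happen, would stop the option name `encrypted_root` from being read as "the image is encrypted". The file also pins `WKS_FILE`, `IMAGER_INSTALL:wic += "systemd-boot"` and the qemu-amd64 OVMF include, so a hardware target needs its own copy; a note on what to override would help.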
> diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
> new file mode 100644
> index 0000000..c143500
> --- /dev/null
> +++ b/wic/x86_64-encryption.wks.in
> @@ -0,0 +1,18 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
> +
> +# Not nice use the source param label to supress the root commandline

"suppress"

Can you elaborate what will happen without this label? Another, wrong
"root=..." would be appended?

> +part / --source rootfs --fstype ext4 --sourceparams "label=BOOT" --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
> +# home and var are extra partitions
> +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
> +
> +# This works as we know how that the luks device will be named encrypted_<label of the root device>

A bit ugly, indeed. Is there no way to let the script set the
appropriate root?

> +bootloader --ptable gpt --timeout 2 --append "root=/dev/mapper/encrypted_platform console=ttyS0,115200"
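Review bot: the `part /` and `part /home` lines both carry `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, so two ext4 filesystems in the image share one UUID; anything that identifies them by UUID (blkid, fstab, systemd mount units) becomes ambiguous, and after reencryption the clash lives on inside both LUKS containers. Give /home its own --fsuuid, as /var has. Also, `--uuid` is given for /boot and / but not for /home and /var; if fixed partition GUIDs are intended, set them for all four.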
Jan

-- 
Siemens AG, Technology
Linux Expert Center


* Re: [cip-dev][isar-cip-core][RFC 1/8] initramfs-crypt-hook: Allow switching between clevis and systemd
  2024-03-19 18:33   ` Jan Kiszka
@ 2024-03-20 11:27     ` Gylstorff Quirin
  0 siblings, 0 replies; 22+ messages in thread
From: Gylstorff Quirin @ 2024-03-20 11:27 UTC (permalink / raw)
  To: Jan Kiszka, cip-dev, johnxw



On 3/19/24 7:33 PM, Jan Kiszka wrote:
> On 19.03.24 19:18, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This allows device which started on Debian 11 to continue using
>> clevis for encryption and decryption.
>>
> 
> Would an upgrade to systemd tooling be possible as well? Create a new
> key with systemd in the TPM and add that to dm-crypt container?

I need to try this. We need a passphrase to add additional keys. So we 
would need to store the passphrase for the encryption somewhere on the 
system. A possible solution would be to encrypt the passphrase with
the TPM chip and store it somewhere on the system.

Quirin
> 
> This is just out of the concern if we may have to maintain that clevis
> path forever.
> 
> Jan
> 
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
>>   1 file changed, 12 insertions(+), 2 deletions(-)
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> index b275c0f..317ea12 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> @@ -1,7 +1,7 @@
>>   #
>>   # CIP Core, generic profile
>>   #
>> -# Copyright (c) Siemens AG, 2020-2023
>> +# Copyright (c) Siemens AG, 2020-2024
>>   #
>>   # Authors:
>>   #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
>>   
>>   DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
>>   DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
>> -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
>> +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
>> +
>> +def encryption_dependency(d):
>> +    crypt_backend = d.getVar('CRYPT_BACKEND')
>> +    if crypt_backend == 'clevis':
>> +        clevis_depends= d.getVar('CLEVIS_DEPEND')
>> +        return f"{clevis_depends}, clevis-tpm2"
>> +    elif crypt_backend == 'systemd':
>> +        return ", systemd (>= 251)"
>> +    else:
>> +        bb.error("unkown cryptbackend defined")
>>   
>>   CRYPT_BACKEND:buster = "clevis"
>>   CRYPT_BACKEND:bullseye = "clevis"
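Review bot: the `else` branch of `encryption_dependency()` calls `bb.error("unkown cryptbackend defined")` and then returns `None`, so the `${@encryption_dependency(d)}` expansion in `DEBIAN_DEPENDS:append` yields the string "None" in the dependency list instead of stopping the parse; use `bb.fatal()` and fix the "unkown" typo. Also, `DEBIAN_DEPENDS:append:buster` and `:bullseye` above already add `${CLEVIS_DEPEND}`, so for those distros the clevis branch's `return f"{clevis_depends}, clevis-tpm2"` lists the same packages twice; returning only `", clevis-tpm2"` there (or dropping the distro-specific appends) would avoid the duplication.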
> 


* Re: [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-19 18:42   ` Jan Kiszka
@ 2024-03-20 11:41     ` Gylstorff Quirin
  2024-03-20 11:49       ` Jan Kiszka
  0 siblings, 1 reply; 22+ messages in thread
From: Gylstorff Quirin @ 2024-03-20 11:41 UTC (permalink / raw)
  To: Jan Kiszka, cip-dev, johnxw



On 3/19/24 7:42 PM, Jan Kiszka wrote:
> On 19.03.24 19:18, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> This is a rough example to show that rootfs encryption is possible.
>>
>>   kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
>>   wic/x86_64-encryption.wks.in | 18 ++++++++++++++++++
>>   2 files changed, 42 insertions(+)
>>   create mode 100644 kas/opt/encrypt_rootfs.yml
>>   create mode 100644 wic/x86_64-encryption.wks.in
>>
>> diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
>> new file mode 100644
>> index 0000000..4001c75
>> --- /dev/null
>> +++ b/kas/opt/encrypt_rootfs.yml
>> @@ -0,0 +1,24 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2024
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +header:
>> +  version: 14
>> +
>> +local_conf_header:
>> +  encrypted_root: |
>> +    WKS_FILE = "x86_64-encryption.wks.in"
>> +    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
>> +    IMAGE_FSTYPES = "wic"
>> +    IMAGER_INSTALL:wic += "systemd-boot"
>> +    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
>> +    INITRAMFS_RECIPE ?= "cip-core-initramfs"
>> +    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>> +    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
>> diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
>> new file mode 100644
>> index 0000000..c143500
>> --- /dev/null
>> +++ b/wic/x86_64-encryption.wks.in
>> @@ -0,0 +1,18 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2024
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
>> +
>> +# Not nice use the source param label to supress the root commandline
> 
> "suppress"
> 
> Can you elaborate what will happen without this label? Another, wrong
> "root=..." would be appended?
Yes, the default behaviour of bootimg-efi-isar is to add `root=<uuid>`
to the kernel command line.

> 
>> +part / --source rootfs --fstype ext4 --sourceparams "label=BOOT" --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
>> +# home and var are extra partitions
>> +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
>> +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
>> +
>> +# This works as we know how that the luks device will be named encrypted_<label of the root device>
> 
> A bit ugly, indeed. Is there no way to let the script set the
> appropriate root?
We can work with templates for the rootfs label or set the ROOT variable
in the initramfs like verity and/or abrootfs. The second case would
require the initramfs to detect an encrypted root.

Quirin
> 
>> +bootloader --ptable gpt --timeout 2 --append "root=/dev/mapper/encrypted_platform console=ttyS0,115200"
> Jan
> 


* Re: [cip-dev][isar-cip-core][RFC 6/8] initramfs-crypt-hook: add e2fsck to avoid resize error
  2024-03-19 18:37   ` Jan Kiszka
@ 2024-03-20 11:42     ` Gylstorff Quirin
  0 siblings, 0 replies; 22+ messages in thread
From: Gylstorff Quirin @ 2024-03-20 11:42 UTC (permalink / raw)
  To: Jan Kiszka, cip-dev, johnxw



On 3/19/24 7:37 PM, Jan Kiszka wrote:
> On 19.03.24 19:18, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This avoids the following error during resizing a file system:
>>
> 
> "Error: Success"? Or what should be here? :)

Oops, the error message is `Please run ‘e2fsck -f /dev/<disk>’ first`.
I had it once, so I am not sure it is required.

Quirin
> 
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../initramfs-crypt-hook/files/encrypt_partition.clevis.script   | 1 +
>>   .../initramfs-crypt-hook/files/encrypt_partition.systemd.script  | 1 +
>>   2 files changed, 2 insertions(+)
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>> index 6e2713f..0bb6720 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>> @@ -81,6 +81,7 @@ reencrypt_existing_partition() {
>>   	reduced_size="$(expr "$part_size_blocks" - 65536 )"
>>   	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>>   	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
>> +	e2fsck -f "$1"
>>   	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
>>   		panic "reencryption of filesystem $1 cannot continue!"
>>   	fi
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>> index 2e6691a..9809c87 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>> @@ -94,6 +94,7 @@ reencrypt_existing_partition() {
>>   	reduced_size="$(expr "$part_size_blocks" - 65536 )"
>>   	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>>   	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
>> +	e2fsck -f "$1"
>>   	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
>>   		panic "reencryption of filesystem $1 cannot continue!"
>>   	fi
> 
> Jan
> 


* Re: [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-20 11:41     ` Gylstorff Quirin
@ 2024-03-20 11:49       ` Jan Kiszka
  2024-03-22  0:24         ` [isar-cip-core][RFC " JohnW
  0 siblings, 1 reply; 22+ messages in thread
From: Jan Kiszka @ 2024-03-20 11:49 UTC (permalink / raw)
  To: Gylstorff Quirin, cip-dev, johnxw

On 20.03.24 12:41, Gylstorff Quirin wrote:
> 
> 
> On 3/19/24 7:42 PM, Jan Kiszka wrote:
>> On 19.03.24 19:18, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>> This is a rough example to show that rootfs encryption is possible.
>>>
>>>   kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
>>>   wic/x86_64-encryption.wks.in | 18 ++++++++++++++++++
>>>   2 files changed, 42 insertions(+)
>>>   create mode 100644 kas/opt/encrypt_rootfs.yml
>>>   create mode 100644 wic/x86_64-encryption.wks.in
>>>
>>> diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
>>> new file mode 100644
>>> index 0000000..4001c75
>>> --- /dev/null
>>> +++ b/kas/opt/encrypt_rootfs.yml
>>> @@ -0,0 +1,24 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2024
>>> +#
>>> +# Authors:
>>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +header:
>>> +  version: 14
>>> +
>>> +local_conf_header:
>>> +  encrypted_root: |
>>> +    WKS_FILE = "x86_64-encryption.wks.in"
>>> +    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt
>>> var:/var:reencrypt"
>>> +    IMAGE_FSTYPES = "wic"
>>> +    IMAGER_INSTALL:wic += "systemd-boot"
>>> +    CIP_IMAGE_OPTIONS:append:qemu-amd64 = "
>>> recipes-core/images/deploy-ovmf.inc"
>>> +    INITRAMFS_RECIPE ?= "cip-core-initramfs"
>>> +    INITRD_IMAGE =
>>> "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>>> +    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
>>> diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
>>> new file mode 100644
>>> index 0000000..c143500
>>> --- /dev/null
>>> +++ b/wic/x86_64-encryption.wks.in
>>> @@ -0,0 +1,18 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2024
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +part /boot --source bootimg-efi-isar --sourceparams
>>> "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type
>>> EF00 --align 1024 --fsuuid 0x4321dcba --uuid
>>> cf142945-6fa1-4945-b0f2-b8d6226298c0
>>> +
>>> +# Not nice use the source param label to supress the root commandline
>>
>> "suppress"
>>
>> Can you elaborate what will happen without this label? Another, wrong
>> "root=..." would be appended?
> Yes, the default behaviour of bootimg-efi-isar is to add `root=<uuid>`
> to the kernel command line.
> 

Is that a problem of the -isar part in bootimg-efi-isar or also in
upstream? Wouldn't it make sense to add some flexibility here?

Or can't we ignore that specific "root=" from the command line in the
initramfs?

>>
>>> +part / --source rootfs --fstype ext4 --sourceparams "label=BOOT"
>>> --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid
>>> 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid
>>> f225331b-2d9c-45a2-bcfe-4a6e86287dfb
>>> +# home and var are extra partitions
>>> +part /home --source rootfs --change-directory=home --fstype=ext4
>>> --label home --align 1024  --size 1G --extra-space=100M --fsuuid
>>> 1f55d66a-40d8-11ee-be56-0242ac120002
>>> +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G
>>> --fsuuid 96be3374-4258-11ee-be56-0242ac120002
>>> +
>>> +# This works as we know how that the luks device will be named
>>> encrypted_<label of the root device>
>>
>> A bit ugly, indeed. Is there no way to let the script set the
>> appropriate root?
> We can work with templates for the rootfs label or set the ROOT variable
> in the initramfs like verity and/or abrootfs. The second case would
> require the initramfs to detect an encrypted root.

Yeah, but the effort should be in generic code ideally, not in
individual config files like this one here.

Jan

-- 
Siemens AG, Technology
Linux Expert Center
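An added example, not from the thread or from isar-cip-core, tying together Jan's question about deriving root= with the .wks layout from the 8/8 patch: it parses CRYPT_PARTITIONS the way the hook's awk snippets do, checks that every label to be encrypted has a part line, flags a --fsuuid shared by two partitions, and derives the root= that the encrypted_<label> device naming implies. The wks option parsing is a simplified assumption, not wic's own parser.

```python
"""Constructed example (not isar-cip-core code): check a CRYPT_PARTITIONS value
against a wic .wks layout, with a simplified stand-in for wic's option parser."""
import re
import shlex
from collections import defaultdict

# Constructed sample input, copied from the RFC 8/8 patch with comments dropped.
CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
WKS = r'''
part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
part / --source rootfs --fstype ext4 --sourceparams "label=BOOT" --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
bootloader --ptable gpt --timeout 2 --append "root=/dev/mapper/encrypted_platform console=ttyS0,115200"
'''


def parse_crypt_partitions(value):
    """Split 'label:mountpoint:mode' entries, as the hook's awk snippets do."""
    entries = []
    for item in value.split():
        fields = item.split(":")
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"malformed CRYPT_PARTITIONS entry: {item!r}")
        entries.append(dict(zip(("label", "mountpoint", "mode"), fields)))
    return entries


def parse_wks(text):
    """Return (list of part option dicts, bootloader options) from a .wks text."""
    parts, bootloader = [], {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] not in ("part", "bootloader"):
            continue
        kind, rest, opts = tokens[0], tokens[1:], {}
        if kind == "part":  # the mountpoint is the only positional argument
            opts["mountpoint"] = rest.pop(0) if rest and not rest[0].startswith("--") else None
        i = 0
        while i < len(rest):
            tok = rest[i]
            if "=" in tok:                                       # --fstype=ext4
                key, val = tok[2:].split("=", 1)
                opts[key] = val
            elif i + 1 < len(rest) and not rest[i + 1].startswith("--"):
                opts[tok[2:]] = rest[i + 1]                      # --label home
                i += 1
            else:
                opts[tok[2:]] = True                             # bare flag
            i += 1
        if kind == "part":
            parts.append(opts)
        else:
            bootloader = opts
    return parts, bootloader


def lint(crypt_partitions, wks_text):
    """Return findings plus the root= that the encrypted_<label> naming implies."""
    entries = parse_crypt_partitions(crypt_partitions)
    parts, bootloader = parse_wks(wks_text)
    findings = []
    labels = {p.get("label") for p in parts}
    for e in entries:
        if e["label"] not in labels:
            findings.append(f"label {e['label']!r} in CRYPT_PARTITIONS has no part line")
    # Two filesystems sharing a UUID make mount-by-UUID ambiguous; reencryption keeps the clash.
    by_fsuuid = defaultdict(list)
    for p in parts:
        if p.get("fsuuid"):
            by_fsuuid[p["fsuuid"]].append(p["mountpoint"])
    for fsuuid, mounts in by_fsuuid.items():
        if len(mounts) > 1:
            findings.append(f"--fsuuid {fsuuid} shared by {', '.join(mounts)}")
    # The hook opens each container as /dev/mapper/encrypted_<label>, so the "/" entry fixes root=.
    root_entry = next((e for e in entries if e["mountpoint"] == "/"), None)
    expected = f"/dev/mapper/encrypted_{root_entry['label']}" if root_entry else None
    append = bootloader.get("append", "")
    m = re.search(r"(?:^|\s)root=(\S+)", append if isinstance(append, str) else "")
    actual = m.group(1) if m else None
    if expected and actual != expected:
        findings.append(f"bootloader --append has root={actual}, expected {expected}")
    return {"findings": findings, "expected_root": expected, "actual_root": actual}
```

Run against the posted layout it reports exactly one finding, the --fsuuid shared by / and /home, and confirms that root=/dev/mapper/encrypted_platform matches the label of the "/" entry.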


* Re: [isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-20 11:49       ` Jan Kiszka
@ 2024-03-22  0:24         ` JohnW
  2024-03-25  8:34           ` [cip-dev] " Gylstorff Quirin
  0 siblings, 1 reply; 22+ messages in thread
From: JohnW @ 2024-03-22  0:24 UTC (permalink / raw)
  To: cip-dev

Thanks for sharing the example.

I'm trying to build the example and test it on my device using a USB as boot media. I am getting a Secure Boot Violation error (Invalid signature detected). Is there anything that I have to do to properly set up Secure Boot? I see that the KAS config automatically includes the secure boot recipes if encryption is selected.

If I disable secure boot in the BIOS, I get an "ERROR: Cannot probe watchdog (Unsupported)" error while it tries to boot.


* Re: [cip-dev] [isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-22  0:24         ` [isar-cip-core][RFC " JohnW
@ 2024-03-25  8:34           ` Gylstorff Quirin
  2024-03-25 17:48             ` JohnW
  0 siblings, 1 reply; 22+ messages in thread
From: Gylstorff Quirin @ 2024-03-25  8:34 UTC (permalink / raw)
  To: cip-dev



On 3/22/24 1:24 AM, JohnW via lists.cip-project.org wrote:
> Thanks for sharing the example.
> 
> I'm trying to build the example and test it on my device using a USB as
> boot media. I am getting a Secure Boot Violation error (Invalid signature
> detected). Is there anything that I have to do to properly set up Secure
> Boot? I see that the KAS config automatically includes the secure boot
> recipes if encryption is selected.

The Secure Boot certificates used by cip-core are the edk2 snakeoil
keys provided by Debian [1], [2].

This is working for the QEMU targets. For hardware you need to provide
your own Secure Boot certificates; see [3] for more information.

For testing you can disable Secure Boot.

[1]: 
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb?ref_type=heads

[2]: 
https://salsa.debian.org/qemu-team/edk2/-/blob/debian/debian/PkKek-1-snakeoil.pem?ref_type=heads

[3]: 
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/doc/README.secureboot.md?ref_type=heads

> 
> If I disable secure boot in the BIOS, I get an "ERROR: Cannot probe
> watchdog (Unsupported)" error while it tries to boot.

This sounds like your hardware has no watchdog, or the watchdog is not
supported by efibootguard, which should not be used in the RFC for root
file encryption. How did you build the image?

This should build a rootfs without efibootguard and with systemd-boot:

```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/encrypt_rootfs.yml
```


Quirin


* Re: [isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-25  8:34           ` [cip-dev] " Gylstorff Quirin
@ 2024-03-25 17:48             ` JohnW
  2024-03-28 10:14               ` [cip-dev] " Gylstorff Quirin
  0 siblings, 1 reply; 22+ messages in thread
From: JohnW @ 2024-03-25 17:48 UTC (permalink / raw)
  To: cip-dev

> 
> This should build an rootfs without efibootguard and with systemd-boot:
> 
> ```
> kas-container build
> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/encrypt_rootfs.yml
> ```

I tried this build and tried to boot this image from USB with secure boot disabled in the BIOS. The boot got stuck at
> 
> 
> EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
> EFI stub: Measured initrd data into PCR9

I currently have an image build based on ISAR with the GRUB boot loader that has secure boot working properly with all of my test devices. Is it possible to add the /opt/encrypt_rootfs.yml into that build?


* Re: [cip-dev] [isar-cip-core][RFC 8/8] Add example to encrypt the rootfs
  2024-03-25 17:48             ` JohnW
@ 2024-03-28 10:14               ` Gylstorff Quirin
  0 siblings, 0 replies; 22+ messages in thread
From: Gylstorff Quirin @ 2024-03-28 10:14 UTC (permalink / raw)
  To: cip-dev



On 3/25/24 6:48 PM, JohnW via lists.cip-project.org wrote:
>     This should build an rootfs without efibootguard and with systemd-boot:
> 
>     ```
>     kas-container build
>     kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/encrypt_rootfs.yml
>     ```
> 
> I tried this build and tried to boot this image from USB with secure
> boot disabled in the BIOS. The boot got stuck at
> 
>     EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
>     EFI stub: Measured initrd data into PCR9
> 
> I currently have an image build based on ISAR with the GRUB boot loader that
> has secure boot working properly with all of my test devices. Is it
> possible to add the /opt/encrypt_rootfs.yml into that build?


This should not be necessary; the only changes necessary to encrypt the
rootfs on top of v2 are:
  - using the custom initrd for the initrd changes
  - CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"

Quirin
