[cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs

[cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during
boot.

Adapt start-qemu to support tpm2.

Changes v2:
 - rewrite for multiple partition
 - add rencrypt for populated partitions
 - encrypt /var and /home

Quirin Gylstorff (7):
  linux-cip: update kernel configuration for tpm2 support
  use bullseye backports for systemd-cryptenroll
  start-qemu: If swtpm is available create a tpm2 device
  Add initramfs hook to encrypt a partition
  overlay: add prerequisite 'encrypt_partition'
  KConfig: add tpm option
  .gitlabci: Add ci build

 .gitlab-ci.yml                                |  13 ++
 Kconfig                                       |   8 ++
 conf/distro/debian-bullseye-backports.list    |   1 +
 .../preferences.bullseye-backports.tpm.conf   |   3 +
 kas/opt/tpm.yml                               |  20 +++
 .../files/encrypt_partition.env.tmpl          |   2 +
 .../files/encrypt_partition.hook              |  49 +++++++
 .../files/encrypt_partition.script            | 135 ++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb               |  37 +++++
 .../initramfs-overlay-hook/files/overlay.hook |   1 +
 .../files/overlay.script.tmpl                 |  12 +-
 recipes-kernel/linux/linux-cip-common.inc     |   2 +-
 start-qemu.sh                                 |  23 ++-
 wic/x86-efibootguard.wks.in                   |   4 +-
 14 files changed, 297 insertions(+), 13 deletions(-)
 create mode 100644 conf/distro/debian-bullseye-backports.list
 create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
 create mode 100644 kas/opt/tpm.yml
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb

-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 1/7] linux-cip: update kernel configuration for tpm2 support

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-kernel/linux/linux-cip-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 7148a98..6dda973 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -23,6 +23,6 @@ SRC_URI:append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi
     if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \
     }"
 
-SRCREV_cip-kernel-config ?= "ce52837418aea714e780e0cbc8afb9515c12cc1b"
+SRCREV_cip-kernel-config ?= "351538952cfa7c6336e83bf66ca4f3bbdc06f89b"
 
 S = "${WORKDIR}/linux-cip-${PV}"
-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Systemd >= 251 is required for systemd-cryptenroll. This version
is part of backports.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/distro/debian-bullseye-backports.list    |  1 +
 .../preferences.bullseye-backports.tpm.conf   |  3 +++
 kas/opt/tpm.yml                               | 20 +++++++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 conf/distro/debian-bullseye-backports.list
 create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
 create mode 100644 kas/opt/tpm.yml

diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list
new file mode 100644
index 0000000..3a55e4c
--- /dev/null
+++ b/conf/distro/debian-bullseye-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free
diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf
new file mode 100644
index 0000000..0905fbf
--- /dev/null
+++ b/conf/distro/preferences.bullseye-backports.tpm.conf
@@ -0,0 +1,3 @@
+Package: *
+Pin: release n=bullseye-backports
+Pin-Priority: 801
diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml
new file mode 100644
index 0000000..0e4dc95
--- /dev/null
+++ b/kas/opt/tpm.yml
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 12
+
+local_conf_header:
+  systemd-cryptenroll: |
+    DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list"
+    DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf"
+  image-option-tpm: |
+    INITRAMFS_INSTALL += " initramfs-crypt-hook"
-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows testing the tpm2 encryption with qemu.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 start-qemu.sh | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index dd16aed..3ef2acc 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \
 	-m 1G \
 	-serial mon:stdio \
 	-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
-	${QEMU_EXTRA_ARGS}"
+	"
 
 if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 	case "${arch}" in
 		x86|x86_64|amd64)
+			if [ -x /usr/bin/swtpm ]; then
+				swtpm_dir="/tmp/qemu-swtpm"
+				mkdir -p ${swtpm_dir}
+                rm ${swtpm_dir}/*
+				if swtpm socket -d --tpmstate dir=${swtpm_dir} \
+						 --ctrl type=unixio,path=${swtpm_dir}/sock \
+						 --tpm2; then
+					QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+                            -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+					 		-tpmdev emulator,id=tpm0,chardev=chrtpm \
+					 		-device tpm-tis,tpmdev=tpm0"
+				fi
+			fi
 			if [ -n "${SECURE_BOOT}" ]; then
 				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
 				ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
@@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
 					-drive if=pflash,format=raw,file=${ovmf_vars} \
 					-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-					${QEMU_COMMON_OPTIONS} "$@"
+					${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 			else
 				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
 
 				${QEMU_PATH}${QEMU} \
 					-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-					${QEMU_COMMON_OPTIONS} "$@"
+					${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 			fi
 			;;
 		arm64|aarch64|arm|armhf)
@@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 			${QEMU_PATH}${QEMU} \
 				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 				-bios ${u_boot_bin} \
-				${QEMU_COMMON_OPTIONS} "$@"
+				${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 			;;
 		*)
 			echo "Unsupported architecture: ${arch}"
@@ -187,5 +200,5 @@ else
 			-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
 			-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
 			-initrd ${INITRD_FILE} \
-			${QEMU_COMMON_OPTIONS} "$@"
+			${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 fi
-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This creates a new luks encrypted ext4 partition with a the
key stored in the tpm2.

The initial key is randomly generated and removed from the
LUKS partition. Therefore a new key cannot be added by the user
and if the LUKS header is corrupted the data is no longer readable.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.env.tmpl          |   2 +
 .../files/encrypt_partition.hook              |  49 +++++++
 .../files/encrypt_partition.script            | 135 ++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb               |  37 +++++
 wic/x86-efibootguard.wks.in                   |   4 +-
 5 files changed, 225 insertions(+), 2 deletions(-)
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
new file mode 100644
index 0000000..943fe4b
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -0,0 +1,2 @@
+PARTITIONS="${CRYPT_PARTITIONS}"
+REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
new file mode 100644
index 0000000..96e084a
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
@@ -0,0 +1,49 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2022
+#
+# SPDX-License-Identifier: MIT
+
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+manual_add_modules tpm
+manual_add_modules tpm_tis_core
+manual_add_modules tpm_tis
+manual_add_modules tpm_crb
+manual_add_modules dm_mod
+manual_add_modules dm_crypt
+
+copy_exec /usr/bin/openssl
+copy_exec /usr/sbin/mke2fs
+copy_exec /usr/bin/grep
+copy_exec /usr/bin/awk
+copy_exec /usr/bin/expr
+copy_exec /usr/sbin/e2fsck
+copy_exec /usr/sbin/resize2fs
+copy_exec /usr/sbin/cryptsetup
+copy_exec /usr/bin/systemd-cryptenroll
+copy_exec /usr/lib/systemd/systemd-cryptsetup
+
+if [ -x cryptsetup-reencrypt ]; then
+    copy_exec /usr/sbin/cryptsetup-reencrypt
+fi
+
+for _LIBRARY in /usr/lib/*/libtss2*; do
+    copy_exec "$_LIBRARY"
+done
+
+copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
new file mode 100644
index 0000000..e58794e
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -0,0 +1,135 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+prereqs()
+{
+	# Make sure that this script is run last in local-top
+	local req
+	for req in "${0%/*}"/*; do
+		script="${req##*/}"
+		if [ "$script" != "${0##*/}" ]; then
+			printf '%s\n' "$script"
+		fi
+	done
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+# load necessary kernel modules:
+modprobe tpm_tis
+modprobe tpm_crb
+
+# fixed tpm device or do we need to find it
+tpm_device=/dev/tpmrm0
+partition_sets="$PARTITIONS"
+
+open_tpm2_partition() {
+	if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
+		 "$1" - tpm2-device="$tpm_device"; then
+		panic "Can't decrypt '$1' !"
+	fi
+}
+
+enroll_tpm2_token() {
+	#check systemd version and export password if necessary
+	if [ -x /usr/bin/systemd-cryptenroll ]; then
+		systemd_version=$(systemd-cryptenroll --version | \
+							  awk -F " " 'NR==1{print $2 }')
+		#check systemd version and export password if necessary
+		if [ "$systemd_version" -ge "251" ]; then
+			PASSWORD=$(cat "$2" )
+			export PASSWORD
+			/usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
+										 --tpm2-pcrs=7 "$1"
+			PASSWORD=
+		else
+			panic "Unknown systemd version: '$systemd_version'!"
+		fi
+	fi
+}
+
+reencrypt_existing_partition() {
+	part_device=$(readlink -f "$partition")
+	part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
+	reduced_size=$(expr $part_size_blocks - 65536 )
+	reduced_size_in_byte=$(expr $reduced_size \* 512)
+	reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
+	resize2fs "$1" "$reduced_size_in_kb"
+	if [ -x cryptsetup-reencrypt ]; then
+		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
+	else
+		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
+	fi
+
+}
+
+
+if [ ! -e "$tpm_device" ]; then
+	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+fi
+
+for partition_set in $partition_sets; do
+	partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}')
+	partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}')
+	partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}')
+	partition=/dev/disk/by-partlabel/$partition_label
+	crypt_mount_name="encrypted_$partition_label"
+	decrypted_part=/dev/mapper/"$crypt_mount_name"
+
+	# check if partition is already encrypted with systemd-tpm2
+	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+			| grep -q "systemd-tpm2"; then
+		open_tpm2_partition "$partition"
+		if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
+		    panic "Can't mount encrypted partition '${decrypted_part}'!"
+		fi
+		continue
+	fi
+
+	# create random password for initial encryption
+	# this will be dropped after reboot
+	tmp_key=/tmp/"$partition_label-lukskey"
+	openssl rand -base64 32 > "$tmp_key"
+
+	case "${partition_format}" in
+        "reencrypt")
+		    reencrypt_existing_partition "$partition" "$tmp_key"
+		    enroll_tpm2_token "$partition" "$tmp_key"
+		    open_tpm2_partition "$partition"
+        ;;
+        "format")
+		    /usr/sbin/cryptsetup luksFormat --batch-mode \
+							     --type luks2 "$partition" < "$tmp_key"
+		    enroll_tpm2_token "$partition" "$tmp_key"
+		    open_tpm2_partition_tpm2_partition "$partition"
+		    mke2fs -t ext4 "${decrypted_part}"
+        ;;
+        *)
+		    panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
+         ;;
+	esac
+
+	if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
+		panic "Can't mount encrypted partition '${decrypted_part}'!"
+	fi
+
+	# delete initial key
+	# afterwards no new keys can be enrolled
+	/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
+done
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
new file mode 100644
index 0000000..ba2b884
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -0,0 +1,37 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+
+inherit dpkg-raw
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
+    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs"
+
+SRC_URI += "file://encrypt_partition.hook \
+            file://encrypt_partition.script \
+    file://encrypt_partition.env.tmpl"
+
+CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
+CRYPT_REDUDUCE_DEVICE_SIZE="32M"
+
+TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
+TEMPLATE_FILES = "encrypt_partition.env.tmpl"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/encrypt_partition \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+do_install() {
+    install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
+    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
+    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
+}
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index b635a8b..1d29583 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -7,7 +7,7 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1
 part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}"
 
 # home and var are extra partitions
-part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G
-part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M 
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
 
 bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 5/7] overlay: add prerequisite 'encrypt_partition'

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If /var shall be encrypted encrypt_partition needs to be executed
before the overlay script.

If the prerequisite is not available the overlay script will be executed.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-overlay-hook/files/overlay.hook        |  1 +
 .../initramfs-overlay-hook/files/overlay.script.tmpl | 12 +++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
index 5bec258..bc6a682 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
@@ -23,4 +23,5 @@ esac
 . /usr/share/initramfs-tools/hook-functions
 
 manual_add_modules overlay
+copy_exec /usr/bin/grep
 copy_exec /usr/bin/awk
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
index 87ec72f..9739197 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
@@ -9,7 +9,7 @@
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
 #
 
-PREREQ=""
+PREREQ="encrypt_partition"
 
 prereqs()
 {
@@ -33,10 +33,12 @@ ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}"
 
 root_mount_storage=${rootmnt}${ovl_storage_path}
 
-if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \
-	   /dev/disk/by-label/${ovl_partition_label} \
-	   ${rootmnt}/${ovl_partition_label}; then
-	panic "Can't mount /${ovl_partition_label} partition - overlay will not work!"
+if ! grep -q "${rootmnt}/${ovl_partition_label}" /proc/mounts ; then
+	if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \
+		 /dev/disk/by-label/${ovl_partition_label} \
+		 ${rootmnt}/${ovl_partition_label}; then
+		panic "Can't mount /${ovl_partition_label} partition - overlay will not work!"
+	fi
 fi
 
 for ovl_lower_dir in ${ovl_lower_dirs}; do
-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 6/7] KConfig: add tpm option

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Kconfig b/Kconfig
index cd24ce2..d976e5b 100644
--- a/Kconfig
+++ b/Kconfig
@@ -189,4 +189,12 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
 	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
 	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
 
+config IMAGE_TPM2_ENCRYPTION
+	bool "Encrypt partitions on first boot with TPM2"
+	depends on TARGET_QEMU_AMD64
+
+config KAS_IMAGE_TPM2_ENCRYPTION
+	string
+	default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION
+
 endif
-- 
2.39.1

[cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .gitlab-ci.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f7c8c88..c6dcab6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,6 +5,7 @@ variables:
   release: bullseye
   extension: none
   use_rt: enable
+  tpm: disable
   wic_targz: enable
   targz: disable
   dtb: none
@@ -37,6 +38,7 @@ default:
     - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi
     - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
     - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
+    - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi
     - echo "Building ${base_yaml}"
     - kas build ${base_yaml}
     - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
@@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot:
     wic_targz: disable
     deploy: disable
 
+build:qemu-amd64-secure-boot-tpm:
+  extends:
+    - .build_base
+  variables:
+    target: qemu-amd64
+    extension: ebg-secure-boot-snakeoil
+    use_rt: disable
+    wic_targz: disable
+    deploy: disable
+    tpm: enable
+
 build:qemu-amd64-swupdate:
   extends:
     - .build_base
-- 
2.39.1

Re: [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device

[Jan Kiszka]

On 17.02.23 14:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows testing the tpm2 encryption with qemu.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  start-qemu.sh | 23 ++++++++++++++++++-----
>  1 file changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/start-qemu.sh b/start-qemu.sh
> index dd16aed..3ef2acc 100755
> --- a/start-qemu.sh
> +++ b/start-qemu.sh
> @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \
>  	-m 1G \
>  	-serial mon:stdio \
>  	-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
> -	${QEMU_EXTRA_ARGS}"
> +	"
>  
>  if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>  	case "${arch}" in
>  		x86|x86_64|amd64)
> +			if [ -x /usr/bin/swtpm ]; then
> +				swtpm_dir="/tmp/qemu-swtpm"
> +				mkdir -p ${swtpm_dir}
> +                rm ${swtpm_dir}/*
> +				if swtpm socket -d --tpmstate dir=${swtpm_dir} \
> +						 --ctrl type=unixio,path=${swtpm_dir}/sock \
> +						 --tpm2; then
> +					QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
> +                            -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
> +					 		-tpmdev emulator,id=tpm0,chardev=chrtpm \
> +					 		-device tpm-tis,tpmdev=tpm0"
> +				fi
> +			fi

There are some space-based indentions in this block, messing things up
visually.

Jan

>  			if [ -n "${SECURE_BOOT}" ]; then
>  				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
>  				ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
> @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>  					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
>  					-drive if=pflash,format=raw,file=${ovmf_vars} \
>  					-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
> -					${QEMU_COMMON_OPTIONS} "$@"
> +					${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>  			else
>  				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
>  
>  				${QEMU_PATH}${QEMU} \
>  					-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>  					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
> -					${QEMU_COMMON_OPTIONS} "$@"
> +					${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>  			fi
>  			;;
>  		arm64|aarch64|arm|armhf)
> @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>  			${QEMU_PATH}${QEMU} \
>  				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>  				-bios ${u_boot_bin} \
> -				${QEMU_COMMON_OPTIONS} "$@"
> +				${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>  			;;
>  		*)
>  			echo "Unsupported architecture: ${arch}"
> @@ -187,5 +200,5 @@ else
>  			-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
>  			-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
>  			-initrd ${INITRD_FILE} \
> -			${QEMU_COMMON_OPTIONS} "$@"
> +			${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>  fi

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Jan Kiszka]

On 17.02.23 14:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This creates a new luks encrypted ext4 partition with a the
> key stored in the tpm2.
> 
> The initial key is randomly generated and removed from the
> LUKS partition. Therefore a new key cannot be added by the user
> and if the LUKS header is corrupted the data is no longer readable.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/encrypt_partition.env.tmpl          |   2 +
>  .../files/encrypt_partition.hook              |  49 +++++++
>  .../files/encrypt_partition.script            | 135 ++++++++++++++++++
>  .../initramfs-crypt-hook_0.1.bb               |  37 +++++
>  wic/x86-efibootguard.wks.in                   |   4 +-
>  5 files changed, 225 insertions(+), 2 deletions(-)
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> new file mode 100644
> index 0000000..943fe4b
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -0,0 +1,2 @@
> +PARTITIONS="${CRYPT_PARTITIONS}"
> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"

Did you mean "REDUCE"?

And what is this variable for?

> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
> new file mode 100644
> index 0000000..96e084a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +# Copyright (C) Siemens AG, 2020-2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +PREREQ=""
> +
> +prereqs()
> +{
> +     echo "$PREREQ"
> +}
> +
> +case $1 in
> +prereqs)
> +     prereqs
> +     exit 0
> +     ;;
> +esac
> +
> +. /usr/share/initramfs-tools/scripts/functions
> +. /usr/share/initramfs-tools/hook-functions
> +
> +manual_add_modules tpm
> +manual_add_modules tpm_tis_core
> +manual_add_modules tpm_tis
> +manual_add_modules tpm_crb
> +manual_add_modules dm_mod
> +manual_add_modules dm_crypt
> +
> +copy_exec /usr/bin/openssl
> +copy_exec /usr/sbin/mke2fs
> +copy_exec /usr/bin/grep
> +copy_exec /usr/bin/awk
> +copy_exec /usr/bin/expr
> +copy_exec /usr/sbin/e2fsck
> +copy_exec /usr/sbin/resize2fs
> +copy_exec /usr/sbin/cryptsetup
> +copy_exec /usr/bin/systemd-cryptenroll
> +copy_exec /usr/lib/systemd/systemd-cryptsetup
> +
> +if [ -x cryptsetup-reencrypt ]; then
> +    copy_exec /usr/sbin/cryptsetup-reencrypt
> +fi
> +
> +for _LIBRARY in /usr/lib/*/libtss2*; do
> +    copy_exec "$_LIBRARY"
> +done
> +
> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> new file mode 100644
> index 0000000..e58794e
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -0,0 +1,135 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +prereqs()
> +{
> +	# Make sure that this script is run last in local-top
> +	local req
> +	for req in "${0%/*}"/*; do
> +		script="${req##*/}"
> +		if [ "$script" != "${0##*/}" ]; then
> +			printf '%s\n' "$script"
> +		fi
> +	done
> +}
> +case $1 in
> +prereqs)
> +	prereqs
> +	exit 0
> +	;;
> +esac
> +
> +. /scripts/functions
> +
> +# get configuration variables
> +. /usr/share/encrypt_partition/encrypt_partition.env
> +
> +# load necessary kernel modules:
> +modprobe tpm_tis
> +modprobe tpm_crb
> +
> +# fixed tpm device or do we need to find it
> +tpm_device=/dev/tpmrm0
> +partition_sets="$PARTITIONS"
> +
> +open_tpm2_partition() {
> +	if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
> +		 "$1" - tpm2-device="$tpm_device"; then
> +		panic "Can't decrypt '$1' !"
> +	fi
> +}
> +
> +enroll_tpm2_token() {
> +	#check systemd version and export password if necessary
> +	if [ -x /usr/bin/systemd-cryptenroll ]; then

And if that file does not exist? No error? No bail-out?

> +		systemd_version=$(systemd-cryptenroll --version | \
> +							  awk -F " " 'NR==1{print $2 }')
> +		#check systemd version and export password if necessary
> +		if [ "$systemd_version" -ge "251" ]; then
> +			PASSWORD=$(cat "$2" )
> +			export PASSWORD
> +			/usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
> +										 --tpm2-pcrs=7 "$1"
> +			PASSWORD=
> +		else
> +			panic "Unknown systemd version: '$systemd_version'!"
> +		fi
> +	fi
> +}
> +
> +reencrypt_existing_partition() {
> +	part_device=$(readlink -f "$partition")
> +	part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
> +	reduced_size=$(expr $part_size_blocks - 65536 )
> +	reduced_size_in_byte=$(expr $reduced_size \* 512)
> +	reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
> +	resize2fs "$1" "$reduced_size_in_kb"
> +	if [ -x cryptsetup-reencrypt ]; then
> +		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> +	else
> +		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> +	fi
> +
> +}
> +
> +

One newline should be enough here.

> +if [ ! -e "$tpm_device" ]; then
> +	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
> +fi
> +
> +for partition_set in $partition_sets; do
> +	partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}')
> +	partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}')
> +	partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}')
> +	partition=/dev/disk/by-partlabel/$partition_label
> +	crypt_mount_name="encrypted_$partition_label"
> +	decrypted_part=/dev/mapper/"$crypt_mount_name"
> +
> +	# check if partition is already encrypted with systemd-tpm2
> +	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> +			| grep -q "systemd-tpm2"; then
> +		open_tpm2_partition "$partition"
> +		if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> +		    panic "Can't mount encrypted partition '${decrypted_part}'!"
> +		fi
> +		continue
> +	fi
> +
> +	# create random password for initial encryption
> +	# this will be dropped after reboot
> +	tmp_key=/tmp/"$partition_label-lukskey"
> +	openssl rand -base64 32 > "$tmp_key"
> +
> +	case "${partition_format}" in
> +        "reencrypt")
> +		    reencrypt_existing_partition "$partition" "$tmp_key"
> +		    enroll_tpm2_token "$partition" "$tmp_key"
> +		    open_tpm2_partition "$partition"
> +        ;;
> +        "format")
> +		    /usr/sbin/cryptsetup luksFormat --batch-mode \
> +							     --type luks2 "$partition" < "$tmp_key"
> +		    enroll_tpm2_token "$partition" "$tmp_key"
> +		    open_tpm2_partition_tpm2_partition "$partition"
> +		    mke2fs -t ext4 "${decrypted_part}"

We likely want to make this line configurable at recipe-level, both
regarding fs options as well as the fs type itself.

> +        ;;
> +        *)
> +		    panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
> +         ;;
> +	esac
> +
> +	if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> +		panic "Can't mount encrypted partition '${decrypted_part}'!"
> +	fi
> +
> +	# delete initial key
> +	# afterwards no new keys can be enrolled
> +	/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
> +done
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> new file mode 100644
> index 0000000..ba2b884
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -0,0 +1,37 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2020-2022
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +
> +inherit dpkg-raw
> +
> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
> +    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs"
> +
> +SRC_URI += "file://encrypt_partition.hook \
> +            file://encrypt_partition.script \
> +    file://encrypt_partition.env.tmpl"
> +
> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
> +
> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
> +
> +do_install[cleandirs] += " \
> +    ${D}/usr/share/initramfs-tools/hooks \
> +    ${D}/usr/share/encrypt_partition \
> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +do_install() {
> +    install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
> +    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
> +        "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
> +    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
> +        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
> +}
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
> index b635a8b..1d29583 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1
>  part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}"
>  
>  # home and var are extra partitions
> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G
> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G
> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M 
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
>  
>  bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build

[Jan Kiszka]

On 17.02.23 14:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .gitlab-ci.yml | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index f7c8c88..c6dcab6 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -5,6 +5,7 @@ variables:
>    release: bullseye
>    extension: none
>    use_rt: enable
> +  tpm: disable
>    wic_targz: enable
>    targz: disable
>    dtb: none
> @@ -37,6 +38,7 @@ default:
>      - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi
>      - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
>      - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
> +    - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi
>      - echo "Building ${base_yaml}"
>      - kas build ${base_yaml}
>      - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
> @@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot:
>      wic_targz: disable
>      deploy: disable
>  
> +build:qemu-amd64-secure-boot-tpm:
> +  extends:
> +    - .build_base
> +  variables:
> +    target: qemu-amd64
> +    extension: ebg-secure-boot-snakeoil
> +    use_rt: disable
> +    wic_targz: disable
> +    deploy: disable
> +    tpm: enable
> +

Do we then still need to build-test the non-tpm swupdate variant of
qemu-amd64?

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build

[Gylstorff Quirin]

[-- Attachment #1: Type: text/plain, Size: 1838 bytes --]



On 2/17/23 15:55, Jan Kiszka wrote:
> On 17.02.23 14:05, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .gitlab-ci.yml | 13 +++++++++++++
>>   1 file changed, 13 insertions(+)
>>
>> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
>> index f7c8c88..c6dcab6 100644
>> --- a/.gitlab-ci.yml
>> +++ b/.gitlab-ci.yml
>> @@ -5,6 +5,7 @@ variables:
>>     release: bullseye
>>     extension: none
>>     use_rt: enable
>> +  tpm: disable
>>     wic_targz: enable
>>     targz: disable
>>     dtb: none
>> @@ -37,6 +38,7 @@ default:
>>       - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi
>>       - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
>>       - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
>> +    - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi
>>       - echo "Building ${base_yaml}"
>>       - kas build ${base_yaml}
>>       - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
>> @@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot:
>>       wic_targz: disable
>>       deploy: disable
>>   
>> +build:qemu-amd64-secure-boot-tpm:
>> +  extends:
>> +    - .build_base
>> +  variables:
>> +    target: qemu-amd64
>> +    extension: ebg-secure-boot-snakeoil
>> +    use_rt: disable
>> +    wic_targz: disable
>> +    deploy: disable
>> +    tpm: enable
>> +
> 
> Do we then still need to build-test the non-tpm swupdate variant of
> qemu-amd64?

I currently use the non-tpm swupdate build as a check that adding the 
tpm didn't break anything. But we can remove it.

Quirin
> 
> Jan
> 

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 7613 bytes --]

Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Gylstorff Quirin]

[-- Attachment #1: Type: text/plain, Size: 11626 bytes --]



On 2/17/23 15:53, Jan Kiszka wrote:
> On 17.02.23 14:05, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This creates a new luks encrypted ext4 partition with a the
>> key stored in the tpm2.
>>
>> The initial key is randomly generated and removed from the
>> LUKS partition. Therefore a new key cannot be added by the user
>> and if the LUKS header is corrupted the data is no longer readable.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../files/encrypt_partition.env.tmpl          |   2 +
>>   .../files/encrypt_partition.hook              |  49 +++++++
>>   .../files/encrypt_partition.script            | 135 ++++++++++++++++++
>>   .../initramfs-crypt-hook_0.1.bb               |  37 +++++
>>   wic/x86-efibootguard.wks.in                   |   4 +-
>>   5 files changed, 225 insertions(+), 2 deletions(-)
>>   create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>   create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>   create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>   create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> new file mode 100644
>> index 0000000..943fe4b
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> @@ -0,0 +1,2 @@
>> +PARTITIONS="${CRYPT_PARTITIONS}"
>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
> 
> Did you mean "REDUCE"?
That was my intenion will fix it in v3.
> 
> And what is this variable for?

If you use online reencryption on a populated partition you need to 
create the space for the LUKS header. The necessary minimum size is 32MB.
As an alternative you can detach the LUKS header.


> 
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>> new file mode 100644
>> index 0000000..96e084a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>> @@ -0,0 +1,49 @@
>> +#!/bin/sh
>> +# Copyright (C) Siemens AG, 2020-2022
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +PREREQ=""
>> +
>> +prereqs()
>> +{
>> +     echo "$PREREQ"
>> +}
>> +
>> +case $1 in
>> +prereqs)
>> +     prereqs
>> +     exit 0
>> +     ;;
>> +esac
>> +
>> +. /usr/share/initramfs-tools/scripts/functions
>> +. /usr/share/initramfs-tools/hook-functions
>> +
>> +manual_add_modules tpm
>> +manual_add_modules tpm_tis_core
>> +manual_add_modules tpm_tis
>> +manual_add_modules tpm_crb
>> +manual_add_modules dm_mod
>> +manual_add_modules dm_crypt
>> +
>> +copy_exec /usr/bin/openssl
>> +copy_exec /usr/sbin/mke2fs
>> +copy_exec /usr/bin/grep
>> +copy_exec /usr/bin/awk
>> +copy_exec /usr/bin/expr
>> +copy_exec /usr/sbin/e2fsck
>> +copy_exec /usr/sbin/resize2fs
>> +copy_exec /usr/sbin/cryptsetup
>> +copy_exec /usr/bin/systemd-cryptenroll
>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>> +
>> +if [ -x cryptsetup-reencrypt ]; then
>> +    copy_exec /usr/sbin/cryptsetup-reencrypt
>> +fi
>> +
>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>> +    copy_exec "$_LIBRARY"
>> +done
>> +
>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>> new file mode 100644
>> index 0000000..e58794e
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>> @@ -0,0 +1,135 @@
>> +#!/bin/sh
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +prereqs()
>> +{
>> +	# Make sure that this script is run last in local-top
>> +	local req
>> +	for req in "${0%/*}"/*; do
>> +		script="${req##*/}"
>> +		if [ "$script" != "${0##*/}" ]; then
>> +			printf '%s\n' "$script"
>> +		fi
>> +	done
>> +}
>> +case $1 in
>> +prereqs)
>> +	prereqs
>> +	exit 0
>> +	;;
>> +esac
>> +
>> +. /scripts/functions
>> +
>> +# get configuration variables
>> +. /usr/share/encrypt_partition/encrypt_partition.env
>> +
>> +# load necessary kernel modules:
>> +modprobe tpm_tis
>> +modprobe tpm_crb
>> +
>> +# fixed tpm device or do we need to find it
>> +tpm_device=/dev/tpmrm0
>> +partition_sets="$PARTITIONS"
>> +
>> +open_tpm2_partition() {
>> +	if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
>> +		 "$1" - tpm2-device="$tpm_device"; then
>> +		panic "Can't decrypt '$1' !"
>> +	fi
>> +}
>> +
>> +enroll_tpm2_token() {
>> +	#check systemd version and export password if necessary
>> +	if [ -x /usr/bin/systemd-cryptenroll ]; then
> 
> And if that file does not exist? No error? No bail-out?
>

I will remove that check and move it to the hook and fail during build 
time. Is that better?

>> +		systemd_version=$(systemd-cryptenroll --version | \
>> +							  awk -F " " 'NR==1{print $2 }')
>> +		#check systemd version and export password if necessary
>> +		if [ "$systemd_version" -ge "251" ]; then
>> +			PASSWORD=$(cat "$2" )
>> +			export PASSWORD
>> +			/usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
>> +										 --tpm2-pcrs=7 "$1"
>> +			PASSWORD=
>> +		else
>> +			panic "Unknown systemd version: '$systemd_version'!"
>> +		fi
>> +	fi
>> +}
>> +
>> +reencrypt_existing_partition() {
>> +	part_device=$(readlink -f "$partition")
>> +	part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>> +	reduced_size=$(expr $part_size_blocks - 65536 )
>> +	reduced_size_in_byte=$(expr $reduced_size \* 512)
>> +	reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>> +	resize2fs "$1" "$reduced_size_in_kb"
>> +	if [ -x cryptsetup-reencrypt ]; then
>> +		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> +	else
>> +		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> +	fi
>> +
>> +}
>> +
>> +
> 
> One newline should be enough here.
Will fix in v3.

> 
>> +if [ ! -e "$tpm_device" ]; then
>> +	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
>> +fi
>> +
>> +for partition_set in $partition_sets; do
>> +	partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}')
>> +	partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}')
>> +	partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}')
>> +	partition=/dev/disk/by-partlabel/$partition_label
>> +	crypt_mount_name="encrypted_$partition_label"
>> +	decrypted_part=/dev/mapper/"$crypt_mount_name"
>> +
>> +	# check if partition is already encrypted with systemd-tpm2
>> +	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>> +			| grep -q "systemd-tpm2"; then
>> +		open_tpm2_partition "$partition"
>> +		if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> +		    panic "Can't mount encrypted partition '${decrypted_part}'!"
>> +		fi
>> +		continue
>> +	fi
>> +
>> +	# create random password for initial encryption
>> +	# this will be dropped after reboot
>> +	tmp_key=/tmp/"$partition_label-lukskey"
>> +	openssl rand -base64 32 > "$tmp_key"
>> +
>> +	case "${partition_format}" in
>> +        "reencrypt")
>> +		    reencrypt_existing_partition "$partition" "$tmp_key"
>> +		    enroll_tpm2_token "$partition" "$tmp_key"
>> +		    open_tpm2_partition "$partition"
>> +        ;;
>> +        "format")
>> +		    /usr/sbin/cryptsetup luksFormat --batch-mode \
>> +							     --type luks2 "$partition" < "$tmp_key"
>> +		    enroll_tpm2_token "$partition" "$tmp_key"
>> +		    open_tpm2_partition_tpm2_partition "$partition"
>> +		    mke2fs -t ext4 "${decrypted_part}"
> 
> We likely want to make this line configurable at recipe-level, both
> regarding fs options as well as the fs type itself.

I will add an additional field to the configuration string.

> 
>> +        ;;
>> +        *)
>> +		    panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
>> +         ;;
>> +	esac
>> +
>> +	if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> +		panic "Can't mount encrypted partition '${decrypted_part}'!"
>> +	fi
>> +
>> +	# delete initial key
>> +	# afterwards no new keys can be enrolled
>> +	/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>> +done
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> new file mode 100644
>> index 0000000..ba2b884
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> @@ -0,0 +1,37 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2020-2022
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +
>> +inherit dpkg-raw
>> +
>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>> +    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs"
>> +
>> +SRC_URI += "file://encrypt_partition.hook \
>> +            file://encrypt_partition.script \
>> +    file://encrypt_partition.env.tmpl"
>> +
>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>> +
>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>> +
>> +do_install[cleandirs] += " \
>> +    ${D}/usr/share/initramfs-tools/hooks \
>> +    ${D}/usr/share/encrypt_partition \
>> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>> +do_install() {
>> +    install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>> +    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>> +        "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
>> +    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>> +        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>> +}
>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
>> index b635a8b..1d29583 100644
>> --- a/wic/x86-efibootguard.wks.in
>> +++ b/wic/x86-efibootguard.wks.in
>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1
>>   part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}"
>>   
>>   # home and var are extra partitions
>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G
>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G
>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M
>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
>>   
>>   bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
> 
> Jan
> 
Thanks for the review
Quirin

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 7613 bytes --]

Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Jan Kiszka]

On 17.02.23 16:06, Gylstorff Quirin wrote:
> 
> 
> On 2/17/23 15:53, Jan Kiszka wrote:
>> On 17.02.23 14:05, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> This creates a new luks encrypted ext4 partition with a the
>>> key stored in the tpm2.
>>>
>>> The initial key is randomly generated and removed from the
>>> LUKS partition. Therefore a new key cannot be added by the user
>>> and if the LUKS header is corrupted the data is no longer readable.
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>   .../files/encrypt_partition.env.tmpl          |   2 +
>>>   .../files/encrypt_partition.hook              |  49 +++++++
>>>   .../files/encrypt_partition.script            | 135 ++++++++++++++++++
>>>   .../initramfs-crypt-hook_0.1.bb               |  37 +++++
>>>   wic/x86-efibootguard.wks.in                   |   4 +-
>>>   5 files changed, 225 insertions(+), 2 deletions(-)
>>>   create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>   create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>   create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>   create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> new file mode 100644
>>> index 0000000..943fe4b
>>> --- /dev/null
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> @@ -0,0 +1,2 @@
>>> +PARTITIONS="${CRYPT_PARTITIONS}"
>>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
>>
>> Did you mean "REDUCE"?
> That was my intenion will fix it in v3.
>>
>> And what is this variable for?
> 
> If you use online reencryption on a populated partition you need to
> create the space for the LUKS header. The necessary minimum size is 32MB.
> As an alternative you can detach the LUKS header.
> 

And what does this variable contribute to that?

> 
>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> new file mode 100644
>>> index 0000000..96e084a
>>> --- /dev/null
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> @@ -0,0 +1,49 @@
>>> +#!/bin/sh
>>> +# Copyright (C) Siemens AG, 2020-2022
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +
>>> +PREREQ=""
>>> +
>>> +prereqs()
>>> +{
>>> +     echo "$PREREQ"
>>> +}
>>> +
>>> +case $1 in
>>> +prereqs)
>>> +     prereqs
>>> +     exit 0
>>> +     ;;
>>> +esac
>>> +
>>> +. /usr/share/initramfs-tools/scripts/functions
>>> +. /usr/share/initramfs-tools/hook-functions
>>> +
>>> +manual_add_modules tpm
>>> +manual_add_modules tpm_tis_core
>>> +manual_add_modules tpm_tis
>>> +manual_add_modules tpm_crb
>>> +manual_add_modules dm_mod
>>> +manual_add_modules dm_crypt
>>> +
>>> +copy_exec /usr/bin/openssl
>>> +copy_exec /usr/sbin/mke2fs
>>> +copy_exec /usr/bin/grep
>>> +copy_exec /usr/bin/awk
>>> +copy_exec /usr/bin/expr
>>> +copy_exec /usr/sbin/e2fsck
>>> +copy_exec /usr/sbin/resize2fs
>>> +copy_exec /usr/sbin/cryptsetup
>>> +copy_exec /usr/bin/systemd-cryptenroll
>>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>>> +
>>> +if [ -x cryptsetup-reencrypt ]; then
>>> +    copy_exec /usr/sbin/cryptsetup-reencrypt
>>> +fi
>>> +
>>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>>> +    copy_exec "$_LIBRARY"
>>> +done
>>> +
>>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
>>> /usr/share/encrypt_partition/encrypt_partition.env
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>> new file mode 100644
>>> index 0000000..e58794e
>>> --- /dev/null
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>> @@ -0,0 +1,135 @@
>>> +#!/bin/sh
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2023
>>> +#
>>> +# Authors:
>>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +prereqs()
>>> +{
>>> +    # Make sure that this script is run last in local-top
>>> +    local req
>>> +    for req in "${0%/*}"/*; do
>>> +        script="${req##*/}"
>>> +        if [ "$script" != "${0##*/}" ]; then
>>> +            printf '%s\n' "$script"
>>> +        fi
>>> +    done
>>> +}
>>> +case $1 in
>>> +prereqs)
>>> +    prereqs
>>> +    exit 0
>>> +    ;;
>>> +esac
>>> +
>>> +. /scripts/functions
>>> +
>>> +# get configuration variables
>>> +. /usr/share/encrypt_partition/encrypt_partition.env
>>> +
>>> +# load necessary kernel modules:
>>> +modprobe tpm_tis
>>> +modprobe tpm_crb
>>> +
>>> +# fixed tpm device or do we need to find it
>>> +tpm_device=/dev/tpmrm0
>>> +partition_sets="$PARTITIONS"
>>> +
>>> +open_tpm2_partition() {
>>> +    if ! /usr/lib/systemd/systemd-cryptsetup attach
>>> "$crypt_mount_name" \
>>> +         "$1" - tpm2-device="$tpm_device"; then
>>> +        panic "Can't decrypt '$1' !"
>>> +    fi
>>> +}
>>> +
>>> +enroll_tpm2_token() {
>>> +    #check systemd version and export password if necessary
>>> +    if [ -x /usr/bin/systemd-cryptenroll ]; then
>>
>> And if that file does not exist? No error? No bail-out?
>>
> 
> I will remove that check and move it to the hook and fail during build
> time. Is that better?

I just want to avoid that a realistic error leads to improper error
handling. Even worse if that could lead to a usable but unencrypted
partition.

> 
>>> +        systemd_version=$(systemd-cryptenroll --version | \
>>> +                              awk -F " " 'NR==1{print $2 }')
>>> +        #check systemd version and export password if necessary
>>> +        if [ "$systemd_version" -ge "251" ]; then
>>> +            PASSWORD=$(cat "$2" )
>>> +            export PASSWORD
>>> +            /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
>>> +                                         --tpm2-pcrs=7 "$1"
>>> +            PASSWORD=
>>> +        else
>>> +            panic "Unknown systemd version: '$systemd_version'!"
>>> +        fi
>>> +    fi
>>> +}
>>> +
>>> +reencrypt_existing_partition() {
>>> +    part_device=$(readlink -f "$partition")
>>> +    part_size_blocks=$(cat /sys/class/block/"$(awk -v
>>> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>>> +    reduced_size=$(expr $part_size_blocks - 65536 )
>>> +    reduced_size_in_byte=$(expr $reduced_size \* 512)
>>> +    reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>>> +    resize2fs "$1" "$reduced_size_in_kb"
>>> +    if [ -x cryptsetup-reencrypt ]; then
>>> +        /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size
>>> "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>> +    else
>>> +        /usr/sbin/cryptsetup reencrypt --encrypt
>>> --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>> +    fi
>>> +
>>> +}
>>> +
>>> +
>>
>> One newline should be enough here.
> Will fix in v3.
> 
>>
>>> +if [ ! -e "$tpm_device" ]; then
>>> +    panic "tpm device '$tpm_device' does not exists - cannot create
>>> a encrypted device!"
>>> +fi
>>> +
>>> +for partition_set in $partition_sets; do
>>> +    partition_label=$(awk -v var=$partition_set
>>> 'BEGIN{split(var,a,":"); print a[1]}')
>>> +    partition_mountpoint=$(awk -v var=$partition_set
>>> 'BEGIN{split(var,a,":"); print a[2]}')
>>> +    partition_format=$(awk -v var=$partition_set
>>> 'BEGIN{split(var,a,":"); print a[3]}')
>>> +    partition=/dev/disk/by-partlabel/$partition_label
>>> +    crypt_mount_name="encrypted_$partition_label"
>>> +    decrypted_part=/dev/mapper/"$crypt_mount_name"
>>> +
>>> +    # check if partition is already encrypted with systemd-tpm2
>>> +    if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>>> +            | grep -q "systemd-tpm2"; then
>>> +        open_tpm2_partition "$partition"
>>> +        if ! mount -t $(get_fstype "${decrypted_part}")
>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>> +            panic "Can't mount encrypted partition
>>> '${decrypted_part}'!"
>>> +        fi
>>> +        continue
>>> +    fi
>>> +
>>> +    # create random password for initial encryption
>>> +    # this will be dropped after reboot
>>> +    tmp_key=/tmp/"$partition_label-lukskey"
>>> +    openssl rand -base64 32 > "$tmp_key"
>>> +
>>> +    case "${partition_format}" in
>>> +        "reencrypt")
>>> +            reencrypt_existing_partition "$partition" "$tmp_key"
>>> +            enroll_tpm2_token "$partition" "$tmp_key"
>>> +            open_tpm2_partition "$partition"
>>> +        ;;
>>> +        "format")
>>> +            /usr/sbin/cryptsetup luksFormat --batch-mode \
>>> +                                 --type luks2 "$partition" < "$tmp_key"
>>> +            enroll_tpm2_token "$partition" "$tmp_key"
>>> +            open_tpm2_partition_tpm2_partition "$partition"
>>> +            mke2fs -t ext4 "${decrypted_part}"
>>
>> We likely want to make this line configurable at recipe-level, both
>> regarding fs options as well as the fs type itself.
> 
> I will add an additional field to the configuration string.
> 
>>
>>> +        ;;
>>> +        *)
>>> +            panic "Unknown value ${partition_format}. Cannot create
>>> a encrypted partition !"
>>> +         ;;
>>> +    esac
>>> +
>>> +    if ! mount -t $(get_fstype "${decrypted_part}")
>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>> +        panic "Can't mount encrypted partition '${decrypted_part}'!"
>>> +    fi
>>> +
>>> +    # delete initial key
>>> +    # afterwards no new keys can be enrolled
>>> +    /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>>> +done
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> new file mode 100644
>>> index 0000000..ba2b884
>>> --- /dev/null
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> @@ -0,0 +1,37 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2020-2022
>>> +#
>>> +# Authors:
>>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +
>>> +
>>> +inherit dpkg-raw
>>> +
>>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>>> +    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
>>> e2fsprogs"
>>> +
>>> +SRC_URI += "file://encrypt_partition.hook \
>>> +            file://encrypt_partition.script \
>>> +    file://encrypt_partition.env.tmpl"
>>> +
>>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>>> +
>>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>>> +
>>> +do_install[cleandirs] += " \
>>> +    ${D}/usr/share/initramfs-tools/hooks \
>>> +    ${D}/usr/share/encrypt_partition \
>>> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>>> +do_install() {
>>> +    install -m 0600 "${WORKDIR}/encrypt_partition.env"
>>> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>>> +    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>>> +       
>>> "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
>>> +    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>>> +        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>>> +}
>>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
>>> index b635a8b..1d29583 100644
>>> --- a/wic/x86-efibootguard.wks.in
>>> +++ b/wic/x86-efibootguard.wks.in
>>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
>>> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>>>   part --source empty --align 1024 --fixed-size 1G --uuid
>>> "${ABROOTFS_PART_UUID_B}"
>>>     # home and var are extra partitions
>>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>> --fstype=ext4 --label home --align 1024  --size 1G
>>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>> --fstype=ext4 --label var --align 1024  --size 2G
>>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>> --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M
>>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>> --fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
>>>     bootloader --ptable gpt --append="console=tty0
>>> console=ttyS0,115200 rootwait earlyprintk"
>>
>> Jan
>>
> Thanks for the review
> Quirin

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device

[Gylstorff Quirin]

[-- Attachment #1: Type: text/plain, Size: 3254 bytes --]



On 2/17/23 15:49, Jan Kiszka wrote:
> On 17.02.23 14:05, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This allows testing the tpm2 encryption with qemu.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   start-qemu.sh | 23 ++++++++++++++++++-----
>>   1 file changed, 18 insertions(+), 5 deletions(-)
>>
>> diff --git a/start-qemu.sh b/start-qemu.sh
>> index dd16aed..3ef2acc 100755
>> --- a/start-qemu.sh
>> +++ b/start-qemu.sh
>> @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \
>>   	-m 1G \
>>   	-serial mon:stdio \
>>   	-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
>> -	${QEMU_EXTRA_ARGS}"
>> +	"
>>   
>>   if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>>   	case "${arch}" in
>>   		x86|x86_64|amd64)
>> +			if [ -x /usr/bin/swtpm ]; then
>> +				swtpm_dir="/tmp/qemu-swtpm"
>> +				mkdir -p ${swtpm_dir}
>> +                rm ${swtpm_dir}/*
>> +				if swtpm socket -d --tpmstate dir=${swtpm_dir} \
>> +						 --ctrl type=unixio,path=${swtpm_dir}/sock \
>> +						 --tpm2; then
>> +					QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
>> +                            -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
>> +					 		-tpmdev emulator,id=tpm0,chardev=chrtpm \
>> +					 		-device tpm-tis,tpmdev=tpm0"
>> +				fi
>> +			fi
> 
> There are some space-based indentions in this block, messing things up
> visually.
> 
> Jan

I will fix that in v3 and add a check if if TPM2 is requested by KConfig.

Quirin
> 
>>   			if [ -n "${SECURE_BOOT}" ]; then
>>   				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
>>   				ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
>> @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>>   					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
>>   					-drive if=pflash,format=raw,file=${ovmf_vars} \
>>   					-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>> -					${QEMU_COMMON_OPTIONS} "$@"
>> +					${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>>   			else
>>   				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
>>   
>>   				${QEMU_PATH}${QEMU} \
>>   					-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>>   					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
>> -					${QEMU_COMMON_OPTIONS} "$@"
>> +					${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>>   			fi
>>   			;;
>>   		arm64|aarch64|arm|armhf)
>> @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>>   			${QEMU_PATH}${QEMU} \
>>   				-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>>   				-bios ${u_boot_bin} \
>> -				${QEMU_COMMON_OPTIONS} "$@"
>> +				${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>>   			;;
>>   		*)
>>   			echo "Unsupported architecture: ${arch}"
>> @@ -187,5 +200,5 @@ else
>>   			-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
>>   			-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
>>   			-initrd ${INITRD_FILE} \
>> -			${QEMU_COMMON_OPTIONS} "$@"
>> +			${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>>   fi
> 

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 7613 bytes --]

Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Gylstorff Quirin]

[-- Attachment #1: Type: text/plain, Size: 14082 bytes --]



On 2/17/23 16:10, Jan Kiszka wrote:
> On 17.02.23 16:06, Gylstorff Quirin wrote:
>>
>>
>> On 2/17/23 15:53, Jan Kiszka wrote:
>>> On 17.02.23 14:05, Quirin Gylstorff wrote:
>>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>
>>>> This creates a new luks encrypted ext4 partition with a the
>>>> key stored in the tpm2.
>>>>
>>>> The initial key is randomly generated and removed from the
>>>> LUKS partition. Therefore a new key cannot be added by the user
>>>> and if the LUKS header is corrupted the data is no longer readable.
>>>>
>>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> ---
>>>>    .../files/encrypt_partition.env.tmpl          |   2 +
>>>>    .../files/encrypt_partition.hook              |  49 +++++++
>>>>    .../files/encrypt_partition.script            | 135 ++++++++++++++++++
>>>>    .../initramfs-crypt-hook_0.1.bb               |  37 +++++
>>>>    wic/x86-efibootguard.wks.in                   |   4 +-
>>>>    5 files changed, 225 insertions(+), 2 deletions(-)
>>>>    create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>>    create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>>    create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>>    create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>>
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>> new file mode 100644
>>>> index 0000000..943fe4b
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>> @@ -0,0 +1,2 @@
>>>> +PARTITIONS="${CRYPT_PARTITIONS}"
>>>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
>>>
>>> Did you mean "REDUCE"?
>> That was my intenion will fix it in v3.
>>>
>>> And what is this variable for?
>>
>> If you use online reencryption on a populated partition you need to
>> create the space for the LUKS header. The necessary minimum size is 32MB.
>> As an alternative you can detach the LUKS header.
>>
> 
> And what does this variable contribute to that?

This variable is used to set the size by with cryptsetup reencrypt 
reduces the partition size.

Currently I am not sure if we need to adjust this size during the build 
or not.

Quirin

> 
>>
>>>
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> new file mode 100644
>>>> index 0000000..96e084a
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> @@ -0,0 +1,49 @@
>>>> +#!/bin/sh
>>>> +# Copyright (C) Siemens AG, 2020-2022
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +
>>>> +PREREQ=""
>>>> +
>>>> +prereqs()
>>>> +{
>>>> +     echo "$PREREQ"
>>>> +}
>>>> +
>>>> +case $1 in
>>>> +prereqs)
>>>> +     prereqs
>>>> +     exit 0
>>>> +     ;;
>>>> +esac
>>>> +
>>>> +. /usr/share/initramfs-tools/scripts/functions
>>>> +. /usr/share/initramfs-tools/hook-functions
>>>> +
>>>> +manual_add_modules tpm
>>>> +manual_add_modules tpm_tis_core
>>>> +manual_add_modules tpm_tis
>>>> +manual_add_modules tpm_crb
>>>> +manual_add_modules dm_mod
>>>> +manual_add_modules dm_crypt
>>>> +
>>>> +copy_exec /usr/bin/openssl
>>>> +copy_exec /usr/sbin/mke2fs
>>>> +copy_exec /usr/bin/grep
>>>> +copy_exec /usr/bin/awk
>>>> +copy_exec /usr/bin/expr
>>>> +copy_exec /usr/sbin/e2fsck
>>>> +copy_exec /usr/sbin/resize2fs
>>>> +copy_exec /usr/sbin/cryptsetup
>>>> +copy_exec /usr/bin/systemd-cryptenroll
>>>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>>>> +
>>>> +if [ -x cryptsetup-reencrypt ]; then
>>>> +    copy_exec /usr/sbin/cryptsetup-reencrypt
>>>> +fi
>>>> +
>>>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>>>> +    copy_exec "$_LIBRARY"
>>>> +done
>>>> +
>>>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
>>>> /usr/share/encrypt_partition/encrypt_partition.env
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>> new file mode 100644
>>>> index 0000000..e58794e
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>> @@ -0,0 +1,135 @@
>>>> +#!/bin/sh
>>>> +#
>>>> +# CIP Core, generic profile
>>>> +#
>>>> +# Copyright (c) Siemens AG, 2023
>>>> +#
>>>> +# Authors:
>>>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +prereqs()
>>>> +{
>>>> +    # Make sure that this script is run last in local-top
>>>> +    local req
>>>> +    for req in "${0%/*}"/*; do
>>>> +        script="${req##*/}"
>>>> +        if [ "$script" != "${0##*/}" ]; then
>>>> +            printf '%s\n' "$script"
>>>> +        fi
>>>> +    done
>>>> +}
>>>> +case $1 in
>>>> +prereqs)
>>>> +    prereqs
>>>> +    exit 0
>>>> +    ;;
>>>> +esac
>>>> +
>>>> +. /scripts/functions
>>>> +
>>>> +# get configuration variables
>>>> +. /usr/share/encrypt_partition/encrypt_partition.env
>>>> +
>>>> +# load necessary kernel modules:
>>>> +modprobe tpm_tis
>>>> +modprobe tpm_crb
>>>> +
>>>> +# fixed tpm device or do we need to find it
>>>> +tpm_device=/dev/tpmrm0
>>>> +partition_sets="$PARTITIONS"
>>>> +
>>>> +open_tpm2_partition() {
>>>> +    if ! /usr/lib/systemd/systemd-cryptsetup attach
>>>> "$crypt_mount_name" \
>>>> +         "$1" - tpm2-device="$tpm_device"; then
>>>> +        panic "Can't decrypt '$1' !"
>>>> +    fi
>>>> +}
>>>> +
>>>> +enroll_tpm2_token() {
>>>> +    #check systemd version and export password if necessary
>>>> +    if [ -x /usr/bin/systemd-cryptenroll ]; then
>>>
>>> And if that file does not exist? No error? No bail-out?
>>>
>>
>> I will remove that check and move it to the hook and fail during build
>> time. Is that better?
> 
> I just want to avoid that a realistic error leads to improper error
> handling. Even worse if that could lead to a usable but unencrypted
> partition.
> 
>>
>>>> +        systemd_version=$(systemd-cryptenroll --version | \
>>>> +                              awk -F " " 'NR==1{print $2 }')
>>>> +        #check systemd version and export password if necessary
>>>> +        if [ "$systemd_version" -ge "251" ]; then
>>>> +            PASSWORD=$(cat "$2" )
>>>> +            export PASSWORD
>>>> +            /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
>>>> +                                         --tpm2-pcrs=7 "$1"
>>>> +            PASSWORD=
>>>> +        else
>>>> +            panic "Unknown systemd version: '$systemd_version'!"
>>>> +        fi
>>>> +    fi
>>>> +}
>>>> +
>>>> +reencrypt_existing_partition() {
>>>> +    part_device=$(readlink -f "$partition")
>>>> +    part_size_blocks=$(cat /sys/class/block/"$(awk -v
>>>> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>>>> +    reduced_size=$(expr $part_size_blocks - 65536 )
>>>> +    reduced_size_in_byte=$(expr $reduced_size \* 512)
>>>> +    reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>>>> +    resize2fs "$1" "$reduced_size_in_kb"
>>>> +    if [ -x cryptsetup-reencrypt ]; then
>>>> +        /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size
>>>> "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>>> +    else
>>>> +        /usr/sbin/cryptsetup reencrypt --encrypt
>>>> --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>>> +    fi
>>>> +
>>>> +}
>>>> +
>>>> +
>>>
>>> One newline should be enough here.
>> Will fix in v3.
>>
>>>
>>>> +if [ ! -e "$tpm_device" ]; then
>>>> +    panic "tpm device '$tpm_device' does not exists - cannot create
>>>> a encrypted device!"
>>>> +fi
>>>> +
>>>> +for partition_set in $partition_sets; do
>>>> +    partition_label=$(awk -v var=$partition_set
>>>> 'BEGIN{split(var,a,":"); print a[1]}')
>>>> +    partition_mountpoint=$(awk -v var=$partition_set
>>>> 'BEGIN{split(var,a,":"); print a[2]}')
>>>> +    partition_format=$(awk -v var=$partition_set
>>>> 'BEGIN{split(var,a,":"); print a[3]}')
>>>> +    partition=/dev/disk/by-partlabel/$partition_label
>>>> +    crypt_mount_name="encrypted_$partition_label"
>>>> +    decrypted_part=/dev/mapper/"$crypt_mount_name"
>>>> +
>>>> +    # check if partition is already encrypted with systemd-tpm2
>>>> +    if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>>>> +            | grep -q "systemd-tpm2"; then
>>>> +        open_tpm2_partition "$partition"
>>>> +        if ! mount -t $(get_fstype "${decrypted_part}")
>>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>>> +            panic "Can't mount encrypted partition
>>>> '${decrypted_part}'!"
>>>> +        fi
>>>> +        continue
>>>> +    fi
>>>> +
>>>> +    # create random password for initial encryption
>>>> +    # this will be dropped after reboot
>>>> +    tmp_key=/tmp/"$partition_label-lukskey"
>>>> +    openssl rand -base64 32 > "$tmp_key"
>>>> +
>>>> +    case "${partition_format}" in
>>>> +        "reencrypt")
>>>> +            reencrypt_existing_partition "$partition" "$tmp_key"
>>>> +            enroll_tpm2_token "$partition" "$tmp_key"
>>>> +            open_tpm2_partition "$partition"
>>>> +        ;;
>>>> +        "format")
>>>> +            /usr/sbin/cryptsetup luksFormat --batch-mode \
>>>> +                                 --type luks2 "$partition" < "$tmp_key"
>>>> +            enroll_tpm2_token "$partition" "$tmp_key"
>>>> +            open_tpm2_partition_tpm2_partition "$partition"
>>>> +            mke2fs -t ext4 "${decrypted_part}"
>>>
>>> We likely want to make this line configurable at recipe-level, both
>>> regarding fs options as well as the fs type itself.
>>
>> I will add an additional field to the configuration string.
>>
>>>
>>>> +        ;;
>>>> +        *)
>>>> +            panic "Unknown value ${partition_format}. Cannot create
>>>> a encrypted partition !"
>>>> +         ;;
>>>> +    esac
>>>> +
>>>> +    if ! mount -t $(get_fstype "${decrypted_part}")
>>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>>> +        panic "Can't mount encrypted partition '${decrypted_part}'!"
>>>> +    fi
>>>> +
>>>> +    # delete initial key
>>>> +    # afterwards no new keys can be enrolled
>>>> +    /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>>>> +done
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>> new file mode 100644
>>>> index 0000000..ba2b884
>>>> --- /dev/null
>>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>> @@ -0,0 +1,37 @@
>>>> +#
>>>> +# CIP Core, generic profile
>>>> +#
>>>> +# Copyright (c) Siemens AG, 2020-2022
>>>> +#
>>>> +# Authors:
>>>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +
>>>> +
>>>> +inherit dpkg-raw
>>>> +
>>>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>>>> +    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
>>>> e2fsprogs"
>>>> +
>>>> +SRC_URI += "file://encrypt_partition.hook \
>>>> +            file://encrypt_partition.script \
>>>> +    file://encrypt_partition.env.tmpl"
>>>> +
>>>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>>>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>>>> +
>>>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>>>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>>>> +
>>>> +do_install[cleandirs] += " \
>>>> +    ${D}/usr/share/initramfs-tools/hooks \
>>>> +    ${D}/usr/share/encrypt_partition \
>>>> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>>>> +do_install() {
>>>> +    install -m 0600 "${WORKDIR}/encrypt_partition.env"
>>>> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>>>> +    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>>>> +
>>>> "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
>>>> +    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>>>> +        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>>>> +}
>>>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
>>>> index b635a8b..1d29583 100644
>>>> --- a/wic/x86-efibootguard.wks.in
>>>> +++ b/wic/x86-efibootguard.wks.in
>>>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
>>>> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>>>>    part --source empty --align 1024 --fixed-size 1G --uuid
>>>> "${ABROOTFS_PART_UUID_B}"
>>>>      # home and var are extra partitions
>>>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>>> --fstype=ext4 --label home --align 1024  --size 1G
>>>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>>> --fstype=ext4 --label var --align 1024  --size 2G
>>>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>>> --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M
>>>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>>> --fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
>>>>      bootloader --ptable gpt --append="console=tty0
>>>> console=ttyS0,115200 rootwait earlyprintk"
>>>
>>> Jan
>>>
>> Thanks for the review
>> Quirin
> 
> Jan
> 

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 7613 bytes --]

Re: [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll

[Moessbauer, Felix]

On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-
project.org wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Systemd >= 251 is required for systemd-cryptenroll. This version
> is part of backports.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  conf/distro/debian-bullseye-backports.list    |  1 +
>  .../preferences.bullseye-backports.tpm.conf   |  3 +++
>  kas/opt/tpm.yml                               | 20
> +++++++++++++++++++
>  3 files changed, 24 insertions(+)
>  create mode 100644 conf/distro/debian-bullseye-backports.list
>  create mode 100644 conf/distro/preferences.bullseye-
> backports.tpm.conf
>  create mode 100644 kas/opt/tpm.yml
> 
> diff --git a/conf/distro/debian-bullseye-backports.list
> b/conf/distro/debian-bullseye-backports.list
> new file mode 100644
> index 0000000..3a55e4c
> --- /dev/null
> +++ b/conf/distro/debian-bullseye-backports.list
> @@ -0,0 +1 @@
> +deb http://ftp.us.debian.org/debian bullseye-backports main contrib
> non-free
> diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf
> b/conf/distro/preferences.bullseye-backports.tpm.conf
> new file mode 100644
> index 0000000..0905fbf
> --- /dev/null
> +++ b/conf/distro/preferences.bullseye-backports.tpm.conf
> @@ -0,0 +1,3 @@
> +Package: *
> +Pin: release n=bullseye-backports
> +Pin-Priority: 801

This does not look right. By that, we take ANY available package from
bpo. For systemd backports, we usually use:

Package: libnss-myhostname libnss-mymachines libnss-resolve libnss-
systemd libpam-systemd libudev1 libsystemd0 systemd systemd-* udev

Felix

> diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml
> new file mode 100644
> index 0000000..0e4dc95
> --- /dev/null
> +++ b/kas/opt/tpm.yml
> @@ -0,0 +1,20 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> +  version: 12
> +
> +local_conf_header:
> +  systemd-cryptenroll: |
> +    DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-
> bullseye-backports.list"
> +    DISTRO_APT_PREFERENCES:append:bullseye = "
> conf/distro/preferences.bullseye-backports.tpm.conf"
> +  image-option-tpm: |
> +    INITRAMFS_INSTALL += " initramfs-crypt-hook"
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#10715): 
> https://lists.cip-project.org/g/cip-dev/message/10715
> Mute This Topic: https://lists.cip-project.org/mt/97027310/6879696
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: 
> https://lists.cip-project.org/g/cip-dev/leave/12054225/6879696/632350479/xyzzy
>  [felix.moessbauer@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Moessbauer, Felix]

On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-
project.org wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This creates a new luks encrypted ext4 partition with a the
> key stored in the tpm2.
> 
> The initial key is randomly generated and removed from the
> LUKS partition. Therefore a new key cannot be added by the user
> and if the LUKS header is corrupted the data is no longer readable.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/encrypt_partition.env.tmpl          |   2 +
>  .../files/encrypt_partition.hook              |  49 +++++++
>  .../files/encrypt_partition.script            | 135
> ++++++++++++++++++
>  .../initramfs-crypt-hook_0.1.bb               |  37 +++++
>  wic/x86-efibootguard.wks.in                   |   4 +-

Does this - in theory - also work with systemd-boot or grub? Currently
we have ISAR bugs that prevent us from using sd-boot or grub with a
custom initramfs, but once that is fixed, this could be an option.

Not directly related:
As we put more-and-more features into the cip initramfs: Is there
actually a need to use a custom one, or can we simply add these
packages to the image and use its initrd? What is the benefit of having
the custom initrd?

Felix

>  5 files changed, 225 insertions(+), 2 deletions(-)
>  create mode 100644 recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.env.tmpl
>  create mode 100644 recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.hook
>  create mode 100644 recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-
> crypt-hook_0.1.bb
> 
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.env.tmpl
> new file mode 100644
> index 0000000..943fe4b
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.env.tmpl
> @@ -0,0 +1,2 @@
> +PARTITIONS="${CRYPT_PARTITIONS}"
> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.hook
> new file mode 100644
> index 0000000..96e084a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.hook
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +# Copyright (C) Siemens AG, 2020-2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +PREREQ=""
> +
> +prereqs()
> +{
> +     echo "$PREREQ"
> +}
> +
> +case $1 in
> +prereqs)
> +     prereqs
> +     exit 0
> +     ;;
> +esac
> +
> +. /usr/share/initramfs-tools/scripts/functions
> +. /usr/share/initramfs-tools/hook-functions
> +
> +manual_add_modules tpm
> +manual_add_modules tpm_tis_core
> +manual_add_modules tpm_tis
> +manual_add_modules tpm_crb
> +manual_add_modules dm_mod
> +manual_add_modules dm_crypt
> +
> +copy_exec /usr/bin/openssl
> +copy_exec /usr/sbin/mke2fs
> +copy_exec /usr/bin/grep
> +copy_exec /usr/bin/awk
> +copy_exec /usr/bin/expr
> +copy_exec /usr/sbin/e2fsck
> +copy_exec /usr/sbin/resize2fs
> +copy_exec /usr/sbin/cryptsetup
> +copy_exec /usr/bin/systemd-cryptenroll
> +copy_exec /usr/lib/systemd/systemd-cryptsetup
> +
> +if [ -x cryptsetup-reencrypt ]; then
> +    copy_exec /usr/sbin/cryptsetup-reencrypt
> +fi
> +
> +for _LIBRARY in /usr/lib/*/libtss2*; do
> +    copy_exec "$_LIBRARY"
> +done
> +
> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
> /usr/share/encrypt_partition/encrypt_partition.env
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> new file mode 100644
> index 0000000..e58794e
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -0,0 +1,135 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +prereqs()
> +{
> +       # Make sure that this script is run last in local-top
> +       local req
> +       for req in "${0%/*}"/*; do
> +               script="${req##*/}"
> +               if [ "$script" != "${0##*/}" ]; then
> +                       printf '%s\n' "$script"
> +               fi
> +       done
> +}
> +case $1 in
> +prereqs)
> +       prereqs
> +       exit 0
> +       ;;
> +esac
> +
> +. /scripts/functions
> +
> +# get configuration variables
> +. /usr/share/encrypt_partition/encrypt_partition.env
> +
> +# load necessary kernel modules:
> +modprobe tpm_tis
> +modprobe tpm_crb
> +
> +# fixed tpm device or do we need to find it
> +tpm_device=/dev/tpmrm0
> +partition_sets="$PARTITIONS"
> +
> +open_tpm2_partition() {
> +       if ! /usr/lib/systemd/systemd-cryptsetup attach
> "$crypt_mount_name" \
> +                "$1" - tpm2-device="$tpm_device"; then
> +               panic "Can't decrypt '$1' !"
> +       fi
> +}
> +
> +enroll_tpm2_token() {
> +       #check systemd version and export password if necessary
> +       if [ -x /usr/bin/systemd-cryptenroll ]; then
> +               systemd_version=$(systemd-cryptenroll --version | \
> +                                                         awk -F " "
> 'NR==1{print $2 }')
> +               #check systemd version and export password if
> necessary
> +               if [ "$systemd_version" -ge "251" ]; then
> +                       PASSWORD=$(cat "$2" )
> +                       export PASSWORD
> +                       /usr/bin/systemd-cryptenroll --tpm2-
> device="$tpm_device" \
> +                                                                    
>             --tpm2-pcrs=7 "$1"
> +                       PASSWORD=
> +               else
> +                       panic "Unknown systemd version:
> '$systemd_version'!"
> +               fi
> +       fi
> +}
> +
> +reencrypt_existing_partition() {
> +       part_device=$(readlink -f "$partition")
> +       part_size_blocks=$(cat /sys/class/block/"$(awk -v
> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
> +       reduced_size=$(expr $part_size_blocks - 65536 )
> +       reduced_size_in_byte=$(expr $reduced_size \* 512)
> +       reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
> +       resize2fs "$1" "$reduced_size_in_kb"
> +       if [ -x cryptsetup-reencrypt ]; then
> +               /usr/sbin/cryptsetup-reencrypt --new --reduce-device-
> size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> +       else
> +               /usr/sbin/cryptsetup reencrypt --encrypt --reduce-
> device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> +       fi
> +
> +}
> +
> +
> +if [ ! -e "$tpm_device" ]; then
> +       panic "tpm device '$tpm_device' does not exists - cannot
> create a encrypted device!"
> +fi
> +
> +for partition_set in $partition_sets; do
> +       partition_label=$(awk -v var=$partition_set
> 'BEGIN{split(var,a,":"); print a[1]}')
> +       partition_mountpoint=$(awk -v var=$partition_set
> 'BEGIN{split(var,a,":"); print a[2]}')
> +       partition_format=$(awk -v var=$partition_set
> 'BEGIN{split(var,a,":"); print a[3]}')
> +       partition=/dev/disk/by-partlabel/$partition_label
> +       crypt_mount_name="encrypted_$partition_label"
> +       decrypted_part=/dev/mapper/"$crypt_mount_name"
> +
> +       # check if partition is already encrypted with systemd-tpm2
> +       if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> +                       | grep -q "systemd-tpm2"; then
> +               open_tpm2_partition "$partition"
> +               if ! mount -t $(get_fstype "${decrypted_part}")
> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> +                   panic "Can't mount encrypted partition
> '${decrypted_part}'!"
> +               fi
> +               continue
> +       fi
> +
> +       # create random password for initial encryption
> +       # this will be dropped after reboot
> +       tmp_key=/tmp/"$partition_label-lukskey"
> +       openssl rand -base64 32 > "$tmp_key"
> +
> +       case "${partition_format}" in
> +        "reencrypt")
> +                   reencrypt_existing_partition "$partition"
> "$tmp_key"
> +                   enroll_tpm2_token "$partition" "$tmp_key"
> +                   open_tpm2_partition "$partition"
> +        ;;
> +        "format")
> +                   /usr/sbin/cryptsetup luksFormat --batch-mode \
> +                                                            --type
> luks2 "$partition" < "$tmp_key"
> +                   enroll_tpm2_token "$partition" "$tmp_key"
> +                   open_tpm2_partition_tpm2_partition "$partition"
> +                   mke2fs -t ext4 "${decrypted_part}"
> +        ;;
> +        *)
> +                   panic "Unknown value ${partition_format}. Cannot
> create a encrypted partition !"
> +         ;;
> +       esac
> +
> +       if ! mount -t $(get_fstype "${decrypted_part}")
> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> +               panic "Can't mount encrypted partition
> '${decrypted_part}'!"
> +       fi
> +
> +       # delete initial key
> +       # afterwards no new keys can be enrolled
> +       /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
> +done
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.1.bb
> new file mode 100644
> index 0000000..ba2b884
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.1.bb
> @@ -0,0 +1,37 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2020-2022
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +
> +inherit dpkg-raw
> +
> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
> +    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
> e2fsprogs"
> +
> +SRC_URI += "file://encrypt_partition.hook \
> +            file://encrypt_partition.script \
> +    file://encrypt_partition.env.tmpl"
> +
> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
> +
> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
> +
> +do_install[cleandirs] += " \
> +    ${D}/usr/share/initramfs-tools/hooks \
> +    ${D}/usr/share/encrypt_partition \
> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +do_install() {
> +    install -m 0600 "${WORKDIR}/encrypt_partition.env"
> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
> +    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
> +        "${D}/usr/share/initramfs-tools/scripts/local-
> bottom/encrypt_partition"
> +    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
> +        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
> +}
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-
> efibootguard.wks.in
> index b635a8b..1d29583 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>  part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}"
>  
>  # home and var are extra partitions
> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
> fstype=ext4 --label home --align 1024  --size 1G
> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
> fstype=ext4 --label var --align 1024  --size 2G
> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
> fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M 
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
> fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
>  
>  bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200
> rootwait earlyprintk"
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#10716): 
> https://lists.cip-project.org/g/cip-dev/message/10716
> Mute This Topic: https://lists.cip-project.org/mt/97027311/6879696
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: 
> https://lists.cip-project.org/g/cip-dev/leave/12054225/6879696/632350479/xyzzy
>  [felix.moessbauer@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition

[Gylstorff Quirin]

On 2/18/23 09:10, Felix Moessbauer via lists.cip-project.org wrote:
> On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-
> project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This creates a new luks encrypted ext4 partition with a the
>> key stored in the tpm2.
>>
>> The initial key is randomly generated and removed from the
>> LUKS partition. Therefore a new key cannot be added by the user
>> and if the LUKS header is corrupted the data is no longer readable.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../files/encrypt_partition.env.tmpl          |   2 +
>>   .../files/encrypt_partition.hook              |  49 +++++++
>>   .../files/encrypt_partition.script            | 135
>> ++++++++++++++++++
>>   .../initramfs-crypt-hook_0.1.bb               |  37 +++++
>>   wic/x86-efibootguard.wks.in                   |   4 +-
> 
> Does this - in theory - also work with systemd-boot or grub? Currently
> we have ISAR bugs that prevent us from using sd-boot or grub with a
> custom initramfs, but once that is fixed, this could be an option.
> 
> Not directly related:
> As we put more-and-more features into the cip initramfs: Is there
> actually a need to use a custom one, or can we simply add these
> packages to the image and use its initrd? What is the benefit of having
> the custom initrd?

The initramfs could be stored in the image but as we implement an image 
based update process and the user should not exchange the UKI - 
especially in the secure boot usecase - it makes no sense to store the 
initramfs recipes in the image.

Also this will add all the dependencies which often are not necessary to 
the image.

Quirin
> 
> Felix
> 
>>   5 files changed, 225 insertions(+), 2 deletions(-)
>>   create mode 100644 recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.env.tmpl
>>   create mode 100644 recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.hook
>>   create mode 100644 recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>>   create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-
>> crypt-hook_0.1.bb
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.env.tmpl
>> new file mode 100644
>> index 0000000..943fe4b
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.env.tmpl
>> @@ -0,0 +1,2 @@
>> +PARTITIONS="${CRYPT_PARTITIONS}"
>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.hook
>> new file mode 100644
>> index 0000000..96e084a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.hook
>> @@ -0,0 +1,49 @@
>> +#!/bin/sh
>> +# Copyright (C) Siemens AG, 2020-2022
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +PREREQ=""
>> +
>> +prereqs()
>> +{
>> +     echo "$PREREQ"
>> +}
>> +
>> +case $1 in
>> +prereqs)
>> +     prereqs
>> +     exit 0
>> +     ;;
>> +esac
>> +
>> +. /usr/share/initramfs-tools/scripts/functions
>> +. /usr/share/initramfs-tools/hook-functions
>> +
>> +manual_add_modules tpm
>> +manual_add_modules tpm_tis_core
>> +manual_add_modules tpm_tis
>> +manual_add_modules tpm_crb
>> +manual_add_modules dm_mod
>> +manual_add_modules dm_crypt
>> +
>> +copy_exec /usr/bin/openssl
>> +copy_exec /usr/sbin/mke2fs
>> +copy_exec /usr/bin/grep
>> +copy_exec /usr/bin/awk
>> +copy_exec /usr/bin/expr
>> +copy_exec /usr/sbin/e2fsck
>> +copy_exec /usr/sbin/resize2fs
>> +copy_exec /usr/sbin/cryptsetup
>> +copy_exec /usr/bin/systemd-cryptenroll
>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>> +
>> +if [ -x cryptsetup-reencrypt ]; then
>> +    copy_exec /usr/sbin/cryptsetup-reencrypt
>> +fi
>> +
>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>> +    copy_exec "$_LIBRARY"
>> +done
>> +
>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
>> /usr/share/encrypt_partition/encrypt_partition.env
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.script
>> new file mode 100644
>> index 0000000..e58794e
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> @@ -0,0 +1,135 @@
>> +#!/bin/sh
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +prereqs()
>> +{
>> +       # Make sure that this script is run last in local-top
>> +       local req
>> +       for req in "${0%/*}"/*; do
>> +               script="${req##*/}"
>> +               if [ "$script" != "${0##*/}" ]; then
>> +                       printf '%s\n' "$script"
>> +               fi
>> +       done
>> +}
>> +case $1 in
>> +prereqs)
>> +       prereqs
>> +       exit 0
>> +       ;;
>> +esac
>> +
>> +. /scripts/functions
>> +
>> +# get configuration variables
>> +. /usr/share/encrypt_partition/encrypt_partition.env
>> +
>> +# load necessary kernel modules:
>> +modprobe tpm_tis
>> +modprobe tpm_crb
>> +
>> +# fixed tpm device or do we need to find it
>> +tpm_device=/dev/tpmrm0
>> +partition_sets="$PARTITIONS"
>> +
>> +open_tpm2_partition() {
>> +       if ! /usr/lib/systemd/systemd-cryptsetup attach
>> "$crypt_mount_name" \
>> +                "$1" - tpm2-device="$tpm_device"; then
>> +               panic "Can't decrypt '$1' !"
>> +       fi
>> +}
>> +
>> +enroll_tpm2_token() {
>> +       #check systemd version and export password if necessary
>> +       if [ -x /usr/bin/systemd-cryptenroll ]; then
>> +               systemd_version=$(systemd-cryptenroll --version | \
>> +                                                         awk -F " "
>> 'NR==1{print $2 }')
>> +               #check systemd version and export password if
>> necessary
>> +               if [ "$systemd_version" -ge "251" ]; then
>> +                       PASSWORD=$(cat "$2" )
>> +                       export PASSWORD
>> +                       /usr/bin/systemd-cryptenroll --tpm2-
>> device="$tpm_device" \
>> +
>>              --tpm2-pcrs=7 "$1"
>> +                       PASSWORD=
>> +               else
>> +                       panic "Unknown systemd version:
>> '$systemd_version'!"
>> +               fi
>> +       fi
>> +}
>> +
>> +reencrypt_existing_partition() {
>> +       part_device=$(readlink -f "$partition")
>> +       part_size_blocks=$(cat /sys/class/block/"$(awk -v
>> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>> +       reduced_size=$(expr $part_size_blocks - 65536 )
>> +       reduced_size_in_byte=$(expr $reduced_size \* 512)
>> +       reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>> +       resize2fs "$1" "$reduced_size_in_kb"
>> +       if [ -x cryptsetup-reencrypt ]; then
>> +               /usr/sbin/cryptsetup-reencrypt --new --reduce-device-
>> size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> +       else
>> +               /usr/sbin/cryptsetup reencrypt --encrypt --reduce-
>> device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> +       fi
>> +
>> +}
>> +
>> +
>> +if [ ! -e "$tpm_device" ]; then
>> +       panic "tpm device '$tpm_device' does not exists - cannot
>> create a encrypted device!"
>> +fi
>> +
>> +for partition_set in $partition_sets; do
>> +       partition_label=$(awk -v var=$partition_set
>> 'BEGIN{split(var,a,":"); print a[1]}')
>> +       partition_mountpoint=$(awk -v var=$partition_set
>> 'BEGIN{split(var,a,":"); print a[2]}')
>> +       partition_format=$(awk -v var=$partition_set
>> 'BEGIN{split(var,a,":"); print a[3]}')
>> +       partition=/dev/disk/by-partlabel/$partition_label
>> +       crypt_mount_name="encrypted_$partition_label"
>> +       decrypted_part=/dev/mapper/"$crypt_mount_name"
>> +
>> +       # check if partition is already encrypted with systemd-tpm2
>> +       if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>> +                       | grep -q "systemd-tpm2"; then
>> +               open_tpm2_partition "$partition"
>> +               if ! mount -t $(get_fstype "${decrypted_part}")
>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> +                   panic "Can't mount encrypted partition
>> '${decrypted_part}'!"
>> +               fi
>> +               continue
>> +       fi
>> +
>> +       # create random password for initial encryption
>> +       # this will be dropped after reboot
>> +       tmp_key=/tmp/"$partition_label-lukskey"
>> +       openssl rand -base64 32 > "$tmp_key"
>> +
>> +       case "${partition_format}" in
>> +        "reencrypt")
>> +                   reencrypt_existing_partition "$partition"
>> "$tmp_key"
>> +                   enroll_tpm2_token "$partition" "$tmp_key"
>> +                   open_tpm2_partition "$partition"
>> +        ;;
>> +        "format")
>> +                   /usr/sbin/cryptsetup luksFormat --batch-mode \
>> +                                                            --type
>> luks2 "$partition" < "$tmp_key"
>> +                   enroll_tpm2_token "$partition" "$tmp_key"
>> +                   open_tpm2_partition_tpm2_partition "$partition"
>> +                   mke2fs -t ext4 "${decrypted_part}"
>> +        ;;
>> +        *)
>> +                   panic "Unknown value ${partition_format}. Cannot
>> create a encrypted partition !"
>> +         ;;
>> +       esac
>> +
>> +       if ! mount -t $(get_fstype "${decrypted_part}")
>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> +               panic "Can't mount encrypted partition
>> '${decrypted_part}'!"
>> +       fi
>> +
>> +       # delete initial key
>> +       # afterwards no new keys can be enrolled
>> +       /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>> +done
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.1.bb
>> new file mode 100644
>> index 0000000..ba2b884
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.1.bb
>> @@ -0,0 +1,37 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2020-2022
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +
>> +inherit dpkg-raw
>> +
>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>> +    awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
>> e2fsprogs"
>> +
>> +SRC_URI += "file://encrypt_partition.hook \
>> +            file://encrypt_partition.script \
>> +    file://encrypt_partition.env.tmpl"
>> +
>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>> +
>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>> +
>> +do_install[cleandirs] += " \
>> +    ${D}/usr/share/initramfs-tools/hooks \
>> +    ${D}/usr/share/encrypt_partition \
>> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>> +do_install() {
>> +    install -m 0600 "${WORKDIR}/encrypt_partition.env"
>> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>> +    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>> +        "${D}/usr/share/initramfs-tools/scripts/local-
>> bottom/encrypt_partition"
>> +    install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>> +        "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>> +}
>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-
>> efibootguard.wks.in
>> index b635a8b..1d29583 100644
>> --- a/wic/x86-efibootguard.wks.in
>> +++ b/wic/x86-efibootguard.wks.in
>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
>> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>>   part --source empty --align 1024 --fixed-size 1G --uuid
>> "${ABROOTFS_PART_UUID_B}"
>>   
>>   # home and var are extra partitions
>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
>> fstype=ext4 --label home --align 1024  --size 1G
>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
>> fstype=ext4 --label var --align 1024  --size 2G
>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
>> fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M
>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
>> fstype=ext4 --label var --align 1024  --size 2G --extra-space=100M
>>   
>>   bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200
>> rootwait earlyprintk"
>>
>>
>>
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#10740): https://lists.cip-project.org/g/cip-dev/message/10740
> Mute This Topic: https://lists.cip-project.org/mt/97027311/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129121/1753640/1405269326/xyzzy [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>