* [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs
@ 2023-02-17 13:05 Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 1/7] linux-cip: update kernel configuration for tpm2 support Quirin Gylstorff
` (6 more replies)
0 siblings, 7 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during
boot.
Adapt start-qemu to support tpm2.
Changes v2:
- rewrite for multiple partition
- add reencrypt for populated partitions
- encrypt /var and /home
Quirin Gylstorff (7):
linux-cip: update kernel configuration for tpm2 support
use bullseye backports for systemd-cryptenroll
start-qemu: If swtpm is available create a tpm2 device
Add initramfs hook to encrypt a partition
overlay: add prerequisite 'encrypt_partition'
KConfig: add tpm option
.gitlabci: Add ci build
.gitlab-ci.yml | 13 ++
Kconfig | 8 ++
conf/distro/debian-bullseye-backports.list | 1 +
.../preferences.bullseye-backports.tpm.conf | 3 +
kas/opt/tpm.yml | 20 +++
.../files/encrypt_partition.env.tmpl | 2 +
.../files/encrypt_partition.hook | 49 +++++++
.../files/encrypt_partition.script | 135 ++++++++++++++++++
.../initramfs-crypt-hook_0.1.bb | 37 +++++
.../initramfs-overlay-hook/files/overlay.hook | 1 +
.../files/overlay.script.tmpl | 12 +-
recipes-kernel/linux/linux-cip-common.inc | 2 +-
start-qemu.sh | 23 ++-
wic/x86-efibootguard.wks.in | 4 +-
14 files changed, 297 insertions(+), 13 deletions(-)
create mode 100644 conf/distro/debian-bullseye-backports.list
create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
create mode 100644 kas/opt/tpm.yml
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
--
2.39.1
^ permalink raw reply [flat|nested] 19+ messages in thread
* [cip-dev][isar-cip-core][RFC v2 1/7] linux-cip: update kernel configuration for tpm2 support
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll Quirin Gylstorff
` (5 subsequent siblings)
6 siblings, 0 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 7148a98..6dda973 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -23,6 +23,6 @@ SRC_URI:append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi
if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \
}"
-SRCREV_cip-kernel-config ?= "ce52837418aea714e780e0cbc8afb9515c12cc1b"
+SRCREV_cip-kernel-config ?= "351538952cfa7c6336e83bf66ca4f3bbdc06f89b"
S = "${WORKDIR}/linux-cip-${PV}"
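Review bot: the commit message does not say which kernel options the new cip-kernel-config revision turns on, so a reader of this SRCREV bump cannot check that the modules the hook in 4/7 asks for via manual_add_modules (tpm, tpm_tis_core, tpm_tis, tpm_crb, dm_mod, dm_crypt) and the ones the script modprobes (tpm_tis, tpm_crb) are actually covered; please list the changed config symbols in the message.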
--
2.39.1
* [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 1/7] linux-cip: update kernel configuration for tpm2 support Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-18 8:04 ` Moessbauer, Felix
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device Quirin Gylstorff
` (4 subsequent siblings)
6 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Systemd >= 251 is required for systemd-cryptenroll. This version
is part of backports.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
conf/distro/debian-bullseye-backports.list | 1 +
.../preferences.bullseye-backports.tpm.conf | 3 +++
kas/opt/tpm.yml | 20 +++++++++++++++++++
3 files changed, 24 insertions(+)
create mode 100644 conf/distro/debian-bullseye-backports.list
create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
create mode 100644 kas/opt/tpm.yml
diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list
new file mode 100644
index 0000000..3a55e4c
--- /dev/null
+++ b/conf/distro/debian-bullseye-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free
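Review bot: the new sources line hard-codes a single US mirror (ftp.us.debian.org) and enables contrib and non-free although the commit message only needs systemd from backports; use deb.debian.org and just `main` unless a contrib/non-free package is actually required, so the build does not depend on one mirror and does not silently widen the set of licences in the image.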
diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf
new file mode 100644
index 0000000..0905fbf
--- /dev/null
+++ b/conf/distro/preferences.bullseye-backports.tpm.conf
@@ -0,0 +1,3 @@
+Package: *
+Pin: release n=bullseye-backports
+Pin-Priority: 801
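Review bot: `Package: *` with Pin-Priority 801 makes apt prefer the backports version of every package that has one, not only systemd, so the image diverges from plain bullseye wherever a backport exists. Narrow the pin to what the commit message needs, for example `Package: src:systemd` or an explicit list of the systemd binary packages, and keep the rest of the image on bullseye.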
diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml
new file mode 100644
index 0000000..0e4dc95
--- /dev/null
+++ b/kas/opt/tpm.yml
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 12
+
+local_conf_header:
+ systemd-cryptenroll: |
+ DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list"
+ DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf"
+ image-option-tpm: |
+ INITRAMFS_INSTALL += " initramfs-crypt-hook"
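Review bot: both appends are restricted with the `:bullseye` override, but `INITRAMFS_INSTALL += " initramfs-crypt-hook"` is not, so selecting this option for a buster build (buster is still in the CI matrix in 7/7) installs a recipe whose DEBIAN_DEPENDS require systemd (>= 251) with no apt source that can satisfy it; give the INITRAMFS_INSTALL line the same override or state in the commit message that the option is bullseye-only. The header also says 2022 for a file introduced in a 2023 series.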
--
2.39.1
* [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 1/7] linux-cip: update kernel configuration for tpm2 support Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-17 14:49 ` Jan Kiszka
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition Quirin Gylstorff
` (3 subsequent siblings)
6 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows testing the tpm2 encryption with qemu.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
start-qemu.sh | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index dd16aed..3ef2acc 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
case "${arch}" in
x86|x86_64|amd64)
+ if [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p ${swtpm_dir}
+ rm ${swtpm_dir}/*
+ if swtpm socket -d --tpmstate dir=${swtpm_dir} \
+ --ctrl type=unixio,path=${swtpm_dir}/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+ fi
if [ -n "${SECURE_BOOT}" ]; then
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
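Review bot: `rm ${swtpm_dir}/*` throws away the swtpm state on every launch, so a volume whose only remaining key is sealed to this TPM (4/7 wipes the passphrase slot right after enrolment) cannot be opened on the second start of the same image: the fresh TPM has a new storage seed, systemd-cryptsetup fails and the initramfs panics in open_tpm2_partition. Keep the state directory across runs and make the reset an explicit knob. The path is also a fixed, world-known name under /tmp shared by every user of the host (use `mktemp -d` or a per-user directory), `rm` without `-f` prints an error when the directory is empty on first use, and the daemon started with `swtpm socket -d` is never stopped when QEMU exits. Minor: the closing `"` of QEMU_COMMON_OPTIONS is now a whitespace-only continuation line; end the string after the -netdev line, and mention in the commit message that QEMU_EXTRA_ARGS had to move out of QEMU_COMMON_OPTIONS because the swtpm block appends to it after that variable is assigned.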
@@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
;;
arm64|aarch64|arm|armhf)
@@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
;;
*)
echo "Unsupported architecture: ${arch}"
@@ -187,5 +200,5 @@ else
-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
-initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
fi
--
2.39.1
* [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
` (2 preceding siblings ...)
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-17 14:53 ` Jan Kiszka
2023-02-18 8:10 ` Moessbauer, Felix
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 5/7] overlay: add prerequisite 'encrypt_partition' Quirin Gylstorff
` (2 subsequent siblings)
6 siblings, 2 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This creates a new luks encrypted ext4 partition with the
key stored in the tpm2.
The initial key is randomly generated and removed from the
LUKS partition. Therefore a new key cannot be added by the user
and if the LUKS header is corrupted the data is no longer readable.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.env.tmpl | 2 +
.../files/encrypt_partition.hook | 49 +++++++
.../files/encrypt_partition.script | 135 ++++++++++++++++++
.../initramfs-crypt-hook_0.1.bb | 37 +++++
wic/x86-efibootguard.wks.in | 4 +-
5 files changed, 225 insertions(+), 2 deletions(-)
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
new file mode 100644
index 0000000..943fe4b
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -0,0 +1,2 @@
+PARTITIONS="${CRYPT_PARTITIONS}"
+REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
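Review bot: REDUDUCE_DEVICE_SIZE (and CRYPT_REDUDUCE_DEVICE_SIZE in the recipe) is a typo for REDUCE_DEVICE_SIZE; fix it before the name ends up in users' configurations. The value is also passed straight to `--reduce-device-size` while the resize2fs step in the script subtracts a hard-coded 65536 sectors (32 MiB), so the two silently diverge as soon as anyone changes this variable; compute one from the other or document that they must match.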
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
new file mode 100644
index 0000000..96e084a
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
@@ -0,0 +1,49 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2022
+#
+# SPDX-License-Identifier: MIT
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+manual_add_modules tpm
+manual_add_modules tpm_tis_core
+manual_add_modules tpm_tis
+manual_add_modules tpm_crb
+manual_add_modules dm_mod
+manual_add_modules dm_crypt
+
+copy_exec /usr/bin/openssl
+copy_exec /usr/sbin/mke2fs
+copy_exec /usr/bin/grep
+copy_exec /usr/bin/awk
+copy_exec /usr/bin/expr
+copy_exec /usr/sbin/e2fsck
+copy_exec /usr/sbin/resize2fs
+copy_exec /usr/sbin/cryptsetup
+copy_exec /usr/bin/systemd-cryptenroll
+copy_exec /usr/lib/systemd/systemd-cryptsetup
+
+if [ -x cryptsetup-reencrypt ]; then
+ copy_exec /usr/sbin/cryptsetup-reencrypt
+fi
+
+for _LIBRARY in /usr/lib/*/libtss2*; do
+ copy_exec "$_LIBRARY"
+done
+
+copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
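Review bot: `[ -x cryptsetup-reencrypt ]` tests a path relative to the hook's working directory, so it is effectively always false and /usr/sbin/cryptsetup-reencrypt is never copied even on systems that only ship the separate binary; test `/usr/sbin/cryptsetup-reencrypt` (the same relative test is repeated in the script). The `/usr/lib/*/libtss2*` loop is needed because systemd-cryptsetup and systemd-cryptenroll load the TSS libraries with dlopen rather than linking them, which copy_exec's dependency resolution does not see; a one-line comment saying so would stop the next reader from removing it. It copies every libtss2 variant found, though; restricting it to the three the recipe already depends on (esys, rc, mu) keeps the initramfs small.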
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
new file mode 100644
index 0000000..e58794e
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -0,0 +1,135 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+# load necessary kernel modules:
+modprobe tpm_tis
+modprobe tpm_crb
+
+# fixed tpm device or do we need to find it
+tpm_device=/dev/tpmrm0
+partition_sets="$PARTITIONS"
+
+open_tpm2_partition() {
+ if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
+ "$1" - tpm2-device="$tpm_device"; then
+ panic "Can't decrypt '$1' !"
+ fi
+}
+
+enroll_tpm2_token() {
+ #check systemd version and export password if necessary
+ if [ -x /usr/bin/systemd-cryptenroll ]; then
+ systemd_version=$(systemd-cryptenroll --version | \
+ awk -F " " 'NR==1{print $2 }')
+ #check systemd version and export password if necessary
+ if [ "$systemd_version" -ge "251" ]; then
+ PASSWORD=$(cat "$2" )
+ export PASSWORD
+ /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
+ --tpm2-pcrs=7 "$1"
+ PASSWORD=
+ else
+ panic "Unknown systemd version: '$systemd_version'!"
+ fi
+ fi
+}
+
+reencrypt_existing_partition() {
+ part_device=$(readlink -f "$partition")
+ part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
+ reduced_size=$(expr $part_size_blocks - 65536 )
+ reduced_size_in_byte=$(expr $reduced_size \* 512)
+ reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
+ resize2fs "$1" "$reduced_size_in_kb"
+ if [ -x cryptsetup-reencrypt ]; then
+ /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
+ else
+ /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
+ fi
+
+}
+
+
+if [ ! -e "$tpm_device" ]; then
+ panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+fi
+
+for partition_set in $partition_sets; do
+ partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}')
+ partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}')
+ partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}')
+ partition=/dev/disk/by-partlabel/$partition_label
+ crypt_mount_name="encrypted_$partition_label"
+ decrypted_part=/dev/mapper/"$crypt_mount_name"
+
+ # check if partition is already encrypted with systemd-tpm2
+ if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+ | grep -q "systemd-tpm2"; then
+ open_tpm2_partition "$partition"
+ if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
+ panic "Can't mount encrypted partition '${decrypted_part}'!"
+ fi
+ continue
+ fi
+
+ # create random password for initial encryption
+ # this will be dropped after reboot
+ tmp_key=/tmp/"$partition_label-lukskey"
+ openssl rand -base64 32 > "$tmp_key"
+
+ case "${partition_format}" in
+ "reencrypt")
+ reencrypt_existing_partition "$partition" "$tmp_key"
+ enroll_tpm2_token "$partition" "$tmp_key"
+ open_tpm2_partition "$partition"
+ ;;
+ "format")
+ /usr/sbin/cryptsetup luksFormat --batch-mode \
+ --type luks2 "$partition" < "$tmp_key"
+ enroll_tpm2_token "$partition" "$tmp_key"
+ open_tpm2_partition_tpm2_partition "$partition"
+ mke2fs -t ext4 "${decrypted_part}"
+ ;;
+ *)
+ panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
+ ;;
+ esac
+
+ if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
+ panic "Can't mount encrypted partition '${decrypted_part}'!"
+ fi
+
+ # delete initial key
+ # afterwards no new keys can be enrolled
+ /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
+done
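Review bot: the "format" branch calls `open_tpm2_partition_tpm2_partition`, which does not exist, so a freshly formatted partition is never opened, mke2fs fails on the missing /dev/mapper node and the boot ends in the mount panic; this must read `open_tpm2_partition "$partition"`. Further points in the same hunk: reencrypt_existing_partition resizes "$1" but reads the block count from the global `$partition`, and repeats the relative `[ -x cryptsetup-reencrypt ]` test from the hook; the 65536-sector reduction is hard-coded while cryptsetup gets "${REDUDUCE_DEVICE_SIZE}", so the two can disagree. The temporary passphrase stays in /tmp/<label>-lukskey after slot 0 is wiped (add `rm -f "$tmp_key"`), and `PASSWORD=` leaves an exported empty variable (use `unset PASSWORD`). Sealing with `--tpm2-pcrs=7` alone binds the key to the Secure Boot policy state, not to the kernel or initramfs that was booted, and without a PIN anything that boots under the same Secure Boot keys can unseal the volume; the commit message should say that this is the threat model. The prereqs() comment says local-top, but the recipe installs the script into local-bottom, and declaring every sibling as a prerequisite contradicts the overlay script's `PREREQ="encrypt_partition"` from 5/7 if both land in the same directory. Finally, because slot 0 is wiped there is no recovery path once the header is damaged; a `cryptsetup luksHeaderBackup` of the enrolled header would at least make that recoverable.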
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
new file mode 100644
index 0000000..ba2b884
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -0,0 +1,37 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+
+inherit dpkg-raw
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
+ awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs"
+
+SRC_URI += "file://encrypt_partition.hook \
+ file://encrypt_partition.script \
+ file://encrypt_partition.env.tmpl"
+
+CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
+CRYPT_REDUDUCE_DEVICE_SIZE="32M"
+
+TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
+TEMPLATE_FILES = "encrypt_partition.env.tmpl"
+
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/encrypt_partition \
+ ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+do_install() {
+ install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
+ install -m 0755 "${WORKDIR}/encrypt_partition.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
+ install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
+}
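Review bot: `CRYPT_REDUDUCE_DEVICE_SIZE="32M"` is a plain assignment while CRYPT_PARTITIONS uses `??=`, so the size cannot be overridden from a kas or local.conf layer; use the same weak default (and fix the REDUDUCE spelling). The script is installed into scripts/local-bottom, which contradicts the 'run last in local-top' comment inside the script. DEBIAN_DEPENDS names the ABI-versioned package libtss2-esys-3.0.2-0, which hard-wires the recipe to bullseye's tpm2-tss; together with the wildcard backports pin from 2/7 this breaks as soon as a newer tpm2-tss with a different package name appears there. `systemd(>= 251)` works, but the conventional Debian form is `systemd (>= 251)`.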
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index b635a8b..1d29583 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -7,7 +7,7 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1
part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}"
# home and var are extra partitions
-part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
-part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
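Review bot: the commit message does not explain the new --extra-space=100M; from the script it is the slack that resize2fs and cryptsetup reencrypt need to shrink the filesystem by 32M and place the LUKS2 header in front of it. Put that reasoning in a comment next to the two `part` lines, because the value has to stay above CRYPT_REDUDUCE_DEVICE_SIZE plus whatever the populated rootfs content needs, and 100M next to 32M looks arbitrary without it.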
--
2.39.1
* [cip-dev][isar-cip-core][RFC v2 5/7] overlay: add prerequisite 'encrypt_partition'
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
` (3 preceding siblings ...)
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 6/7] KConfig: add tpm option Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build Quirin Gylstorff
6 siblings, 0 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
If /var shall be encrypted, encrypt_partition needs to be executed
before the overlay script.
If the prerequisite is not available, the overlay script will be executed.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-overlay-hook/files/overlay.hook | 1 +
.../initramfs-overlay-hook/files/overlay.script.tmpl | 12 +++++++-----
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
index 5bec258..bc6a682 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
@@ -23,4 +23,5 @@ esac
. /usr/share/initramfs-tools/hook-functions
manual_add_modules overlay
+copy_exec /usr/bin/grep
copy_exec /usr/bin/awk
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
index 87ec72f..9739197 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
@@ -9,7 +9,7 @@
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
#
-PREREQ=""
+PREREQ="encrypt_partition"
prereqs()
{
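Review bot: `PREREQ="encrypt_partition"` makes overlay wait for encrypt_partition, but the encrypt_partition script added in 4/7 declares every other script in its directory as its own prerequisite; if overlay is installed into the same scripts directory this is a dependency cycle that initramfs-tools cannot resolve, and the resulting order is whatever tsort falls back to. Give encrypt_partition an empty PREREQ (it already lives in local-bottom, which runs after local-top) and keep the explicit dependency here.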
@@ -33,10 +33,12 @@ ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}"
root_mount_storage=${rootmnt}${ovl_storage_path}
-if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \
- /dev/disk/by-label/${ovl_partition_label} \
- ${rootmnt}/${ovl_partition_label}; then
- panic "Can't mount /${ovl_partition_label} partition - overlay will not work!"
+if ! grep -q "${rootmnt}/${ovl_partition_label}" /proc/mounts ; then
+ if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \
+ /dev/disk/by-label/${ovl_partition_label} \
+ ${rootmnt}/${ovl_partition_label}; then
+ panic "Can't mount /${ovl_partition_label} partition - overlay will not work!"
+ fi
fi
for ovl_lower_dir in ${ovl_lower_dirs}; do
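Review bot: `grep -q "${rootmnt}/${ovl_partition_label}" /proc/mounts` is a substring match, so a mount point such as /root/var2 or a bind mount below /root/var makes the script believe the partition is already mounted and skip the mount; compare the second field exactly, e.g. `awk -v m="${rootmnt}/${ovl_partition_label}" '$2 == m { f=1 } END { exit !f }' /proc/mounts`, which also removes the need for the grep copy_exec added to the hook.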
--
2.39.1
* [cip-dev][isar-cip-core][RFC v2 6/7] KConfig: add tpm option
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
` (4 preceding siblings ...)
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 5/7] overlay: add prerequisite 'encrypt_partition' Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build Quirin Gylstorff
6 siblings, 0 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/Kconfig b/Kconfig
index cd24ce2..d976e5b 100644
--- a/Kconfig
+++ b/Kconfig
@@ -189,4 +189,12 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+config IMAGE_TPM2_ENCRYPTION
+ bool "Encrypt partitions on first boot with TPM2"
+ depends on TARGET_QEMU_AMD64
+
+config KAS_IMAGE_TPM2_ENCRYPTION
+ string
+ default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION
+
endif
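Review bot: the new option has no `help` text telling the user that the first boot re-encrypts /home and /var in place, that the key is sealed to the TPM only (no recovery passphrase) and that bullseye backports are pulled in; add one. `depends on TARGET_QEMU_AMD64` looks like a limitation of the start-qemu test path rather than of the feature, and since 3/7 only creates the swtpm under SECURE_BOOT/SWUPDATE_BOOT and the key is sealed to PCR 7, a `depends on IMAGE_SECURE_BOOT` would express the actual requirement.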
--
2.39.1
* [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
` (5 preceding siblings ...)
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 6/7] KConfig: add tpm option Quirin Gylstorff
@ 2023-02-17 13:05 ` Quirin Gylstorff
2023-02-17 14:55 ` Jan Kiszka
6 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2023-02-17 13:05 UTC (permalink / raw)
To: cip-dev, christian.storm, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f7c8c88..c6dcab6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,6 +5,7 @@ variables:
release: bullseye
extension: none
use_rt: enable
+ tpm: disable
wic_targz: enable
targz: disable
dtb: none
@@ -37,6 +38,7 @@ default:
- if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi
- if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
- if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
+ - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi
- echo "Building ${base_yaml}"
- kas build ${base_yaml}
- if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
@@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot:
wic_targz: disable
deploy: disable
+build:qemu-amd64-secure-boot-tpm:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-amd64
+ extension: ebg-secure-boot-snakeoil
+ use_rt: disable
+ wic_targz: disable
+ deploy: disable
+ tpm: enable
+
build:qemu-amd64-swupdate:
extends:
- .build_base
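Review bot: this job only runs `kas build` and never boots the image, so nothing in CI exercises the initramfs script; the non-existent `open_tpm2_partition_tpm2_partition` in 4/7 and the swtpm state reset in 3/7 would both pass it. Add a boot stage with start-qemu.sh and swtpm that checks /home and /var are dm-crypt mounts after a second boot, or say in the commit message that the job is build-only for now.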
--
2.39.1
* Re: [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device Quirin Gylstorff
@ 2023-02-17 14:49 ` Jan Kiszka
2023-02-17 15:11 ` Gylstorff Quirin
0 siblings, 1 reply; 19+ messages in thread
From: Jan Kiszka @ 2023-02-17 14:49 UTC (permalink / raw)
To: Quirin Gylstorff, cip-dev, christian.storm
On 17.02.23 14:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This allows testing the tpm2 encryption with qemu.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> start-qemu.sh | 23 ++++++++++++++++++-----
> 1 file changed, 18 insertions(+), 5 deletions(-)
>
> diff --git a/start-qemu.sh b/start-qemu.sh
> index dd16aed..3ef2acc 100755
> --- a/start-qemu.sh
> +++ b/start-qemu.sh
> @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \
> -m 1G \
> -serial mon:stdio \
> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
> - ${QEMU_EXTRA_ARGS}"
> + "
>
> if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
> case "${arch}" in
> x86|x86_64|amd64)
> + if [ -x /usr/bin/swtpm ]; then
> + swtpm_dir="/tmp/qemu-swtpm"
> + mkdir -p ${swtpm_dir}
> + rm ${swtpm_dir}/*
> + if swtpm socket -d --tpmstate dir=${swtpm_dir} \
> + --ctrl type=unixio,path=${swtpm_dir}/sock \
> + --tpm2; then
> + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
> + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
> + -tpmdev emulator,id=tpm0,chardev=chrtpm \
> + -device tpm-tis,tpmdev=tpm0"
> + fi
> + fi
There are some space-based indentations in this block, messing things up
visually.
Jan
> if [ -n "${SECURE_BOOT}" ]; then
> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
> ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
> @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
> -drive if=pflash,format=raw,file=${ovmf_vars} \
> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
> - ${QEMU_COMMON_OPTIONS} "$@"
> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
> else
> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
>
> ${QEMU_PATH}${QEMU} \
> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
> - ${QEMU_COMMON_OPTIONS} "$@"
> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
> fi
> ;;
> arm64|aarch64|arm|armhf)
> @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
> ${QEMU_PATH}${QEMU} \
> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
> -bios ${u_boot_bin} \
> - ${QEMU_COMMON_OPTIONS} "$@"
> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
> ;;
> *)
> echo "Unsupported architecture: ${arch}"
> @@ -187,5 +200,5 @@ else
> -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
> -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
> -initrd ${INITRD_FILE} \
> - ${QEMU_COMMON_OPTIONS} "$@"
> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
> fi
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition Quirin Gylstorff
@ 2023-02-17 14:53 ` Jan Kiszka
2023-02-17 15:06 ` Gylstorff Quirin
2023-02-18 8:10 ` Moessbauer, Felix
1 sibling, 1 reply; 19+ messages in thread
From: Jan Kiszka @ 2023-02-17 14:53 UTC (permalink / raw)
To: Quirin Gylstorff, cip-dev, christian.storm
On 17.02.23 14:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This creates a new luks encrypted ext4 partition with a the
> key stored in the tpm2.
>
> The initial key is randomly generated and removed from the
> LUKS partition. Therefore a new key cannot be added by the user
> and if the LUKS header is corrupted the data is no longer readable.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../files/encrypt_partition.env.tmpl | 2 +
> .../files/encrypt_partition.hook | 49 +++++++
> .../files/encrypt_partition.script | 135 ++++++++++++++++++
> .../initramfs-crypt-hook_0.1.bb | 37 +++++
> wic/x86-efibootguard.wks.in | 4 +-
> 5 files changed, 225 insertions(+), 2 deletions(-)
> create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
> create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> new file mode 100644
> index 0000000..943fe4b
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -0,0 +1,2 @@
> +PARTITIONS="${CRYPT_PARTITIONS}"
> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
Did you mean "REDUCE"?
And what is this variable for?
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
> new file mode 100644
> index 0000000..96e084a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +# Copyright (C) Siemens AG, 2020-2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +PREREQ=""
> +
> +prereqs()
> +{
> + echo "$PREREQ"
> +}
> +
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /usr/share/initramfs-tools/scripts/functions
> +. /usr/share/initramfs-tools/hook-functions
> +
> +manual_add_modules tpm
> +manual_add_modules tpm_tis_core
> +manual_add_modules tpm_tis
> +manual_add_modules tpm_crb
> +manual_add_modules dm_mod
> +manual_add_modules dm_crypt
> +
> +copy_exec /usr/bin/openssl
> +copy_exec /usr/sbin/mke2fs
> +copy_exec /usr/bin/grep
> +copy_exec /usr/bin/awk
> +copy_exec /usr/bin/expr
> +copy_exec /usr/sbin/e2fsck
> +copy_exec /usr/sbin/resize2fs
> +copy_exec /usr/sbin/cryptsetup
> +copy_exec /usr/bin/systemd-cryptenroll
> +copy_exec /usr/lib/systemd/systemd-cryptsetup
> +
> +if [ -x cryptsetup-reencrypt ]; then
> + copy_exec /usr/sbin/cryptsetup-reencrypt
> +fi
> +
> +for _LIBRARY in /usr/lib/*/libtss2*; do
> + copy_exec "$_LIBRARY"
> +done
> +
> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
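Review bot: `[ -x cryptsetup-reencrypt ]` tests a path relative to the hook's working directory rather than the installed binary, so cryptsetup-reencrypt is never copied; use `[ -x /usr/sbin/cryptsetup-reencrypt ]` (or `command -v cryptsetup-reencrypt`) and keep it identical to the same test in encrypt_partition.script. The `for _LIBRARY in /usr/lib/*/libtss2*` loop passes the unexpanded glob to copy_exec when no libtss2 library is installed, and without `set -e` the hook carries on, so a missing TSS library surfaces as a failed enrolment at first boot instead of a build failure; an explicit existence check that exits non-zero would fail the build instead. The header also says 2020-2022 on a file that is new in 2023.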
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> new file mode 100644
> index 0000000..e58794e
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -0,0 +1,135 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +prereqs()
> +{
> + # Make sure that this script is run last in local-top
> + local req
> + for req in "${0%/*}"/*; do
> + script="${req##*/}"
> + if [ "$script" != "${0##*/}" ]; then
> + printf '%s\n' "$script"
> + fi
> + done
> +}
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /scripts/functions
> +
> +# get configuration variables
> +. /usr/share/encrypt_partition/encrypt_partition.env
> +
> +# load necessary kernel modules:
> +modprobe tpm_tis
> +modprobe tpm_crb
> +
> +# fixed tpm device or do we need to find it
> +tpm_device=/dev/tpmrm0
> +partition_sets="$PARTITIONS"
> +
> +open_tpm2_partition() {
> + if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
> + "$1" - tpm2-device="$tpm_device"; then
> + panic "Can't decrypt '$1' !"
> + fi
> +}
> +
> +enroll_tpm2_token() {
> + #check systemd version and export password if necessary
> + if [ -x /usr/bin/systemd-cryptenroll ]; then
And if that file does not exist? No error? No bail-out?
> + systemd_version=$(systemd-cryptenroll --version | \
> + awk -F " " 'NR==1{print $2 }')
> + #check systemd version and export password if necessary
> + if [ "$systemd_version" -ge "251" ]; then
> + PASSWORD=$(cat "$2" )
> + export PASSWORD
> + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
> + --tpm2-pcrs=7 "$1"
> + PASSWORD=
> + else
> + panic "Unknown systemd version: '$systemd_version'!"
> + fi
> + fi
> +}
> +
> +reencrypt_existing_partition() {
> + part_device=$(readlink -f "$partition")
> + part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
> + reduced_size=$(expr $part_size_blocks - 65536 )
> + reduced_size_in_byte=$(expr $reduced_size \* 512)
> + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
> + resize2fs "$1" "$reduced_size_in_kb"
> + if [ -x cryptsetup-reencrypt ]; then
> + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> + else
> + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> + fi
> +
> +}
> +
> +
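Review bot: reencrypt_existing_partition shrinks the filesystem by a hard-coded 65536 sectors (32 MiB) while the header reservation handed to cryptsetup comes from REDUDUCE_DEVICE_SIZE; if the recipe ever sets that variable larger, the filesystem end overlaps the reserved area and the reencryption fails or corrupts data, so derive the resize2fs target from the same variable (or check that the two agree and panic otherwise). resize2fs refuses to shrink a filesystem that has been mounted since its last check, so an `e2fsck -f -y "$1"` before the resize makes this path robust (the hook already copies e2fsck, the script never calls it). `[ -x cryptsetup-reencrypt ]` tests a relative path and therefore always takes the else branch, and the function reads the global `$partition` for part_device instead of its own `$1`. In enroll_tpm2_token, binding only to `--tpm2-pcrs=7` means the key unseals under any kernel and initramfs accepted by the same Secure Boot policy, so the encryption rests entirely on Secure Boot enforcement; that is a reasonable choice for this series but worth stating in the commit message.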
One newline should be enough here.
> +if [ ! -e "$tpm_device" ]; then
> + panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
> +fi
> +
> +for partition_set in $partition_sets; do
> + partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}')
> + partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}')
> + partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}')
> + partition=/dev/disk/by-partlabel/$partition_label
> + crypt_mount_name="encrypted_$partition_label"
> + decrypted_part=/dev/mapper/"$crypt_mount_name"
> +
> + # check if partition is already encrypted with systemd-tpm2
> + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> + | grep -q "systemd-tpm2"; then
> + open_tpm2_partition "$partition"
> + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> + panic "Can't mount encrypted partition '${decrypted_part}'!"
> + fi
> + continue
> + fi
> +
> + # create random password for initial encryption
> + # this will be dropped after reboot
> + tmp_key=/tmp/"$partition_label-lukskey"
> + openssl rand -base64 32 > "$tmp_key"
> +
> + case "${partition_format}" in
> + "reencrypt")
> + reencrypt_existing_partition "$partition" "$tmp_key"
> + enroll_tpm2_token "$partition" "$tmp_key"
> + open_tpm2_partition "$partition"
> + ;;
> + "format")
> + /usr/sbin/cryptsetup luksFormat --batch-mode \
> + --type luks2 "$partition" < "$tmp_key"
> + enroll_tpm2_token "$partition" "$tmp_key"
> + open_tpm2_partition_tpm2_partition "$partition"
> + mke2fs -t ext4 "${decrypted_part}"
We likely want to make this line configurable at recipe-level, both
regarding fs options as well as the fs type itself.
> + ;;
> + *)
> + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
> + ;;
> + esac
> +
> + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> + panic "Can't mount encrypted partition '${decrypted_part}'!"
> + fi
> +
> + # delete initial key
> + # afterwards no new keys can be enrolled
> + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
> +done
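Review bot: the `format` branch calls `open_tpm2_partition_tpm2_partition`, which is not defined, so that path never opens the device and mke2fs and the mount then fail on a non-existent /dev/mapper node. More serious is the unconditional `systemd-cryptenroll --wipe-slot=0` at the end of the loop: luksFormat/reencrypt, enroll_tpm2_token and mke2fs all have their exit status ignored (and enroll_tpm2_token silently does nothing when systemd-cryptenroll is absent), so a failed TPM enrolment still ends with the only passphrase slot wiped and the data permanently unrecoverable. Each step should `|| panic`, and the wipe should only run after a luksDump confirms the systemd-tpm2 token is present. Smaller points: `mount -t $(get_fstype ...)` is unquoted and breaks the argument list if get_fstype returns nothing; the random key in /tmp is never removed after use; the prereqs comment says local-top while the recipe installs the script into local-bottom.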
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> new file mode 100644
> index 0000000..ba2b884
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -0,0 +1,37 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2020-2022
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +
> +inherit dpkg-raw
> +
> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
> + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs"
> +
> +SRC_URI += "file://encrypt_partition.hook \
> + file://encrypt_partition.script \
> + file://encrypt_partition.env.tmpl"
> +
> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
> +
> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
> +
> +do_install[cleandirs] += " \
> + ${D}/usr/share/initramfs-tools/hooks \
> + ${D}/usr/share/encrypt_partition \
> + ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +do_install() {
> + install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
> + install -m 0755 "${WORKDIR}/encrypt_partition.script" \
> + "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
> + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
> + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
> +}
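Review bot: CRYPT_REDUDUCE_DEVICE_SIZE is assigned with `=` whereas CRYPT_PARTITIONS uses `??=`, so the reduce size cannot be overridden from a kas or image configuration even though the env template exposes it; use `??=` for both (and fix the spelling together with TEMPLATE_VARS and the template). Depending on `libtss2-esys-3.0.2-0` by its soname package ties the recipe to this particular libtss2 build and breaks on the next library bump; a less specific dependency would be more robust. The file is new but carries a 2020-2022 copyright line, and the `systemd(>= 251)` dependency deserves a comment that 251 is the first version with the `PASSWORD` environment handling the script relies on.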
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
> index b635a8b..1d29583 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1
> part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}"
>
> # home and var are extra partitions
> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
>
> bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
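Review bot: a comment on the two `part` lines explaining that --extra-space=100M exists to leave room for the 32M the initramfs hook shrinks the filesystem by would spare the next reader a trip to the recipe. As far as I read wic, `--size` acts as a floor for rootfs-sourced partitions and --extra-space only matters once the contents plus the extra space exceed 1G/2G, so for a small /home and /var the reservation is already there and the actual guarantee is the shrink in encrypt_partition.script; if that is the intent, say so, otherwise `--fixed-size` would make the relationship explicit.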
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build Quirin Gylstorff
@ 2023-02-17 14:55 ` Jan Kiszka
2023-02-17 14:59 ` Gylstorff Quirin
0 siblings, 1 reply; 19+ messages in thread
From: Jan Kiszka @ 2023-02-17 14:55 UTC (permalink / raw)
To: Quirin Gylstorff, cip-dev, christian.storm
On 17.02.23 14:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .gitlab-ci.yml | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index f7c8c88..c6dcab6 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -5,6 +5,7 @@ variables:
> release: bullseye
> extension: none
> use_rt: enable
> + tpm: disable
> wic_targz: enable
> targz: disable
> dtb: none
> @@ -37,6 +38,7 @@ default:
> - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi
> - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
> - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
> + - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi
> - echo "Building ${base_yaml}"
> - kas build ${base_yaml}
> - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
> @@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot:
> wic_targz: disable
> deploy: disable
>
> +build:qemu-amd64-secure-boot-tpm:
> + extends:
> + - .build_base
> + variables:
> + target: qemu-amd64
> + extension: ebg-secure-boot-snakeoil
> + use_rt: disable
> + wic_targz: disable
> + deploy: disable
> + tpm: enable
> +
Do we then still need to build-test the non-tpm swupdate variant of
qemu-amd64?
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build
2023-02-17 14:55 ` Jan Kiszka
@ 2023-02-17 14:59 ` Gylstorff Quirin
0 siblings, 0 replies; 19+ messages in thread
From: Gylstorff Quirin @ 2023-02-17 14:59 UTC (permalink / raw)
To: Jan Kiszka, cip-dev, christian.storm
On 2/17/23 15:55, Jan Kiszka wrote:
> On 17.02.23 14:05, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> .gitlab-ci.yml | 13 +++++++++++++
>> 1 file changed, 13 insertions(+)
>>
>> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
>> index f7c8c88..c6dcab6 100644
>> --- a/.gitlab-ci.yml
>> +++ b/.gitlab-ci.yml
>> @@ -5,6 +5,7 @@ variables:
>> release: bullseye
>> extension: none
>> use_rt: enable
>> + tpm: disable
>> wic_targz: enable
>> targz: disable
>> dtb: none
>> @@ -37,6 +38,7 @@ default:
>> - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi
>> - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
>> - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
>> + - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi
>> - echo "Building ${base_yaml}"
>> - kas build ${base_yaml}
>> - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
>> @@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot:
>> wic_targz: disable
>> deploy: disable
>>
>> +build:qemu-amd64-secure-boot-tpm:
>> + extends:
>> + - .build_base
>> + variables:
>> + target: qemu-amd64
>> + extension: ebg-secure-boot-snakeoil
>> + use_rt: disable
>> + wic_targz: disable
>> + deploy: disable
>> + tpm: enable
>> +
>
> Do we then still need to build-test the non-tpm swupdate variant of
> qemu-amd64?
I currently use the non-tpm swupdate build as a check that adding the
tpm didn't break anything. But we can remove it.
Quirin
>
> Jan
>
* Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-17 14:53 ` Jan Kiszka
@ 2023-02-17 15:06 ` Gylstorff Quirin
2023-02-17 15:10 ` Jan Kiszka
0 siblings, 1 reply; 19+ messages in thread
From: Gylstorff Quirin @ 2023-02-17 15:06 UTC (permalink / raw)
To: Jan Kiszka, cip-dev, christian.storm
On 2/17/23 15:53, Jan Kiszka wrote:
> On 17.02.23 14:05, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This creates a new luks encrypted ext4 partition with a the
>> key stored in the tpm2.
>>
>> The initial key is randomly generated and removed from the
>> LUKS partition. Therefore a new key cannot be added by the user
>> and if the LUKS header is corrupted the data is no longer readable.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> .../files/encrypt_partition.env.tmpl | 2 +
>> .../files/encrypt_partition.hook | 49 +++++++
>> .../files/encrypt_partition.script | 135 ++++++++++++++++++
>> .../initramfs-crypt-hook_0.1.bb | 37 +++++
>> wic/x86-efibootguard.wks.in | 4 +-
>> 5 files changed, 225 insertions(+), 2 deletions(-)
>> create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>> create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>> create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> new file mode 100644
>> index 0000000..943fe4b
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> @@ -0,0 +1,2 @@
>> +PARTITIONS="${CRYPT_PARTITIONS}"
>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
>
> Did you mean "REDUCE"?
That was my intention, will fix it in v3.
>
> And what is this variable for?
If you use online reencryption on a populated partition you need to
create the space for the LUKS header. The necessary minimum size is 32MB.
As an alternative you can detach the LUKS header.
>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>> new file mode 100644
>> index 0000000..96e084a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>> @@ -0,0 +1,49 @@
>> +#!/bin/sh
>> +# Copyright (C) Siemens AG, 2020-2022
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +PREREQ=""
>> +
>> +prereqs()
>> +{
>> + echo "$PREREQ"
>> +}
>> +
>> +case $1 in
>> +prereqs)
>> + prereqs
>> + exit 0
>> + ;;
>> +esac
>> +
>> +. /usr/share/initramfs-tools/scripts/functions
>> +. /usr/share/initramfs-tools/hook-functions
>> +
>> +manual_add_modules tpm
>> +manual_add_modules tpm_tis_core
>> +manual_add_modules tpm_tis
>> +manual_add_modules tpm_crb
>> +manual_add_modules dm_mod
>> +manual_add_modules dm_crypt
>> +
>> +copy_exec /usr/bin/openssl
>> +copy_exec /usr/sbin/mke2fs
>> +copy_exec /usr/bin/grep
>> +copy_exec /usr/bin/awk
>> +copy_exec /usr/bin/expr
>> +copy_exec /usr/sbin/e2fsck
>> +copy_exec /usr/sbin/resize2fs
>> +copy_exec /usr/sbin/cryptsetup
>> +copy_exec /usr/bin/systemd-cryptenroll
>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>> +
>> +if [ -x cryptsetup-reencrypt ]; then
>> + copy_exec /usr/sbin/cryptsetup-reencrypt
>> +fi
>> +
>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>> + copy_exec "$_LIBRARY"
>> +done
>> +
>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>> new file mode 100644
>> index 0000000..e58794e
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>> @@ -0,0 +1,135 @@
>> +#!/bin/sh
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +prereqs()
>> +{
>> + # Make sure that this script is run last in local-top
>> + local req
>> + for req in "${0%/*}"/*; do
>> + script="${req##*/}"
>> + if [ "$script" != "${0##*/}" ]; then
>> + printf '%s\n' "$script"
>> + fi
>> + done
>> +}
>> +case $1 in
>> +prereqs)
>> + prereqs
>> + exit 0
>> + ;;
>> +esac
>> +
>> +. /scripts/functions
>> +
>> +# get configuration variables
>> +. /usr/share/encrypt_partition/encrypt_partition.env
>> +
>> +# load necessary kernel modules:
>> +modprobe tpm_tis
>> +modprobe tpm_crb
>> +
>> +# fixed tpm device or do we need to find it
>> +tpm_device=/dev/tpmrm0
>> +partition_sets="$PARTITIONS"
>> +
>> +open_tpm2_partition() {
>> + if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
>> + "$1" - tpm2-device="$tpm_device"; then
>> + panic "Can't decrypt '$1' !"
>> + fi
>> +}
>> +
>> +enroll_tpm2_token() {
>> + #check systemd version and export password if necessary
>> + if [ -x /usr/bin/systemd-cryptenroll ]; then
>
> And if that file does not exist? No error? No bail-out?
>
I will remove that check and move it to the hook and fail during build
time. Is that better?
>> + systemd_version=$(systemd-cryptenroll --version | \
>> + awk -F " " 'NR==1{print $2 }')
>> + #check systemd version and export password if necessary
>> + if [ "$systemd_version" -ge "251" ]; then
>> + PASSWORD=$(cat "$2" )
>> + export PASSWORD
>> + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
>> + --tpm2-pcrs=7 "$1"
>> + PASSWORD=
>> + else
>> + panic "Unknown systemd version: '$systemd_version'!"
>> + fi
>> + fi
>> +}
>> +
>> +reencrypt_existing_partition() {
>> + part_device=$(readlink -f "$partition")
>> + part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>> + reduced_size=$(expr $part_size_blocks - 65536 )
>> + reduced_size_in_byte=$(expr $reduced_size \* 512)
>> + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>> + resize2fs "$1" "$reduced_size_in_kb"
>> + if [ -x cryptsetup-reencrypt ]; then
>> + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> + else
>> + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> + fi
>> +
>> +}
>> +
>> +
>
> One newline should be enough here.
Will fix in v3.
>
>> +if [ ! -e "$tpm_device" ]; then
>> + panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
>> +fi
>> +
>> +for partition_set in $partition_sets; do
>> + partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}')
>> + partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}')
>> + partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}')
>> + partition=/dev/disk/by-partlabel/$partition_label
>> + crypt_mount_name="encrypted_$partition_label"
>> + decrypted_part=/dev/mapper/"$crypt_mount_name"
>> +
>> + # check if partition is already encrypted with systemd-tpm2
>> + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>> + | grep -q "systemd-tpm2"; then
>> + open_tpm2_partition "$partition"
>> + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> + panic "Can't mount encrypted partition '${decrypted_part}'!"
>> + fi
>> + continue
>> + fi
>> +
>> + # create random password for initial encryption
>> + # this will be dropped after reboot
>> + tmp_key=/tmp/"$partition_label-lukskey"
>> + openssl rand -base64 32 > "$tmp_key"
>> +
>> + case "${partition_format}" in
>> + "reencrypt")
>> + reencrypt_existing_partition "$partition" "$tmp_key"
>> + enroll_tpm2_token "$partition" "$tmp_key"
>> + open_tpm2_partition "$partition"
>> + ;;
>> + "format")
>> + /usr/sbin/cryptsetup luksFormat --batch-mode \
>> + --type luks2 "$partition" < "$tmp_key"
>> + enroll_tpm2_token "$partition" "$tmp_key"
>> + open_tpm2_partition_tpm2_partition "$partition"
>> + mke2fs -t ext4 "${decrypted_part}"
>
> We likely want to make this line configurable at recipe-level, both
> regarding fs options as well as the fs type itself.
I will add an additional field to the configuration string.
>
>> + ;;
>> + *)
>> + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
>> + ;;
>> + esac
>> +
>> + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> + panic "Can't mount encrypted partition '${decrypted_part}'!"
>> + fi
>> +
>> + # delete initial key
>> + # afterwards no new keys can be enrolled
>> + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>> +done
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> new file mode 100644
>> index 0000000..ba2b884
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> @@ -0,0 +1,37 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2020-2022
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +
>> +inherit dpkg-raw
>> +
>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>> + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs"
>> +
>> +SRC_URI += "file://encrypt_partition.hook \
>> + file://encrypt_partition.script \
>> + file://encrypt_partition.env.tmpl"
>> +
>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>> +
>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>> +
>> +do_install[cleandirs] += " \
>> + ${D}/usr/share/initramfs-tools/hooks \
>> + ${D}/usr/share/encrypt_partition \
>> + ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>> +do_install() {
>> + install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>> + install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>> + "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
>> + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>> + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>> +}
>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
>> index b635a8b..1d29583 100644
>> --- a/wic/x86-efibootguard.wks.in
>> +++ b/wic/x86-efibootguard.wks.in
>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1
>> part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}"
>>
>> # home and var are extra partitions
>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
>>
>> bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
>
> Jan
>
Thanks for the review
Quirin
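As an added example (not code from the patch or from isar-cip-core), here is a POSIX shell sketch of how the resize2fs target and the cryptsetup --reduce-device-size could be derived from one configured value, enforcing the 32 MB minimum mentioned above, together with a parser for CRYPT_PARTITIONS entries extended by the fourth fstype field proposed in this reply. All function and variable names are this example's own, and the demo values at the end are constructed.

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core patch: derive the filesystem
# shrink target and the LUKS header reservation from one value, and parse
# "label:mountpoint:format[:fstype]" entries as used by CRYPT_PARTITIONS.

# Minimum header reservation for online LUKS2 reencryption, as stated in
# the thread (32 MiB). Smaller values are rejected.
MIN_REDUCE_BYTES=$((32 * 1024 * 1024))

# Convert a cryptsetup-style size ("32M", "64K", "1G" or plain bytes) to
# bytes. Prints the byte count; returns 1 on a malformed value.
size_to_bytes() {
    case "$1" in
        ''|[KMG]|*[!0-9KMG]*|*[KMG]?*) return 1 ;;
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# Shrink target for resize2fs in the "<n>K" form the patch's script builds.
# $1: partition size in 512-byte sectors (/sys/class/block/<dev>/size)
# $2: reduce-device-size value, e.g. "32M"
# Returns 1 if the value is malformed, below the minimum, not sector
# aligned, or not smaller than the partition itself.
fs_shrink_target_k() {
    reduce_bytes=$(size_to_bytes "$2") || return 1
    [ "$reduce_bytes" -ge "$MIN_REDUCE_BYTES" ] || return 1
    [ $((reduce_bytes % 512)) -eq 0 ] || return 1
    part_bytes=$(( $1 * 512 ))
    [ "$part_bytes" -gt "$reduce_bytes" ] || return 1
    echo "$(( (part_bytes - reduce_bytes) / 1024 ))K"
}

# Parse one entry "label:mountpoint:format[:fstype]" and print it as
# "label mountpoint format fstype"; fstype defaults to ext4, the type the
# patch hard-codes. Returns 1 on an invalid entry.
parse_partition_set() {
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    [ $# -ge 3 ] && [ $# -le 4 ] || return 1
    label=$1 mountpoint=$2 format=$3 fstype=${4:-ext4}
    [ -n "$label" ] || return 1
    case "$mountpoint" in /*) ;; *) return 1 ;; esac
    case "$format" in reencrypt|format) ;; *) return 1 ;; esac
    echo "$label $mountpoint $format $fstype"
}

# Print one plan line per entry of a CRYPT_PARTITIONS string.
# $1: partition sets, $2: partition size in sectors (one size for the
# demo), $3: reduce-device-size. Stops at the first invalid entry.
plan_partitions() {
    sets=$1 sectors=$2 reduce=$3
    for entry in $sets; do
        fields=$(parse_partition_set "$entry") || {
            echo "invalid entry: $entry" >&2; return 1; }
        set -- $fields
        case "$3" in
            reencrypt)
                target=$(fs_shrink_target_k "$sectors" "$reduce") || {
                    echo "reduce size $reduce unusable for $1" >&2; return 1; }
                echo "$1 $2 reencrypt resize2fs-to=$target reduce=$reduce" ;;
            format)
                echo "$1 $2 format mkfs=$4" ;;
        esac
    done
}

# Demo with constructed values: the recipe's default partition sets, a
# 1 GiB partition (2097152 sectors) and the 32M reservation.
plan_partitions "${CRYPT_PARTITIONS:-home:/home:reencrypt var:/var:reencrypt}" \
    "${PART_SECTORS:-2097152}" "${REDUCE_DEVICE_SIZE:-32M}"
```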
* Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-17 15:06 ` Gylstorff Quirin
@ 2023-02-17 15:10 ` Jan Kiszka
2023-02-17 15:20 ` Gylstorff Quirin
0 siblings, 1 reply; 19+ messages in thread
From: Jan Kiszka @ 2023-02-17 15:10 UTC (permalink / raw)
To: Gylstorff Quirin, cip-dev, christian.storm
On 17.02.23 16:06, Gylstorff Quirin wrote:
>
>
> On 2/17/23 15:53, Jan Kiszka wrote:
>> On 17.02.23 14:05, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> This creates a new luks encrypted ext4 partition with a the
>>> key stored in the tpm2.
>>>
>>> The initial key is randomly generated and removed from the
>>> LUKS partition. Therefore a new key cannot be added by the user
>>> and if the LUKS header is corrupted the data is no longer readable.
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>> .../files/encrypt_partition.env.tmpl | 2 +
>>> .../files/encrypt_partition.hook | 49 +++++++
>>> .../files/encrypt_partition.script | 135 ++++++++++++++++++
>>> .../initramfs-crypt-hook_0.1.bb | 37 +++++
>>> wic/x86-efibootguard.wks.in | 4 +-
>>> 5 files changed, 225 insertions(+), 2 deletions(-)
>>> create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>> create mode 100644
>>> recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> new file mode 100644
>>> index 0000000..943fe4b
>>> --- /dev/null
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> @@ -0,0 +1,2 @@
>>> +PARTITIONS="${CRYPT_PARTITIONS}"
>>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
>>
>> Did you mean "REDUCE"?
> That was my intention, will fix it in v3.
>>
>> And what is this variable for?
>
> If you use online reencryption on a populated partition you need to
> create the space for the LUKS header. The necessary minimum size is 32MB.
> As an alternative you can detach the LUKS header.
>
And what does this variable contribute to that?
>
>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> new file mode 100644
>>> index 0000000..96e084a
>>> --- /dev/null
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>> @@ -0,0 +1,49 @@
>>> +#!/bin/sh
>>> +# Copyright (C) Siemens AG, 2020-2022
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +
>>> +PREREQ=""
>>> +
>>> +prereqs()
>>> +{
>>> + echo "$PREREQ"
>>> +}
>>> +
>>> +case $1 in
>>> +prereqs)
>>> + prereqs
>>> + exit 0
>>> + ;;
>>> +esac
>>> +
>>> +. /usr/share/initramfs-tools/scripts/functions
>>> +. /usr/share/initramfs-tools/hook-functions
>>> +
>>> +manual_add_modules tpm
>>> +manual_add_modules tpm_tis_core
>>> +manual_add_modules tpm_tis
>>> +manual_add_modules tpm_crb
>>> +manual_add_modules dm_mod
>>> +manual_add_modules dm_crypt
>>> +
>>> +copy_exec /usr/bin/openssl
>>> +copy_exec /usr/sbin/mke2fs
>>> +copy_exec /usr/bin/grep
>>> +copy_exec /usr/bin/awk
>>> +copy_exec /usr/bin/expr
>>> +copy_exec /usr/sbin/e2fsck
>>> +copy_exec /usr/sbin/resize2fs
>>> +copy_exec /usr/sbin/cryptsetup
>>> +copy_exec /usr/bin/systemd-cryptenroll
>>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>>> +
>>> +if [ -x cryptsetup-reencrypt ]; then
>>> + copy_exec /usr/sbin/cryptsetup-reencrypt
>>> +fi
>>> +
>>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>>> + copy_exec "$_LIBRARY"
>>> +done
>>> +
>>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
>>> /usr/share/encrypt_partition/encrypt_partition.env
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>> new file mode 100644
>>> index 0000000..e58794e
>>> --- /dev/null
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>> @@ -0,0 +1,135 @@
>>> +#!/bin/sh
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2023
>>> +#
>>> +# Authors:
>>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +prereqs()
>>> +{
>>> + # Make sure that this script is run last in local-top
>>> + local req
>>> + for req in "${0%/*}"/*; do
>>> + script="${req##*/}"
>>> + if [ "$script" != "${0##*/}" ]; then
>>> + printf '%s\n' "$script"
>>> + fi
>>> + done
>>> +}
>>> +case $1 in
>>> +prereqs)
>>> + prereqs
>>> + exit 0
>>> + ;;
>>> +esac
>>> +
>>> +. /scripts/functions
>>> +
>>> +# get configuration variables
>>> +. /usr/share/encrypt_partition/encrypt_partition.env
>>> +
>>> +# load necessary kernel modules:
>>> +modprobe tpm_tis
>>> +modprobe tpm_crb
>>> +
>>> +# fixed tpm device or do we need to find it
>>> +tpm_device=/dev/tpmrm0
>>> +partition_sets="$PARTITIONS"
>>> +
>>> +open_tpm2_partition() {
>>> + if ! /usr/lib/systemd/systemd-cryptsetup attach
>>> "$crypt_mount_name" \
>>> + "$1" - tpm2-device="$tpm_device"; then
>>> + panic "Can't decrypt '$1' !"
>>> + fi
>>> +}
>>> +
>>> +enroll_tpm2_token() {
>>> + #check systemd version and export password if necessary
>>> + if [ -x /usr/bin/systemd-cryptenroll ]; then
>>
>> And if that file does not exist? No error? No bail-out?
>>
>
> I will remove that check and move it to the hook and fail during build
> time. Is that better?
I just want to avoid that a realistic error leads to improper error
handling. Even worse if that could lead to a usable but unencrypted
partition.
>
>>> + systemd_version=$(systemd-cryptenroll --version | \
>>> + awk -F " " 'NR==1{print $2 }')
>>> + #check systemd version and export password if necessary
>>> + if [ "$systemd_version" -ge "251" ]; then
>>> + PASSWORD=$(cat "$2" )
>>> + export PASSWORD
>>> + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
>>> + --tpm2-pcrs=7 "$1"
>>> + PASSWORD=
>>> + else
>>> + panic "Unknown systemd version: '$systemd_version'!"
>>> + fi
>>> + fi
>>> +}
>>> +
>>> +reencrypt_existing_partition() {
>>> + part_device=$(readlink -f "$partition")
>>> + part_size_blocks=$(cat /sys/class/block/"$(awk -v
>>> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>>> + reduced_size=$(expr $part_size_blocks - 65536 )
>>> + reduced_size_in_byte=$(expr $reduced_size \* 512)
>>> + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>>> + resize2fs "$1" "$reduced_size_in_kb"
>>> + if [ -x cryptsetup-reencrypt ]; then
>>> + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size
>>> "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>> + else
>>> + /usr/sbin/cryptsetup reencrypt --encrypt
>>> --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>> + fi
>>> +
>>> +}
>>> +
>>> +
>>
>> One newline should be enough here.
> Will fix in v3.
>
>>
>>> +if [ ! -e "$tpm_device" ]; then
>>> + panic "tpm device '$tpm_device' does not exists - cannot create
>>> a encrypted device!"
>>> +fi
>>> +
>>> +for partition_set in $partition_sets; do
>>> + partition_label=$(awk -v var=$partition_set
>>> 'BEGIN{split(var,a,":"); print a[1]}')
>>> + partition_mountpoint=$(awk -v var=$partition_set
>>> 'BEGIN{split(var,a,":"); print a[2]}')
>>> + partition_format=$(awk -v var=$partition_set
>>> 'BEGIN{split(var,a,":"); print a[3]}')
>>> + partition=/dev/disk/by-partlabel/$partition_label
>>> + crypt_mount_name="encrypted_$partition_label"
>>> + decrypted_part=/dev/mapper/"$crypt_mount_name"
>>> +
>>> + # check if partition is already encrypted with systemd-tpm2
>>> + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>>> + | grep -q "systemd-tpm2"; then
>>> + open_tpm2_partition "$partition"
>>> + if ! mount -t $(get_fstype "${decrypted_part}")
>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>> + panic "Can't mount encrypted partition
>>> '${decrypted_part}'!"
>>> + fi
>>> + continue
>>> + fi
>>> +
>>> + # create random password for initial encryption
>>> + # this will be dropped after reboot
>>> + tmp_key=/tmp/"$partition_label-lukskey"
>>> + openssl rand -base64 32 > "$tmp_key"
>>> +
>>> + case "${partition_format}" in
>>> + "reencrypt")
>>> + reencrypt_existing_partition "$partition" "$tmp_key"
>>> + enroll_tpm2_token "$partition" "$tmp_key"
>>> + open_tpm2_partition "$partition"
>>> + ;;
>>> + "format")
>>> + /usr/sbin/cryptsetup luksFormat --batch-mode \
>>> + --type luks2 "$partition" < "$tmp_key"
>>> + enroll_tpm2_token "$partition" "$tmp_key"
>>> + open_tpm2_partition_tpm2_partition "$partition"
>>> + mke2fs -t ext4 "${decrypted_part}"
>>
>> We likely want to make this line configurable at recipe-level, both
>> regarding fs options as well as the fs type itself.
>
> I will add an additional field to the configuration string.
>
>>
>>> + ;;
>>> + *)
>>> + panic "Unknown value ${partition_format}. Cannot create
>>> a encrypted partition !"
>>> + ;;
>>> + esac
>>> +
>>> + if ! mount -t $(get_fstype "${decrypted_part}")
>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>> + panic "Can't mount encrypted partition '${decrypted_part}'!"
>>> + fi
>>> +
>>> + # delete initial key
>>> + # afterwards no new keys can be enrolled
>>> + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>>> +done
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> new file mode 100644
>>> index 0000000..ba2b884
>>> --- /dev/null
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> @@ -0,0 +1,37 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2020-2022
>>> +#
>>> +# Authors:
>>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +
>>> +
>>> +inherit dpkg-raw
>>> +
>>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>>> + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
>>> e2fsprogs"
>>> +
>>> +SRC_URI += "file://encrypt_partition.hook \
>>> + file://encrypt_partition.script \
>>> + file://encrypt_partition.env.tmpl"
>>> +
>>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>>> +
>>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>>> +
>>> +do_install[cleandirs] += " \
>>> + ${D}/usr/share/initramfs-tools/hooks \
>>> + ${D}/usr/share/encrypt_partition \
>>> + ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>>> +do_install() {
>>> + install -m 0600 "${WORKDIR}/encrypt_partition.env"
>>> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>>> + install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>>> +
>>> "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
>>> + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>>> + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>>> +}
>>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
>>> index b635a8b..1d29583 100644
>>> --- a/wic/x86-efibootguard.wks.in
>>> +++ b/wic/x86-efibootguard.wks.in
>>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
>>> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>>> part --source empty --align 1024 --fixed-size 1G --uuid
>>> "${ABROOTFS_PART_UUID_B}"
>>> # home and var are extra partitions
>>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>> --fstype=ext4 --label home --align 1024 --size 1G
>>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>> --fstype=ext4 --label var --align 1024 --size 2G
>>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>> --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
>>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>> --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
>>> bootloader --ptable gpt --append="console=tty0
>>> console=ttyS0,115200 rootwait earlyprintk"
>>
>> Jan
>>
> Thanks for the review
> Quirin
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device
2023-02-17 14:49 ` Jan Kiszka
@ 2023-02-17 15:11 ` Gylstorff Quirin
0 siblings, 0 replies; 19+ messages in thread
From: Gylstorff Quirin @ 2023-02-17 15:11 UTC (permalink / raw)
To: Jan Kiszka, cip-dev, christian.storm
On 2/17/23 15:49, Jan Kiszka wrote:
> On 17.02.23 14:05, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This allows testing the tpm2 encryption with qemu.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> start-qemu.sh | 23 ++++++++++++++++++-----
>> 1 file changed, 18 insertions(+), 5 deletions(-)
>>
>> diff --git a/start-qemu.sh b/start-qemu.sh
>> index dd16aed..3ef2acc 100755
>> --- a/start-qemu.sh
>> +++ b/start-qemu.sh
>> @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \
>> -m 1G \
>> -serial mon:stdio \
>> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
>> - ${QEMU_EXTRA_ARGS}"
>> + "
>>
>> if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>> case "${arch}" in
>> x86|x86_64|amd64)
>> + if [ -x /usr/bin/swtpm ]; then
>> + swtpm_dir="/tmp/qemu-swtpm"
>> + mkdir -p ${swtpm_dir}
>> + rm ${swtpm_dir}/*
>> + if swtpm socket -d --tpmstate dir=${swtpm_dir} \
>> + --ctrl type=unixio,path=${swtpm_dir}/sock \
>> + --tpm2; then
>> + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
>> + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
>> + -tpmdev emulator,id=tpm0,chardev=chrtpm \
>> + -device tpm-tis,tpmdev=tpm0"
>> + fi
>> + fi
>
> There are some space-based indentions in this block, messing things up
> visually.
>
> Jan
I will fix that in v3 and add a check if TPM2 is requested by KConfig.
Quirin
>
>> if [ -n "${SECURE_BOOT}" ]; then
>> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
>> ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
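Review bot: `swtpm_dir="/tmp/qemu-swtpm"` is a fixed, world-visible path, so two users or two concurrent start-qemu.sh runs on the same host share and clobber one TPM state directory, and `rm ${swtpm_dir}/*` prints an error on the first run when the directory is still empty; `swtpm_dir=$(mktemp -d)` together with `rm -f` avoids both. The `swtpm socket -d` daemon is also never stopped when QEMU exits, so a stale socket and state linger after every run; a trap that kills it on exit, or swtpm's `--terminate` so it exits once QEMU closes the control channel, would clean that up.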
>> @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
>> -drive if=pflash,format=raw,file=${ovmf_vars} \
>> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>> - ${QEMU_COMMON_OPTIONS} "$@"
>> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>> else
>> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
>>
>> ${QEMU_PATH}${QEMU} \
>> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
>> - ${QEMU_COMMON_OPTIONS} "$@"
>> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>> fi
>> ;;
>> arm64|aarch64|arm|armhf)
>> @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
>> ${QEMU_PATH}${QEMU} \
>> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
>> -bios ${u_boot_bin} \
>> - ${QEMU_COMMON_OPTIONS} "$@"
>> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>> ;;
>> *)
>> echo "Unsupported architecture: ${arch}"
>> @@ -187,5 +200,5 @@ else
>> -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
>> -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
>> -initrd ${INITRD_FILE} \
>> - ${QEMU_COMMON_OPTIONS} "$@"
>> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
>> fi
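Review bot: this hunk and the two before it append `${QEMU_EXTRA_ARGS}` to every QEMU invocation, but swtpm is only started inside the `x86|x86_64|amd64` case of the `SECURE_BOOT`/`SWUPDATE_BOOT` branch, so in this plain `else` path and for arm64 the variable only carries whatever the caller exported and no TPM device is presented. The commit message ("This allows testing the tpm2 encryption with qemu") should state that the emulated TPM is only wired up for x86 with secure boot or swupdate boot enabled, or the swtpm setup should move above the architecture switch so the device line is added wherever a suitable device model exists.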
>
* Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-17 15:10 ` Jan Kiszka
@ 2023-02-17 15:20 ` Gylstorff Quirin
0 siblings, 0 replies; 19+ messages in thread
From: Gylstorff Quirin @ 2023-02-17 15:20 UTC (permalink / raw)
To: Jan Kiszka, cip-dev, christian.storm
On 2/17/23 16:10, Jan Kiszka wrote:
> On 17.02.23 16:06, Gylstorff Quirin wrote:
>>
>>
>> On 2/17/23 15:53, Jan Kiszka wrote:
>>> On 17.02.23 14:05, Quirin Gylstorff wrote:
>>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>>
>>>> This creates a new luks encrypted ext4 partition with the
>>>> key stored in the tpm2.
>>>>
>>>> The initial key is randomly generated and removed from the
>>>> LUKS partition. Therefore a new key cannot be added by the user
>>>> and if the LUKS header is corrupted the data is no longer readable.
>>>>
>>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> ---
>>>> .../files/encrypt_partition.env.tmpl | 2 +
>>>> .../files/encrypt_partition.hook | 49 +++++++
>>>> .../files/encrypt_partition.script | 135 ++++++++++++++++++
>>>> .../initramfs-crypt-hook_0.1.bb | 37 +++++
>>>> wic/x86-efibootguard.wks.in | 4 +-
>>>> 5 files changed, 225 insertions(+), 2 deletions(-)
>>>> create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>> create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>> create mode 100644
>>>> recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>>
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>> new file mode 100644
>>>> index 0000000..943fe4b
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>>> @@ -0,0 +1,2 @@
>>>> +PARTITIONS="${CRYPT_PARTITIONS}"
>>>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
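Review bot: the misspelling in `REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"` on the second line is not local to this template; the same name is consumed in encrypt_partition.script (`--reduce-device-size "${REDUDUCE_DEVICE_SIZE}"`) and defined in initramfs-crypt-hook_0.1.bb (`CRYPT_REDUDUCE_DEVICE_SIZE`, also listed in `TEMPLATE_VARS`), so the rename to REDUCE has to land in all three files in the same commit, otherwise the script reads a variable that is never set and passes an empty size to cryptsetup.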
>>>
>>> Did you mean "REDUCE"?
>> That was my intention, will fix it in v3.
>>>
>>> And what is this variable for?
>>
>> If you use online reencryption on a populated partition you need to
>> create the space for the LUKS header. The necessary minimum size is 32MB.
>> As an alternative you can detach the LUKS header.
>>
>
> And what does this variable contribute to that?
This variable is used to set the size by which cryptsetup reencrypt
reduces the partition size.
Currently I am not sure if we need to adjust this size during the build
or not.
Quirin
>
>>
>>>
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> new file mode 100644
>>>> index 0000000..96e084a
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>>>> @@ -0,0 +1,49 @@
>>>> +#!/bin/sh
>>>> +# Copyright (C) Siemens AG, 2020-2022
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +
>>>> +PREREQ=""
>>>> +
>>>> +prereqs()
>>>> +{
>>>> + echo "$PREREQ"
>>>> +}
>>>> +
>>>> +case $1 in
>>>> +prereqs)
>>>> + prereqs
>>>> + exit 0
>>>> + ;;
>>>> +esac
>>>> +
>>>> +. /usr/share/initramfs-tools/scripts/functions
>>>> +. /usr/share/initramfs-tools/hook-functions
>>>> +
>>>> +manual_add_modules tpm
>>>> +manual_add_modules tpm_tis_core
>>>> +manual_add_modules tpm_tis
>>>> +manual_add_modules tpm_crb
>>>> +manual_add_modules dm_mod
>>>> +manual_add_modules dm_crypt
>>>> +
>>>> +copy_exec /usr/bin/openssl
>>>> +copy_exec /usr/sbin/mke2fs
>>>> +copy_exec /usr/bin/grep
>>>> +copy_exec /usr/bin/awk
>>>> +copy_exec /usr/bin/expr
>>>> +copy_exec /usr/sbin/e2fsck
>>>> +copy_exec /usr/sbin/resize2fs
>>>> +copy_exec /usr/sbin/cryptsetup
>>>> +copy_exec /usr/bin/systemd-cryptenroll
>>>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>>>> +
>>>> +if [ -x cryptsetup-reencrypt ]; then
>>>> + copy_exec /usr/sbin/cryptsetup-reencrypt
>>>> +fi
>>>> +
>>>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>>>> + copy_exec "$_LIBRARY"
>>>> +done
>>>> +
>>>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
>>>> /usr/share/encrypt_partition/encrypt_partition.env
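Review bot: `if [ -x cryptsetup-reencrypt ]; then` tests a relative path against the hook's working directory, so it is false even when the tool is installed and `/usr/sbin/cryptsetup-reencrypt` never makes it into the initramfs; test the absolute path (`[ -x /usr/sbin/cryptsetup-reencrypt ]`) or use `command -v cryptsetup-reencrypt`, and apply the same fix to the identical test in encrypt_partition.script so build-time and boot-time decisions agree. `copy_exec /usr/sbin/e2fsck` is copied but the script never runs it, although resize2fs refuses to shrink a filesystem that has not just been checked with `e2fsck -f`; either call it before the resize or drop the copy.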
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>> new file mode 100644
>>>> index 0000000..e58794e
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>>>> @@ -0,0 +1,135 @@
>>>> +#!/bin/sh
>>>> +#
>>>> +# CIP Core, generic profile
>>>> +#
>>>> +# Copyright (c) Siemens AG, 2023
>>>> +#
>>>> +# Authors:
>>>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +prereqs()
>>>> +{
>>>> + # Make sure that this script is run last in local-top
>>>> + local req
>>>> + for req in "${0%/*}"/*; do
>>>> + script="${req##*/}"
>>>> + if [ "$script" != "${0##*/}" ]; then
>>>> + printf '%s\n' "$script"
>>>> + fi
>>>> + done
>>>> +}
>>>> +case $1 in
>>>> +prereqs)
>>>> + prereqs
>>>> + exit 0
>>>> + ;;
>>>> +esac
>>>> +
>>>> +. /scripts/functions
>>>> +
>>>> +# get configuration variables
>>>> +. /usr/share/encrypt_partition/encrypt_partition.env
>>>> +
>>>> +# load necessary kernel modules:
>>>> +modprobe tpm_tis
>>>> +modprobe tpm_crb
>>>> +
>>>> +# fixed tpm device or do we need to find it
>>>> +tpm_device=/dev/tpmrm0
>>>> +partition_sets="$PARTITIONS"
>>>> +
>>>> +open_tpm2_partition() {
>>>> + if ! /usr/lib/systemd/systemd-cryptsetup attach
>>>> "$crypt_mount_name" \
>>>> + "$1" - tpm2-device="$tpm_device"; then
>>>> + panic "Can't decrypt '$1' !"
>>>> + fi
>>>> +}
>>>> +
>>>> +enroll_tpm2_token() {
>>>> + #check systemd version and export password if necessary
>>>> + if [ -x /usr/bin/systemd-cryptenroll ]; then
>>>
>>> And if that file does not exist? No error? No bail-out?
>>>
>>
>> I will remove that check and move it to the hook and fail during build
>> time. Is that better?
>
> I just want to avoid that a realistic error leads to improper error
> handling. Even worse if that could lead to a usable but unencrypted
> partition.
>
>>
>>>> + systemd_version=$(systemd-cryptenroll --version | \
>>>> + awk -F " " 'NR==1{print $2 }')
>>>> + #check systemd version and export password if necessary
>>>> + if [ "$systemd_version" -ge "251" ]; then
>>>> + PASSWORD=$(cat "$2" )
>>>> + export PASSWORD
>>>> + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
>>>> + --tpm2-pcrs=7 "$1"
>>>> + PASSWORD=
>>>> + else
>>>> + panic "Unknown systemd version: '$systemd_version'!"
>>>> + fi
>>>> + fi
>>>> +}
>>>> +
>>>> +reencrypt_existing_partition() {
>>>> + part_device=$(readlink -f "$partition")
>>>> + part_size_blocks=$(cat /sys/class/block/"$(awk -v
>>>> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>>>> + reduced_size=$(expr $part_size_blocks - 65536 )
>>>> + reduced_size_in_byte=$(expr $reduced_size \* 512)
>>>> + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>>>> + resize2fs "$1" "$reduced_size_in_kb"
>>>> + if [ -x cryptsetup-reencrypt ]; then
>>>> + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size
>>>> "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>>> + else
>>>> + /usr/sbin/cryptsetup reencrypt --encrypt
>>>> --reduce-device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>>>> + fi
>>>> +
>>>> +}
>>>> +
>>>> +
>>>
>>> One newline should be enough here.
>> Will fix in v3.
>>
>>>
>>>> +if [ ! -e "$tpm_device" ]; then
>>>> + panic "tpm device '$tpm_device' does not exists - cannot create
>>>> a encrypted device!"
>>>> +fi
>>>> +
>>>> +for partition_set in $partition_sets; do
>>>> + partition_label=$(awk -v var=$partition_set
>>>> 'BEGIN{split(var,a,":"); print a[1]}')
>>>> + partition_mountpoint=$(awk -v var=$partition_set
>>>> 'BEGIN{split(var,a,":"); print a[2]}')
>>>> + partition_format=$(awk -v var=$partition_set
>>>> 'BEGIN{split(var,a,":"); print a[3]}')
>>>> + partition=/dev/disk/by-partlabel/$partition_label
>>>> + crypt_mount_name="encrypted_$partition_label"
>>>> + decrypted_part=/dev/mapper/"$crypt_mount_name"
>>>> +
>>>> + # check if partition is already encrypted with systemd-tpm2
>>>> + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>>>> + | grep -q "systemd-tpm2"; then
>>>> + open_tpm2_partition "$partition"
>>>> + if ! mount -t $(get_fstype "${decrypted_part}")
>>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>>> + panic "Can't mount encrypted partition
>>>> '${decrypted_part}'!"
>>>> + fi
>>>> + continue
>>>> + fi
>>>> +
>>>> + # create random password for initial encryption
>>>> + # this will be dropped after reboot
>>>> + tmp_key=/tmp/"$partition_label-lukskey"
>>>> + openssl rand -base64 32 > "$tmp_key"
>>>> +
>>>> + case "${partition_format}" in
>>>> + "reencrypt")
>>>> + reencrypt_existing_partition "$partition" "$tmp_key"
>>>> + enroll_tpm2_token "$partition" "$tmp_key"
>>>> + open_tpm2_partition "$partition"
>>>> + ;;
>>>> + "format")
>>>> + /usr/sbin/cryptsetup luksFormat --batch-mode \
>>>> + --type luks2 "$partition" < "$tmp_key"
>>>> + enroll_tpm2_token "$partition" "$tmp_key"
>>>> + open_tpm2_partition_tpm2_partition "$partition"
>>>> + mke2fs -t ext4 "${decrypted_part}"
>>>
>>> We likely want to make this line configurable at recipe-level, both
>>> regarding fs options as well as the fs type itself.
>>
>> I will add an additional field to the configuration string.
>>
>>>
>>>> + ;;
>>>> + *)
>>>> + panic "Unknown value ${partition_format}. Cannot create
>>>> a encrypted partition !"
>>>> + ;;
>>>> + esac
>>>> +
>>>> + if ! mount -t $(get_fstype "${decrypted_part}")
>>>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>>>> + panic "Can't mount encrypted partition '${decrypted_part}'!"
>>>> + fi
>>>> +
>>>> + # delete initial key
>>>> + # afterwards no new keys can be enrolled
>>>> + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>>>> +done
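Review bot: the `"format")` branch calls `open_tpm2_partition_tpm2_partition "$partition"`, which is not defined anywhere in the script; under /bin/sh that is a command-not-found error, `mke2fs -t ext4 "${decrypted_part}"` then runs against a mapper device that was never created, and the following mount panics, so a freshly formatted partition can never come up. It should read `open_tpm2_partition "$partition"`. In `reencrypt_existing_partition` the filesystem is shrunk by a hard-coded 65536 sectors (`reduced_size=$(expr $part_size_blocks - 65536 )`, i.e. 32 MiB) while the device is reduced by the configurable `"${REDUDUCE_DEVICE_SIZE}"`; derive one from the other, or a changed recipe value leaves the filesystem larger than the space cryptsetup hands back. `resize2fs "$1" "$reduced_size_in_kb"` also runs without the `e2fsck -f` that resize2fs requires before shrinking, and neither resize2fs nor the reencrypt command nor systemd-cryptenroll has its exit status checked (`|| panic ...`), so a failed shrink still proceeds to `cryptsetup reencrypt` and only the later panic in `open_tpm2_partition` stops the boot. `if [ -x cryptsetup-reencrypt ]` is a relative path test that is never true, so only the `cryptsetup reencrypt --encrypt` path is ever exercised, and `PASSWORD=` after enrolment keeps the (now empty) variable exported; `unset PASSWORD` removes it from the environment of everything started later in the script. Finally, the `prereqs()` comment says the script must run last in local-top, but the recipe installs it into local-bottom; one of the two should be corrected.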
>>>> diff --git
>>>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>> new file mode 100644
>>>> index 0000000..ba2b884
>>>> --- /dev/null
>>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>>> @@ -0,0 +1,37 @@
>>>> +#
>>>> +# CIP Core, generic profile
>>>> +#
>>>> +# Copyright (c) Siemens AG, 2020-2022
>>>> +#
>>>> +# Authors:
>>>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +
>>>> +
>>>> +inherit dpkg-raw
>>>> +
>>>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>>>> + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
>>>> e2fsprogs"
>>>> +
>>>> +SRC_URI += "file://encrypt_partition.hook \
>>>> + file://encrypt_partition.script \
>>>> + file://encrypt_partition.env.tmpl"
>>>> +
>>>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>>>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>>>> +
>>>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>>>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>>>> +
>>>> +do_install[cleandirs] += " \
>>>> + ${D}/usr/share/initramfs-tools/hooks \
>>>> + ${D}/usr/share/encrypt_partition \
>>>> + ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>>>> +do_install() {
>>>> + install -m 0600 "${WORKDIR}/encrypt_partition.env"
>>>> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>>>> + install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>>>> +
>>>> "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
>>>> + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>>>> + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>>>> +}
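Review bot: `CRYPT_REDUDUCE_DEVICE_SIZE="32M"` is a plain assignment while `CRYPT_PARTITIONS ??= ...` is a weak default, so a downstream layer or local.conf cannot override the reduce size even though it is exported through `TEMPLATE_VARS` as a tunable; make it `??=` as well. `DEBIAN_DEPENDS` names `libtss2-esys-3.0.2-0`, a package whose name embeds the library version and will disappear at the next libtss2 version bump; if the explicit dependency is needed because systemd-cryptenroll only loads libtss2 at runtime, a comment saying so and a less version-specific dependency would keep the recipe building. The recipe also installs the script into `scripts/local-bottom`, while the script's own comment claims it runs in local-top (see the script hunk).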
>>>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
>>>> index b635a8b..1d29583 100644
>>>> --- a/wic/x86-efibootguard.wks.in
>>>> +++ b/wic/x86-efibootguard.wks.in
>>>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
>>>> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>>>> part --source empty --align 1024 --fixed-size 1G --uuid
>>>> "${ABROOTFS_PART_UUID_B}"
>>>> # home and var are extra partitions
>>>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>>> --fstype=ext4 --label home --align 1024 --size 1G
>>>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>>> --fstype=ext4 --label var --align 1024 --size 2G
>>>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home
>>>> --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
>>>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var
>>>> --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
>>>> bootloader --ptable gpt --append="console=tty0
>>>> console=ttyS0,115200 rootwait earlyprintk"
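Review bot: `--extra-space=100M` on both `part /home` and `part /var` is what leaves room for the space the initramfs later takes away with `--reduce-device-size` and the 32 MiB resize2fs shrink, but nothing in the file records that relationship; a comment next to `# home and var are extra partitions` tying the 100M to CRYPT_REDUDUCE_DEVICE_SIZE would stop someone trimming it below the reduce size when tuning image size. Any other .wks that is used with CRYPT_PARTITIONS set needs the same headroom, and this hunk only covers x86-efibootguard.wks.in.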
>>>
>>> Jan
>>>
>> Thanks for the review
>> Quirin
>
> Jan
>
* Re: [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll Quirin Gylstorff
@ 2023-02-18 8:04 ` Moessbauer, Felix
0 siblings, 0 replies; 19+ messages in thread
From: Moessbauer, Felix @ 2023-02-18 8:04 UTC (permalink / raw)
To: cip-dev, Storm, Christian, Kiszka, Jan
On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-project.org wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Systemd >= 251 is required for systemd-cryptenroll. This version
> is part of backports.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> conf/distro/debian-bullseye-backports.list | 1 +
> .../preferences.bullseye-backports.tpm.conf | 3 +++
> kas/opt/tpm.yml | 20
> +++++++++++++++++++
> 3 files changed, 24 insertions(+)
> create mode 100644 conf/distro/debian-bullseye-backports.list
> create mode 100644 conf/distro/preferences.bullseye-
> backports.tpm.conf
> create mode 100644 kas/opt/tpm.yml
>
> diff --git a/conf/distro/debian-bullseye-backports.list
> b/conf/distro/debian-bullseye-backports.list
> new file mode 100644
> index 0000000..3a55e4c
> --- /dev/null
> +++ b/conf/distro/debian-bullseye-backports.list
> @@ -0,0 +1 @@
> +deb http://ftp.us.debian.org/debian bullseye-backports main contrib
> non-free
> diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf
> b/conf/distro/preferences.bullseye-backports.tpm.conf
> new file mode 100644
> index 0000000..0905fbf
> --- /dev/null
> +++ b/conf/distro/preferences.bullseye-backports.tpm.conf
> @@ -0,0 +1,3 @@
> +Package: *
> +Pin: release n=bullseye-backports
> +Pin-Priority: 801
This does not look right. By that, we take ANY available package from
bpo. For systemd backports, we usually use:
Package: libnss-myhostname libnss-mymachines libnss-resolve libnss-
systemd libpam-systemd libudev1 libsystemd0 systemd systemd-* udev
Felix
> diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml
> new file mode 100644
> index 0000000..0e4dc95
> --- /dev/null
> +++ b/kas/opt/tpm.yml
> @@ -0,0 +1,20 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> + version: 12
> +
> +local_conf_header:
> + systemd-cryptenroll: |
> + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-
> bullseye-backports.list"
> + DISTRO_APT_PREFERENCES:append:bullseye = "
> conf/distro/preferences.bullseye-backports.tpm.conf"
> + image-option-tpm: |
> + INITRAMFS_INSTALL += " initramfs-crypt-hook"
>
* Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition Quirin Gylstorff
2023-02-17 14:53 ` Jan Kiszka
@ 2023-02-18 8:10 ` Moessbauer, Felix
2023-02-22 16:30 ` Gylstorff Quirin
1 sibling, 1 reply; 19+ messages in thread
From: Moessbauer, Felix @ 2023-02-18 8:10 UTC (permalink / raw)
To: cip-dev, Storm, Christian, Kiszka, Jan
On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-project.org wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This creates a new luks encrypted ext4 partition with the
> key stored in the tpm2.
>
> The initial key is randomly generated and removed from the
> LUKS partition. Therefore a new key cannot be added by the user
> and if the LUKS header is corrupted the data is no longer readable.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../files/encrypt_partition.env.tmpl | 2 +
> .../files/encrypt_partition.hook | 49 +++++++
> .../files/encrypt_partition.script | 135
> ++++++++++++++++++
> .../initramfs-crypt-hook_0.1.bb | 37 +++++
> wic/x86-efibootguard.wks.in | 4 +-
Does this - in theory - also work with systemd-boot or grub? Currently
we have ISAR bugs that prevent us from using sd-boot or grub with a
custom initramfs, but once that is fixed, this could be an option.
Not directly related:
As we put more-and-more features into the cip initramfs: Is there
actually a need to use a custom one, or can we simply add these
packages to the image and use its initrd? What is the benefit of having
the custom initrd?
Felix
> 5 files changed, 225 insertions(+), 2 deletions(-)
> create mode 100644 recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.env.tmpl
> create mode 100644 recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.hook
> create mode 100644 recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-
> crypt-hook_0.1.bb
>
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.env.tmpl
> new file mode 100644
> index 0000000..943fe4b
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.env.tmpl
> @@ -0,0 +1,2 @@
> +PARTITIONS="${CRYPT_PARTITIONS}"
> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.hook
> new file mode 100644
> index 0000000..96e084a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.hook
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +# Copyright (C) Siemens AG, 2020-2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +PREREQ=""
> +
> +prereqs()
> +{
> + echo "$PREREQ"
> +}
> +
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /usr/share/initramfs-tools/scripts/functions
> +. /usr/share/initramfs-tools/hook-functions
> +
> +manual_add_modules tpm
> +manual_add_modules tpm_tis_core
> +manual_add_modules tpm_tis
> +manual_add_modules tpm_crb
> +manual_add_modules dm_mod
> +manual_add_modules dm_crypt
> +
> +copy_exec /usr/bin/openssl
> +copy_exec /usr/sbin/mke2fs
> +copy_exec /usr/bin/grep
> +copy_exec /usr/bin/awk
> +copy_exec /usr/bin/expr
> +copy_exec /usr/sbin/e2fsck
> +copy_exec /usr/sbin/resize2fs
> +copy_exec /usr/sbin/cryptsetup
> +copy_exec /usr/bin/systemd-cryptenroll
> +copy_exec /usr/lib/systemd/systemd-cryptsetup
> +
> +if [ -x cryptsetup-reencrypt ]; then
> + copy_exec /usr/sbin/cryptsetup-reencrypt
> +fi
> +
> +for _LIBRARY in /usr/lib/*/libtss2*; do
> + copy_exec "$_LIBRARY"
> +done
> +
> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
> /usr/share/encrypt_partition/encrypt_partition.env
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> new file mode 100644
> index 0000000..e58794e
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -0,0 +1,135 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +prereqs()
> +{
> + # Make sure that this script is run last in local-top
> + local req
> + for req in "${0%/*}"/*; do
> + script="${req##*/}"
> + if [ "$script" != "${0##*/}" ]; then
> + printf '%s\n' "$script"
> + fi
> + done
> +}
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /scripts/functions
> +
> +# get configuration variables
> +. /usr/share/encrypt_partition/encrypt_partition.env
> +
> +# load necessary kernel modules:
> +modprobe tpm_tis
> +modprobe tpm_crb
> +
> +# fixed tpm device or do we need to find it
> +tpm_device=/dev/tpmrm0
> +partition_sets="$PARTITIONS"
> +
> +open_tpm2_partition() {
> + if ! /usr/lib/systemd/systemd-cryptsetup attach
> "$crypt_mount_name" \
> + "$1" - tpm2-device="$tpm_device"; then
> + panic "Can't decrypt '$1' !"
> + fi
> +}
> +
> +enroll_tpm2_token() {
> + #check systemd version and export password if necessary
> + if [ -x /usr/bin/systemd-cryptenroll ]; then
> + systemd_version=$(systemd-cryptenroll --version | \
> + awk -F " "
> 'NR==1{print $2 }')
> + #check systemd version and export password if
> necessary
> + if [ "$systemd_version" -ge "251" ]; then
> + PASSWORD=$(cat "$2" )
> + export PASSWORD
> + /usr/bin/systemd-cryptenroll --tpm2-
> device="$tpm_device" \
> +
> --tpm2-pcrs=7 "$1"
> + PASSWORD=
> + else
> + panic "Unknown systemd version:
> '$systemd_version'!"
> + fi
> + fi
> +}
> +
> +reencrypt_existing_partition() {
> + part_device=$(readlink -f "$partition")
> + part_size_blocks=$(cat /sys/class/block/"$(awk -v
> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
> + reduced_size=$(expr $part_size_blocks - 65536 )
> + reduced_size_in_byte=$(expr $reduced_size \* 512)
> + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
> + resize2fs "$1" "$reduced_size_in_kb"
> + if [ -x cryptsetup-reencrypt ]; then
> + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-
> size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> + else
> + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-
> device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
> + fi
> +
> +}
> +
> +
> +if [ ! -e "$tpm_device" ]; then
> + panic "tpm device '$tpm_device' does not exists - cannot
> create a encrypted device!"
> +fi
> +
> +for partition_set in $partition_sets; do
> + partition_label=$(awk -v var=$partition_set
> 'BEGIN{split(var,a,":"); print a[1]}')
> + partition_mountpoint=$(awk -v var=$partition_set
> 'BEGIN{split(var,a,":"); print a[2]}')
> + partition_format=$(awk -v var=$partition_set
> 'BEGIN{split(var,a,":"); print a[3]}')
> + partition=/dev/disk/by-partlabel/$partition_label
> + crypt_mount_name="encrypted_$partition_label"
> + decrypted_part=/dev/mapper/"$crypt_mount_name"
> +
> + # check if partition is already encrypted with systemd-tpm2
> + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> + | grep -q "systemd-tpm2"; then
> + open_tpm2_partition "$partition"
> + if ! mount -t $(get_fstype "${decrypted_part}")
> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> + panic "Can't mount encrypted partition
> '${decrypted_part}'!"
> + fi
> + continue
> + fi
> +
> + # create random password for initial encryption
> + # this will be dropped after reboot
> + tmp_key=/tmp/"$partition_label-lukskey"
> + openssl rand -base64 32 > "$tmp_key"
> +
> + case "${partition_format}" in
> + "reencrypt")
> + reencrypt_existing_partition "$partition"
> "$tmp_key"
> + enroll_tpm2_token "$partition" "$tmp_key"
> + open_tpm2_partition "$partition"
> + ;;
> + "format")
> + /usr/sbin/cryptsetup luksFormat --batch-mode \
> + --type
> luks2 "$partition" < "$tmp_key"
> + enroll_tpm2_token "$partition" "$tmp_key"
> + open_tpm2_partition_tpm2_partition "$partition"
> + mke2fs -t ext4 "${decrypted_part}"
> + ;;
> + *)
> + panic "Unknown value ${partition_format}. Cannot
> create a encrypted partition !"
> + ;;
> + esac
> +
> + if ! mount -t $(get_fstype "${decrypted_part}")
> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
> + panic "Can't mount encrypted partition
> '${decrypted_part}'!"
> + fi
> +
> + # delete initial key
> + # afterwards no new keys can be enrolled
> + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
> +done
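Review bot: the "format" branch calls `open_tpm2_partition_tpm2_partition "$partition"`, which is defined nowhere in this script; the call fails with "command not found", `mke2fs` then runs against a mapper device that was never created, and the script only stops at the later mount `panic`. It should read `open_tpm2_partition "$partition"` as in the "reencrypt" branch. In the same hunk, `[ -x cryptsetup-reencrypt ]` in `reencrypt_existing_partition` tests a path relative to the current directory (`/` in the initramfs), so it is always false and the `cryptsetup reencrypt` fallback is taken unconditionally; test `/usr/sbin/cryptsetup-reencrypt` or use `command -v`, and quote `"$1" < "$2"` in both cryptsetup invocations.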
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.1.bb
> new file mode 100644
> index 0000000..ba2b884
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.1.bb
> @@ -0,0 +1,37 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2020-2022
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +
> +inherit dpkg-raw
> +
> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
> + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
> e2fsprogs"
> +
> +SRC_URI += "file://encrypt_partition.hook \
> + file://encrypt_partition.script \
> + file://encrypt_partition.env.tmpl"
> +
> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
> +
> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
> +
> +do_install[cleandirs] += " \
> + ${D}/usr/share/initramfs-tools/hooks \
> + ${D}/usr/share/encrypt_partition \
> + ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +do_install() {
> + install -m 0600 "${WORKDIR}/encrypt_partition.env"
> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
> + install -m 0755 "${WORKDIR}/encrypt_partition.script" \
> + "${D}/usr/share/initramfs-tools/scripts/local-
> bottom/encrypt_partition"
> + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
> + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
> +}
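Review bot: `CRYPT_REDUDUCE_DEVICE_SIZE` (mirrored as `REDUDUCE_DEVICE_SIZE` in the env template) reads as a typo for `REDUCE_DEVICE_SIZE`; since `TEMPLATE_VARS` turns it into a user-facing configuration name, it is worth correcting before anything depends on it. The assignment also lacks the spaces around `=` used on the neighbouring lines and, unlike `CRYPT_PARTITIONS ??=`, cannot be overridden from a layer or kas file; `CRYPT_REDUCE_DEVICE_SIZE ??= "32M"` would match the rest of the recipe. Separately, `libtss2-esys-3.0.2-0` in `DEBIAN_DEPENDS` hard-codes a soname-versioned package name that will break as soon as the backports or a later Debian release bumps it; a comment explaining why that exact package is required, or a less version-specific dependency, would help.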
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-
> efibootguard.wks.in
> index b635a8b..1d29583 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
> "file=${IMAGE_FULLNAME}.squashfs" --align 1
> part --source empty --align 1024 --fixed-size 1G --uuid
> "${ABROOTFS_PART_UUID_B}"
>
> # home and var are extra partitions
> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
> fstype=ext4 --label home --align 1024 --size 1G
> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
> fstype=ext4 --label var --align 1024 --size 2G
> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
> fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
> fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
>
> bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200
> rootwait earlyprintk"
>
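Review bot: the reason for `--extra-space=100M` should be stated in the comment above these two lines or in the commit message: the initramfs hook shrinks each filesystem by `REDUDUCE_DEVICE_SIZE` (32M) to make room for the LUKS2 header during in-place re-encryption, and an image built without headroom would fail at `resize2fs` once the partition content approaches its size. It would also be safer to derive this value from the same variable the recipe uses rather than keep two independent constants (100M here, 32M in the recipe) that must be kept in sync by hand.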
>
* Re: [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition
2023-02-18 8:10 ` Moessbauer, Felix
@ 2023-02-22 16:30 ` Gylstorff Quirin
0 siblings, 0 replies; 19+ messages in thread
From: Gylstorff Quirin @ 2023-02-22 16:30 UTC (permalink / raw)
To: cip-dev, Storm, Christian, Kiszka, Jan
On 2/18/23 09:10, Felix Moessbauer via lists.cip-project.org wrote:
> On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-
> project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This creates a new luks encrypted ext4 partition with the
>> key stored in the tpm2.
>>
>> The initial key is randomly generated and removed from the
>> LUKS partition. Therefore a new key cannot be added by the user
>> and if the LUKS header is corrupted the data is no longer readable.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> .../files/encrypt_partition.env.tmpl | 2 +
>> .../files/encrypt_partition.hook | 49 +++++++
>> .../files/encrypt_partition.script | 135
>> ++++++++++++++++++
>> .../initramfs-crypt-hook_0.1.bb | 37 +++++
>> wic/x86-efibootguard.wks.in | 4 +-
>
> Does this - in theory - also work with systemd-boot or grub? Currently
> we have ISAR bugs that prevent us from using sd-boot or grub with a
> custom initramfs, but once that is fixed, this could be an option.
>
> Not directly related:
> As we put more and more features into the cip initramfs: Is there
> actually a need to use a custom one, or can we simply add these
> packages to the image and use its initrd? What is the benefit of having
> the custom initrd?
The initramfs could be stored in the image, but as we implement an image-based
update process and the user should not exchange the UKI -
especially in the secure boot use case - it makes no sense to store the
initramfs recipes in the image.
Also, this will add all the dependencies, which often are not necessary, to
the image.
Quirin
>
> Felix
>
>> 5 files changed, 225 insertions(+), 2 deletions(-)
>> create mode 100644 recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.env.tmpl
>> create mode 100644 recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.hook
>> create mode 100644 recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-
>> crypt-hook_0.1.bb
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.env.tmpl
>> new file mode 100644
>> index 0000000..943fe4b
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.env.tmpl
>> @@ -0,0 +1,2 @@
>> +PARTITIONS="${CRYPT_PARTITIONS}"
>> +REDUDUCE_DEVICE_SIZE="${CRYPT_REDUDUCE_DEVICE_SIZE}"
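Review bot: `PARTITIONS` is a very generic name to export into the initramfs environment, where this file is sourced directly into the running script (`. /usr/share/encrypt_partition/encrypt_partition.env`); keeping the `CRYPT_` prefix of the recipe variable it is templated from (`CRYPT_PARTITIONS`) avoids collisions with other hooks and makes the origin of the value obvious. `REDUDUCE_DEVICE_SIZE` carries the same typo as the recipe variable it expands.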
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.hook
>> new file mode 100644
>> index 0000000..96e084a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.hook
>> @@ -0,0 +1,49 @@
>> +#!/bin/sh
>> +# Copyright (C) Siemens AG, 2020-2022
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +PREREQ=""
>> +
>> +prereqs()
>> +{
>> + echo "$PREREQ"
>> +}
>> +
>> +case $1 in
>> +prereqs)
>> + prereqs
>> + exit 0
>> + ;;
>> +esac
>> +
>> +. /usr/share/initramfs-tools/scripts/functions
>> +. /usr/share/initramfs-tools/hook-functions
>> +
>> +manual_add_modules tpm
>> +manual_add_modules tpm_tis_core
>> +manual_add_modules tpm_tis
>> +manual_add_modules tpm_crb
>> +manual_add_modules dm_mod
>> +manual_add_modules dm_crypt
>> +
>> +copy_exec /usr/bin/openssl
>> +copy_exec /usr/sbin/mke2fs
>> +copy_exec /usr/bin/grep
>> +copy_exec /usr/bin/awk
>> +copy_exec /usr/bin/expr
>> +copy_exec /usr/sbin/e2fsck
>> +copy_exec /usr/sbin/resize2fs
>> +copy_exec /usr/sbin/cryptsetup
>> +copy_exec /usr/bin/systemd-cryptenroll
>> +copy_exec /usr/lib/systemd/systemd-cryptsetup
>> +
>> +if [ -x cryptsetup-reencrypt ]; then
>> + copy_exec /usr/sbin/cryptsetup-reencrypt
>> +fi
>> +
>> +for _LIBRARY in /usr/lib/*/libtss2*; do
>> + copy_exec "$_LIBRARY"
>> +done
>> +
>> +copy_file library /usr/share/encrypt_partition/encrypt_partition.env
>> /usr/share/encrypt_partition/encrypt_partition.env
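Review bot: `[ -x cryptsetup-reencrypt ]` tests a path relative to the directory `mkinitramfs` happens to run from, so `/usr/sbin/cryptsetup-reencrypt` is never copied even when it is installed, and the matching test in `encrypt_partition.script` falls back to `cryptsetup reencrypt` in every case. Either test the absolute path in both places or drop the legacy binary altogether, since the recipe already requires a cryptsetup new enough to provide `cryptsetup reencrypt`. Note also that `e2fsck` is copied here but the script never invokes it, while `resize2fs` (which it does invoke) expects a checked filesystem before shrinking; one of the two sides should change.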
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.script
>> new file mode 100644
>> index 0000000..e58794e
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> @@ -0,0 +1,135 @@
>> +#!/bin/sh
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +prereqs()
>> +{
>> + # Make sure that this script is run last in local-top
>> + local req
>> + for req in "${0%/*}"/*; do
>> + script="${req##*/}"
>> + if [ "$script" != "${0##*/}" ]; then
>> + printf '%s\n' "$script"
>> + fi
>> + done
>> +}
>> +case $1 in
>> +prereqs)
>> + prereqs
>> + exit 0
>> + ;;
>> +esac
>> +
>> +. /scripts/functions
>> +
>> +# get configuration variables
>> +. /usr/share/encrypt_partition/encrypt_partition.env
>> +
>> +# load necessary kernel modules:
>> +modprobe tpm_tis
>> +modprobe tpm_crb
>> +
>> +# fixed tpm device or do we need to find it
>> +tpm_device=/dev/tpmrm0
>> +partition_sets="$PARTITIONS"
>> +
>> +open_tpm2_partition() {
>> + if ! /usr/lib/systemd/systemd-cryptsetup attach
>> "$crypt_mount_name" \
>> + "$1" - tpm2-device="$tpm_device"; then
>> + panic "Can't decrypt '$1' !"
>> + fi
>> +}
>> +
>> +enroll_tpm2_token() {
>> + #check systemd version and export password if necessary
>> + if [ -x /usr/bin/systemd-cryptenroll ]; then
>> + systemd_version=$(systemd-cryptenroll --version | \
>> + awk -F " "
>> 'NR==1{print $2 }')
>> + #check systemd version and export password if
>> necessary
>> + if [ "$systemd_version" -ge "251" ]; then
>> + PASSWORD=$(cat "$2" )
>> + export PASSWORD
>> + /usr/bin/systemd-cryptenroll --tpm2-
>> device="$tpm_device" \
>> +
>> --tpm2-pcrs=7 "$1"
>> + PASSWORD=
>> + else
>> + panic "Unknown systemd version:
>> '$systemd_version'!"
>> + fi
>> + fi
>> +}
>> +
>> +reencrypt_existing_partition() {
>> + part_device=$(readlink -f "$partition")
>> + part_size_blocks=$(cat /sys/class/block/"$(awk -v
>> dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
>> + reduced_size=$(expr $part_size_blocks - 65536 )
>> + reduced_size_in_byte=$(expr $reduced_size \* 512)
>> + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K
>> + resize2fs "$1" "$reduced_size_in_kb"
>> + if [ -x cryptsetup-reencrypt ]; then
>> + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-
>> size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> + else
>> + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-
>> device-size "${REDUDUCE_DEVICE_SIZE}" $1 < $2
>> + fi
>> +
>> +}
>> +
>> +
>> +if [ ! -e "$tpm_device" ]; then
>> + panic "tpm device '$tpm_device' does not exists - cannot
>> create a encrypted device!"
>> +fi
>> +
>> +for partition_set in $partition_sets; do
>> + partition_label=$(awk -v var=$partition_set
>> 'BEGIN{split(var,a,":"); print a[1]}')
>> + partition_mountpoint=$(awk -v var=$partition_set
>> 'BEGIN{split(var,a,":"); print a[2]}')
>> + partition_format=$(awk -v var=$partition_set
>> 'BEGIN{split(var,a,":"); print a[3]}')
>> + partition=/dev/disk/by-partlabel/$partition_label
>> + crypt_mount_name="encrypted_$partition_label"
>> + decrypted_part=/dev/mapper/"$crypt_mount_name"
>> +
>> + # check if partition is already encrypted with systemd-tpm2
>> + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>> + | grep -q "systemd-tpm2"; then
>> + open_tpm2_partition "$partition"
>> + if ! mount -t $(get_fstype "${decrypted_part}")
>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> + panic "Can't mount encrypted partition
>> '${decrypted_part}'!"
>> + fi
>> + continue
>> + fi
>> +
>> + # create random password for initial encryption
>> + # this will be dropped after reboot
>> + tmp_key=/tmp/"$partition_label-lukskey"
>> + openssl rand -base64 32 > "$tmp_key"
>> +
>> + case "${partition_format}" in
>> + "reencrypt")
>> + reencrypt_existing_partition "$partition"
>> "$tmp_key"
>> + enroll_tpm2_token "$partition" "$tmp_key"
>> + open_tpm2_partition "$partition"
>> + ;;
>> + "format")
>> + /usr/sbin/cryptsetup luksFormat --batch-mode \
>> + --type
>> luks2 "$partition" < "$tmp_key"
>> + enroll_tpm2_token "$partition" "$tmp_key"
>> + open_tpm2_partition_tpm2_partition "$partition"
>> + mke2fs -t ext4 "${decrypted_part}"
>> + ;;
>> + *)
>> + panic "Unknown value ${partition_format}. Cannot
>> create a encrypted partition !"
>> + ;;
>> + esac
>> +
>> + if ! mount -t $(get_fstype "${decrypted_part}")
>> "${decrypted_part}" "${rootmnt}${partition_mountpoint}"; then
>> + panic "Can't mount encrypted partition
>> '${decrypted_part}'!"
>> + fi
>> +
>> + # delete initial key
>> + # afterwards no new keys can be enrolled
>> + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>> +done
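Review bot: `reencrypt_existing_partition` runs `resize2fs "$1"` on an unchecked filesystem; resize2fs normally insists that `e2fsck -f` has been run since the last mount before it will shrink, so the re-encryption path needs an `e2fsck -f -y "$1"` step first (the hook already copies `e2fsck`). The shrink amount is hard-coded as 65536 sectors (32 MiB) while the header space handed to cryptsetup comes from `${REDUDUCE_DEVICE_SIZE}`; if either is changed without the other, cryptsetup will place the LUKS2 header over the tail of a filesystem that was not shrunk enough, so derive the sector count from the variable. Two smaller points: `--wipe-slot=0` assumes the initial passphrase landed in key slot 0, whereas `--wipe-slot=password` removes every passphrase slot regardless of index; and `$tmp_key` is left behind in the initramfs `/tmp` after enrolment, where an `rm -f "$tmp_key"` would cost nothing. Finally, `--tpm2-pcrs=7` binds the key to the Secure Boot state alone, so any kernel and command line accepted by that policy can unlock the volume; that is a reasonable trade-off for an A/B image scheme, but it deserves a sentence in the commit message.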
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.1.bb
>> new file mode 100644
>> index 0000000..ba2b884
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.1.bb
>> @@ -0,0 +1,37 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2020-2022
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +
>> +inherit dpkg-raw
>> +
>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \
>> + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0,
>> e2fsprogs"
>> +
>> +SRC_URI += "file://encrypt_partition.hook \
>> + file://encrypt_partition.script \
>> + file://encrypt_partition.env.tmpl"
>> +
>> +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>> +CRYPT_REDUDUCE_DEVICE_SIZE="32M"
>> +
>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_REDUDUCE_DEVICE_SIZE"
>> +TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>> +
>> +do_install[cleandirs] += " \
>> + ${D}/usr/share/initramfs-tools/hooks \
>> + ${D}/usr/share/encrypt_partition \
>> + ${D}/usr/share/initramfs-tools/scripts/local-bottom"
>> +do_install() {
>> + install -m 0600 "${WORKDIR}/encrypt_partition.env"
>> "${D}/usr/share/encrypt_partition/encrypt_partition.env"
>> + install -m 0755 "${WORKDIR}/encrypt_partition.script" \
>> + "${D}/usr/share/initramfs-tools/scripts/local-
>> bottom/encrypt_partition"
>> + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \
>> + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
>> +}
>> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-
>> efibootguard.wks.in
>> index b635a8b..1d29583 100644
>> --- a/wic/x86-efibootguard.wks.in
>> +++ b/wic/x86-efibootguard.wks.in
>> @@ -7,7 +7,7 @@ part --source rawcopy --sourceparams
>> "file=${IMAGE_FULLNAME}.squashfs" --align 1
>> part --source empty --align 1024 --fixed-size 1G --uuid
>> "${ABROOTFS_PART_UUID_B}"
>>
>> # home and var are extra partitions
>> -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
>> fstype=ext4 --label home --align 1024 --size 1G
>> -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
>> fstype=ext4 --label var --align 1024 --size 2G
>> +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --
>> fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --
>> fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
>>
>> bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200
>> rootwait earlyprintk"
>>
>
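The configuration format the hook consumes (`label:mountpoint:format` triples in CRYPT_PARTITIONS) and the size arithmetic in reencrypt_existing_partition, as an added POSIX sh example that is not part of the patch or of isar-cip-core: it validates each triple before anything would be handed to cryptsetup or mount, and derives the resize2fs target from the configured reduce-device-size value instead of a fixed 65536-sector constant, so the two stay consistent. This generalizes the single 32M case in the patch to any K/M/G value. The function names, the sample configuration string and the sector count used below are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the isar-cip-core patch). Helpers that an
# initramfs hook like encrypt_partition.script could use to validate its
# configuration and to compute the filesystem shrink from the configured
# LUKS2 header reservation. All names here are the example's own choices.

# size_to_bytes "32M" -> 33554432. Accepts an optional K/M/G suffix (binary
# units, matching how cryptsetup interprets --reduce-device-size) or a plain
# byte count. Rejects anything else instead of silently computing nonsense.
size_to_bytes() {
    _num=${1%[KMGkmg]}
    _suf=${1#"$_num"}
    case "$_num" in
        ''|*[!0-9]*) echo "invalid size: '$1'" >&2; return 1 ;;
    esac
    case "$_suf" in
        '')  echo "$_num" ;;
        K|k) echo $((_num * 1024)) ;;
        M|m) echo $((_num * 1024 * 1024)) ;;
        G|g) echo $((_num * 1024 * 1024 * 1024)) ;;
        *)   echo "invalid size suffix: '$1'" >&2; return 1 ;;
    esac
}

# reduced_fs_size_kb SECTORS REDUCE_SIZE -> filesystem size in KiB to pass to
# resize2fs so that REDUCE_SIZE bytes at the end of the device stay free for
# the LUKS2 header. SECTORS is the 512-byte sector count as found in
# /sys/class/block/<dev>/size. Fails if the device cannot lose that much.
reduced_fs_size_kb() {
    _sectors=$1
    _reduce_bytes=$(size_to_bytes "$2") || return 1
    _reduce_sectors=$((_reduce_bytes / 512))
    if [ "$_sectors" -le "$_reduce_sectors" ]; then
        echo "device of $_sectors sectors too small for a $2 reduction" >&2
        return 1
    fi
    echo $(( (_sectors - _reduce_sectors) * 512 / 1024 ))
}

# parse_partition_set "home:/home:reencrypt" -> prints "home /home reencrypt"
# after checking that the label is a safe partlabel, the mountpoint is an
# absolute path and the mode is one the hook knows how to handle.
parse_partition_set() {
    _old_ifs=$IFS
    IFS=:
    set -f
    set -- $1
    set +f
    IFS=$_old_ifs
    if [ $# -ne 3 ]; then
        echo "expected label:mountpoint:format, got $# field(s)" >&2
        return 1
    fi
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "bad partition label: '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        /*) ;;
        *)  echo "mountpoint must be absolute: '$2'" >&2; return 1 ;;
    esac
    case "$3" in
        reencrypt|format) ;;
        *) echo "unknown format mode: '$3'" >&2; return 1 ;;
    esac
    echo "$1 $2 $3"
}

# check_crypt_partitions "SET SET ..." -> 0 if every set parses, 1 on the
# first bad entry. Meant to run before the hook touches any device.
check_crypt_partitions() {
    for _set in $1; do
        parse_partition_set "$_set" >/dev/null || return 1
    done
    return 0
}

# Constructed sample configuration (the recipe default from the patch).
SAMPLE_CRYPT_PARTITIONS="home:/home:reencrypt var:/var:reencrypt"
```

Usage: `check_crypt_partitions "$SAMPLE_CRYPT_PARTITIONS"` at the top of the hook turns a malformed entry into a clear error before any partition is modified, and `resize2fs "$dev" "$(reduced_fs_size_kb "$sectors" "$REDUCE_DEVICE_SIZE")K"` keeps the shrink tied to the same value later passed to `cryptsetup --reduce-device-size`.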
Thread overview: 19+ messages
2023-02-17 13:05 [cip-dev][isar-cip-core][RFC v2 0/7] Encrypt Partition in initramfs Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 1/7] linux-cip: update kernel configuration for tpm2 support Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 2/7] use bullseye backports for systemd-cryptenroll Quirin Gylstorff
2023-02-18 8:04 ` Moessbauer, Felix
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 3/7] start-qemu: If swtpm is available create a tpm2 device Quirin Gylstorff
2023-02-17 14:49 ` Jan Kiszka
2023-02-17 15:11 ` Gylstorff Quirin
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 4/7] Add initramfs hook to encrypt a partition Quirin Gylstorff
2023-02-17 14:53 ` Jan Kiszka
2023-02-17 15:06 ` Gylstorff Quirin
2023-02-17 15:10 ` Jan Kiszka
2023-02-17 15:20 ` Gylstorff Quirin
2023-02-18 8:10 ` Moessbauer, Felix
2023-02-22 16:30 ` Gylstorff Quirin
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 5/7] overlay: add prerequisite 'encrypt_partition' Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 6/7] KConfig: add tpm option Quirin Gylstorff
2023-02-17 13:05 ` [cip-dev][isar-cip-core][RFC v2 7/7] .gitlabci: Add ci build Quirin Gylstorff
2023-02-17 14:55 ` Jan Kiszka
2023-02-17 14:59 ` Gylstorff Quirin