* [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption
@ 2024-03-22 10:05 Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 01/13] initramfs-crypt-hook: Allow switching between clevis and systemd Quirin Gylstorff
                   ` (13 more replies)
  0 siblings, 14 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset is a cleanup of the initramfs-crypt-hook:
 - Aligns the systemd and clevis implementations
 - Consolidates the script into a main, clevis and systemd part
 - Splits the clevis hook for readability
 - Adds some checks for TPM parameters
 - Removes the dependency in the overlay
 - Adds an example to encrypt the rootfs
 - Adds a readme on switching from clevis-based encryption to systemd


Changes v2:
 - fix typos in commit messages
 - some fixes for Debian buster
 - split clevis hook for readability
 - consolidate script in a main, clevis and systemd part
 - Add readme to switch from clevis based encryption to systemd
 - Increase version of the hook
 - The disk encryption now sets the root mount if necessary


Quirin Gylstorff (13):
  initramfs-crypt-hook: Allow switching between clevis and systemd
  initramfs-crypt-hook: Align systemd encryption and clevis encryption
  initramfs-crypt-hook: move the mounting of encrypted disks in a
    separate function
  initramfs-crypt-hook: Check if the TPM device fulfills the given
    requirements
  initramfs-crypt-hook: add flag to make encryption optional
  initramfs-crypt-hook: add e2fsck to avoid resize error
  initramfs-crypt-hook: split encryption and mounting
  initramfs-crypt-hook: Add check if root is part of the mountpoints
  initramfs-crypt-hook: split hook in multiple files
  initramfs-crypt-hook: Consolidate clevis and systemd scripts
  initramfs-crypt-hook: Increase version
  README.tpm2.encryption: Add section to switch from clevis to systemd
  Add example to encrypt the rootfs

 doc/README.tpm2.encryption.md                 |  20 +++
 kas/opt/encrypt_rootfs.yml                    |  24 +++
 ...pt_partition.clevis.bullseye_or_later.hook |  34 ++++
 .../encrypt_partition.clevis.buster.hook      |  30 ++++
 .../files/encrypt_partition.clevis.hook       |  20 +--
 .../files/encrypt_partition.clevis.script     | 157 +++--------------
 .../files/encrypt_partition.env.tmpl          |   4 +-
 .../files/encrypt_partition.script            | 164 ++++++++++++++++++
 .../files/encrypt_partition.systemd.hook      |   5 +-
 .../files/encrypt_partition.systemd.script    | 152 +++-------------
 .../files/mount_crypt_partitions.script       |  61 +++++++
 ...ook_0.1.bb => initramfs-crypt-hook_0.2.bb} |  49 +++++-
 .../files/overlay.script.tmpl                 |   2 +-
 wic/x86_64-encryption.wks.in                  |  16 ++
 14 files changed, 442 insertions(+), 296 deletions(-)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
 create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
 rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (54%)
 create mode 100644 wic/x86_64-encryption.wks.in

-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 01/13] initramfs-crypt-hook: Allow switching between clevis and systemd
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 02/13] initramfs-crypt-hook: Align systemd encryption and clevis encryption Quirin Gylstorff
                   ` (12 subsequent siblings)
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows devices which started on Debian 11 to continue using
clevis for encryption and decryption.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index b275c0f..317ea12 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -1,7 +1,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2020-2023
+# Copyright (c) Siemens AG, 2020-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
 
 DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
 DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
-DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
+DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
+
+def encryption_dependency(d):
+    crypt_backend = d.getVar('CRYPT_BACKEND')
+    if crypt_backend == 'clevis':
+        clevis_depends= d.getVar('CLEVIS_DEPEND')
+        return f"{clevis_depends}, clevis-tpm2"
+    elif crypt_backend == 'systemd':
+        return ", systemd (>= 251)"
+    else:
+        bb.error("unkown cryptbackend defined")
 
 CRYPT_BACKEND:buster = "clevis"
 CRYPT_BACKEND:bullseye = "clevis"
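Review bot: the else branch only calls bb.error and then falls off the end, so encryption_dependency() returns None and `DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"` expands to the literal text None instead of stopping the build; use bb.fatal (or raise) there. On buster and bullseye CLEVIS_DEPEND is already appended by the two release-specific lines above, so the clevis branch returning `f"{clevis_depends}, clevis-tpm2"` lists those packages twice in Depends; returning just ", clevis-tpm2" when the release append is present keeps the field clean. Minor: `clevis_depends= d.getVar(...)` spacing and "unkown" in the error message.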
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 02/13] initramfs-crypt-hook: Align systemd encryption and clevis encryption
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 01/13] initramfs-crypt-hook: Allow switching between clevis and systemd Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 03/13] initramfs-crypt-hook: move the mounting of encrypted disks in a separate function Quirin Gylstorff
                   ` (11 subsequent siblings)
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The following changes were copied from systemd to clevis:
 - check return of resize command
The following changes were copied from clevis to systemd:
 - check if create_filesystem command is empty
 - use part_device(/dev/*) instead of disk
   label(/dev/disk/by-partlabel/*)

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     |  6 ++++--
 .../files/encrypt_partition.systemd.script    | 21 +++++++++++--------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0318966..4e76c44 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -2,7 +2,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -82,7 +82,9 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
-	resize2fs "$1" "${reduced_size_in_kb}"
+	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+		panic "reencryption of filesystem $1 cannot continue!"
+	fi
 	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
 		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
 	else
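Review bot: the resize2fs failure is now caught, but the cryptsetup-reencrypt call right below it (and the cryptsetup reencrypt fallback in the else branch) is still unchecked, so a reencrypt that aborts half-way returns normally and the caller goes on to enroll a token on a device that is not a valid LUKS container; wrap both calls in the same `if ! ...; then panic ...` pattern.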
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index eeeb55a..f97a461 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -2,7 +2,7 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -47,6 +47,9 @@ modprobe loop
 tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+if [ -z "${create_file_system_cmd}" ]; then
+	create_file_system_cmd="mke2fs -t ext4"
+fi
 
 service_watchdog() {
 	for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
@@ -83,8 +86,7 @@ enroll_tpm2_token() {
 }
 
 reencrypt_existing_partition() {
-	part_device="$(readlink -f "$partition")"
-	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
+	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
 	# reduce the filesystem and partition by 32M to fit the LUKS header
 	reduce_device_size=32768
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
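Review bot: deriving the sysfs name by splitting "$1" on "/" and taking the third field only works for paths of exactly the form /dev/<name>; `basename "$1"` gives the same result for those and does not break if a caller ever passes a deeper path. With the readlink now done by the caller this is a style point, but the awk is harder to read than it needs to be.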
@@ -111,15 +113,16 @@ for partition_set in $partition_sets; do
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
+	part_device=$(readlink -f "$partition")
 
 	# check if partition is already encrypted with systemd-tpm2
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
-		open_tpm2_partition "$partition"
 		if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
 			 "${rootmnt}${partition_mountpoint}"; then
 			panic "Can't mount encrypted partition '${decrypted_part}'!"
 		fi
+		open_tpm2_partition "$part_device"
 		continue
 	fi
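Review bot: moving open_tpm2_partition below the mount breaks the already-encrypted path: mount is called on ${decrypted_part} (/dev/mapper/encrypted_*) before the mapping exists, so every boot of an already-encrypted device panics with "Can't mount encrypted partition". The open has to stay before the mount; patch 03 puts it back, but this intermediate commit does not boot, which hurts bisecting, so fix the order here.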
 
@@ -136,15 +139,15 @@ for partition_set in $partition_sets; do
 
 	case "${partition_format}" in
 		"reencrypt")
-			reencrypt_existing_partition "$partition" "$tmp_key"
-			enroll_tpm2_token "$partition" "$tmp_key"
-			open_tpm2_partition "$partition"
+			reencrypt_existing_partition "$part_device" "$tmp_key"
+			enroll_tpm2_token "$part_device" "$tmp_key"
+			open_tpm2_partition "$part_device"
 		;;
 		"format")
 			/usr/sbin/cryptsetup luksFormat --batch-mode \
 				 --type luks2 "$partition" < "$tmp_key"
-			enroll_tpm2_token "$partition" "$tmp_key"
-			open_tpm2_partition "$partition"
+			enroll_tpm2_token "$part_device" "$tmp_key"
+			open_tpm2_partition "$part_device"
 			eval "${create_file_system_cmd} ${decrypted_part}"
 		;;
 		*)
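Review bot: the "format" branch still runs `cryptsetup luksFormat ... "$partition"` on the by-partlabel symlink while enroll and open use "$part_device", and the luksDump check above the case also uses "$partition"; the commit message says the systemd script now uses the resolved device instead of the label, so either switch those two as well or say why they are left on the symlink.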
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 03/13] initramfs-crypt-hook: move the mounting of encrypted disks in a separate function
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 01/13] initramfs-crypt-hook: Allow switching between clevis and systemd Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 02/13] initramfs-crypt-hook: Align systemd encryption and clevis encryption Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 04/13] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements Quirin Gylstorff
                   ` (10 subsequent siblings)
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This increases maintainability and avoids missing checks.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 20 +++++++++++--------
 .../files/encrypt_partition.systemd.script    | 20 +++++++++++--------
 2 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 4e76c44..0f82c1a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,6 +92,16 @@ reencrypt_existing_partition() {
 	fi
 }
 
+mount_partition() {
+	partition_dev_path=$1
+	partition_mountpoint=$2
+	echo "mount device: '$partition' to '$partition_mountpoint'"
+	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+		 "${partition_mountpoint}"; then
+		panic "Can't mount encrypted partition '${partition_dev_path}'!"
+	fi
+}
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
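Review bot: the echo in mount_partition prints the global $partition rather than the function's own $partition_dev_path, so the log line names the raw partition instead of the device actually handed to mount; use "${partition_dev_path}" in the message.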
@@ -114,10 +124,7 @@ for partition_set in $partition_sets; do
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "clevis"; then
 		open_tpm2_partition "$part_device"
-		if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-			 "${rootmnt}${partition_mountpoint}"; then
-			panic "Can't mount encrypted partition '${decrypted_part}'!"
-		fi
+		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
@@ -150,10 +157,7 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-		 "${rootmnt}${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${decrypted_part}'!"
-	fi
+	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 
 	# delete initial key
 	# afterwards no new keys can be enrolled
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index f97a461..6c6d22e 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -102,6 +102,16 @@ reencrypt_existing_partition() {
 	fi
 }
 
+mount_partition() {
+	partition_dev_path=$1
+	partition_mountpoint=$2
+	echo "mount device: '$partition' to '$partition_mountpoint'"
+	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+		 "${partition_mountpoint}"; then
+		panic "Can't mount encrypted partition '${partition_dev_path}'!"
+	fi
+}
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
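Review bot: same wrong variable in the log message as in the clevis copy: `echo "mount device: '$partition' to '$partition_mountpoint'"` should print "$partition_dev_path", which is what mount is given. Both scripts now carry an identical copy of this function; a shared file would avoid fixing it twice.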
@@ -118,11 +128,8 @@ for partition_set in $partition_sets; do
 	# check if partition is already encrypted with systemd-tpm2
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
-		if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-			 "${rootmnt}${partition_mountpoint}"; then
-			panic "Can't mount encrypted partition '${decrypted_part}'!"
-		fi
 		open_tpm2_partition "$part_device"
+		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
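Review bot: this hunk restores open_tpm2_partition ahead of the mount, i.e. it undoes the reorder that patch 02 introduced; fold the fix into patch 02 so that no commit in the series leaves the already-encrypted boot path calling mount on a mapping that does not exist yet.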
 
@@ -155,10 +162,7 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
-		 "${rootmnt}${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${decrypted_part}'!"
-	fi
+	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 
 	# delete initial key
 	# afterwards no new keys can be enrolled
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 04/13] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
                   ` (2 preceding siblings ...)
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 03/13] initramfs-crypt-hook: move the mounting of encrypted disks in a separate function Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 05/13] initramfs-crypt-hook: add flag to make encryption optional Quirin Gylstorff
                   ` (9 subsequent siblings)
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This also adds the crypt hash and crypt algorithm parameters and avoids
errors on mismatches between hardware and software.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.hook       |  7 ++---
 .../files/encrypt_partition.clevis.script     | 28 +++++++++++++++----
 .../files/encrypt_partition.env.tmpl          |  3 +-
 .../files/encrypt_partition.systemd.hook      |  4 ++-
 .../files/encrypt_partition.systemd.script    | 15 ++++++++--
 .../initramfs-crypt-hook_0.1.bb               |  7 +++--
 6 files changed, 48 insertions(+), 16 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index d08594c..347551a 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -66,9 +66,10 @@ copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_creat
 copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load"
 if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then
     copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+    copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
 fi
 if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then
-    copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+    copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist"
 fi
 copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy"
 if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then
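Review bot: the tpm2_testparms copy is guarded by the `-x /usr/bin/tpm2_pcrread` test, not by its own; on a release that ships tpm2_pcrread but no tpm2_testparms the hook fails with hook_error, whereas the script side treats tpm2_testparms as optional (`if [ -x /usr/bin/tpm2_testparms ]`). Guard the copy_exec with its own -x test so hook and script agree.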
@@ -86,9 +87,7 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"
 copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq"
 copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake"
 copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file "
-if [ "$VERSION_CODENAME" = "buster" ]; then
-    copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
-fi
+copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
     copy_exec /usr/sbin/cryptsetup-reencrypt
 fi
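Review bot: copying libgcc_s.so.1 is now unconditional, but the commit message does not say which tool outside buster needs it; copy_exec already pulls in linked libraries, so an explicit copy implies a dlopen dependency, and that is worth stating in the message. The recipe only adds libgcc-7-dev on buster, so the other releases rely on /usr/lib/*/libgcc_s.so.1 being present through merged /usr, which is also worth a comment.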
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0f82c1a..8de8015 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -43,12 +43,10 @@ modprobe xts
 # this needs to be probed particularly for re-encryption
 modprobe loop
 
-# fixed tpm device or do we need to find it
-tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-hash_type="$HASH_TYPE"
-
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -69,7 +67,7 @@ open_tpm2_partition() {
 
 enroll_tpm2_token() {
 	if [ -x /usr/bin/clevis ]; then
-		clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2"
+		clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2"
 	else
 		panic "clevis not available cannot enroll tpm2 key!"
 	fi
@@ -102,6 +100,26 @@ mount_partition() {
 	fi
 }
 
+for candidate in /dev/tpm*; do
+	if [ -x /usr/bin/tpm2_pcrread ]; then
+		if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
+			continue
+		fi
+	elif [ -x /usr/bin/tpm2_pcrlist ]; then
+		export TPM2TOOLS_DEVICE_FILE="$candidate"
+		if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then
+			continue
+		fi
+	fi
+	# Debian buster does not have tpm_testparms
+	if [ -x /usr/bin/tpm2_testparms ]; then
+		if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then
+			continue
+		fi
+	fi
+	tpm_device=$candidate
+done
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
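Review bot: the candidate loop never breaks, so when several nodes pass the probe the last one wins, and /dev/tpm* matches both the raw /dev/tpm0 and the resource-manager /dev/tpmrm0 that the previous fixed default used; glob order happens to put /dev/tpmrm0 last, but relying on that is fragile, and talking to the raw node bypasses the in-kernel resource manager. Iterate /dev/tpmrm* first, break on the first match, and guard with `[ -e "$candidate" ]` so an unmatched glob does not hand the literal string /dev/tpm* to tpm2_pcrread. The buster branch also leaves TPM2TOOLS_DEVICE_FILE exported at the last candidate tried, whether or not that was the one chosen.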
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index bcc57be..5d28dc5 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}"
 CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
 SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
 WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
-HASH_TYPE="${CRYPT_HASH_TYPE}"
\ No newline at end of file
+HASH_TYPE="${CRYPT_HASH_TYPE}"
+KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index c3b31d6..6e2a211 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (C) Siemens AG, 2020-2023
+# Copyright (C) Siemens AG, 2020-2024
 #
 # SPDX-License-Identifier: MIT
 
@@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
 copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
 copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found"
 copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
+copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
 
 copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 6c6d22e..ea267ac 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -43,10 +43,10 @@ modprobe xts
 # this needs to be probed particularly for re-encryption
 modprobe loop
 
-# fixed tpm device or do we need to find it
-tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -71,6 +71,7 @@ enroll_tpm2_token() {
 		systemd_version=$(systemd-cryptenroll --version | \
 			  awk -F " " 'NR==1{print $2 }')
 		# check systemd version and export password if necessary
+		# systemd version 251 does not suport hash_types
 		if [ "$systemd_version" -ge "251" ]; then
 			PASSWORD=$(cat "$2" )
 			export PASSWORD
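Review bot: the new comment "systemd version 251 does not suport hash_types" (typo: support) sits above a check that only decides whether PASSWORD is exported for systemd-cryptenroll, so it explains nothing about that condition; and pcr_bank_hash_type/tpm_key_algorithm are read at the top of this script but nothing in this function passes them to systemd-cryptenroll. Either say what the version dependency on hash types really is, or drop the comment.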
@@ -112,6 +113,16 @@ mount_partition() {
 	fi
 }
 
+for candidate in /dev/tpm*; do
+	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
+		continue
+	fi
+	if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
+		continue
+	fi
+	tpm_device=$candidate
+done
+
 if [ ! -e "$tpm_device" ]; then
 	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
 fi
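Review bot: same probe loop as the clevis script, with the same two problems: no break, so the last passing node is selected rather than the first, and both /dev/tpm0 and /dev/tpmrm0 are tried although only the resource-manager node should be used from the initramfs. Here tpm_device is additionally never initialised, so when no candidate passes the panic below prints an empty device name; initialise it to "" explicitly and make the message say that no suitable TPM was found.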
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 317ea12..7f732cf 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -11,7 +11,7 @@
 inherit dpkg-raw
 DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
     awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
-    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs"
+    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
 
 CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
 
@@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600"
 INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
 # clevis needs tpm hash algorithm type
 CRYPT_HASH_TYPE ??= "sha256"
-
+CRYPT_KEY_ALGORITHM ??= "ecc"
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
-    CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE"
+    CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
+    CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
 TEMPLATE_FILES = "encrypt_partition.env.tmpl"
 
 do_install[cleandirs] += " \
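Review bot: TEMPLATE_VARS now lists CRYPT_ENCRYPTION_OPTIONAL, but that variable is only defined (with its ??= "false" default) in patch 05, so in this commit the template is rendered with an undefined variable; move the TEMPLATE_VARS addition to patch 05 together with the default. Also the comment "# clevis needs tpm hash algorithm type" now reads as if it covered CRYPT_KEY_ALGORITHM too, which both backends use.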
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 05/13] initramfs-crypt-hook: add flag to make encryption optional
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
                   ` (3 preceding siblings ...)
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 04/13] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 06/13] initramfs-crypt-hook: add e2fsck to avoid resize error Quirin Gylstorff
                   ` (8 subsequent siblings)
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows using the same image on devices with and without a TPM.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 20 ++++++++++++++++++-
 .../files/encrypt_partition.env.tmpl          |  1 +
 .../files/encrypt_partition.systemd.script    | 20 ++++++++++++++++++-
 .../initramfs-crypt-hook_0.1.bb               |  1 +
 4 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 8de8015..e0fcbf4 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
 pcr_bank_hash_type="$HASH_TYPE"
 tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -121,7 +122,24 @@ for candidate in /dev/tpm*; do
 done
 
 if [ ! -e "$tpm_device" ]; then
-	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		for partition_set in $partition_sets; do
+			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+			partition=/dev/disk/by-partlabel/"$partition_label"
+			case "${partition_format}" in
+			"reencrypt")
+				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+				;;
+			*)
+				echo "cannot mount partition '$partition' as it is marked for formatting."
+			esac
+		done
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
 fi
 
 # clevis needs /dev/fd create it in the initramfs
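Review bot: the fallback is taken whenever the loop above found nothing, but that loop also rejects a TPM that is present and fails the pcr-bank or key-algorithm probe, so with CRYPT_ENCRYPTION_OPTIONAL=true a TPM-equipped device with a mistyped CRYPT_HASH_TYPE silently boots with its "reencrypt" partitions mounted in plaintext, and the echo even claims "No tpm_device exists". Take the optional path only when no /dev/tpm* node exists at all and keep the panic for a TPM that does not meet the configured requirements. The partition-set parsing is also duplicated from the main loop below.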
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index 5d28dc5..bb93361 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
 WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
 HASH_TYPE="${CRYPT_HASH_TYPE}"
 KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
+ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index ea267ac..48ce999 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
 pcr_bank_hash_type="$HASH_TYPE"
 tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -124,7 +125,24 @@ for candidate in /dev/tpm*; do
 done
 
 if [ ! -e "$tpm_device" ]; then
-	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		for partition_set in $partition_sets; do
+			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+			partition=/dev/disk/by-partlabel/"$partition_label"
+			case "${partition_format}" in
+			"reencrypt")
+				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+				;;
+			*)
+				echo "cannot mount partition '$partition' as it is marked for formatting."
+			esac
+		done
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
 fi
 
 for partition_set in $partition_sets; do
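Review bot: in the fallback every partition marked "format" is skipped with just an echo and the script still exits 0, so a configuration whose partition list contains a format entry that the system needs continues booting without that mountpoint; either create the filesystem unencrypted there as well, or panic, but do not report success. This block is also a verbatim copy of the clevis one; a shared helper would avoid fixing it twice.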
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 7f732cf..54c91fd 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
 # clevis needs tpm hash algorithm type
 CRYPT_HASH_TYPE ??= "sha256"
 CRYPT_KEY_ALGORITHM ??= "ecc"
+CRYPT_ENCRYPTION_OPTIONAL ??= "false"
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
     CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
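Review bot: CRYPT_ENCRYPTION_OPTIONAL gets its default here and the env template reads it as `${CRYPT_ENCRYPTION_OPTIONAL}`, but the hunk ends after the first two lines of `TEMPLATE_VARS` and does not show the variable being added to that list. Without it the placeholder is not substituted, `ENCRYPTION_IS_OPTIONAL` expands to empty when the .env file is sourced, and the flag is silently ignored (fail-closed, but not what the user configured). Please confirm the continuation line adds `CRYPT_ENCRYPTION_OPTIONAL`, or include it in the diff.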
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 06/13] initramfs-crypt-hook: add e2fsck to avoid resize error
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This avoids the following error when resizing a file system:
`Please run ‘e2fsck -f /dev/<disk>’ first`

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.clevis.script   | 1 +
 .../initramfs-crypt-hook/files/encrypt_partition.systemd.script  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index e0fcbf4..22caa46 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -81,6 +81,7 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+	e2fsck -f "$1"
 	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
 		panic "reencryption of filesystem $1 cannot continue!"
 	fi
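Review bot: `e2fsck -f "$1"` runs without `-p` or `-y` and its exit status is ignored. In the initramfs there is no terminal to answer fsck's prompts, so a filesystem with real errors aborts the check and the following `resize2fs` then fails with the very message this patch wants to avoid, only later. Suggest preen mode plus a fatal check on status 4 and above (0 and 1 mean clean or fixed):
	e2fsck -f -p "$1"; fsck_rc=$?
	if [ "$fsck_rc" -ge 4 ]; then panic "fsck of $1 failed ($fsck_rc), cannot reencrypt!"; fi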
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 48ce999..85b4fbc 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -94,6 +94,7 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+	e2fsck -f "$1"
 	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
 		panic "reencryption of filesystem $1 cannot continue!"
 	fi
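Review bot: same point as for the clevis script above: use `-p` and check the `e2fsck` exit status so both backends react identically to a damaged filesystem instead of continuing into `resize2fs`.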
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 07/13] initramfs-crypt-hook: split encryption and mounting
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The encryption now occurs before the rootfs is mounted.
The file system is mounted after the rootfs.

This removes the required order between overlay and disk encryption.
It also allows the encryption of the rootfs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 27 --------
 .../files/encrypt_partition.systemd.script    | 27 --------
 .../files/mount_crypt_partitions.script       | 61 +++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb               |  6 +-
 .../files/overlay.script.tmpl                 |  2 +-
 5 files changed, 67 insertions(+), 56 deletions(-)
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 22caa46..6aec7b8 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,16 +92,6 @@ reencrypt_existing_partition() {
 	fi
 }
 
-mount_partition() {
-	partition_dev_path=$1
-	partition_mountpoint=$2
-	echo "mount device: '$partition' to '$partition_mountpoint'"
-	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
-		 "${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${partition_dev_path}'!"
-	fi
-}
-
 for candidate in /dev/tpm*; do
 	if [ -x /usr/bin/tpm2_pcrread ]; then
 		if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
@@ -125,19 +115,6 @@ done
 if [ ! -e "$tpm_device" ]; then
 	if [ "$tpm_encryption_optional" = "true" ]; then
 		echo "No tpm_device exists abort optional encryption"
-		for partition_set in $partition_sets; do
-			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-			partition=/dev/disk/by-partlabel/"$partition_label"
-			case "${partition_format}" in
-			"reencrypt")
-				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
-				;;
-			*)
-				echo "cannot mount partition '$partition' as it is marked for formatting."
-			esac
-		done
 		exit 0
 	fi
 	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
@@ -150,7 +127,6 @@ fi
 
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
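Review bot: this deletion is reverted by 08/13 in the same series, which re-adds `partition_mountpoint=...` unchanged for the root check; leaving the line in place here avoids the remove/re-add churn and keeps the two backends' loops identical across the series.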
@@ -161,7 +137,6 @@ for partition_set in $partition_sets; do
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "clevis"; then
 		open_tpm2_partition "$part_device"
-		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
@@ -194,8 +169,6 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
-
 	# delete initial key
 	# afterwards no new keys can be enrolled
 	cryptsetup -v luksKillSlot -q  "$part_device" 0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 85b4fbc..7f2a6e3 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -105,16 +105,6 @@ reencrypt_existing_partition() {
 	fi
 }
 
-mount_partition() {
-	partition_dev_path=$1
-	partition_mountpoint=$2
-	echo "mount device: '$partition' to '$partition_mountpoint'"
-	if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
-		 "${partition_mountpoint}"; then
-		panic "Can't mount encrypted partition '${partition_dev_path}'!"
-	fi
-}
-
 for candidate in /dev/tpm*; do
 	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
 		continue
@@ -128,19 +118,6 @@ done
 if [ ! -e "$tpm_device" ]; then
 	if [ "$tpm_encryption_optional" = "true" ]; then
 		echo "No tpm_device exists abort optional encryption"
-		for partition_set in $partition_sets; do
-			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-			partition=/dev/disk/by-partlabel/"$partition_label"
-			case "${partition_format}" in
-			"reencrypt")
-				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
-				;;
-			*)
-				echo "cannot mount partition '$partition' as it is marked for formatting."
-			esac
-		done
 		exit 0
 	fi
 	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
@@ -148,7 +125,6 @@ fi
 
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
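Review bot: as in the clevis script, this `partition_mountpoint` line comes back unchanged in 08/13; keep it here.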
@@ -159,7 +135,6 @@ for partition_set in $partition_sets; do
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
 		open_tpm2_partition "$part_device"
-		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
 		continue
 	fi
 
@@ -192,8 +167,6 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
-	mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
-
 	# delete initial key
 	# afterwards no new keys can be enrolled
 	/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
new file mode 100644
index 0000000..3411e70
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+prereqs()
+{
+	# Make sure that this script is run last in local-top
+	local req
+	for req in "${0%/*}"/*; do
+		script="${req##*/}"
+		if [ "$script" != "${0##*/}" ]; then
+			printf '%s\n' "$script"
+		fi
+	done
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+mount_partition() {
+	partition_dev_path=$1
+	partition_mountpoint=$2
+	echo "mount device: '$partition_dev_path' to '$partition_mountpoint'"
+	if ! mountpoint -q "${partition_mountpoint}"; then
+		if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+			 "${partition_mountpoint}"; then
+			panic "Can't mount partition '${partition_dev_path}'!"
+		fi
+	fi
+}
+partition_sets="$PARTITIONS"
+for partition_set in $partition_sets; do
+	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+	partition=/dev/disk/by-partlabel/"$partition_label"
+	part_device=$(readlink -f "$partition")
+	crypt_mount_name="encrypted_$partition_label"
+	decrypted_part=/dev/mapper/"$crypt_mount_name"
+
+	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
+			| grep -q "luks2"; then
+		mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
+	else
+		mount_partition "$part_device" "$rootmnt""$partition_mountpoint"
+	fi
+done
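Review bot: the `prereqs()` comment says "run last in local-top", but the recipe hunk in this patch installs the file into local-bottom; since the function returns every sibling script as a prerequisite it runs after all other local-bottom scripts, including the overlay, and the comment should say so. Second, the third field of CRYPT_PARTITIONS is no longer consulted: a partition marked `format` that was never encrypted (the optional-encryption exit path) now lands in the `else` branch, where `mount_partition` panics on a device without a filesystem, whereas the code removed from the encrypt scripts above skipped those with `cannot mount partition ... marked for formatting`; parse field 3 and `continue` for `format` when the device is not LUKS. Third, `grep -q "luks2"` over `luksDump` output only matches the keyslot type string; `cryptsetup isLuks --type luks2 "$part_device"` is the purpose-built test and avoids the stderr noise luksDump prints for plain partitions. Finally, `mountpoint` comes from util-linux and none of the hook hunks on this page copies it into the initramfs; if it is absent, `! mountpoint -q` is always true and the guard silently degrades to always mounting.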
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 54c91fd..4e60c10 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -35,6 +35,7 @@ CRYPT_BACKEND = "systemd"
 
 SRC_URI += "file://encrypt_partition.env.tmpl \
             file://encrypt_partition.${CRYPT_BACKEND}.script \
+            file://mount_crypt_partitions.script \
             file://encrypt_partition.${CRYPT_BACKEND}.hook \
             file://pwquality.conf"
 
@@ -60,12 +61,15 @@ TEMPLATE_FILES = "encrypt_partition.env.tmpl"
 do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/hooks \
     ${D}/usr/share/encrypt_partition \
+    ${D}/usr/share/initramfs-tools/scripts/local-top \
     ${D}/usr/share/initramfs-tools/scripts/local-bottom"
 
 do_install() {
     install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
     install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
-        "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
+        "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition"
+    install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
     install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
         "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
     install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf"
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
index a321490..2563dfd 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
@@ -9,7 +9,7 @@
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
 #
 
-PREREQ="encrypt_partition"
+PREREQ=""
 
 prereqs()
 {
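Review bot: with `PREREQ=""` the overlay script declares no ordering at all; the only ordering left is the new mount script's `prereqs()`, which lists every other local-bottom script and therefore runs after the overlay. Please confirm the overlay does not need the decrypted partitions (CRYPT_PARTITIONS defaults to `home:/home` and `var:/var`) to be mounted first, and record the intended order in the commit message, since it is now implicit rather than declared.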
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 08/13] initramfs-crypt-hook: Add check if root is part of the mountpoints
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If root will be encrypted, the ROOT mountpoint will be set to
'/dev/mapper/encrypted_<partition_label>'.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script                   | 6 ++++++
 .../files/encrypt_partition.systemd.script                  | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 6aec7b8..fdbd9b5 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -127,12 +127,17 @@ fi
 
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
 	# clevis does not work with links in /dev/disk*
 	part_device=$(readlink -f "$partition")
+	# check if we are trying to mount root
+	if [ "$partition_mountpoint" = "/" ]; then
+		echo "ROOT=$decrypted_part" >/conf/param.conf
+	fi
 
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "clevis"; then
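Review bot: `>/conf/param.conf` truncates the file, so any parameters that earlier local-top scripts stored there are lost; initramfs-tools sources /conf/param.conf after every script precisely so that they accumulate. Append instead: `echo "ROOT=$decrypted_part" >>/conf/param.conf`.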
@@ -169,6 +174,7 @@ for partition_set in $partition_sets; do
 		 ;;
 	esac
 
+
 	# delete initial key
 	# afterwards no new keys can be enrolled
 	cryptsetup -v luksKillSlot -q  "$part_device" 0
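Review bot: stray whitespace: the only change in this hunk is an added empty line after `esac`, unrelated to the root check; drop it.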
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 7f2a6e3..e0c84ce 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -125,12 +125,17 @@ fi
 
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
 	partition=/dev/disk/by-partlabel/"$partition_label"
 	crypt_mount_name="encrypted_$partition_label"
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
 	part_device=$(readlink -f "$partition")
 
+	# check if we are trying to mount root
+	if [ "$partition_mountpoint" = "/" ]; then
+		echo "ROOT=$decrypted_part" >/conf/param.conf
+	fi
 	# check if partition is already encrypted with systemd-tpm2
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
 			| grep -q "systemd-tpm2"; then
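Review bot: same truncation issue as in the clevis script: use `>>/conf/param.conf` so parameters from earlier local-top scripts survive.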
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 09/13] initramfs-crypt-hook: split hook in multiple files
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Split the clevis hook into distro-specific files to increase
readability.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 ...pt_partition.clevis.bullseye_or_later.hook | 34 +++++++++++++++++++
 .../encrypt_partition.clevis.buster.hook      | 30 ++++++++++++++++
 .../files/encrypt_partition.clevis.hook       | 16 ---------
 .../initramfs-crypt-hook_0.1.bb               | 18 +++++++++-
 4 files changed, 81 insertions(+), 17 deletions(-)
 create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
 create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
new file mode 100755
index 0000000..b244d45
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
@@ -0,0 +1,34 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2023
+#
+# SPDX-License-Identifier: MIT
+
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+fi
+hook_error() {
+    echo "(ERROR): $1" >&2
+    exit 1
+}
+
+copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found"
+copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found"
+copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
+copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext"
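Review bot: dead code: `/etc/os-release` is sourced but `VERSION_CODENAME` is never read in this file now that the distro choice is made by `add_additional_clevis_hooks()` in the recipe; drop the block (same in the buster hook). The copyright line reads 2020-2023 for a file created in 2024. Replacing the old `[ -x ... ]` guards with unconditional `copy_exec || hook_error` is an improvement worth stating in the commit message: a missing tpm2_pcrread or tpm2_testparms now fails the build instead of producing an initramfs whose TPM checks are silently skipped.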
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
new file mode 100755
index 0000000..fd39c34
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2023
+#
+# SPDX-License-Identifier: MIT
+
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+fi
+hook_error() {
+    echo "(ERROR): $1" >&2
+    exit 1
+}
+copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist"
+
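Review bot: trailing empty line at end of file, and the same unused `. /etc/os-release` block as in the bullseye_or_later hook. Since buster has no tpm2_testparms (see the `# Debian buster does not have tpm_testparms` guard in the script), the key-algorithm check is skipped on that distro; a comment here would save the next reader from expecting CRYPT_KEY_ALGORITHM to be verified on buster.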
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 347551a..1921aba 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -54,27 +54,11 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp
 copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found"
 copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found"
 copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found"
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-list ]; then
-    copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found"
-fi
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-common-functions  ]; then
-    copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found"
-fi
 copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary"
 copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal"
 copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create"
 copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load"
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then
-    copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
-    copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
-fi
-if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then
-    copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist"
-fi
 copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy"
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then
-    copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext"
-fi
 copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash"
 copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta"
 copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose"
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 4e60c10..dc46ff8 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -29,6 +29,16 @@ def encryption_dependency(d):
     else:
         bb.error("unkown cryptbackend defined")
 
+def add_additional_clevis_hooks(d):
+    base_distro_code_name = d.getVar('BASE_DISTRO_CODENAME') or ""
+    crypt_backend = d.getVar('CRYPT_BACKEND') or ""
+    if crypt_backend != 'clevis':
+        return ""
+    if base_distro_code_name == "buster":
+        return f"encrypt_partition.{crypt_backend}.buster.hook"
+    else:
+        return f"encrypt_partition.{crypt_backend}.bullseye_or_later.hook"
+
 CRYPT_BACKEND:buster = "clevis"
 CRYPT_BACKEND:bullseye = "clevis"
 CRYPT_BACKEND = "systemd"
@@ -38,7 +48,8 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
             file://mount_crypt_partitions.script \
             file://encrypt_partition.${CRYPT_BACKEND}.hook \
             file://pwquality.conf"
-
+ADDITIONAL_CLEVIS_HOOK = "${@add_additional_clevis_hooks(d)}"
+SRC_URI += "${@ 'file://' + d.getVar('ADDITIONAL_CLEVIS_HOOK') if d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''}"
 # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>
 CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
 # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
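Review bot: `...if d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''` is missing the space before `else`; Python tokenises it, but write it as `... if d.getVar('ADDITIONAL_CLEVIS_HOOK') else ''`. The hunk also removes the blank line that separated `SRC_URI` from the `CRYPT_PARTITIONS` comment; keep it.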
@@ -72,5 +83,10 @@ do_install() {
         "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
     install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
         "${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
+    if [ -f "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" ]; then
+        install -m 0755 "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" \
+            "${D}/usr/share/initramfs-tools/hooks/encrypt_partition.${BASE_DISTRO_CODENAME}"
+    fi
+
     install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf"
 }
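Review bot: the added empty line before the pwquality.conf install is stray whitespace. The `-f` guard only serves the systemd backend, where `ADDITIONAL_CLEVIS_HOOK` is empty (a missing file would already have failed the fetch), so `if [ -n "${ADDITIONAL_CLEVIS_HOOK}" ]` states that intent directly. Note also that the installed name is `encrypt_partition.${BASE_DISTRO_CODENAME}` while the source is `bullseye_or_later` for every non-buster codename, so on bookworm the hook lands as `encrypt_partition.bookworm`; fine, but worth a comment.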
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 10/13] initramfs-crypt-hook: Consolidate clevis and systemd scripts
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This reduces the maintenance effort as the common code is only maintained
once.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.hook       |   1 +
 .../files/encrypt_partition.clevis.script     | 177 ++----------------
 .../files/encrypt_partition.script            | 164 ++++++++++++++++
 .../files/encrypt_partition.systemd.hook      |   1 +
 .../files/encrypt_partition.systemd.script    | 163 ++--------------
 .../initramfs-crypt-hook_0.1.bb               |   5 +-
 6 files changed, 208 insertions(+), 303 deletions(-)
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 1921aba..0bb8ce6 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -81,4 +81,5 @@ for _LIBRARY in /usr/lib/*/libtss2*; do
 done
 
 copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
+copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2
 copy_file pwmake-config /usr/share/encrypt_partition/pwquality.conf /etc/security/pwquality.conf
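Review bot: /usr/share/encrypt_partition/encrypt_partition_tpm2 must be where the recipe installs the backend script (the clevis script below is reduced to the three backend functions), but the recipe change from the diffstat is not visible here, so please confirm the install target matches. Unlike the `copy_exec` lines, the `copy_file` calls in this hook do not check their return value; add `|| hook_error "..."` so a wrong path fails the build rather than producing an initramfs in which the common script sources a file that is not there.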
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index fdbd9b5..ddb3eab 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -9,177 +9,38 @@
 #
 # SPDX-License-Identifier: MIT
 
-prereqs()
-{
-	# Make sure that this script is run last in local-top
-	local req
-	for req in "${0%/*}"/*; do
-		script="${req##*/}"
-		if [ "$script" != "${0##*/}" ]; then
-			printf '%s\n' "$script"
-		fi
-	done
-}
-case $1 in
-prereqs)
-	prereqs
-	exit 0
-	;;
-esac
-
-. /scripts/functions
-
-# get configuration variables
-. /usr/share/encrypt_partition/encrypt_partition.env
-
-# load necessary kernel modules:
-modprobe tpm_tis
-modprobe tpm_crb
-
-modprobe ecb
-modprobe aes_generic
-modprobe xts
-
-# this needs to be probed particularly for re-encryption
-modprobe loop
-
-partition_sets="$PARTITIONS"
-create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-pcr_bank_hash_type="$HASH_TYPE"
-tpm_key_algorithm="$KEY_ALGORITHM"
-tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
-if [ -z "${create_file_system_cmd}" ]; then
-	create_file_system_cmd="mke2fs -t ext4"
-fi
-
-service_watchdog() {
-	for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
-		printf '\0'
-		sleep 10
-	done > "$WATCHDOG_DEV"
-}
 
 open_tpm2_partition() {
+	partition_device="$1"
+	crypt_mount_name="$2"
+	#tpm_device="$3"
 	if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
-		 -d "$1"; then
-		panic "Can't decrypt '$1' !"
+		 -d "$partition_device"; then
+		panic "Can't decrypt '$partition_device' !"
 	fi
 }
 
 enroll_tpm2_token() {
+	partition_device="$1"
+	passphrase="$2"
+	#tpm_device="$3"
+	tpm_key_algorithm="$4"
+	pcr_bank_hash_type="$5"
 	if [ -x /usr/bin/clevis ]; then
-		clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2"
+		clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase"
 	else
 		panic "clevis not available cannot enroll tpm2 key!"
 	fi
 }
 
-reencrypt_existing_partition() {
-	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
-	# reduce the filesystem and partition by 32M to fit the LUKS header
-	reduce_device_size=32768
-	reduced_size="$(expr "$part_size_blocks" - 65536 )"
-	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
-	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
-	e2fsck -f "$1"
-	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
-		panic "reencryption of filesystem $1 cannot continue!"
-	fi
-	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
-		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
-	else
-		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+prepare_for_encryption() {
+	# clevis needs /dev/fd create it in the initramfs
+	if [ ! -e /dev/fd ]; then
+		ln -s /proc/self/fd /dev/fd
 	fi
 }
 
-for candidate in /dev/tpm*; do
-	if [ -x /usr/bin/tpm2_pcrread ]; then
-		if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
-			continue
-		fi
-	elif [ -x /usr/bin/tpm2_pcrlist ]; then
-		export TPM2TOOLS_DEVICE_FILE="$candidate"
-		if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then
-			continue
-		fi
-	fi
-	# Debian buster does not have tpm_testparms
-	if [ -x /usr/bin/tpm2_testparms ]; then
-		if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then
-			continue
-		fi
-	fi
-	tpm_device=$candidate
-done
-
-if [ ! -e "$tpm_device" ]; then
-	if [ "$tpm_encryption_optional" = "true" ]; then
-		echo "No tpm_device exists abort optional encryption"
-		exit 0
-	fi
-	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
-fi
-
-# clevis needs /dev/fd create it in the initramfs
-if [ ! -e /dev/fd ]; then
-	ln -s /proc/self/fd /dev/fd
-fi
-
-for partition_set in $partition_sets; do
-	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-	partition=/dev/disk/by-partlabel/"$partition_label"
-	crypt_mount_name="encrypted_$partition_label"
-	decrypted_part=/dev/mapper/"$crypt_mount_name"
-	# clevis does not work with links in /dev/disk*
-	part_device=$(readlink -f "$partition")
-	# check if we are trying to mount root
-	if [ "$partition_mountpoint" = "/" ]; then
-		echo "ROOT=$decrypted_part" >/conf/param.conf
-	fi
-
-	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
-			| grep -q "clevis"; then
-		open_tpm2_partition "$part_device"
-		continue
-	fi
-
-	# service watchdog in the background during lengthy re-encryption
-	if [ -z "$watchdog_pid" ]; then
-		service_watchdog &
-		watchdog_pid=$!
-	fi
-
-	# create random password for initial encryption
-	# this will be dropped after reboot
-	tmp_key=/tmp/"$partition_label-lukskey"
-	openssl rand -base64 32 > "$tmp_key"
-
-	case "${partition_format}" in
-		"reencrypt")
-			reencrypt_existing_partition "$part_device" "$tmp_key"
-			enroll_tpm2_token "$part_device" "$tmp_key"
-			open_tpm2_partition "$part_device"
-		;;
-		"format")
-			/usr/sbin/cryptsetup luksFormat --batch-mode \
-				 --type luks2 "$partition" < "$tmp_key"
-			enroll_tpm2_token "$part_device" "$tmp_key"
-			open_tpm2_partition "$part_device"
-			eval "${create_file_system_cmd} ${decrypted_part}"
-		;;
-		*)
-			panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
-		 ;;
-	esac
-
-
-	# delete initial key
-	# afterwards no new keys can be enrolled
-	cryptsetup -v luksKillSlot -q  "$part_device" 0
-done
-
-if [ -n "$watchdog_pid" ]; then
-	kill "$watchdog_pid"
-fi
+finalize_tpm2_encryption() {
+	partition_device="$1"
+	cryptsetup -v luksKillSlot -q  "$partition_device" 0
+}
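Review bot: `enroll_tpm2_token` assigns `tpm_key_algorithm="$4"` and `pcr_bank_hash_type="$5"` into the same global names the caller loaded from the `.env`, without `local`, so any call that passes fewer than five arguments clears them for every later partition and `clevis luks bind` is run with `"key":""` and `"pcr_bank":""` in the pin configuration. Declare them `local` (or use distinct names) and `panic` when `$4`/`$5` are empty. `finalize_tpm2_encryption` ignores the exit status of `cryptsetup -v luksKillSlot -q "$partition_device" 0`; if the wipe fails, the random bootstrap passphrase stays valid in keyslot 0, so that call should be followed by `|| panic "..."`. `open_tpm2_partition` leaves `$3` unused (`#tpm_device="$3"`), so clevis unlocks with whatever TPM tpm2-tools selects rather than the device that passed the PCR/algorithm probe; fine with a single TPM, but worth a comment for systems with more than one.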
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
new file mode 100644
index 0000000..8763f69
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -0,0 +1,164 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023-2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+prereqs()
+{
+	# Make sure that this script is run last in local-top
+	local req
+	for req in "${0%/*}"/*; do
+		script="${req##*/}"
+		if [ "$script" != "${0##*/}" ]; then
+			printf '%s\n' "$script"
+		fi
+	done
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+# get the implementation
+. /usr/share/encrypt_partition/encrypt_partition_tpm2
+# load necessary kernel modules:
+modprobe tpm_tis
+modprobe tpm_crb
+
+modprobe ecb
+modprobe aes_generic
+modprobe xts
+
+# this needs to be probed particularly for re-encryption
+modprobe loop
+
+partition_sets="$PARTITIONS"
+create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
+if [ -z "${create_file_system_cmd}" ]; then
+	create_file_system_cmd="mke2fs -t ext4"
+fi
+
+service_watchdog() {
+	for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+		printf '\0'
+		sleep 10
+	done > "$WATCHDOG_DEV"
+}
+
+reencrypt_existing_partition() {
+	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
+	# reduce the filesystem and partition by 32M to fit the LUKS header
+	reduce_device_size=32768
+	reduced_size="$(expr "$part_size_blocks" - 65536 )"
+	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
+	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+	e2fsck -f "$1"
+	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+		panic "reencryption of filesystem $1 cannot continue!"
+	fi
+	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
+		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+	else
+		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+	fi
+}
+for candidate in /dev/tpm*; do
+	if [ -x /usr/bin/tpm2_pcrread ]; then
+		if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
+			continue
+		fi
+	elif [ -x /usr/bin/tpm2_pcrlist ]; then
+		export TPM2TOOLS_DEVICE_FILE="$candidate"
+		if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then
+			continue
+		fi
+	fi
+	# Debian buster does not have tpm_testparms
+	if [ -x /usr/bin/tpm2_testparms ]; then
+		if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then
+			continue
+		fi
+	fi
+	tpm_device=$candidate
+done
+
+if [ ! -e "$tpm_device" ]; then
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
+fi
+
+prepare_for_encryption
+
+for partition_set in $partition_sets; do
+	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+	partition=/dev/disk/by-partlabel/"$partition_label"
+	crypt_mount_name="encrypted_$partition_label"
+	decrypted_part=/dev/mapper/"$crypt_mount_name"
+	part_device=$(readlink -f "$partition")
+	# check if we are trying to mount root
+	if [ "$partition_mountpoint" = "/" ]; then
+		echo "ROOT=$decrypted_part" >/conf/param.conf
+	fi
+
+	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+			| grep -q "token"; then
+		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+		continue
+	fi
+
+	# service watchdog in the background during lengthy re-encryption
+	if [ -z "$watchdog_pid" ]; then
+		service_watchdog &
+		watchdog_pid=$!
+	fi
+
+	# create random password for initial encryption
+	# this will be dropped after reboot
+	tmp_key=/tmp/"$partition_label-lukskey"
+	openssl rand -base64 32 > "$tmp_key"
+
+	case "${partition_format}" in
+		"reencrypt")
+			reencrypt_existing_partition "$part_device" "$tmp_key"
+			enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
+			open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+		;;
+		"format")
+			/usr/sbin/cryptsetup luksFormat --batch-mode \
+				 --type luks2 "$partition" < "$tmp_key"
+			enroll_tpm2_token "$part_device" "$tmp_key"
+			open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+			eval "${create_file_system_cmd} ${decrypted_part}"
+		;;
+		*)
+			panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
+		 ;;
+	esac
+
+	finalize_tpm2_encryption
+done
+
+if [ -n "$watchdog_pid" ]; then
+	kill "$watchdog_pid"
+fi
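Review bot: `finalize_tpm2_encryption` at the end of the loop is called without an argument, yet both backends begin with `partition_device="$1"`, so the wipe of keyslot 0 runs against an empty device name and the temporary passphrase written by `openssl rand -base64 32 > "$tmp_key"` remains a valid unlock secret on every freshly encrypted partition. It has to be `finalize_tpm2_encryption "$part_device"`, and `$tmp_key` should be removed afterwards. In the `format` branch `enroll_tpm2_token "$part_device" "$tmp_key"` passes two arguments while the `reencrypt` branch passes five; the clevis backend reads `$4`/`$5` for key algorithm and PCR bank, so the `format` call needs `"$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"` as well. The already-encrypted test `cryptsetup luksDump ... | grep -q "token"` swaps the backend-specific strings for a case-sensitive match on the word `token`; the LUKS2 dump prints a `Tokens:` section whose entries are named by type (`clevis`, `systemd-tpm2`), so please confirm this matches for both backends, and consider `cryptsetup isLuks "$partition"` plus an explicit check for the expected token: a partition that is already LUKS but carries no token (previous boot interrupted between `luksFormat`/`reencrypt` and enrolment) otherwise falls through to another `luksFormat`, or to `resize2fs` on a LUKS header in the `reencrypt` case. Finally, `echo "ROOT=$decrypted_part" >/conf/param.conf` truncates the file instead of appending to it.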
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index 6e2a211..941f0b1 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -61,4 +61,5 @@ for _LIBRARY in /usr/lib/*/libtss2* /usr/lib/*/libgcc_s.so.1; do
     copy_exec "$_LIBRARY"
 done
 
+copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2
 copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
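Review bot: only the systemd hook learns to `copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 ...`, but the common `encrypt_partition.script` sources that file unconditionally. The clevis hooks (not part of this hunk) need the same `copy_file`, otherwise an initramfs built with `CRYPT_BACKEND = "clevis"` fails at boot when the implementation is sourced.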
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index e0c84ce..611f9cf 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -9,64 +9,23 @@
 #
 # SPDX-License-Identifier: MIT
 
-prereqs()
-{
-	# Make sure that this script is run last in local-top
-	local req
-	for req in "${0%/*}"/*; do
-		script="${req##*/}"
-		if [ "$script" != "${0##*/}" ]; then
-			printf '%s\n' "$script"
-		fi
-	done
-}
-case $1 in
-prereqs)
-	prereqs
-	exit 0
-	;;
-esac
-
-. /scripts/functions
-
-# get configuration variables
-. /usr/share/encrypt_partition/encrypt_partition.env
-
-# load necessary kernel modules:
-modprobe tpm_tis
-modprobe tpm_crb
-
-modprobe ecb
-modprobe aes_generic
-modprobe xts
-
-# this needs to be probed particularly for re-encryption
-modprobe loop
-
-partition_sets="$PARTITIONS"
-create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-pcr_bank_hash_type="$HASH_TYPE"
-tpm_key_algorithm="$KEY_ALGORITHM"
-tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
-if [ -z "${create_file_system_cmd}" ]; then
-	create_file_system_cmd="mke2fs -t ext4"
-fi
-
-service_watchdog() {
-	for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
-		printf '\0'
-		sleep 10
-	done > "$WATCHDOG_DEV"
-}
-
 open_tpm2_partition() {
+	partition_device="$1"
+	crypt_mount_name="$2"
+	tpm_device="$3"
 	if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
-		 "$1" - tpm2-device="$tpm_device"; then
-		panic "Can't decrypt '$1' !"
+		 "$partition_device" - tpm2-device="$tpm_device"; then
+		panic "Can't decrypt '$partition_device' !"
 	fi
 }
 
 enroll_tpm2_token() {
+	partition_device="$1"
+	passphrase="$2"
+	tpm_device="$3"
+	#tpm_key_algorithm="$4"
+	#pcr_bank_hash_type="$5"
+
 	# check systemd version and export password if necessary
 	if [ -x /usr/bin/systemd-cryptenroll ]; then
 		systemd_version=$(systemd-cryptenroll --version | \
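Review bot: `open_tpm2_partition` and `enroll_tpm2_token` assign `partition_device`, `crypt_mount_name` and `tpm_device` as globals from `$1`..`$3`; `tpm_device` and `crypt_mount_name` are also the names the main script uses, so a call with a missing argument silently clears the probed TPM device for the remaining partitions. Mark them `local` in both backends so the function signature change cannot leak into the caller.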
@@ -74,10 +33,10 @@ enroll_tpm2_token() {
 		# check systemd version and export password if necessary
 		# systemd version 251 does not suport hash_types
 		if [ "$systemd_version" -ge "251" ]; then
-			PASSWORD=$(cat "$2" )
+			PASSWORD=$(cat "$passphrase" )
 			export PASSWORD
 			/usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
-				 --tpm2-pcrs=7 "$1"
+				 --tpm2-pcrs=7 "$partition_device"
 			PASSWORD=
 		else
 			panic "Unknown systemd version: '$systemd_version'!"
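Review bot: `PASSWORD=` after `systemd-cryptenroll` empties the value but leaves the variable exported to every later child process; `unset PASSWORD` is the cleaner way to drop the bootstrap passphrase from the environment once the token is enrolled.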
@@ -87,96 +46,12 @@ enroll_tpm2_token() {
 	fi
 }
 
-reencrypt_existing_partition() {
-	part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
-	# reduce the filesystem and partition by 32M to fit the LUKS header
-	reduce_device_size=32768
-	reduced_size="$(expr "$part_size_blocks" - 65536 )"
-	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
-	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
-	e2fsck -f "$1"
-	if ! resize2fs "$1" "${reduced_size_in_kb}"; then
-		panic "reencryption of filesystem $1 cannot continue!"
-	fi
-	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
-		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
-	else
-		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
-	fi
+prepare_for_encryption() {
+	true
 }
 
-for candidate in /dev/tpm*; do
-	if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
-		continue
-	fi
-	if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
-		continue
-	fi
-	tpm_device=$candidate
-done
-
-if [ ! -e "$tpm_device" ]; then
-	if [ "$tpm_encryption_optional" = "true" ]; then
-		echo "No tpm_device exists abort optional encryption"
-		exit 0
-	fi
-	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
-fi
-
-for partition_set in $partition_sets; do
-	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
-	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-	partition=/dev/disk/by-partlabel/"$partition_label"
-	crypt_mount_name="encrypted_$partition_label"
-	decrypted_part=/dev/mapper/"$crypt_mount_name"
-	part_device=$(readlink -f "$partition")
-
-	# check if we are trying to mount root
-	if [ "$partition_mountpoint" = "/" ]; then
-		echo "ROOT=$decrypted_part" >/conf/param.conf
-	fi
-	# check if partition is already encrypted with systemd-tpm2
-	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
-			| grep -q "systemd-tpm2"; then
-		open_tpm2_partition "$part_device"
-		continue
-	fi
-
-	# service watchdog in the background during lengthy re-encryption
-	if [ -z "$watchdog_pid" ]; then
-		service_watchdog &
-		watchdog_pid=$!
-	fi
-
-	# create random password for initial encryption
-	# this will be dropped after reboot
-	tmp_key=/tmp/"$partition_label-lukskey"
-	openssl rand -base64 32 > "$tmp_key"
-
-	case "${partition_format}" in
-		"reencrypt")
-			reencrypt_existing_partition "$part_device" "$tmp_key"
-			enroll_tpm2_token "$part_device" "$tmp_key"
-			open_tpm2_partition "$part_device"
-		;;
-		"format")
-			/usr/sbin/cryptsetup luksFormat --batch-mode \
-				 --type luks2 "$partition" < "$tmp_key"
-			enroll_tpm2_token "$part_device" "$tmp_key"
-			open_tpm2_partition "$part_device"
-			eval "${create_file_system_cmd} ${decrypted_part}"
-		;;
-		*)
-			panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
-		 ;;
-	esac
-
-	# delete initial key
-	# afterwards no new keys can be enrolled
-	/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
-done
+finalize_tpm2_encryption() {
+	partition_device="$1"
+-	/usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"
+}
 
-if [ -n "$watchdog_pid" ]; then
-	kill "$watchdog_pid"
-fi
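Review bot: the added line `+-	/usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"` carries a stray leading `-` inside the script, so the shell tries to run a command named `-` and keyslot 0 with the bootstrap passphrase is never wiped; the removed code had `/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0` without it. Drop the `-` and add `|| panic "..."` so a failed wipe does not go unnoticed.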
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index dc46ff8..1d5a4a7 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -44,6 +44,7 @@ CRYPT_BACKEND:bullseye = "clevis"
 CRYPT_BACKEND = "systemd"
 
 SRC_URI += "file://encrypt_partition.env.tmpl \
+            file://encrypt_partition.script \
             file://encrypt_partition.${CRYPT_BACKEND}.script \
             file://mount_crypt_partitions.script \
             file://encrypt_partition.${CRYPT_BACKEND}.hook \
@@ -77,8 +78,10 @@ do_install[cleandirs] += " \
 
 do_install() {
     install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
-    install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
+    install -m 0755 "${WORKDIR}/encrypt_partition.script" \
         "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition"
+    install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
+        "${D}/usr/share/encrypt_partition/encrypt_partition_tpm2"
     install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \
         "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
     install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 11/13] initramfs-crypt-hook: Increase version
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
                   ` (9 preceding siblings ...)
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 10/13] initramfs-crypt-hook: Consolidate clevis and systemd scripts Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 12/13] README.tpm2.encryption: Add section to switch from clevis to systemd Quirin Gylstorff
                   ` (2 subsequent siblings)
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This package had significant changes

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb}  | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (100%)

diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
similarity index 100%
rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 12/13] README.tpm2.encryption: Add section to switch from clevis to systemd
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
                   ` (10 preceding siblings ...)
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 11/13] initramfs-crypt-hook: Increase version Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 13/13] Add example to encrypt the rootfs Quirin Gylstorff
  2024-04-08 17:40 ` [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Jan Kiszka
  13 siblings, 0 replies; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.tpm2.encryption.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index cb3f640..69a18dd 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -48,3 +48,23 @@ Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
 
 The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
 encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition.
+
+# Convert clevis based encryption to systemd-cryptenroll
+## Prerequisites
+The following packages are necessary to convert a clevis based encryption to a systemd-cryptenroll
+based encryption:
+ - clevis-luks
+ - clevis-tpm2
+ - cryptsetup
+ - jq
+
+## steps to convert clevis to systemd
+The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+```bash
+export device=/dev/sda6
+export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
+if [ -n "$keyslot" ]; then
+  export PASSWORD=$(clevis luks pass -d "$device" -s"$keyslot")
+  systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device"
+fi
+```
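Review bot: several problems in the conversion snippet. `jq -c '... | .keyslots | first'` prints the keyslot id as a JSON string including its quotes (LUKS2 stores keyslot ids in token metadata as strings), so `clevis luks pass -s"$keyslot"` receives `"1"` with the quotes; use `jq -r`. The `.tokens.[]` form is rejected by older jq releases, `.tokens[]` works everywhere. `$tpm_device` is never set in the snippet, so `--tpm2-device=` is passed empty; use `auto` or the concrete device. `clevis luks pass` and `systemd-cryptenroll` need root just like the `sudo cryptsetup` before them. After enrolment the passphrase stays in the shell environment through `export PASSWORD=...`; add `unset PASSWORD`, and state whether the clevis binding should then be removed with `clevis luks unbind` to complete the switch. Typo in the text: `a existinng` should read `an existing`.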
-- 
2.43.0




* [cip-dev][isar-cip-core][PATCH v2 13/13] Add example to encrypt the rootfs
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
                   ` (11 preceding siblings ...)
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 12/13] README.tpm2.encryption: Add section to switch from clevis to systemd Quirin Gylstorff
@ 2024-03-22 10:05 ` Quirin Gylstorff
  2024-04-08 17:50   ` Jan Kiszka
  2024-04-08 17:40 ` [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Jan Kiszka
  13 siblings, 1 reply; 16+ messages in thread
From: Quirin Gylstorff @ 2024-03-22 10:05 UTC (permalink / raw)
  To: jan.kiszka, cip-dev, johnxw

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
 wic/x86_64-encryption.wks.in | 16 ++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100644 wic/x86_64-encryption.wks.in

diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
new file mode 100644
index 0000000..4001c75
--- /dev/null
+++ b/kas/opt/encrypt_rootfs.yml
@@ -0,0 +1,24 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+
+local_conf_header:
+  encrypted_root: |
+    WKS_FILE = "x86_64-encryption.wks.in"
+    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
+    IMAGE_FSTYPES = "wic"
+    IMAGER_INSTALL:wic += "systemd-boot"
+    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
+    INITRAMFS_RECIPE ?= "cip-core-initramfs"
+    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
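Review bot: `CRYPT_PARTITIONS` marks `var:/var:reencrypt`, but the accompanying wks creates `/var` as an empty ext4 partition without a `--source`, so re-encrypting it only adds first-boot time (shrink, re-encrypt, watchdog) with nothing to preserve; `var:/var:format` is the natural choice for it.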
diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
new file mode 100644
index 0000000..800b56d
--- /dev/null
+++ b/wic/x86_64-encryption.wks.in
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# SPDX-License-Identifier: MIT
+#
+
+part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
+
+part / --source rootfs --fstype ext4  --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
+# home and var are extra partitions
+part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
+part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
+
+bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"
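Review bot: `/` and `/home` are both created with `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, giving two ext4 filesystems the same UUID; anything resolving by UUID (fstab, `blkid`) becomes ambiguous. Give `/home` its own fsuuid. The encryption hook mounts by partlabel (`platform`, `home`, `var`), so those `--label` values have to stay in sync with `CRYPT_PARTITIONS` in `kas/opt/encrypt_rootfs.yml`.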
-- 
2.43.0




* Re: [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption
  2024-03-22 10:05 [cip-dev][isar-cip-core][PATCH v2 00/13] Rework disk encryption Quirin Gylstorff
                   ` (12 preceding siblings ...)
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 13/13] Add example to encrypt the rootfs Quirin Gylstorff
@ 2024-04-08 17:40 ` Jan Kiszka
  13 siblings, 0 replies; 16+ messages in thread
From: Jan Kiszka @ 2024-04-08 17:40 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 22.03.24 11:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> This patchset is a cleanup of the initramfs-crypt-hook:
>  - Aligns the systemd and clevis implementation
>  - consolidate script in a main, clevis and systemd part
>  - split clevis hook for readability
>  - Adds some checks for TPM parameter
>  - Remove the dependency in the overlay
>  - Adds an example to encrypt the rootfs
>  - Add readme to switch from clevis based encryption to systemd
> 
> 
> Changes v2:
>  - fix typos in commit messages
>  - some fixes for Debian buster
>  - split clevis hook for readability
>  - consolidate script in a main, clevis and systemd part
>  - Add readme to switch from clevis based encryption to systemd
>  - Increase version of the hook
>  - The disk encryption now sets the root mount if necessary
> 
> 
> Quirin Gylstorff (13):
>   initramfs-crypt-hook: Allow switching between clevis and systemd
>   initramfs-crypt-hook: Align systemd encryption and clevis encryption
>   initramfs-crypt-hook: move the mounting of encrypted disks in a
>     seperate function
>   initramfs-crypt-hook: Check if the TPM device fulfills the given
>     requirements
>   initramfs-crypt-hook: add flag to make encryption optional
>   initramfs-crypt-hook: add e2fsck to avoid resize error
>   initramfs-crypt-hook: split encryption and mounting
>   initramfs-crypt-hook: Add check if root is part of the mountpoints
>   initramfs-crypt-hook: split hook in multiple files
>   initramfs-crypt-hook: Consolidate clevis and systemd scripts
>   initramfs-crypt-hook: Increase version
>   README.tpm2.encryption: Add section to switch from clevis to systemd
>   Add example to encrypt the rootfs
> 
>  doc/README.tpm2.encryption.md                 |  20 +++
>  kas/opt/encrypt_rootfs.yml                    |  24 +++
>  ...pt_partition.clevis.bullseye_or_later.hook |  34 ++++
>  .../encrypt_partition.clevis.buster.hook      |  30 ++++
>  .../files/encrypt_partition.clevis.hook       |  20 +--
>  .../files/encrypt_partition.clevis.script     | 157 +++--------------
>  .../files/encrypt_partition.env.tmpl          |   4 +-
>  .../files/encrypt_partition.script            | 164 ++++++++++++++++++
>  .../files/encrypt_partition.systemd.hook      |   5 +-
>  .../files/encrypt_partition.systemd.script    | 152 +++-------------
>  .../files/mount_crypt_partitions.script       |  61 +++++++
>  ...ook_0.1.bb => initramfs-crypt-hook_0.2.bb} |  49 +++++-
>  .../files/overlay.script.tmpl                 |   2 +-
>  wic/x86_64-encryption.wks.in                  |  16 ++
>  14 files changed, 442 insertions(+), 296 deletions(-)
>  create mode 100644 kas/opt/encrypt_rootfs.yml
>  create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
>  create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
>  rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (54%)
>  create mode 100644 wic/x86_64-encryption.wks.in
> 

I heard no further comments (but also no "works for me"), so I applied
this now.

Jan

-- 
Siemens AG, Technology
Linux Expert Center




* Re: [cip-dev][isar-cip-core][PATCH v2 13/13] Add example to encrypt the rootfs
  2024-03-22 10:05 ` [cip-dev][isar-cip-core][PATCH v2 13/13] Add example to encrypt the rootfs Quirin Gylstorff
@ 2024-04-08 17:50   ` Jan Kiszka
  0 siblings, 0 replies; 16+ messages in thread
From: Jan Kiszka @ 2024-04-08 17:50 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, johnxw

On 22.03.24 11:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
>  wic/x86_64-encryption.wks.in | 16 ++++++++++++++++
>  2 files changed, 40 insertions(+)
>  create mode 100644 kas/opt/encrypt_rootfs.yml
>  create mode 100644 wic/x86_64-encryption.wks.in
> 
> diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
> new file mode 100644
> index 0000000..4001c75
> --- /dev/null
> +++ b/kas/opt/encrypt_rootfs.yml
> @@ -0,0 +1,24 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> +  version: 14
> +
> +local_conf_header:
> +  encrypted_root: |
> +    WKS_FILE = "x86_64-encryption.wks.in"
> +    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
> +    IMAGE_FSTYPES = "wic"
> +    IMAGER_INSTALL:wic += "systemd-boot"
> +    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
> +    INITRAMFS_RECIPE ?= "cip-core-initramfs"
> +    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
> +    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
> diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
> new file mode 100644
> index 0000000..800b56d
> --- /dev/null
> +++ b/wic/x86_64-encryption.wks.in
> @@ -0,0 +1,16 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
> +
> +part / --source rootfs --fstype ext4  --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
> +# home and var are extra partitions
> +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
> +
> +bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"

On second glance, this one confuses me. It comes with zero documentation
or at least some Kconfig entry to make clear in which context it can be
used. I bet it collides heavily when combined with the qemu-amd64 secure
boot example.

I'm taking this out again. Please clean up and provide a documented
example with at least Kconfig integration.

Jan

-- 
Siemens AG, Technology
Linux Expert Center



