* [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This adds the option to encrypt both root file system partitions (systema
and systemb). The encrypted partition can be updated with SWUpdate.
Currently an update will lead to a reencryption of the update partition as
the underlying device (/dev/sdaX) is written instead of the device mapper
partition.
Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
- add partition labels for a/b partitions
- use a/b rootfs configuration instead of a separate wks file
Quirin Gylstorff (7):
wic/*: Add part-labels to system partition
initramfs: allow empty mountpoint for crypt hooks
fix: disk formatting
initramfs-crypt: Only resize partition if ext* formatted
use luks2 to identify encrypted partition
Kconfig: Add option to encrypt the rootfs
README: Add rootfs encryption
Kconfig | 20 ++++++++++++++--
doc/README.tpm2.encryption.md | 12 +++++++++-
kas/opt/encrypt-rootfs.yml | 22 +++++++++++++++++
.../files/encrypt_partition.script | 24 ++++++++++++++-----
.../files/mount_crypt_partitions.script | 4 +++-
wic/bbb-efibootguard.wks.in | 4 ++--
wic/hihope-rzg2m-efibootguard.wks.in | 4 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard.wks.in | 4 ++--
wic/qemu-riscv64-efibootguard.wks.in | 4 ++--
wic/x86-efibootguard.wks.in | 4 ++--
12 files changed, 86 insertions(+), 24 deletions(-)
create mode 100644 kas/opt/encrypt-rootfs.yml
--
2.43.0
* [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
wic/bbb-efibootguard.wks.in | 4 ++--
wic/hihope-rzg2m-efibootguard.wks.in | 4 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard.wks.in | 4 ++--
wic/qemu-riscv64-efibootguard.wks.in | 4 ++--
wic/x86-efibootguard.wks.in | 4 ++--
7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
index e9c04b9..b5772c2 100644
--- a/wic/bbb-efibootguard.wks.in
+++ b/wic/bbb-efibootguard.wks.in
@@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
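Review bot: the commit message gives no reason for the new `--part-name systema` / `--part-name systemb` labels; state that the initramfs-crypt-hook selects partitions by GPT partition label (the `<partition-label>:<mountpoint>:<mode>` entries of CRYPT_PARTITIONS used in patches 6/7 and 7/7), so without these names the A/B root slots cannot be listed for encryption at all. Worth adding in the same sentence that the two labels must be unique on the disk, since the hook resolves a device from its label.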
diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
index 9227a71..164e8a9 100644
--- a/wic/hihope-rzg2m-efibootguard.wks.in
+++ b/wic/hihope-rzg2m-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index ef40d70..0f4d637 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index 01f395d..00d627d 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
index 942c3e1..6f03420 100644
--- a/wic/qemu-arm64-efibootguard.wks.in
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
index 6934977..1704ded 100644
--- a/wic/qemu-riscv64-efibootguard.wks.in
+++ b/wic/qemu-riscv64-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 6382ff7..4c0484f 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
# home and var are extra partitions
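Review bot: in wic/x86-efibootguard.wks.in the second partition also gets `--part-name systema`; it must be `--part-name systemb` as in the other six files. Two partitions carrying the same label make any lookup by partition label (e.g. /dev/disk/by-partlabel/systema) ambiguous, so on x86 the crypt hook may encrypt or open the wrong A/B slot.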
--
2.43.0
* [cip-dev][isar-cip-core][PATCH 2/7] initramfs: allow empty mountpoint for crypt hooks
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows encrypting partitions which have a separate mount
script, like verity and abrootfs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index 3411e70..b72323f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -51,7 +51,9 @@ for partition_set in $partition_sets; do
part_device=$(readlink -f "$partition")
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
-
+ if [ -z "$partition_mountpoint" ]; then
+ continue
+ fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
| grep -q "luks2"; then
mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
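Review bot: the new `continue` for an empty `$partition_mountpoint` is silent, so a CRYPT_PARTITIONS entry that lost its mountpoint by mistake (say `home::reencrypt`) is quietly never mounted; log the skipped label, e.g. `echo "skip mount of $partition_label: no mountpoint"`, and add a comment that systema/systemb are mounted by the abrootfs/verity hook instead. The check can also move above the `readlink`/`crypt_mount_name`/`decrypted_part` lines, whose results are unused on that path.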
--
2.43.0
* [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This fixes a regression from cfef8103a0385c0d6c4631f23aabcdf65de4efba,
as the format path was not updated to the new function arguments.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 8763f69..8f6cbf6 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -147,7 +147,7 @@ for partition_set in $partition_sets; do
"format")
/usr/sbin/cryptsetup luksFormat --batch-mode \
--type luks2 "$partition" < "$tmp_key"
- enroll_tpm2_token "$part_device" "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
eval "${create_file_system_cmd} ${decrypted_part}"
;;
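Review bot: the `cryptsetup luksFormat` call two lines above the changed line is not checked, so a failed format still runs `enroll_tpm2_token` and `open_tpm2_partition` on a device that holds no LUKS header; guard it with `|| panic "luksFormat of $partition failed"`, as the reencrypt path already does for resize2fs. The hunk also formats `"$partition"` but enrolls and opens `"$part_device"`; use one name consistently so a symlink and its target cannot drift apart.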
--
2.43.0
* [cip-dev][isar-cip-core][PATCH 4/7] initramfs-crypt: Only resize partition if ext* formatted
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
A squashfs or an empty partition cannot be resized with resize2fs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.script | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 8f6cbf6..51c81f3 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -64,14 +64,26 @@ service_watchdog() {
reencrypt_existing_partition() {
part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
# reduce the filesystem and partition by 32M to fit the LUKS header
+ partition_fstype=$(get_fstype "${1}")
reduce_device_size=32768
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
- e2fsck -f "$1"
- if ! resize2fs "$1" "${reduced_size_in_kb}"; then
- panic "reencryption of filesystem $1 cannot continue!"
- fi
+ case $partition_fstype in
+ ext*)
+ # reduce the filesystem and partition by 32M to fit the LUKS header
+ e2fsck -f "$1"
+ if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+ panic "reencryption of filesystem $1 cannot continue!"
+ fi
+ ;;
+ squashfs|"")
+ echo "skip disk resize as it not support or unnecessary for fstype: '$partition_fstype'"
+ ;;
+ *)
+ panic "cannot resize parition. unsupport fstype: $partition_fstype"
+ ;;
+ esac
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
else
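Review bot: the `squashfs|""` branch skips the resize, but `cryptsetup-reencrypt --reduce-device-size 32768k` below still cuts the last 32 MiB off the device, so a squashfs image that extends into that range is silently truncated; compare the image size (squashfs superblock `bytes_used`, or the size of the rawcopy file) against `reduced_size_in_byte` and `panic` when it does not fit. Minor: the comment `# reduce the filesystem and partition by 32M to fit the LUKS header` is now duplicated (before `partition_fstype=` and inside the `ext*` case), and the messages have typos: `it not support` → `it is not supported`, `parition` → `partition`, `unsupport` → `unsupported`.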
--
2.43.0
* [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This fixes an issue with encrypted rootfs during system reboot.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 51c81f3..685d882 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
- | grep -q "token"; then
+ | grep -q "luks2"; then
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
continue
fi
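Review bot: `grep -q "luks2"` matches the keyslot type line (`0: luks2`) of every LUKS2 header, including one with no TPM2 token enrolled (a volume formatted elsewhere, or a header left behind by an interrupted enrollment), so `open_tpm2_partition` is now attempted on devices it cannot open and the `format`/`reencrypt` branches are never reached for them; match the token type instead (`grep -q "systemd-tpm2"`, or `luksDump --dump-json-metadata` with jq as the README already does for clevis). The commit message should also name the actual failure seen on reboot, as Jan asks in his reply; note that luksDump prints the section header as `Tokens:` with a capital T, so the old case-sensitive `grep -q "token"` only ever matched a token type name containing that string.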
--
2.43.0
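The check in patch 5/7 keys on the string `luks2`, which every LUKS2 header contains in its keyslot listing, and the mount hook in patch 2/7 runs the same test. As an added example that is not part of isar-cip-core, the POSIX shell below parses `cryptsetup luksDump` text and tells a plain LUKS2 header apart from one that actually carries a TPM2 token. The token type names `systemd-tpm2` and `clevis`, the helper names, and the abbreviated dump texts are assumptions and constructed samples, not output captured from the series.

```shell
#!/bin/sh
# Added example, not code from isar-cip-core: tell "this is a LUKS2 header"
# apart from "this header can be opened with the TPM2 token", using the text
# that `cryptsetup luksDump` prints. Assumption (not from the page): the token
# type written by the enrolment tool is "systemd-tpm2" (systemd-cryptenroll)
# or "clevis"; add other type names if another enroller is used.

# Print the LUKS header version ("1" or "2") from luksDump text on stdin.
luks_version() {
    sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# Print the token type names listed under "Tokens:" in luksDump text on stdin,
# one per line. Sections start in column 0 ("Keyslots:", "Tokens:", "Digests:");
# entries are indented and start with "<n>: <type>", their fields are indented
# further and start with a word, not a number.
luks_token_types() {
    awk '
        /^Tokens:/  { in_tokens = 1; next }
        /^[A-Za-z]/ { in_tokens = 0 }
        in_tokens && /^[ \t]+[0-9]+:[ \t]*/ {
            sub(/^[ \t]+[0-9]+:[ \t]*/, "")
            print
        }
    '
}

# Succeed only for a LUKS2 header with a TPM2-backed token. $1 is luksDump text.
luks_has_tpm2_token() {
    [ "$(printf '%s\n' "$1" | luks_version)" = "2" ] || return 1
    printf '%s\n' "$1" | luks_token_types | grep -qxE 'systemd-tpm2|clevis'
}

# Constructed, abbreviated luksDump output (values are placeholders).
# 1) LUKS2 with a systemd-tpm2 token: the state the hook expects after first boot.
LUKS2_TPM2='LUKS header information
Version:        2
Epoch:          4

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64

Tokens:
  0: systemd-tpm2
        Keyslot:    0

Digests:
  0: pbkdf2
        Hash:       sha256'

# 2) LUKS2 without any token, e.g. a volume formatted on another machine:
#    a bare `grep luks2` still matches the keyslot type line "0: luks2".
LUKS2_NO_TOKEN='LUKS header information
Version:        2
Epoch:          3

Keyslots:
  0: luks2
        Key:        512 bits

Tokens:

Digests:
  0: pbkdf2
        Hash:       sha256'

# 3) LUKS1: no token support at all.
LUKS1='LUKS header information for /dev/sdX
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: DISABLED'

# Side by side: the weak string match versus the token-aware decision.
for name in LUKS2_TPM2 LUKS2_NO_TOKEN LUKS1; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | grep -q luks2; then weak=match; else weak=no-match; fi
    if luks_has_tpm2_token "$dump"; then strong=open-via-tpm2; else strong=no-tpm2-token; fi
    echo "$name: grep luks2 -> $weak, token check -> $strong"
done
# LUKS2_NO_TOKEN prints: grep luks2 -> match, token check -> no-tpm2-token
```

`luks_has_tpm2_token` is what the `if /usr/sbin/cryptsetup luksDump ... | grep -q` sites in encrypt_partition.script and mount_crypt_partitions.script would call, feeding them `"$(cryptsetup luksDump --batch-mode "$part_device")"`; on a real system the JSON form (`luksDump --dump-json-metadata` plus jq, which the README already relies on) is the more robust parser, the text form is used here so the example runs without cryptsetup.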
* [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 20 ++++++++++++++++++--
kas/opt/encrypt-rootfs.yml | 22 ++++++++++++++++++++++
2 files changed, 40 insertions(+), 2 deletions(-)
create mode 100644 kas/opt/encrypt-rootfs.yml
diff --git a/Kconfig b/Kconfig
index 7c19640..e657a22 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+
+menuconfig DISK_ENCRYPTION
+ bool
+ prompt "disk encryption"
+ select IMAGE_SECURE_BOOT
+
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions on first boot"
- depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
- select IMAGE_SECURE_BOOT
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
help
This enables LUKS encryption for the partitions /var and /home.
+config IMAGE_FULL_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ select IMAGE_DATA_ENCRYPTION
+ help
+ This enables LUKS encryption for all partitions.
+
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+config KAS_INCLUDE_ROOTFS_ENCRYPTION
+ string
+ default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION
+
endif
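Review bot: the help text of IMAGE_FULL_ENCRYPTION, `This enables LUKS encryption for all partitions.`, overstates what kas/opt/encrypt-rootfs.yml does: it lists systema, systemb, home and var, and the EFI/boot partitions from ebg-sysparts.inc stay in clear; say `for the A/B root file systems and the data partitions (/var, /home)`. The new `menuconfig DISK_ENCRYPTION` has no help text either, and since it `select`s IMAGE_SECURE_BOOT the help should state that enabling it also turns on secure boot.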
diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml
new file mode 100644
index 0000000..f273b65
--- /dev/null
+++ b/kas/opt/encrypt-rootfs.yml
@@ -0,0 +1,22 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+ includes:
+ - kas/opt/encrypt-partitions.yml
+local_conf_header:
+ encrypted_root: |
+ # Do not set mount points for systema and systemb as they are mounted by the
+ # abrootfs/verity initramfs
+ # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+ # to set all partitions
+ CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
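Review bot: the var entry reads `var:/var:rueencrypt`, a typo for `reencrypt`; the mode `case` in encrypt_partition.script (`"format")`, reencrypt) has no such branch, so /var would not be encrypted. The `:append` also has no leading space, so if CRYPT_PARTITIONS already holds a value when this applies, its last entry and `systema::reencrypt` are glued into one token; write `CRYPT_PARTITIONS:append = " systema::reencrypt ..."` or, since the comment says the whole list must be given, assign it with `=`. And because this file includes kas/opt/encrypt-partitions.yml, check that home and var do not end up listed twice.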
--
2.43.0
* [cip-dev][isar-cip-core][PATCH 7/7] README: Add rootfs encryption
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.tpm2.encryption.md | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index 69a18dd..a0a78d2 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -44,6 +44,16 @@ Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens systema and systemb
+during boot.
+
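Review bot: the example `CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"` drops the data partitions, while kas/opt/encrypt-rootfs.yml in this series lists home and var next to systema and systemb because the recipe's weak default is replaced as a whole; either show the full value or say that the /home and /var entries must be kept. The section should also carry the caveat from the cover letter: SWUpdate writes the raw partition, so an updated slot is re-encrypted on the next boot, with the corresponding first-boot delay and wear.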
### CRYPT_CREATE_FILE_SYSTEM_CMD
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
@@ -59,7 +69,7 @@ based encryption:
- jq
## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
```bash
export device=/dev/sda6
export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
--
2.43.0
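The README above documents the `<partition-label>:<mountpoint>:<reencrypt or format>` schema, and kas/opt/encrypt-rootfs.yml in patch 6/7 shows how easily a mode can be misspelled. As an added example (not code from isar-cip-core), the POSIX shell below validates a CRYPT_PARTITIONS value before it is baked into the initramfs. The function name, the uniqueness and absolute-mountpoint rules, and the rule that systema/systemb keep an empty mountpoint are assumptions drawn from the README text, not checks the project performs.

```shell
#!/bin/sh
# Added example, not code from isar-cip-core: check a CRYPT_PARTITIONS value
# before it is baked into the initramfs. Entry schema from
# doc/README.tpm2.encryption.md: <partition-label>:<mountpoint>:<reencrypt|format>.
# Rules beyond the page (assumptions): labels are unique, a mountpoint is empty
# or absolute, and systema/systemb keep an empty mountpoint because the
# abrootfs/verity initramfs mounts the root slot itself.

# Validate "$1" (the whole CRYPT_PARTITIONS string). Prints one line per problem
# on stderr; returns 1 if any problem was found, 0 otherwise. POSIX sh has no
# `local`, so the helper variables are plain globals.
validate_crypt_partitions() {
    seen=" "
    rc=0
    for entry in $1; do
        case "$entry" in
            *:*:*:*)
                echo "$entry: too many fields" >&2; rc=1; continue ;;
            *:*:*) ;;
            *)
                echo "$entry: expected label:mountpoint:mode" >&2; rc=1; continue ;;
        esac
        label=${entry%%:*}
        rest=${entry#*:}
        mountpoint=${rest%%:*}
        mode=${rest#*:}

        if [ -z "$label" ]; then
            echo "$entry: empty partition label" >&2; rc=1; continue
        fi
        case "$seen" in
            *" $label "*) echo "$entry: label $label listed twice" >&2; rc=1 ;;
        esac
        seen="$seen$label "

        case "$mode" in
            reencrypt|format) ;;
            *) echo "$entry: unknown mode '$mode' (use reencrypt or format)" >&2; rc=1 ;;
        esac

        case "$mountpoint" in
            ""|/*) ;;
            *) echo "$entry: mountpoint must be empty or an absolute path" >&2; rc=1 ;;
        esac

        case "$label" in
            systema|systemb)
                if [ -n "$mountpoint" ]; then
                    echo "$entry: $label is mounted by the rootfs initramfs hook, leave the mountpoint empty" >&2
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed inputs: the value kas/opt/encrypt-rootfs.yml in this series
# appends (note the misspelled mode of the var entry) and a corrected one.
BROKEN="systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
GOOD="systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:reencrypt"

validate_crypt_partitions "$BROKEN" || echo "BROKEN rejected"   # var:/var:rueencrypt: unknown mode 'rueencrypt'
validate_crypt_partitions "$GOOD" && echo "GOOD accepted"
```

Run it from a kas post-config step or a CI job with the value bitbake will see (`bitbake -e <image> | sed -n 's/^CRYPT_PARTITIONS="//p'`), so a bad entry fails the build instead of leaving a partition in clear on the first boot.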
* Re: [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition
From: Jan Kiszka @ 2024-04-19 16:29 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
Reasoning missing.
Jan
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> wic/bbb-efibootguard.wks.in | 4 ++--
> wic/hihope-rzg2m-efibootguard.wks.in | 4 ++--
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
> wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
> wic/qemu-arm64-efibootguard.wks.in | 4 ++--
> wic/qemu-riscv64-efibootguard.wks.in | 4 ++--
> wic/x86-efibootguard.wks.in | 4 ++--
> 7 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
> index e9c04b9..b5772c2 100644
> --- a/wic/bbb-efibootguard.wks.in
> +++ b/wic/bbb-efibootguard.wks.in
> @@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
> index 9227a71..164e8a9 100644
> --- a/wic/hihope-rzg2m-efibootguard.wks.in
> +++ b/wic/hihope-rzg2m-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
>
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> index ef40d70..0f4d637 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -1,7 +1,7 @@
> include ebg-signed-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
> index 01f395d..00d627d 100644
> --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
> @@ -1,7 +1,7 @@
> include ebg-signed-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
> index 942c3e1..6f03420 100644
> --- a/wic/qemu-arm64-efibootguard.wks.in
> +++ b/wic/qemu-arm64-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
> index 6934977..1704ded 100644
> --- a/wic/qemu-riscv64-efibootguard.wks.in
> +++ b/wic/qemu-riscv64-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
> index 6382ff7..4c0484f 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
>
> # home and var are extra partitions
>
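Review bot: the second partition in wic/x86-efibootguard.wks.in is labelled `--part-name systema`, the same name as the first one; it should be `--part-name systemb`, as in the other wks files of this patch. With two partitions carrying the same PARTLABEL, anything that resolves the A/B slots by name (the `systema::reencrypt systemb::reencrypt` entries that CRYPT_PARTITIONS gets later in this series) will either pick the wrong device or be ambiguous, and the B slot is then never addressed under its own name.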
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-04-19 16:29 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:29 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This fixes an issue with encrypted rootfs during system reboot.
>
And what was that issue?
Jan
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> index 51c81f3..685d882 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
> fi
>
> if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> - | grep -q "token"; then
> + | grep -q "luks2"; then
> open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
> continue
> fi
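Review bot: the commit message should say what actually failed at reboot, and the new test is weaker than the old one. `grep -q "luks2"` on luksDump output is satisfied by any LUKS2 header, because the keyslot type is printed as `0: luks2` whether or not a token is enrolled, so a partition whose luksFormat completed but whose token enrollment did not will now be routed to `open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"`, where the open fails, instead of reaching the format/reencrypt handling that follows. If the reason for dropping the `token` match is that the dump no longer shows the token after a reboot, that belongs in the message; otherwise prefer `cryptsetup isLuks --type luks2 "$partition"` for the "is it LUKS2" question and keep a separate check on the `Tokens:` section for the enrollment state.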
--
Siemens AG, Technology
Linux Expert Center
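The check discussed in this message decides, for each CRYPT_PARTITIONS entry, whether a partition already carries a LUKS2 header with an enrolled TPM2 token (open it) or has to be formatted or reencrypted. The following is an added example, not code from isar-cip-core or from the patch author, that makes that decision by reading the `Tokens:` section of a `cryptsetup luksDump` listing instead of matching a single word. The sample dumps are constructed to follow the layout cryptsetup prints, with placeholder UUIDs, and `classify_partition` assumes cryptsetup lives at /usr/sbin/cryptsetup as the hook script does.

```shell
#!/bin/sh
# Added example, not part of isar-cip-core: decide how a crypt hook should
# treat a partition from `cryptsetup luksDump` output. The sample dumps are
# constructed (placeholder UUIDs) following the layout cryptsetup prints.

# classify_luks_dump: reads luksDump text on stdin and prints one word:
#   luks2-token     LUKS2 header with at least one token -> open via TPM2
#   luks2-no-token  LUKS2 header with an empty "Tokens:" section -> enrollment missing
#   luks1           LUKS1 header (cannot carry tokens)
#   not-luks        no LUKS header at all -> format / reencrypt
classify_luks_dump() {
    awk '
        /^LUKS header information/ { luks = 1 }
        /^Version:/                { version = $2 }
        /^Tokens:/                 { in_tokens = 1; next }
        /^(Digests|Keyslots|Data segments):/ { in_tokens = 0 }
        in_tokens && /^  [0-9]+: / { tokens++ }
        END {
            if (!luks)             print "not-luks"
            else if (version != 2) print "luks1"
            else if (tokens > 0)   print "luks2-token"
            else                   print "luks2-no-token"
        }'
}

# classify_partition: the same decision for a real block device. cryptsetup
# exits non-zero and prints nothing on stdout for a non-LUKS device, so the
# empty dump classifies as not-luks. (Assumes the hook's cryptsetup path.)
classify_partition() {
    /usr/sbin/cryptsetup luksDump --batch-mode "$1" 2>/dev/null | classify_luks_dump
}

# Constructed sample: LUKS2 header with a systemd-tpm2 token enrolled.
sample_luks2_with_token() {
cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-4000-8000-000000000001
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
Tokens:
  0: systemd-tpm2
        Keyslot:    0
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Constructed sample: same header, but the token enrollment never happened
# (the Tokens: section is present and empty, as luksDump prints it).
sample_luks2_without_token() {
    sample_luks2_with_token | awk '/^Tokens:/ { print; skip = 1; next } /^Digests:/ { skip = 0 } !skip'
}

# Constructed sample: a LUKS1 header, which has no token concept at all.
sample_luks1() {
cat <<'EOF'
LUKS header information for /dev/sda4

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
UUID:           00000000-0000-4000-8000-000000000002
Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}

# The one-word test from the patch, for comparison: true for any LUKS2
# header, because the keyslot line "  0: luks2" is there with or without a token.
naive_luks2_check() { grep -q "luks2"; }

# Show the difference on the constructed samples when run directly.
for s in sample_luks2_with_token sample_luks2_without_token sample_luks1; do
    printf '%-27s classify=%-15s grep-luks2=%s\n' "$s" "$($s | classify_luks_dump)" \
        "$($s | naive_luks2_check && echo yes || echo no)"
done
```

Run on a real device the call is `classify_partition /dev/sda3` inside the initramfs; the hook's own open/format/reencrypt branches would then key off the four words rather than off a grep hit that cannot tell the second sample from the first.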
* Re: [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting Quirin Gylstorff
@ 2024-04-19 16:29 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:29 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This fixes a regression from cfef8103a0385c0d6c4631f23aabcdf65de4efba,
> as the format path was not updated to the new function arguments.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> index 8763f69..8f6cbf6 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -147,7 +147,7 @@ for partition_set in $partition_sets; do
> "format")
> /usr/sbin/cryptsetup luksFormat --batch-mode \
> --type luks2 "$partition" < "$tmp_key"
> - enroll_tpm2_token "$part_device" "$tmp_key"
> + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
> open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
> eval "${create_file_system_cmd} ${decrypted_part}"
> ;;
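Review bot: nothing in this branch checks the exit status of the `luksFormat` call before `enroll_tpm2_token` and `open_tpm2_partition` run; unless the script runs under `set -e` (not visible in this hunk), a failed format is followed by enrolling a token on a device that is not LUKS and then by `eval "${create_file_system_cmd} ${decrypted_part}"` against a mapping that was never opened. Chaining the three with `|| exit 1` (or the initramfs `panic` helper) stops at the first failure. Since the message says only the format path was missed, it is also worth confirming that the other caller of `enroll_tpm2_token` (the reencrypt path) already passes `"$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"` in this order.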
Merging this one as a fix already.
Thanks,
Jan
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-04-19 16:34 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:34 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Kconfig | 20 ++++++++++++++++++--
> kas/opt/encrypt-rootfs.yml | 22 ++++++++++++++++++++++
> 2 files changed, 40 insertions(+), 2 deletions(-)
> create mode 100644 kas/opt/encrypt-rootfs.yml
>
> diff --git a/Kconfig b/Kconfig
> index 7c19640..e657a22 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>
> +
> +menuconfig DISK_ENCRYPTION
> + bool
> + prompt "disk encryption"
> + select IMAGE_SECURE_BOOT
> +
> config IMAGE_DATA_ENCRYPTION
> bool "Encrypt data partitions on first boot"
> - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
> - select IMAGE_SECURE_BOOT
> + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
> help
> This enables LUKS encryption for the partitions /var and /home.
>
> +config IMAGE_FULL_ENCRYPTION
> + bool "Encrypt rootfs and data partitions"
> + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
> + select IMAGE_DATA_ENCRYPTION
> + help
> + This enables LUKS encryption for all partitions.
> +
> config KAS_INCLUDE_DATA_ENCRYPTION
> string
> default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
>
> +config KAS_INCLUDE_ROOTFS_ENCRYPTION
> + string
> + default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION
We still have a logic flip in the name of the kas option files:
"encrypt-partitions" suggests "all partitions" while "encrypt-rootfs"
does not suggest that it actually means "(almost) all".
I would suggest:
encrypt-partitions.yml -> encrypt-data.yml
encrypt-rootfs.yml -> encrypt-all.yml
Jan
> +
> endif
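Review bot: the help text of IMAGE_FULL_ENCRYPTION, `This enables LUKS encryption for all partitions.`, overstates what the option does; the series puts systema, systemb, /home and /var into CRYPT_PARTITIONS, while the partitions that ebg-sysparts.inc contributes (the ones EFI Boot Guard boots from) stay in the clear, so the help should say "rootfs and data partitions" as the prompt already does. The target list `TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM` is now repeated on both IMAGE_DATA_ENCRYPTION and IMAGE_FULL_ENCRYPTION; putting it once on the DISK_ENCRYPTION menuconfig (which now owns `select IMAGE_SECURE_BOOT`) keeps the two options from drifting apart.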
> diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml
> new file mode 100644
> index 0000000..f273b65
> --- /dev/null
> +++ b/kas/opt/encrypt-rootfs.yml
> @@ -0,0 +1,22 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> + version: 14
> + includes:
> + - kas/opt/encrypt-partitions.yml
> +local_conf_header:
> + encrypted_root: |
> + # Do not set mount points for systema and systemb as they are mounted by the
> + # abrootfs/verity initramfs
> + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
> + # to set all partitions
> + CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
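Review bot: `var:/var:rueencrypt` in the CRYPT_PARTITIONS value is a typo for `reencrypt`, so as written the /var entry carries a mode the hook does not know. Separately, `CRYPT_PARTITIONS:append = "..."` with no leading space glues this string directly onto whatever the recipe's weak default, or the included kas/opt/encrypt-partitions.yml, already puts in the variable; an append does not replace a `??=` default. Since the comment says the full list has to be given anyway, a plain `CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:reencrypt"` is the safer form. `intramfs-crypt-hook` in the comment should read `initramfs-crypt-hook`.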
--
Siemens AG, Technology
Linux Expert Center
Thread overview: 12+ messages
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-04-19 16:29 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting Quirin Gylstorff
2024-04-19 16:29 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 4/7] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition Quirin Gylstorff
2024-04-19 16:29 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
2024-04-19 16:34 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 7/7] README: Add rootfs encryption Quirin Gylstorff