* [cip-dev][isar-cip-core][PATCH v3 00/15] Rework disk encryption
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patchset is a cleanup of the initramfs-crypt-hook:
- Align the systemd and clevis implementations
- Consolidate the script into a main, clevis and systemd part
- Split the clevis hook for readability
- Add some checks for TPM parameters
- Remove the dependency in the overlay
- Add an example to encrypt the rootfs
- Add a README on switching from clevis-based encryption to systemd
Changes v3:
- Add Kconfig entry for encrypted rootfs
- Adapt start-qemu.sh for an encrypted rootfs
- Add the missing initramfs hook for the encrypted rootfs example
Changes v2:
- Fix typos in commit messages
- Some fixes for Debian buster
- Split the clevis hook for readability
- Consolidate the script into a main, clevis and systemd part
- Add a README on switching from clevis-based encryption to systemd
- Increase the version of the hook
- The disk encryption now sets the root mount if necessary
Quirin Gylstorff (15):
initramfs-crypt-hook: Allow switching between clevis and systemd
initramfs-crypt-hook: Align systemd encryption and clevis encryption
initramfs-crypt-hook: move the mounting of encrypted disks in a
separate function
initramfs-crypt-hook: Check if the TPM device fulfills the given
requirements
initramfs-crypt-hook: add flag to make encryption optional
initramfs-crypt-hook: add e2fsck to avoid resize error
initramfs-crypt-hook: split encryption and mounting
initramfs-crypt-hook: Add check if root is part of the mountpoints
initramfs-crypt-hook: split hook in multiple files
initramfs-crypt-hook: Consolidate clevis and systemd scripts
initramfs-crypt-hook: Increase version
README.tpm2.encryption: Add section to switch from clevis to systemd
Add example to encrypt the rootfs
Kconfig: Add option to encrypt the rootfs
start-qemu.sh: Support encrypted rootfs
Kconfig | 14 ++
doc/README.tpm2.encryption.md | 20 +++
kas/opt/encrypt_rootfs.yml | 25 +++
...pt_partition.clevis.bullseye_or_later.hook | 34 ++++
.../encrypt_partition.clevis.buster.hook | 30 ++++
.../files/encrypt_partition.clevis.hook | 20 +--
.../files/encrypt_partition.clevis.script | 157 +++--------------
.../files/encrypt_partition.env.tmpl | 4 +-
.../files/encrypt_partition.script | 164 ++++++++++++++++++
.../files/encrypt_partition.systemd.hook | 5 +-
.../files/encrypt_partition.systemd.script | 152 +++-------------
.../files/mount_crypt_partitions.script | 61 +++++++
...ook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 49 +++++-
.../files/overlay.script.tmpl | 2 +-
start-qemu.sh | 7 +-
wic/x86_64-encryption.wks.in | 16 ++
16 files changed, 463 insertions(+), 297 deletions(-)
create mode 100644 kas/opt/encrypt_rootfs.yml
create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (54%)
create mode 100644 wic/x86_64-encryption.wks.in
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 01/15] initramfs-crypt-hook: Allow switching between clevis and systemd
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows devices which started on Debian 11 to continue using
clevis for encryption and decryption.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook_0.1.bb | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index b275c0f..317ea12 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2020-2023
+# Copyright (c) Siemens AG, 2020-2024
#
# Authors:
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
-DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
+DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
+
+def encryption_dependency(d):
+ crypt_backend = d.getVar('CRYPT_BACKEND')
+ if crypt_backend == 'clevis':
+ clevis_depends= d.getVar('CLEVIS_DEPEND')
+ return f"{clevis_depends}, clevis-tpm2"
+ elif crypt_backend == 'systemd':
+ return ", systemd (>= 251)"
+ else:
+ bb.error("unkown cryptbackend defined")
CRYPT_BACKEND:buster = "clevis"
CRYPT_BACKEND:bullseye = "clevis"
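Review bot: the `else` branch of `encryption_dependency` calls `bb.error(...)` and then falls off the end, so the function returns `None` and `DEBIAN_DEPENDS` gets the literal string "None" appended; use `bb.fatal` or add `return ""` after the error. In the `clevis` branch `CLEVIS_DEPEND` is returned again although it is already appended through `DEBIAN_DEPENDS:append:buster` / `:append:bullseye` two lines above, so those releases list the clevis packages twice; returning only `", clevis-tpm2"` there avoids the duplication. Minor: `clevis_depends= d.getVar(...)` has inconsistent spacing and the error message spells it "unkown".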
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 02/15] initramfs-crypt-hook: Align systemd encryption and clevis encryption
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
The following changes were copied from systemd to clevis:
- check the return value of the resize command
The following changes were copied from clevis to systemd:
- check if the create_filesystem command is empty
- use part_device (/dev/*) instead of the disk label (/dev/disk/by-partlabel/*)
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.script | 6 ++++--
.../files/encrypt_partition.systemd.script | 21 +++++++++++--------
2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0318966..4e76c44 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -2,7 +2,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
#
# Authors:
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -82,7 +82,9 @@ reencrypt_existing_partition() {
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
- resize2fs "$1" "${reduced_size_in_kb}"
+ if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+ panic "reencryption of filesystem $1 cannot continue!"
+ fi
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
else
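Review bot: the new `if ! resize2fs ...; then panic` branch will fire on precisely the devices the reencrypt path targets, because resize2fs refuses to shrink a filesystem that has not been checked recently (the `Please run 'e2fsck -f /dev/<disk>' first` error that patch 06 of this series later works around). The `e2fsck -f` call belongs in this change, in front of the resize, so that the series stays bootable at every step.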
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index eeeb55a..f97a461 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -2,7 +2,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2024
#
# Authors:
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -47,6 +47,9 @@ modprobe loop
tpm_device=/dev/tpmrm0
partition_sets="$PARTITIONS"
create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+if [ -z "${create_file_system_cmd}" ]; then
+ create_file_system_cmd="mke2fs -t ext4"
+fi
service_watchdog() {
for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
@@ -83,8 +86,7 @@ enroll_tpm2_token() {
}
reencrypt_existing_partition() {
- part_device="$(readlink -f "$partition")"
- part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
+ part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
# reduce the filesystem and partition by 32M to fit the LUKS header
reduce_device_size=32768
reduced_size="$(expr "$part_size_blocks" - 65536 )"
@@ -111,15 +113,16 @@ for partition_set in $partition_sets; do
partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
+ part_device=$(readlink -f "$partition")
# check if partition is already encrypted with systemd-tpm2
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "systemd-tpm2"; then
- open_tpm2_partition "$partition"
if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
"${rootmnt}${partition_mountpoint}"; then
panic "Can't mount encrypted partition '${decrypted_part}'!"
fi
+ open_tpm2_partition "$part_device"
continue
fi
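Review bot: this hunk moves `open_tpm2_partition "$part_device"` from before the `mount` to after it, so on the already-enrolled path the script now tries to mount `/dev/mapper/encrypted_<label>` before the mapping exists and will panic on every boot after the first. The open has to stay in front of the mount. Patch 03 swaps the two lines back; that fix should be folded in here instead of leaving a non-booting intermediate commit.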
@@ -136,15 +139,15 @@ for partition_set in $partition_sets; do
case "${partition_format}" in
"reencrypt")
- reencrypt_existing_partition "$partition" "$tmp_key"
- enroll_tpm2_token "$partition" "$tmp_key"
- open_tpm2_partition "$partition"
+ reencrypt_existing_partition "$part_device" "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key"
+ open_tpm2_partition "$part_device"
;;
"format")
/usr/sbin/cryptsetup luksFormat --batch-mode \
--type luks2 "$partition" < "$tmp_key"
- enroll_tpm2_token "$partition" "$tmp_key"
- open_tpm2_partition "$partition"
+ enroll_tpm2_token "$part_device" "$tmp_key"
+ open_tpm2_partition "$part_device"
eval "${create_file_system_cmd} ${decrypted_part}"
;;
*)
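Review bot: in the "format" case `cryptsetup luksFormat` is still given `"$partition"` (the by-partlabel symlink) while `enroll_tpm2_token` and `open_tpm2_partition` now receive `"$part_device"`. Both resolve to the same node, but mixing them undoes the point of this change; pass `"$part_device"` to luksFormat as well.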
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 03/15] initramfs-crypt-hook: move the mounting of encrypted disks in a separate function
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This increases maintainability and avoids missing checks.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.script | 20 +++++++++++--------
.../files/encrypt_partition.systemd.script | 20 +++++++++++--------
2 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 4e76c44..0f82c1a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,6 +92,16 @@ reencrypt_existing_partition() {
fi
}
+mount_partition() {
+ partition_dev_path=$1
+ partition_mountpoint=$2
+ echo "mount device: '$partition' to '$partition_mountpoint'"
+ if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+ "${partition_mountpoint}"; then
+ panic "Can't mount encrypted partition '${partition_dev_path}'!"
+ fi
+}
+
if [ ! -e "$tpm_device" ]; then
panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
fi
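Review bot: the `echo` inside `mount_partition` prints `$partition`, a global from the calling loop, instead of the function's own `$partition_dev_path`, so the message names the raw partition rather than the `/dev/mapper` device actually being mounted; use `"$partition_dev_path"` there. Also `partition_mountpoint=$2` overwrites the caller's variable of the same name; harmless today because the same value is passed in, but a distinct name (or `local`, if the initramfs shell supports it) would keep the function self-contained.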
@@ -114,10 +124,7 @@ for partition_set in $partition_sets; do
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "clevis"; then
open_tpm2_partition "$part_device"
- if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
- "${rootmnt}${partition_mountpoint}"; then
- panic "Can't mount encrypted partition '${decrypted_part}'!"
- fi
+ mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
continue
fi
@@ -150,10 +157,7 @@ for partition_set in $partition_sets; do
;;
esac
- if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
- "${rootmnt}${partition_mountpoint}"; then
- panic "Can't mount encrypted partition '${decrypted_part}'!"
- fi
+ mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
# delete initial key
# afterwards no new keys can be enrolled
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index f97a461..6c6d22e 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -102,6 +102,16 @@ reencrypt_existing_partition() {
fi
}
+mount_partition() {
+ partition_dev_path=$1
+ partition_mountpoint=$2
+ echo "mount device: '$partition' to '$partition_mountpoint'"
+ if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+ "${partition_mountpoint}"; then
+ panic "Can't mount encrypted partition '${partition_dev_path}'!"
+ fi
+}
+
if [ ! -e "$tpm_device" ]; then
panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
fi
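Review bot: same mismatch as in the clevis copy of `mount_partition`: the `echo` prints the caller's `$partition` rather than the `$partition_dev_path` the function was given, and `partition_mountpoint=$2` shadows the loop variable.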
@@ -118,11 +128,8 @@ for partition_set in $partition_sets; do
# check if partition is already encrypted with systemd-tpm2
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "systemd-tpm2"; then
- if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
- "${rootmnt}${partition_mountpoint}"; then
- panic "Can't mount encrypted partition '${decrypted_part}'!"
- fi
open_tpm2_partition "$part_device"
+ mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
continue
fi
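Review bot: besides moving the mount into `mount_partition`, this hunk also puts `open_tpm2_partition "$part_device"` back in front of the mount, which is the behavioural fix for the inverted order introduced in patch 02. A functional fix hidden inside a "move into a function" commit is easy to lose on backport; squash it into patch 02 or at least mention it in the commit message.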
@@ -155,10 +162,7 @@ for partition_set in $partition_sets; do
;;
esac
- if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \
- "${rootmnt}${partition_mountpoint}"; then
- panic "Can't mount encrypted partition '${decrypted_part}'!"
- fi
+ mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
# delete initial key
# afterwards no new keys can be enrolled
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 04/15] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This also adds the crypt hash and crypt algorithm parameters and avoids
errors on mismatches between hardware and software.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.hook | 7 ++---
.../files/encrypt_partition.clevis.script | 28 +++++++++++++++----
.../files/encrypt_partition.env.tmpl | 3 +-
.../files/encrypt_partition.systemd.hook | 4 ++-
.../files/encrypt_partition.systemd.script | 15 ++++++++--
.../initramfs-crypt-hook_0.1.bb | 7 +++--
6 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index d08594c..347551a 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -66,9 +66,10 @@ copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_creat
copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load"
if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then
copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+ copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
fi
if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then
- copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+ copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist"
fi
copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy"
if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then
@@ -86,9 +87,7 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"
copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq"
copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake"
copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file "
-if [ "$VERSION_CODENAME" = "buster" ]; then
- copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
-fi
+copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
copy_exec /usr/sbin/cryptsetup-reencrypt
fi
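Review bot: dropping the `buster` guard around `copy_exec /usr/lib/*/libgcc_s.so.1` changes what gets copied into the initramfs on bullseye and later, and the commit message (TPM parameter checks) does not mention it. If the newly copied tpm2 tools need libgcc_s on every release, say so in the message; otherwise keep it as a separate commit so the reason is recorded.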
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 0f82c1a..8de8015 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -43,12 +43,10 @@ modprobe xts
# this needs to be probed particularly for re-encryption
modprobe loop
-# fixed tpm device or do we need to find it
-tpm_device=/dev/tpmrm0
partition_sets="$PARTITIONS"
create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-hash_type="$HASH_TYPE"
-
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
@@ -69,7 +67,7 @@ open_tpm2_partition() {
enroll_tpm2_token() {
if [ -x /usr/bin/clevis ]; then
- clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2"
+ clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2"
else
panic "clevis not available cannot enroll tpm2 key!"
fi
@@ -102,6 +100,26 @@ mount_partition() {
fi
}
+for candidate in /dev/tpm*; do
+ if [ -x /usr/bin/tpm2_pcrread ]; then
+ if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
+ continue
+ fi
+ elif [ -x /usr/bin/tpm2_pcrlist ]; then
+ export TPM2TOOLS_DEVICE_FILE="$candidate"
+ if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then
+ continue
+ fi
+ fi
+ # Debian buster does not have tpm_testparms
+ if [ -x /usr/bin/tpm2_testparms ]; then
+ if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then
+ continue
+ fi
+ fi
+ tpm_device=$candidate
+done
+
if [ ! -e "$tpm_device" ]; then
panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
fi
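Review bot: the `for candidate in /dev/tpm*` loop never `break`s, so when several nodes pass the probe the last one in glob order wins; on a typical system the glob expands to both `/dev/tpm0` and `/dev/tpmrm0`, and the resource-manager node (the removed fixed default `/dev/tpmrm0`) is only selected because it sorts last. Break on the first match, or restrict the glob to `/dev/tpmrm*`, and state the preference in a comment. On the `tpm2_pcrlist` path `TPM2TOOLS_DEVICE_FILE` is exported for every probed candidate and is left pointing at the last one even if it was rejected; set it once after the loop for the chosen `$tpm_device`. Also, unlike the systemd script, the probe commands here do not redirect stderr, so each rejected candidate prints an error during boot.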
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index bcc57be..5d28dc5 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}"
CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
-HASH_TYPE="${CRYPT_HASH_TYPE}"
\ No newline at end of file
+HASH_TYPE="${CRYPT_HASH_TYPE}"
+KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index c3b31d6..6e2a211 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -1,5 +1,5 @@
#!/bin/sh
-# Copyright (C) Siemens AG, 2020-2023
+# Copyright (C) Siemens AG, 2020-2024
#
# SPDX-License-Identifier: MIT
@@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found"
copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
+copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 6c6d22e..ea267ac 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -43,10 +43,10 @@ modprobe xts
# this needs to be probed particularly for re-encryption
modprobe loop
-# fixed tpm device or do we need to find it
-tpm_device=/dev/tpmrm0
partition_sets="$PARTITIONS"
create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
@@ -71,6 +71,7 @@ enroll_tpm2_token() {
systemd_version=$(systemd-cryptenroll --version | \
awk -F " " 'NR==1{print $2 }')
# check systemd version and export password if necessary
+ # systemd version 251 does not suport hash_types
if [ "$systemd_version" -ge "251" ]; then
PASSWORD=$(cat "$2" )
export PASSWORD
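Review bot: the new comment "systemd version 251 does not suport hash_types" sits above `if [ "$systemd_version" -ge "251" ]`, which exports `PASSWORD` and says nothing about hash types, so it documents either the wrong line or handling that is not in this hunk; "suport" is also misspelled. State what the 251 check actually does, and if the hash type cannot be passed to systemd-cryptenroll on that version, record that limitation in the README or the commit message rather than in a stray comment.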
@@ -112,6 +113,16 @@ mount_partition() {
fi
}
+for candidate in /dev/tpm*; do
+ if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
+ continue
+ fi
+ if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
+ continue
+ fi
+ tpm_device=$candidate
+done
+
if [ ! -e "$tpm_device" ]; then
panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
fi
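Review bot: same selection issue as in the clevis script: no `break`, so the last node matching `/dev/tpm*` wins. Additionally `$tpm_key_algorithm` is only used here to probe the TPM with `tpm2_testparms`; the `enroll_tpm2_token` hunk above does not show it being forwarded to `systemd-cryptenroll`, so please confirm that the enrolled key type matches the probed one, or note that the check is advisory for the systemd backend.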
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 317ea12..7f732cf 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -11,7 +11,7 @@
inherit dpkg-raw
DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
- libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs"
+ libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
@@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600"
INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
# clevis needs tpm hash algorithm type
CRYPT_HASH_TYPE ??= "sha256"
-
+CRYPT_KEY_ALGORITHM ??= "ecc"
TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
- CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE"
+ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
+ CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
TEMPLATE_FILES = "encrypt_partition.env.tmpl"
do_install[cleandirs] += " \
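Review bot: `TEMPLATE_VARS` now lists `CRYPT_ENCRYPTION_OPTIONAL`, but that variable is first defined (`CRYPT_ENCRYPTION_OPTIONAL ??= "false"`) in patch 05; at this point in the series the template expands it to an empty value. Move the `TEMPLATE_VARS` addition to patch 05 together with the default.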
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 05/15] initramfs-crypt-hook: add flag to make encryption optional
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows using the same image on devices with and without a TPM.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.script | 20 ++++++++++++++++++-
.../files/encrypt_partition.env.tmpl | 1 +
.../files/encrypt_partition.systemd.script | 20 ++++++++++++++++++-
.../initramfs-crypt-hook_0.1.bb | 1 +
4 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 8de8015..e0fcbf4 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
pcr_bank_hash_type="$HASH_TYPE"
tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
@@ -121,7 +122,24 @@ for candidate in /dev/tpm*; do
done
if [ ! -e "$tpm_device" ]; then
- panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+ if [ "$tpm_encryption_optional" = "true" ]; then
+ echo "No tpm_device exists abort optional encryption"
+ for partition_set in $partition_sets; do
+ partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+ partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+ partition=/dev/disk/by-partlabel/"$partition_label"
+ case "${partition_format}" in
+ "reencrypt")
+ mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+ ;;
+ *)
+ echo "cannot mount partition '$partition' as it is marked for formatting."
+ esac
+ done
+ exit 0
+ fi
+ panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
fi
# clevis needs /dev/fd create it in the initramfs
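Review bot: with `tpm_encryption_optional=true` a missing TPM, or one that fails the new pcr-bank/algorithm probe, silently downgrades the device to an unencrypted boot: `reencrypt` partitions are mounted plain and the script exits 0, with a single `echo` as the only trace. That is the intended behaviour for TPM-less hardware, but it also turns a misconfigured `$pcr_bank_hash_type` or `$tpm_key_algorithm` on a device that does have a TPM into a silent fallback instead of an error. Consider distinguishing "no /dev/tpm* node" from "node present but rejected", leaving a marker under `$rootmnt` that userspace can check, and documenting the downgrade in README.tpm2.encryption. Two smaller points: partitions marked `format` are skipped with only an `echo`, so their mountpoints stay empty and later units fail in less obvious ways; and the label/mountpoint/format parsing is a verbatim copy of the main loop, which the later consolidation patch should fold into one helper.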
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index 5d28dc5..bb93361 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
HASH_TYPE="${CRYPT_HASH_TYPE}"
KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
+ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index ea267ac..48ce999 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
pcr_bank_hash_type="$HASH_TYPE"
tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
@@ -124,7 +125,24 @@ for candidate in /dev/tpm*; do
done
if [ ! -e "$tpm_device" ]; then
- panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+ if [ "$tpm_encryption_optional" = "true" ]; then
+ echo "No tpm_device exists abort optional encryption"
+ for partition_set in $partition_sets; do
+ partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+ partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+ partition=/dev/disk/by-partlabel/"$partition_label"
+ case "${partition_format}" in
+ "reencrypt")
+ mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+ ;;
+ *)
+ echo "cannot mount partition '$partition' as it is marked for formatting."
+ esac
+ done
+ exit 0
+ fi
+ panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
fi
for partition_set in $partition_sets; do
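Review bot: identical block to the clevis script, so the same remarks apply (silent downgrade, `format` partitions left unmounted). The `for partition_set in $partition_sets; do` that follows is the second parse of the same list in this file; a shared `parse_partition_set` helper called from both places would keep the two copies from drifting apart.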
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 7f732cf..54c91fd 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
# clevis needs tpm hash algorithm type
CRYPT_HASH_TYPE ??= "sha256"
CRYPT_KEY_ALGORITHM ??= "ecc"
+CRYPT_ENCRYPTION_OPTIONAL ??= "false"
TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 06/15] initramfs-crypt-hook: add e2fsck to avoid resize error
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This avoids the following error when resizing a file system:
`Please run ‘e2fsck -f /dev/<disk>’ first`
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/encrypt_partition.clevis.script | 1 +
.../initramfs-crypt-hook/files/encrypt_partition.systemd.script | 1 +
2 files changed, 2 insertions(+)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index e0fcbf4..22caa46 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -81,6 +81,7 @@ reencrypt_existing_partition() {
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+ e2fsck -f "$1"
if ! resize2fs "$1" "${reduced_size_in_kb}"; then
panic "reencryption of filesystem $1 cannot continue!"
fi
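Review bot: the exit status of `e2fsck -f "$1"` is discarded and no `-p`/`-y` is passed, so on a damaged filesystem e2fsck will either prompt on a console nobody answers in the initramfs (boot stalls) or leave errors uncorrected and resize2fs fails with a less specific message. Suggest `e2fsck -f -p "$1"` and treating exit status 4 or higher as fatal, e.g. `e2fsck -f -p "$1"; if [ $? -ge 4 ]; then panic "filesystem check of $1 failed"; fi` (status 1 and 2 mean errors were corrected and it is safe to continue).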
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 48ce999..85b4fbc 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -94,6 +94,7 @@ reencrypt_existing_partition() {
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+ e2fsck -f "$1"
if ! resize2fs "$1" "${reduced_size_in_kb}"; then
panic "reencryption of filesystem $1 cannot continue!"
fi
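Review bot: same remark as for the clevis script: the e2fsck result is ignored and the run is not non-interactive (`-p`), so a corrupted filesystem can stall the boot or fall through to a failing resize2fs. Since this block is byte-identical in both scripts it is a natural candidate for the shared code the series consolidates later.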
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 07/15] initramfs-crypt-hook: split encryption and mounting
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
The encryption now occurs before the rootfs is mounted.
The file system is mounted after the rootfs.
This removes the required order between overlay and disk encryption.
It also allows the encryption of the rootfs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.script | 27 --------
.../files/encrypt_partition.systemd.script | 27 --------
.../files/mount_crypt_partitions.script | 61 +++++++++++++++++++
.../initramfs-crypt-hook_0.1.bb | 6 +-
.../files/overlay.script.tmpl | 2 +-
5 files changed, 67 insertions(+), 56 deletions(-)
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 22caa46..6aec7b8 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,16 +92,6 @@ reencrypt_existing_partition() {
fi
}
-mount_partition() {
- partition_dev_path=$1
- partition_mountpoint=$2
- echo "mount device: '$partition' to '$partition_mountpoint'"
- if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
- "${partition_mountpoint}"; then
- panic "Can't mount encrypted partition '${partition_dev_path}'!"
- fi
-}
-
for candidate in /dev/tpm*; do
if [ -x /usr/bin/tpm2_pcrread ]; then
if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
@@ -125,19 +115,6 @@ done
if [ ! -e "$tpm_device" ]; then
if [ "$tpm_encryption_optional" = "true" ]; then
echo "No tpm_device exists abort optional encryption"
- for partition_set in $partition_sets; do
- partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
- partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
- partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
- partition=/dev/disk/by-partlabel/"$partition_label"
- case "${partition_format}" in
- "reencrypt")
- mount_partition "$partition" "$rootmnt""$partition_mountpoint"
- ;;
- *)
- echo "cannot mount partition '$partition' as it is marked for formatting."
- esac
- done
exit 0
fi
panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
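Review bot: with this loop gone, the optional path exits 0 and leaves mounting to mount_crypt_partitions.script, which never looks at `partition_format`; the "format" case that this loop at least reported ("cannot mount partition ... marked for formatting") is now mounted blindly in local-bottom. Either keep a format check in the new mount script or have this branch record which partitions were skipped. The same applies to the identical removal in the systemd script below.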
@@ -150,7 +127,6 @@ fi
for partition_set in $partition_sets; do
partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
- partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
@@ -161,7 +137,6 @@ for partition_set in $partition_sets; do
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "clevis"; then
open_tpm2_partition "$part_device"
- mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
continue
fi
@@ -194,8 +169,6 @@ for partition_set in $partition_sets; do
;;
esac
- mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
-
# delete initial key
# afterwards no new keys can be enrolled
cryptsetup -v luksKillSlot -q "$part_device" 0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 85b4fbc..7f2a6e3 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -105,16 +105,6 @@ reencrypt_existing_partition() {
fi
}
-mount_partition() {
- partition_dev_path=$1
- partition_mountpoint=$2
- echo "mount device: '$partition' to '$partition_mountpoint'"
- if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
- "${partition_mountpoint}"; then
- panic "Can't mount encrypted partition '${partition_dev_path}'!"
- fi
-}
-
for candidate in /dev/tpm*; do
if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
continue
@@ -128,19 +118,6 @@ done
if [ ! -e "$tpm_device" ]; then
if [ "$tpm_encryption_optional" = "true" ]; then
echo "No tpm_device exists abort optional encryption"
- for partition_set in $partition_sets; do
- partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
- partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
- partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
- partition=/dev/disk/by-partlabel/"$partition_label"
- case "${partition_format}" in
- "reencrypt")
- mount_partition "$partition" "$rootmnt""$partition_mountpoint"
- ;;
- *)
- echo "cannot mount partition '$partition' as it is marked for formatting."
- esac
- done
exit 0
fi
panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
@@ -148,7 +125,6 @@ fi
for partition_set in $partition_sets; do
partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
- partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
@@ -159,7 +135,6 @@ for partition_set in $partition_sets; do
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "systemd-tpm2"; then
open_tpm2_partition "$part_device"
- mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
continue
fi
@@ -192,8 +167,6 @@ for partition_set in $partition_sets; do
;;
esac
- mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
-
# delete initial key
# afterwards no new keys can be enrolled
/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
new file mode 100644
index 0000000..3411e70
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+mount_partition() {
+ partition_dev_path=$1
+ partition_mountpoint=$2
+ echo "mount device: '$partition_dev_path' to '$partition_mountpoint'"
+ if ! mountpoint -q "${partition_mountpoint}"; then
+ if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
+ "${partition_mountpoint}"; then
+ panic "Can't mount partition '${partition_dev_path}'!"
+ fi
+ fi
+}
+partition_sets="$PARTITIONS"
+for partition_set in $partition_sets; do
+ partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+ partition=/dev/disk/by-partlabel/"$partition_label"
+ part_device=$(readlink -f "$partition")
+ crypt_mount_name="encrypted_$partition_label"
+ decrypted_part=/dev/mapper/"$crypt_mount_name"
+
+ if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
+ | grep -q "luks2"; then
+ mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
+ else
+ mount_partition "$part_device" "$rootmnt""$partition_mountpoint"
+ fi
+done
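Review bot: the script decides by "is the device LUKS2" rather than "was it supposed to be encrypted", so a plaintext partition sitting where an encrypted one is expected is mounted without any warning; it should at least consult ENCRYPTION_IS_OPTIONAL from the env file and panic when a partition is plaintext but encryption is not optional. Smaller points: `cryptsetup luksDump` on a plaintext device prints an error to the console (`cryptsetup isLuks "$part_device"` is quieter and exact), the prereqs comment says "run last in local-top" although the recipe installs this file into local-bottom, and `partition_format` is never read, so the "format" partitions skipped by the optional path are handled like any other.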
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 54c91fd..4e60c10 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -35,6 +35,7 @@ CRYPT_BACKEND = "systemd"
SRC_URI += "file://encrypt_partition.env.tmpl \
file://encrypt_partition.${CRYPT_BACKEND}.script \
+ file://mount_crypt_partitions.script \
file://encrypt_partition.${CRYPT_BACKEND}.hook \
file://pwquality.conf"
@@ -60,12 +61,15 @@ TEMPLATE_FILES = "encrypt_partition.env.tmpl"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
${D}/usr/share/encrypt_partition \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
${D}/usr/share/initramfs-tools/scripts/local-bottom"
do_install() {
install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
- "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition"
+ "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition"
+ install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
"${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf"
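Review bot: the source is mount_crypt_partitions.script but it lands as local-bottom/mount_decrypted_partition; pick one name so log messages and the file on disk match. Moving encrypt_partition to local-top is the right place for something that must run before the root mount, but its prereqs() lists every other local-top script, and the new mount script does the same in local-bottom; this implicit "run last" ordering deserves a comment in the recipe now that the overlay hook no longer declares an explicit PREREQ.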
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
index a321490..2563dfd 100644
--- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
+++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl
@@ -9,7 +9,7 @@
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
#
-PREREQ="encrypt_partition"
+PREREQ=""
prereqs()
{
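Review bot: dropping PREREQ="encrypt_partition" is correct for local-top, but mount_decrypted_partition declares every other local-bottom script as its prerequisite, so the overlay script now runs before the decrypted filesystems are mounted. With the default CRYPT_PARTITIONS of /home and /var, a later mount lands on top of whatever the overlay set up there; please verify the intended order, and if the overlay must come after the mounts, exclude it from the mount script's generated prereq list and give the overlay an explicit PREREQ (a PREREQ in both directions would be a cycle).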
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 08/15] initramfs-crypt-hook: Add check if root is part of the mountpoints
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
If root is to be encrypted, the ROOT mountpoint will be set to
'/dev/mapper/encrypted_<partition_label>'.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.script | 6 ++++++
.../files/encrypt_partition.systemd.script | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 6aec7b8..fdbd9b5 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -127,12 +127,17 @@ fi
for partition_set in $partition_sets; do
partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
# clevis does not work with links in /dev/disk*
part_device=$(readlink -f "$partition")
+ # check if we are trying to mount root
+ if [ "$partition_mountpoint" = "/" ]; then
+ echo "ROOT=$decrypted_part" >/conf/param.conf
+ fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "clevis"; then
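Review bot: `echo "ROOT=$decrypted_part" >/conf/param.conf` truncates the file; initramfs-tools sources /conf/param.conf after each local-top script, and other scripts may already have written their own variables there, so append with `>>` instead. The override is also written regardless of `partition_format`, and a root entry marked "format" would wipe the running rootfs before it is ever mounted; since that is irreversible, consider rejecting "format" for the "/" mountpoint with a panic.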
@@ -169,6 +174,7 @@ for partition_set in $partition_sets; do
;;
esac
+
# delete initial key
# afterwards no new keys can be enrolled
cryptsetup -v luksKillSlot -q "$part_device" 0
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 7f2a6e3..e0c84ce 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -125,12 +125,17 @@ fi
for partition_set in $partition_sets; do
partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
part_device=$(readlink -f "$partition")
+ # check if we are trying to mount root
+ if [ "$partition_mountpoint" = "/" ]; then
+ echo "ROOT=$decrypted_part" >/conf/param.conf
+ fi
# check if partition is already encrypted with systemd-tpm2
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
| grep -q "systemd-tpm2"; then
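Review bot: same as the clevis hunk: use `>>` rather than `>` for /conf/param.conf so parameters written by other local-top scripts survive, and consider refusing "format" for the "/" mountpoint.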
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 09/15] initramfs-crypt-hook: split hook in multiple files
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Split the clevis hook into distro-specific files to increase
readability.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
...pt_partition.clevis.bullseye_or_later.hook | 34 +++++++++++++++++++
.../encrypt_partition.clevis.buster.hook | 30 ++++++++++++++++
.../files/encrypt_partition.clevis.hook | 16 ---------
.../initramfs-crypt-hook_0.1.bb | 18 +++++++++-
4 files changed, 81 insertions(+), 17 deletions(-)
create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
new file mode 100755
index 0000000..b244d45
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
@@ -0,0 +1,34 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2023
+#
+# SPDX-License-Identifier: MIT
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -f /etc/os-release ]; then
+ . /etc/os-release
+fi
+hook_error() {
+ echo "(ERROR): $1" >&2
+ exit 1
+}
+
+copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found"
+copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found"
+copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
+copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
+copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext"
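Review bot: /etc/os-release is sourced but VERSION_CODENAME is no longer consulted anywhere in this file (the distro choice now happens in the recipe), so the `if [ -f /etc/os-release ]` block is dead code and can go. The copyright range 2020-2023 also predates this new 2024 file. Dropping the old `[ -x ... ]` guards means the build now fails hard when a tool is missing, which is the safer behaviour for a hook that decides whether PCR-bound unlocking works at all.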
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
new file mode 100755
index 0000000..fd39c34
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2023
+#
+# SPDX-License-Identifier: MIT
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -f /etc/os-release ]; then
+ . /etc/os-release
+fi
+hook_error() {
+ echo "(ERROR): $1" >&2
+ exit 1
+}
+copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist"
+
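Review bot: the file ends with an empty line after the copy_exec (`git am` will warn about trailing whitespace), and as in the bullseye variant the os-release sourcing is unused. Unlike the old guarded `[ -x /usr/bin/tpm2_pcrlist ]` check, this hook now fails the initramfs build when tpm2_pcrlist is absent on buster; that is stricter and arguably correct, but worth a sentence in the commit message.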
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 347551a..1921aba 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -54,27 +54,11 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp
copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found"
copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found"
copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found"
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-list ]; then
- copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found"
-fi
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-common-functions ]; then
- copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found"
-fi
copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary"
copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal"
copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create"
copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load"
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then
- copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
- copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
-fi
-if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then
- copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist"
-fi
copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy"
-if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then
- copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext"
-fi
copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash"
copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta"
copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose"
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 4e60c10..dc46ff8 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -29,6 +29,16 @@ def encryption_dependency(d):
else:
bb.error("unkown cryptbackend defined")
+def add_additional_clevis_hooks(d):
+ base_distro_code_name = d.getVar('BASE_DISTRO_CODENAME') or ""
+ crypt_backend = d.getVar('CRYPT_BACKEND') or ""
+ if crypt_backend != 'clevis':
+ return ""
+ if base_distro_code_name == "buster":
+ return f"encrypt_partition.{crypt_backend}.buster.hook"
+ else:
+ return f"encrypt_partition.{crypt_backend}.bullseye_or_later.hook"
+
CRYPT_BACKEND:buster = "clevis"
CRYPT_BACKEND:bullseye = "clevis"
CRYPT_BACKEND = "systemd"
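Review bot: add_additional_clevis_hooks returns the bullseye_or_later hook for every codename other than "buster", including an empty BASE_DISTRO_CODENAME; fine for the Debian releases isar-cip-core supports, but an explicit check would make the fallback intentional rather than accidental. While touching this block, the `unkown` typo in the bb.error context line above could be fixed too.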
@@ -38,7 +48,8 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
file://mount_crypt_partitions.script \
file://encrypt_partition.${CRYPT_BACKEND}.hook \
file://pwquality.conf"
-
+ADDITIONAL_CLEVIS_HOOK = "${@add_additional_clevis_hooks(d)}"
+SRC_URI += "${@ 'file://' + d.getVar('ADDITIONAL_CLEVIS_HOOK') if d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''}"
# CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>
CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
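Review bot: `if d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''` is missing the space before `else`; Python tokenizes it, but it reads as a typo. Since ADDITIONAL_CLEVIS_HOOK is already "" for the systemd backend, `SRC_URI += "${@ 'file://' + d.getVar('ADDITIONAL_CLEVIS_HOOK') if d.getVar('ADDITIONAL_CLEVIS_HOOK') else ''}"` is the minimal fix, and the removed blank line before it should stay for readability.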
@@ -72,5 +83,10 @@ do_install() {
"${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
"${D}/usr/share/initramfs-tools/hooks/encrypt_partition"
+ if [ -f "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" ]; then
+ install -m 0755 "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" \
+ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition.${BASE_DISTRO_CODENAME}"
+ fi
+
install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf"
}
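Review bot: the extra hook is installed as hooks/encrypt_partition.${BASE_DISTRO_CODENAME}, so on bookworm the file produced from encrypt_partition.clevis.bullseye_or_later.hook is named encrypt_partition.bookworm; harmless, but a codename-independent name (e.g. encrypt_partition_extra) would keep source and installed names recognisably related. The doubled blank line before the pwquality install is a whitespace nit.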
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 10/15] initramfs-crypt-hook: Consolidate clevis and systemd scripts
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This reduces maintenance, as the common code is only maintained
once.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.hook | 1 +
.../files/encrypt_partition.clevis.script | 177 ++----------------
.../files/encrypt_partition.script | 164 ++++++++++++++++
.../files/encrypt_partition.systemd.hook | 1 +
.../files/encrypt_partition.systemd.script | 163 ++--------------
.../initramfs-crypt-hook_0.1.bb | 5 +-
6 files changed, 208 insertions(+), 303 deletions(-)
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 1921aba..0bb8ce6 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -81,4 +81,5 @@ for _LIBRARY in /usr/lib/*/libtss2*; do
done
copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
+copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2
copy_file pwmake-config /usr/share/encrypt_partition/pwquality.conf /etc/security/pwquality.conf
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index fdbd9b5..ddb3eab 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -9,177 +9,38 @@
#
# SPDX-License-Identifier: MIT
-prereqs()
-{
- # Make sure that this script is run last in local-top
- local req
- for req in "${0%/*}"/*; do
- script="${req##*/}"
- if [ "$script" != "${0##*/}" ]; then
- printf '%s\n' "$script"
- fi
- done
-}
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /scripts/functions
-
-# get configuration variables
-. /usr/share/encrypt_partition/encrypt_partition.env
-
-# load necessary kernel modules:
-modprobe tpm_tis
-modprobe tpm_crb
-
-modprobe ecb
-modprobe aes_generic
-modprobe xts
-
-# this needs to be probed particularly for re-encryption
-modprobe loop
-
-partition_sets="$PARTITIONS"
-create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-pcr_bank_hash_type="$HASH_TYPE"
-tpm_key_algorithm="$KEY_ALGORITHM"
-tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
-if [ -z "${create_file_system_cmd}" ]; then
- create_file_system_cmd="mke2fs -t ext4"
-fi
-
-service_watchdog() {
- for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
- printf '\0'
- sleep 10
- done > "$WATCHDOG_DEV"
-}
open_tpm2_partition() {
+ partition_device="$1"
+ crypt_mount_name="$2"
+ #tpm_device="$3"
if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
- -d "$1"; then
- panic "Can't decrypt '$1' !"
+ -d "$partition_device"; then
+ panic "Can't decrypt '$partition_device' !"
fi
}
enroll_tpm2_token() {
+ partition_device="$1"
+ passphrase="$2"
+ #tpm_device="$3"
+ tpm_key_algorithm="$4"
+ pcr_bank_hash_type="$5"
if [ -x /usr/bin/clevis ]; then
- clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2"
+ clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase"
else
panic "clevis not available cannot enroll tpm2 key!"
fi
}
-reencrypt_existing_partition() {
- part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
- # reduce the filesystem and partition by 32M to fit the LUKS header
- reduce_device_size=32768
- reduced_size="$(expr "$part_size_blocks" - 65536 )"
- reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
- reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
- e2fsck -f "$1"
- if ! resize2fs "$1" "${reduced_size_in_kb}"; then
- panic "reencryption of filesystem $1 cannot continue!"
- fi
- if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
- /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
- else
- /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+prepare_for_encryption() {
+ # clevis needs /dev/fd create it in the initramfs
+ if [ ! -e /dev/fd ]; then
+ ln -s /proc/self/fd /dev/fd
fi
}
-for candidate in /dev/tpm*; do
- if [ -x /usr/bin/tpm2_pcrread ]; then
- if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
- continue
- fi
- elif [ -x /usr/bin/tpm2_pcrlist ]; then
- export TPM2TOOLS_DEVICE_FILE="$candidate"
- if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then
- continue
- fi
- fi
- # Debian buster does not have tpm_testparms
- if [ -x /usr/bin/tpm2_testparms ]; then
- if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then
- continue
- fi
- fi
- tpm_device=$candidate
-done
-
-if [ ! -e "$tpm_device" ]; then
- if [ "$tpm_encryption_optional" = "true" ]; then
- echo "No tpm_device exists abort optional encryption"
- exit 0
- fi
- panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
-fi
-
-# clevis needs /dev/fd create it in the initramfs
-if [ ! -e /dev/fd ]; then
- ln -s /proc/self/fd /dev/fd
-fi
-
-for partition_set in $partition_sets; do
- partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
- partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
- partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
- partition=/dev/disk/by-partlabel/"$partition_label"
- crypt_mount_name="encrypted_$partition_label"
- decrypted_part=/dev/mapper/"$crypt_mount_name"
- # clevis does not work with links in /dev/disk*
- part_device=$(readlink -f "$partition")
- # check if we are trying to mount root
- if [ "$partition_mountpoint" = "/" ]; then
- echo "ROOT=$decrypted_part" >/conf/param.conf
- fi
-
- if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
- | grep -q "clevis"; then
- open_tpm2_partition "$part_device"
- continue
- fi
-
- # service watchdog in the background during lengthy re-encryption
- if [ -z "$watchdog_pid" ]; then
- service_watchdog &
- watchdog_pid=$!
- fi
-
- # create random password for initial encryption
- # this will be dropped after reboot
- tmp_key=/tmp/"$partition_label-lukskey"
- openssl rand -base64 32 > "$tmp_key"
-
- case "${partition_format}" in
- "reencrypt")
- reencrypt_existing_partition "$part_device" "$tmp_key"
- enroll_tpm2_token "$part_device" "$tmp_key"
- open_tpm2_partition "$part_device"
- ;;
- "format")
- /usr/sbin/cryptsetup luksFormat --batch-mode \
- --type luks2 "$partition" < "$tmp_key"
- enroll_tpm2_token "$part_device" "$tmp_key"
- open_tpm2_partition "$part_device"
- eval "${create_file_system_cmd} ${decrypted_part}"
- ;;
- *)
- panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
- ;;
- esac
-
-
- # delete initial key
- # afterwards no new keys can be enrolled
- cryptsetup -v luksKillSlot -q "$part_device" 0
-done
-
-if [ -n "$watchdog_pid" ]; then
- kill "$watchdog_pid"
-fi
+finalize_tpm2_encryption() {
+ partition_device="$1"
+ cryptsetup -v luksKillSlot -q "$partition_device" 0
+}
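Review bot: the rationale that accompanied the old `luksKillSlot` call (`# delete initial key` / `# afterwards no new keys can be enrolled`) is lost in the move into `finalize_tpm2_encryption`; keep it as a comment inside the new function, since the consequence of wiping slot 0 (the only passphrase slot) is easy to miss when the call is reduced to a two-line helper. As with the systemd counterpart, `partition_device="$1"` is a global assignment; a `local` would keep the helper from clobbering the caller's variables.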
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
new file mode 100644
index 0000000..8763f69
--- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -0,0 +1,164 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023-2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
+# get the implementation
+. /usr/share/encrypt_partition/encrypt_partition_tpm2
+# load necessary kernel modules:
+modprobe tpm_tis
+modprobe tpm_crb
+
+modprobe ecb
+modprobe aes_generic
+modprobe xts
+
+# this needs to be probed particularly for re-encryption
+modprobe loop
+
+partition_sets="$PARTITIONS"
+create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+pcr_bank_hash_type="$HASH_TYPE"
+tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
+if [ -z "${create_file_system_cmd}" ]; then
+ create_file_system_cmd="mke2fs -t ext4"
+fi
+
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
+reencrypt_existing_partition() {
+ part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
+ # reduce the filesystem and partition by 32M to fit the LUKS header
+ reduce_device_size=32768
+ reduced_size="$(expr "$part_size_blocks" - 65536 )"
+ reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
+ reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+ e2fsck -f "$1"
+ if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+ panic "reencryption of filesystem $1 cannot continue!"
+ fi
+ if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
+ /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+ else
+ /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+ fi
+}
+for candidate in /dev/tpm*; do
+ if [ -x /usr/bin/tpm2_pcrread ]; then
+ if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then
+ continue
+ fi
+ elif [ -x /usr/bin/tpm2_pcrlist ]; then
+ export TPM2TOOLS_DEVICE_FILE="$candidate"
+ if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then
+ continue
+ fi
+ fi
+ # Debian buster does not have tpm_testparms
+ if [ -x /usr/bin/tpm2_testparms ]; then
+ if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then
+ continue
+ fi
+ fi
+ tpm_device=$candidate
+done
+
+if [ ! -e "$tpm_device" ]; then
+ if [ "$tpm_encryption_optional" = "true" ]; then
+ echo "No tpm_device exists abort optional encryption"
+ exit 0
+ fi
+ panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
+fi
+
+prepare_for_encryption
+
+for partition_set in $partition_sets; do
+ partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+ partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+ partition=/dev/disk/by-partlabel/"$partition_label"
+ crypt_mount_name="encrypted_$partition_label"
+ decrypted_part=/dev/mapper/"$crypt_mount_name"
+ part_device=$(readlink -f "$partition")
+ # check if we are trying to mount root
+ if [ "$partition_mountpoint" = "/" ]; then
+ echo "ROOT=$decrypted_part" >/conf/param.conf
+ fi
+
+ if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+ | grep -q "token"; then
+ open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+ continue
+ fi
+
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
+ # create random password for initial encryption
+ # this will be dropped after reboot
+ tmp_key=/tmp/"$partition_label-lukskey"
+ openssl rand -base64 32 > "$tmp_key"
+
+ case "${partition_format}" in
+ "reencrypt")
+ reencrypt_existing_partition "$part_device" "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
+ open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+ ;;
+ "format")
+ /usr/sbin/cryptsetup luksFormat --batch-mode \
+ --type luks2 "$partition" < "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key"
+ open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+ eval "${create_file_system_cmd} ${decrypted_part}"
+ ;;
+ *)
+ panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
+ ;;
+ esac
+
+ finalize_tpm2_encryption
+done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
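Review bot: `finalize_tpm2_encryption` is called without an argument at the end of the partition loop, but both backend implementations read the device from `$1` (`partition_device="$1"`), so the slot wipe runs against an empty device name and the temporary key in slot 0 stays valid after first boot; it should be `finalize_tpm2_encryption "$part_device"`. In the same loop the `"format"` branch calls `enroll_tpm2_token "$part_device" "$tmp_key"` while the `"reencrypt"` branch passes `"$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"` as well; with the systemd backend the missing third argument leaves `tpm_device` empty for the enrollment, so both branches should pass the full argument list.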
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index 6e2a211..941f0b1 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -61,4 +61,5 @@ for _LIBRARY in /usr/lib/*/libtss2* /usr/lib/*/libgcc_s.so.1; do
copy_exec "$_LIBRARY"
done
+copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2
copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index e0c84ce..611f9cf 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -9,64 +9,23 @@
#
# SPDX-License-Identifier: MIT
-prereqs()
-{
- # Make sure that this script is run last in local-top
- local req
- for req in "${0%/*}"/*; do
- script="${req##*/}"
- if [ "$script" != "${0##*/}" ]; then
- printf '%s\n' "$script"
- fi
- done
-}
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /scripts/functions
-
-# get configuration variables
-. /usr/share/encrypt_partition/encrypt_partition.env
-
-# load necessary kernel modules:
-modprobe tpm_tis
-modprobe tpm_crb
-
-modprobe ecb
-modprobe aes_generic
-modprobe xts
-
-# this needs to be probed particularly for re-encryption
-modprobe loop
-
-partition_sets="$PARTITIONS"
-create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-pcr_bank_hash_type="$HASH_TYPE"
-tpm_key_algorithm="$KEY_ALGORITHM"
-tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
-if [ -z "${create_file_system_cmd}" ]; then
- create_file_system_cmd="mke2fs -t ext4"
-fi
-
-service_watchdog() {
- for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
- printf '\0'
- sleep 10
- done > "$WATCHDOG_DEV"
-}
-
open_tpm2_partition() {
+ partition_device="$1"
+ crypt_mount_name="$2"
+ tpm_device="$3"
if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
- "$1" - tpm2-device="$tpm_device"; then
- panic "Can't decrypt '$1' !"
+ "$partition_device" - tpm2-device="$tpm_device"; then
+ panic "Can't decrypt '$partition_device' !"
fi
}
enroll_tpm2_token() {
+ partition_device="$1"
+ passphrase="$2"
+ tpm_device="$3"
+ #tpm_key_algorithm="$4"
+ #pcr_bank_hash_type="$5"
+
# check systemd version and export password if necessary
if [ -x /usr/bin/systemd-cryptenroll ]; then
systemd_version=$(systemd-cryptenroll --version | \
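Review bot: `open_tpm2_partition` and `enroll_tpm2_token` now assign their parameters to `partition_device`, `crypt_mount_name` and `tpm_device` without `local`, and these are the same names the calling script uses for its own state, so any call that passes fewer arguments silently clears the caller's `tpm_device` for the rest of the loop. `prereqs` already relies on `local`, so declare them as `local partition_device="$1"` and so on. The commented-out `#tpm_key_algorithm="$4"` / `#pcr_bank_hash_type="$5"` lines should either be removed or replaced by a comment stating that the arguments are accepted for interface parity with the clevis backend and unused here.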
@@ -74,10 +33,10 @@ enroll_tpm2_token() {
# check systemd version and export password if necessary
# systemd version 251 does not suport hash_types
if [ "$systemd_version" -ge "251" ]; then
- PASSWORD=$(cat "$2" )
+ PASSWORD=$(cat "$passphrase" )
export PASSWORD
/usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \
- --tpm2-pcrs=7 "$1"
+ --tpm2-pcrs=7 "$partition_device"
PASSWORD=
else
panic "Unknown systemd version: '$systemd_version'!"
@@ -87,96 +46,12 @@ enroll_tpm2_token() {
fi
}
-reencrypt_existing_partition() {
- part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
- # reduce the filesystem and partition by 32M to fit the LUKS header
- reduce_device_size=32768
- reduced_size="$(expr "$part_size_blocks" - 65536 )"
- reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
- reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
- e2fsck -f "$1"
- if ! resize2fs "$1" "${reduced_size_in_kb}"; then
- panic "reencryption of filesystem $1 cannot continue!"
- fi
- if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
- /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
- else
- /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
- fi
+prepare_for_encryption() {
+ true
}
-for candidate in /dev/tpm*; do
- if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then
- continue
- fi
- if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then
- continue
- fi
- tpm_device=$candidate
-done
-
-if [ ! -e "$tpm_device" ]; then
- if [ "$tpm_encryption_optional" = "true" ]; then
- echo "No tpm_device exists abort optional encryption"
- exit 0
- fi
- panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
-fi
-
-for partition_set in $partition_sets; do
- partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
- partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
- partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
- partition=/dev/disk/by-partlabel/"$partition_label"
- crypt_mount_name="encrypted_$partition_label"
- decrypted_part=/dev/mapper/"$crypt_mount_name"
- part_device=$(readlink -f "$partition")
-
- # check if we are trying to mount root
- if [ "$partition_mountpoint" = "/" ]; then
- echo "ROOT=$decrypted_part" >/conf/param.conf
- fi
- # check if partition is already encrypted with systemd-tpm2
- if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
- | grep -q "systemd-tpm2"; then
- open_tpm2_partition "$part_device"
- continue
- fi
-
- # service watchdog in the background during lengthy re-encryption
- if [ -z "$watchdog_pid" ]; then
- service_watchdog &
- watchdog_pid=$!
- fi
-
- # create random password for initial encryption
- # this will be dropped after reboot
- tmp_key=/tmp/"$partition_label-lukskey"
- openssl rand -base64 32 > "$tmp_key"
-
- case "${partition_format}" in
- "reencrypt")
- reencrypt_existing_partition "$part_device" "$tmp_key"
- enroll_tpm2_token "$part_device" "$tmp_key"
- open_tpm2_partition "$part_device"
- ;;
- "format")
- /usr/sbin/cryptsetup luksFormat --batch-mode \
- --type luks2 "$partition" < "$tmp_key"
- enroll_tpm2_token "$part_device" "$tmp_key"
- open_tpm2_partition "$part_device"
- eval "${create_file_system_cmd} ${decrypted_part}"
- ;;
- *)
- panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
- ;;
- esac
-
- # delete initial key
- # afterwards no new keys can be enrolled
- /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
-done
+finalize_tpm2_encryption() {
+ partition_device="$1"
+- /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"
+}
-if [ -n "$watchdog_pid" ]; then
- kill "$watchdog_pid"
-fi
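Review bot: the body of the new `finalize_tpm2_encryption` is `- /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"`; the leading `- ` is part of the added line, not diff markup, so the shell tries to run a command named `-`, prints a "not found" error and leaves slot 0 with the temporary passphrase enrolled. Drop the stray `- ` so the line reads `/usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"`.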
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index dc46ff8..1d5a4a7 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -44,6 +44,7 @@ CRYPT_BACKEND:bullseye = "clevis"
CRYPT_BACKEND = "systemd"
SRC_URI += "file://encrypt_partition.env.tmpl \
+ file://encrypt_partition.script \
file://encrypt_partition.${CRYPT_BACKEND}.script \
file://mount_crypt_partitions.script \
file://encrypt_partition.${CRYPT_BACKEND}.hook \
@@ -77,8 +78,10 @@ do_install[cleandirs] += " \
do_install() {
install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
- install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
+ install -m 0755 "${WORKDIR}/encrypt_partition.script" \
"${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition"
+ install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \
+ "${D}/usr/share/encrypt_partition/encrypt_partition_tpm2"
install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \
"${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition"
install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 11/15] initramfs-crypt-hook: Increase version
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC (permalink / raw)
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This package had significant changes
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (100%)
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
similarity index 100%
rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 12/15] README.tpm2.encryption: Add section to switch from clevis to systemd
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC (permalink / raw)
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.tpm2.encryption.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index cb3f640..69a18dd 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -48,3 +48,23 @@ Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition.
+
+# Convert clevis based encryption to systemd-cryptenroll
+## Prerequisites
+The following packages are necessary to convert a clevis based encryption to a systemd-cryptenroll
+based encryption:
+ - clevis-luks
+ - clevis-tpm2
+ - cryptsetup
+ - jq
+
+## steps to convert clevis to systemd
+The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+```bash
+export device=/dev/sda6
+export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
+if [ -n "$keyslot" ]; then
+ export PASSWORD=$(clevis luks pass -d "$device" -s"$keyslot")
+ systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device"
+fi
+```
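Review bot: the snippet uses `$tpm_device` without ever defining it, so `--tpm2-device=` is passed empty; either tell the reader to set it to the TPM character device or use `--tpm2-device=auto`. The jq filter `.tokens.[]` (dot before the iterator) is only accepted from jq 1.7 on; `.tokens[]` is understood by every version, including the jq 1.6 shipped by current Debian releases. Two further points: the section is titled "Convert", but after enrolling the systemd-tpm2 token the clevis key slot still unlocks the volume, so the text should say whether that slot is meant to be wiped afterwards (for example with `systemd-cryptenroll --wipe-slot="$keyslot" "$device"`), and `PASSWORD` stays exported in the shell until `unset PASSWORD`. Finally, "a existinng" in the intro line should read "an existing".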
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 13/15] Add example to encrypt the rootfs
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC (permalink / raw)
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas/opt/encrypt_rootfs.yml | 25 +++++++++++++++++++++++++
wic/x86_64-encryption.wks.in | 16 ++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 kas/opt/encrypt_rootfs.yml
create mode 100644 wic/x86_64-encryption.wks.in
diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
new file mode 100644
index 0000000..9e284b4
--- /dev/null
+++ b/kas/opt/encrypt_rootfs.yml
@@ -0,0 +1,25 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+
+local_conf_header:
+ encrypted_root: |
+ WKS_FILE = "x86_64-encryption.wks.in"
+ CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
+ IMAGE_FSTYPES = "wic"
+ IMAGER_INSTALL:wic += "systemd-boot"
+ CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
+ INITRAMFS_RECIPE ?= "cip-core-initramfs"
+ INITRAMFS_INSTALL:append = " initramfs-crypt-hook"
+ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+ do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
new file mode 100644
index 0000000..800b56d
--- /dev/null
+++ b/wic/x86_64-encryption.wks.in
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# SPDX-License-Identifier: MIT
+#
+
+part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
+
+part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
+# home and var are extra partitions
+part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
+part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
+
+bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"
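Review bot: `/` and `/home` are both given `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, so the two ext4 filesystems carry identical UUIDs; anything that resolves `UUID=` (fstab, the initramfs, the `/dev/disk/by-uuid` links) then picks one of them non-deterministically. Give `/home` its own UUID as `/var` already has. The partitions are addressed by `--label` in `CRYPT_PARTITIONS`, which is why this does not break the encryption hook itself, but the comment `# home and var are extra partitions` would be a good place to say so.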
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 14/15] Kconfig: Add option to encrypt the rootfs
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC (permalink / raw)
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/Kconfig b/Kconfig
index 7c19640..8e96865 100644
--- a/Kconfig
+++ b/Kconfig
@@ -212,5 +212,19 @@ config IMAGE_DATA_ENCRYPTION
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+endif
+
+if IMAGE_FLASH && !IMAGE_DATA_ENCRYPTION && !IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE
+
+config IMAGE_ROOTFS_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || !IMAGE_SWUPDATE || !IMAGE_SECURE_BOOT
+ help
+ This enables LUKS encryption for all partition. This is currently incompatible
+ with efibootguard, secure boot and SWUpdate.
+
+config KAS_INCLUDE_ROOTFS_ENCRYPTION
+ string
+ default "kas/opt/encrypt_rootfs.yml" if IMAGE_ROOTFS_ENCRYPTION
endif
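Review bot: the `depends on` line of `IMAGE_ROOTFS_ENCRYPTION` is always satisfied inside this block: the enclosing `if` already requires `!IMAGE_DATA_ENCRYPTION && !IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE`, so the `|| !IMAGE_SWUPDATE || !IMAGE_SECURE_BOOT` alternatives make the whole expression true regardless of the target. If the intent is to offer the option only for the QEMU targets, keep just `depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM`; otherwise drop the line. Also, "for all partition" in the help text should read "for all partitions".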
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v3 15/15] start-qemu.sh: Support encrypted rootfs
From: Quirin Gylstorff @ 2024-04-09 13:05 UTC (permalink / raw)
To: jan.kiszka, cip-dev, johnxw
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
start-qemu.sh | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index 9ec0f1c..83d1274 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -21,6 +21,7 @@ usage()
echo " QEMU_PATH use a locally built QEMU version"
echo " SWUPDATE_BOOT boot swupdate image"
echo " SECURE_BOOT start a secure boot environment"
+ echo " TPM2_ENCRYPTION starts swtpm to encrypt the disk partitions"
echo " DISTRO_RELEASE select a specific Debian release"
echo " TARGET_IMAGE select a specific image type"
exit 1
@@ -35,6 +36,10 @@ if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
TPM2_ENCRYPTION="true"
fi
+if grep -s -q "IMAGE_ROOTFS_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
+
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
fi
@@ -187,7 +192,7 @@ QEMU_COMMON_OPTIONS=" \
${QEMU_EXTRA_ARGS} \
"
-if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
+if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}${TPM2_ENCRYPTION}" ]; then
case "${arch}" in
x86|x86_64|amd64)
if [ -n "${SECURE_BOOT}" ]; then
--
2.43.0