From: Jan Kiszka <jan.kiszka@siemens.com>
To: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>,
cip-dev@lists.cip-project.org, johnxw@amazon.com,
felix.moessbauer@siemens.com
Subject: Re: [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs
Date: Fri, 3 May 2024 09:24:30 +0200 [thread overview]
Message-ID: <0f2f4e54-db09-496d-9223-94fe108f104f@siemens.com> (raw)
In-Reply-To: <20240502093240.364093-1-Quirin.Gylstorff@siemens.com>
On 02.05.24 11:31, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This adds the option to encrypt both root file system partitions.
> The encrypted partition can be updated with SWUpdate.
>
> The disk encryption is independent of the selected boot method and
> could also be used to encrypt a single writable root file system.
>
> To simplify the handling of the swupdate the encrypted partition uses
> the uuid as the device mapper name.
>
>
> If all partitions are encrypted the partition layout looks similar to
> this:
>
> ```
> root@demo:~# lsblk
> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
> sda 8:0 0 5.4G 0 disk
> ├─sda1 8:1 0 16.1M 0 part
> ├─sda2 8:2 0 42M 0 part
> ├─sda3 8:3 0 42M 0 part
> ├─sda4 8:4 0 1G 0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0 0 1008M 0 crypt
> ├─sda5 8:5 0 1G 0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1 0 1008M 0 crypt
> │ └─verityroot 252:4 0 115.3M 1 crypt /
> ├─sda6 8:6 0 1.3G 0 part
> │ └─encrypted_home 252:2 0 1.3G 0 crypt /home
> └─sda7 8:7 0 2G 0 part
> └─encrypted_var 252:3 0 2G 0 crypt /var
> ```
> Changes v4:
> - Clarify that only non-boot partitions are encrypted
> - Fix typos
> - Add note for encryption in secure environment
>
> Changes v3:
> - Update the encrypted partition instead of the underlying device
> - Use uuids instead of labels for the partitions.
> - Allow uuids and absolute path to select the partition to be
> encrypted.
> - Add Readme for partition selection.
>
> Changes v2:
> - Rewrite commit messages
> - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
> - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> - Fix assignment of CRYPT_PARTITIONS
>
> Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> - add partition labels for a/b partitions
> - use a/b rootfs configuration instead of a separate wks file
>
>
> Quirin Gylstorff (9):
> wic/*: Add part-labels to system partition
> initramfs: allow empty mountpoint for crypt hooks
> initramfs-crypt: Only resize partition if ext* formatted
> fix: use luks2 to identify encrypted partition
> Rename encrypt-partitions to encrypt-data
> Kconfig: Add option to encrypt the rootfs
> crypt-hook: Extend partition selection
> README: Add rootfs encryption
> README.swupdate: Add section about partition selection
>
> .gitlab-ci.yml | 2 +-
> Kconfig | 24 +++++++--
> doc/README.swupdate.md | 16 ++++++
> doc/README.tpm2.encryption.md | 22 +++++++--
> kas/opt/encrypt-all.yml | 23 +++++++++
> ...ncrypt-partitions.yml => encrypt-data.yml} | 0
> kas/opt/security.yml | 2 +-
> .../files/encrypt_partition.clevis.hook | 2 +
> .../files/encrypt_partition.script | 49 ++++++++++++++-----
> .../files/encrypt_partition.systemd.hook | 2 +
> .../files/mount_crypt_partitions.script | 24 +++++++--
> .../initramfs-crypt-hook_0.2.bb | 3 +-
> wic/bbb-efibootguard.wks.in | 4 +-
> wic/hihope-rzg2m-efibootguard.wks.in | 4 +-
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
> wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
> wic/qemu-arm64-efibootguard.wks.in | 4 +-
> wic/qemu-riscv64-efibootguard.wks.in | 4 +-
> wic/x86-efibootguard.wks.in | 4 +-
> 19 files changed, 157 insertions(+), 40 deletions(-)
> create mode 100644 kas/opt/encrypt-all.yml
> rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
>
Just tested in qemu-amd64. It works, but there are many suspicious
warnings and messages during first boot:
Warning: keyslot operation could fail as it requires more than available memory.
Progress: 52.4%, ETA 00m06s, 528 MiB written, speed 78.8 MiB/s
Finished, time 00m11s, 1008 MiB written, speed 83.5 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda5 is not a valid LUKS device.
skip disk resize as it not support or unnecessary for fstype: ''
Warning: keyslot operation could fail as it requires more than available memory.
Finished, time 00m11s, 1008 MiB written, speed 83.7 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda6 is not a valid LUKS device.
Jan
--
Siemens AG, Technology
Linux Expert Center
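An added check, not part of this patch series or of the isar-cip-core tree, that reads `lsblk -J` output and reports for each mountpoint whether a LUKS container sits underneath it and which device-mapper layers are stacked above the partition, mirroring the a/b rootfs, verity and data-partition layout in the cover letter. The sample JSON is constructed (device names copied from the cover letter's tree, /var deliberately placed on a plain ext4 partition so the check has something to flag); `audit`, `plaintext_mounts` and `uuid_named_slots` are assumed helper names.

```python
import json
import re

# Constructed sample shaped like `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINTS` and modelled
# on the cover letter's tree, except that /var deliberately sits on a plain ext4 partition.
SAMPLE = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    *[{"name": n, "type": "part"} for n in ("sda1", "sda2", "sda3")],
    {"name": "sda4", "type": "part", "fstype": "crypto_LUKS", "children": [
        {"name": "fedcba98-7654-3210-cafe-5e0710000001", "type": "crypt"}]},
    {"name": "sda5", "type": "part", "fstype": "crypto_LUKS", "children": [
        {"name": "fedcba98-7654-3210-cafe-5e0710000002", "type": "crypt", "children": [
            {"name": "verityroot", "type": "crypt", "mountpoints": ["/"]}]}]},
    {"name": "sda6", "type": "part", "fstype": "crypto_LUKS", "children": [
        {"name": "encrypted_home", "type": "crypt", "mountpoints": ["/home"]}]},
    {"name": "sda7", "type": "part", "fstype": "ext4", "mountpoints": ["/var"]},
]}]})
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def _walk(dev, chain=()):
    """Yield (device, ancestors including itself) for every node of the lsblk tree."""
    chain = chain + (dev,)
    yield dev, chain
    for child in dev.get("children", []):
        yield from _walk(child, chain)

def _nodes(lsblk_json):
    for top in json.loads(lsblk_json)["blockdevices"]:
        yield from _walk(top)

def audit(lsblk_json):
    """Per mountpoint: its partition, the dm layers above it, and whether an ancestor
    is a LUKS container (lsblk reports FSTYPE crypto_LUKS for those)."""
    report = {}
    for dev, chain in _nodes(lsblk_json):
        # util-linux >= 2.37 emits "mountpoints" (a list); older versions "mountpoint".
        for mp in filter(None, dev.get("mountpoints") or [dev.get("mountpoint")]):
            report[mp] = {
                "partition": next((d["name"] for d in reversed(chain) if d["type"] == "part"), None),
                "dm_layers": [d["name"] for d in chain if d["type"] == "crypt"],
                "luks": any(d.get("fstype") == "crypto_LUKS" for d in chain),
            }
    return report

def plaintext_mounts(lsblk_json):
    """Mountpoints that reach the disk without a LUKS container underneath."""
    return sorted(mp for mp, info in audit(lsblk_json).items() if not info["luks"])

def uuid_named_slots(lsblk_json):
    """Mapper names using the UUID convention the cover letter describes for the rootfs slots."""
    return sorted(d["name"] for d, _ in _nodes(lsblk_json) if d["type"] == "crypt" and UUID_RE.match(d["name"]))
```

On a real system feed it the output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINTS`. A dm-verity mapping such as verityroot is also shown with TYPE crypt, which is why the check keys on FSTYPE crypto_LUKS of an ancestor rather than on the dm layer type alone.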