* [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs
@ 2024-05-02 9:31 Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 1/9] wic/*: Add part-labels to system partition Quirin Gylstorff
` (9 more replies)
0 siblings, 10 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This adds the option to encrypt both root file system partitions.
The encrypted partition can be updated with SWUpdate.
The disk encryption is independent of the selected boot method and
could also be used to encrypt a single writable root file system.
To simplify the handling of SWUpdate, the encrypted partitions use
the UUID as the device mapper name.
If all partitions are encrypted the partition layout looks similar to
this:
```
root@demo:~# lsblk
NAME                                       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                          8:0    0   5.4G  0 disk
├─sda1                                       8:1    0  16.1M  0 part
├─sda2                                       8:2    0    42M  0 part
├─sda3                                       8:3    0    42M  0 part
├─sda4                                       8:4    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000001   252:0    0  1008M  0 crypt
├─sda5                                       8:5    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000002   252:1    0  1008M  0 crypt
│   └─verityroot                           252:4    0 115.3M  1 crypt /
├─sda6                                       8:6    0   1.3G  0 part
│ └─encrypted_home                         252:2    0   1.3G  0 crypt /home
└─sda7                                       8:7    0     2G  0 part
  └─encrypted_var                          252:3    0     2G  0 crypt /var
```
Changes v4:
- Clarify that only non-boot partitions are encrypted
- Fix typos
- Add note for encryption in secure environment
Changes v3:
- Update the encrypted partition instead of the underlying device
- Use uuids instead of labels for the partitions.
- Allow uuids and absolute path to select the partition to be
encrypted.
- Add Readme for partition selection.
Changes v2:
- Rewrite commit messages
- Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
- Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
- Fix assignment of CRYPT_PARTITIONS
Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
- add partition labels for a/b partitions
- use a/b rootfs configuration instead of a separate wks file
Quirin Gylstorff (9):
wic/*: Add part-labels to system partition
initramfs: allow empty mountpoint for crypt hooks
initramfs-crypt: Only resize partition if ext* formatted
fix: use luks2 to identify encrypted partition
Rename encrypt-partitions to encrypt-data
Kconfig: Add option to encrypt the rootfs
crypt-hook: Extend partition selection
README: Add rootfs encryption
README.swupdate: Add section about partition selection
.gitlab-ci.yml | 2 +-
Kconfig | 24 +++++++--
doc/README.swupdate.md | 16 ++++++
doc/README.tpm2.encryption.md | 22 +++++++--
kas/opt/encrypt-all.yml | 23 +++++++++
...ncrypt-partitions.yml => encrypt-data.yml} | 0
kas/opt/security.yml | 2 +-
.../files/encrypt_partition.clevis.hook | 2 +
.../files/encrypt_partition.script | 49 ++++++++++++++-----
.../files/encrypt_partition.systemd.hook | 2 +
.../files/mount_crypt_partitions.script | 24 +++++++--
.../initramfs-crypt-hook_0.2.bb | 3 +-
wic/bbb-efibootguard.wks.in | 4 +-
wic/hihope-rzg2m-efibootguard.wks.in | 4 +-
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
wic/qemu-arm64-efibootguard.wks.in | 4 +-
wic/qemu-riscv64-efibootguard.wks.in | 4 +-
wic/x86-efibootguard.wks.in | 4 +-
19 files changed, 157 insertions(+), 40 deletions(-)
create mode 100644 kas/opt/encrypt-all.yml
rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
--
2.43.0
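A boot-time check of the layout the cover letter shows, as an added example that is not part of isar-cip-core or of this patch series. The first-boot reencryption is a silent failure mode: if it did not happen, the A/B partitions are still plaintext but the system boots and looks normal, and SWUpdate's /dev/mapper/<PARTUUID> target does not exist. The check walks the JSON from `lsblk -J -o NAME,TYPE,MOUNTPOINTS,PARTUUID,PARTLABEL` (column names as assumed here), applies the hook's naming rule from 7/9 (PARTUUID used as-is, basename for an absolute path, `encrypted_` prefix for a label) to every CRYPT_PARTITIONS entry, and requires that `/` is stacked on a dm-crypt mapping. As the cover letter's listing shows, lsblk reports the dm-verity mapping as TYPE crypt as well, so "there is a crypt device somewhere" is not sufficient; the crypt mapping must sit directly on the partition with the expected name. Both sample trees are constructed by hand: the UUIDs are the ones from the cover letter, the partition labels `home`/`var` are an assumption.

```python
"""Verify a booted image against the 'all non-boot partitions encrypted' layout.
Added example, not isar-cip-core code. Input: lsblk JSON (assumed columns
NAME,TYPE,MOUNTPOINTS,PARTUUID,PARTLABEL) and a CRYPT_PARTITIONS string in the
hook's '<partuuid|partlabel|/abs/path>:<mountpoint>:<format>' form."""
import json
import re

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_crypt_partitions(spec):
    """Split CRYPT_PARTITIONS into (identifier, mountpoint, format) tuples;
    missing fields (the empty mountpoint of the A/B partitions) become ''."""
    return [tuple((item.split(":") + ["", ""])[:3]) for item in spec.split()]


def expected_mapper_name(ident):
    """Naming rule of the crypt hook: a PARTUUID is the mapper name itself,
    an absolute path contributes its basename, a label gets 'encrypted_'."""
    if ident.startswith("/"):
        return ident.rstrip("/").rsplit("/", 1)[-1]
    if UUID_RE.match(ident):
        return ident
    return "encrypted_" + ident


def _walk(node, parents=()):
    """Yield (node, ancestors) for every node of an lsblk tree."""
    yield node, parents
    for child in node.get("children", []):
        yield from _walk(child, parents + (node,))


def _selects(ident, part):
    """Does `ident` (path, PARTUUID or PARTLABEL) select this partition node?"""
    if ident.startswith("/"):
        return part["name"] == expected_mapper_name(ident)
    if UUID_RE.match(ident):
        return (part.get("partuuid") or "").lower() == ident.lower()
    return part.get("partlabel") == ident


def check_layout(lsblk_json, crypt_partitions):
    """Return a list of findings; an empty list means the layout is as expected."""
    nodes = [np for top in json.loads(lsblk_json)["blockdevices"] for np in _walk(top)]
    findings = []
    for ident, mountpoint, _fmt in parse_crypt_partitions(crypt_partitions):
        part = next((n for n, _ in nodes if n.get("type") == "part" and _selects(ident, n)), None)
        if part is None:
            findings.append(f"{ident}: partition not found")
            continue
        crypt = [c for c in part.get("children", []) if c.get("type") == "crypt"]
        if not crypt:
            findings.append(f"{ident}: {part['name']} has no dm-crypt mapping (still plaintext)")
            continue
        want = expected_mapper_name(ident)
        if crypt[0]["name"] != want:  # e.g. dm-verity directly on the partition
            findings.append(f"{ident}: mapped as {crypt[0]['name']}, expected /dev/mapper/{want}")
        if mountpoint and mountpoint not in (crypt[0].get("mountpoints") or []):
            findings.append(f"{ident}: {want} is not mounted at {mountpoint}")
    # The root filesystem must be stacked on top of an encrypted mapping.
    root = next(((n, p) for n, p in nodes if "/" in (n.get("mountpoints") or [])), None)
    if root is None:
        findings.append("/: no mounted root device found")
    elif not any(a.get("type") == "crypt" for a in root[1]):
        findings.append(f"/: {root[0]['name']} is not backed by a dm-crypt device")
    return findings


def _n(name, type_, mountpoints=None, children=None, **extra):
    """Build one lsblk node; lsblk prints [null] for an unmounted device."""
    return {"name": name, "type": type_, "mountpoints": mountpoints or [None],
            "children": children or [], **extra}


A = "fedcba98-7654-3210-cafe-5e0710000001"
B = "fedcba98-7654-3210-cafe-5e0710000002"
CRYPT_PARTITIONS = f"{A}::reencrypt {B}::reencrypt home:/home:reencrypt var:/var:reencrypt"

# Constructed sample: the cover letter's tree after first-boot reencryption.
SAMPLE_ALL_ENCRYPTED = json.dumps({"blockdevices": [_n("sda", "disk", children=[
    _n("sda1", "part"), _n("sda2", "part"), _n("sda3", "part"),
    _n("sda4", "part", partuuid=A, children=[_n(A, "crypt")]),
    _n("sda5", "part", partuuid=B, children=[
        _n(B, "crypt", children=[_n("verityroot", "crypt", ["/"])])]),
    _n("sda6", "part", partlabel="home", children=[_n("encrypted_home", "crypt", ["/home"])]),
    _n("sda7", "part", partlabel="var", children=[_n("encrypted_var", "crypt", ["/var"])]),
])]})

# Constructed sample: same image, but the rootfs reencryption never happened.
SAMPLE_PLAIN_ROOT = json.dumps({"blockdevices": [_n("sda", "disk", children=[
    _n("sda4", "part", partuuid=A),
    _n("sda5", "part", partuuid=B, children=[_n("verityroot", "crypt", ["/"])]),
    _n("sda6", "part", partlabel="home", children=[_n("encrypted_home", "crypt", ["/home"])]),
    _n("sda7", "part", partlabel="var", children=[_n("encrypted_var", "crypt", ["/var"])]),
])]})

if __name__ == "__main__":
    import subprocess, sys
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINTS,PARTUUID,PARTLABEL"],
                         check=True, capture_output=True, text=True).stdout
    problems = check_layout(out, sys.argv[1] if len(sys.argv) > 1 else CRYPT_PARTITIONS)
    print("\n".join(problems) or "layout OK")
    sys.exit(1 if problems else 0)
```

Run on the target as `python3 check_layout.py "$CRYPT_PARTITIONS"` from a post-boot test; a non-zero exit on the plaintext sample reports the unencrypted A partition, the verity mapping that sits where the LUKS mapping should be, and the root device without an encrypted ancestor.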
* [cip-dev][isar-cip-core][PATCH v4 1/9] wic/*: Add part-labels to system partition
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
` (8 subsequent siblings)
9 siblings, 0 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows using the part-label for encryption or
boot selection.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
wic/bbb-efibootguard.wks.in | 4 ++--
wic/hihope-rzg2m-efibootguard.wks.in | 4 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard.wks.in | 4 ++--
wic/qemu-riscv64-efibootguard.wks.in | 4 ++--
wic/x86-efibootguard.wks.in | 4 ++--
7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
index e9c04b9..b5772c2 100644
--- a/wic/bbb-efibootguard.wks.in
+++ b/wic/bbb-efibootguard.wks.in
@@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
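Review bot: `--part-name systema` / `--part-name systemb` is the GPT partition name, which is what udev exposes under /dev/disk/by-partlabel and what the commit message calls a part-label, so the mechanism is right; but the same two literal names are now repeated in seven board files. Defining them once (a variable expanded in the wks files, or in ebg-sysparts.inc which every file here already includes) would keep the label that the crypt hook and boot selection key on from diverging between boards.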
diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
index 9227a71..164e8a9 100644
--- a/wic/hihope-rzg2m-efibootguard.wks.in
+++ b/wic/hihope-rzg2m-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index ef40d70..0f4d637 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index 01f395d..00d627d 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
index 942c3e1..6f03420 100644
--- a/wic/qemu-arm64-efibootguard.wks.in
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
index 6934977..1704ded 100644
--- a/wic/qemu-riscv64-efibootguard.wks.in
+++ b/wic/qemu-riscv64-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 6382ff7..4c0484f 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
# home and var are extra partitions
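Review bot: the second added line in wic/x86-efibootguard.wks.in, `--part-name systema` on the `--source empty` partition B, gives both A/B partitions the same GPT name; the other six files use `systemb` here. Two partitions named systema make /dev/disk/by-partlabel/systema ambiguous (udev keeps whichever partition it processed last), so label-based encryption or boot selection on x86 would pick a partition nondeterministically. Change it to `--part-name systemb`.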
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 1/9] wic/*: Add part-labels to system partition Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 11:07 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
` (7 subsequent siblings)
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows encrypting partitions which have a separate mount
script, like verity and abrootfs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index 3411e70..b72323f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -51,7 +51,9 @@ for partition_set in $partition_sets; do
part_device=$(readlink -f "$partition")
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
-
+ if [ -z "$partition_mountpoint" ]; then
+ continue
+ fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
| grep -q "luks2"; then
mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
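Review bot: the new early `continue` at `if [ -z "$partition_mountpoint" ]` is undocumented; a one-line comment stating that an empty mountpoint means another initramfs script (verity or abrootfs) mounts the opened device would spare the next reader a trip to the commit log. Also, because the skip sits before the `luksDump ... | grep -q "luks2"` check, a partition selected with an empty mountpoint that was never opened produces no diagnostic here and only fails later when the root mount script cannot find /dev/mapper/<name>; consider keeping the LUKS check and skipping only the `mount_partition` call.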
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 1/9] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 11:07 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition Quirin Gylstorff
` (6 subsequent siblings)
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
A squashfs or empty partition cannot be resized with resize2fs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.script | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 8f6cbf6..51c81f3 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -64,14 +64,26 @@ service_watchdog() {
reencrypt_existing_partition() {
part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
# reduce the filesystem and partition by 32M to fit the LUKS header
+ partition_fstype=$(get_fstype "${1}")
reduce_device_size=32768
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
- e2fsck -f "$1"
- if ! resize2fs "$1" "${reduced_size_in_kb}"; then
- panic "reencryption of filesystem $1 cannot continue!"
- fi
+ case $partition_fstype in
+ ext*)
+ # reduce the filesystem and partition by 32M to fit the LUKS header
+ e2fsck -f "$1"
+ if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+ panic "reencryption of filesystem $1 cannot continue!"
+ fi
+ ;;
+ squashfs|"")
+ echo "skip disk resize as it not support or unnecessary for fstype: '$partition_fstype'"
+ ;;
+ *)
+ panic "cannot resize parition. unsupport fstype: $partition_fstype"
+ ;;
+ esac
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
else
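Review bot: `get_fstype` at `partition_fstype=$(get_fstype "${1}")` is not defined in this script; it is the helper from initramfs-tools' scripts/functions, so the hook must source that file (if it already does above this hunk, a comment saying so would help). The `squashfs|""` branch skips the shrink but the `--reduce-device-size "$reduce_device_size"k` below still discards the last 32 MiB of the device; that is only safe while the squashfs/verity image is smaller than the partition minus 32 MiB (true for the 1G partitions in the wks files) and deserves a comment. Smaller points: the comment `# reduce the filesystem and partition by 32M to fit the LUKS header` now appears twice (before `reduce_device_size=32768` and again inside the `ext*` branch), and the two user-facing strings have typos ('as it not support', 'cannot resize parition. unsupport fstype').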
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (2 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 11:09 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 5/9] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
` (5 subsequent siblings)
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This fixes an issue with encrypted rootfs during system reboot.
With the token option it can happen that during reboot no
valid LUKS partition is found and the boot up fails in the initrd.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 51c81f3..685d882 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
- | grep -q "token"; then
+ | grep -q "luks2"; then
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
continue
fi
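Review bot: `grep -q "luks2"` on `luksDump` output matches the keyslot type line (`0: luks2`) rather than the header version, so a LUKS2 header with no keyslot would still be classified as not encrypted and fall through to reencryption; `cryptsetup isLuks --type luks2 "$part_device"` tests the header directly and needs no text matching. Also, the dump runs on `"$partition"` (the by-partlabel symlink) while `open_tpm2_partition` receives `"$part_device"`; the same device today, but using one variable avoids a mismatch when the selection logic changes.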
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 5/9] Rename encrypt-partitions to encrypt-data
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (3 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
` (4 subsequent siblings)
9 siblings, 0 replies; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This makes the purpose of this option more clear.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 2 +-
Kconfig | 2 +-
doc/README.tpm2.encryption.md | 2 +-
kas/opt/{encrypt-partitions.yml => encrypt-data.yml} | 0
kas/opt/security.yml | 2 +-
5 files changed, 4 insertions(+), 4 deletions(-)
rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bd34c82..aab55be 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -64,7 +64,7 @@ default:
- if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
- if [ "${release}" = "bookworm" ]; then base_yaml="${base_yaml}:kas/opt/bookworm.yml"; fi
- if [ "${release}" = "sid" ]; then base_yaml="${base_yaml}:kas/opt/sid.yml"; fi
- - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi
+ - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-data.yml"; fi
- if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi
- echo "Building ${base_yaml}"
- kas build ${base_yaml}
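Review bot: the CI matrix only ever appends kas/opt/encrypt-data.yml (`if [ "${encrypt}" = "enable" ]`), and the cover letter's diffstat shows .gitlab-ci.yml touched by this series only for this rename, so the full-encryption path added later in the series (kas/opt/encrypt-all.yml) lands without a build or boot test. Add an `encrypt=all` variant here that appends encrypt-all.yml.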
diff --git a/Kconfig b/Kconfig
index 7c19640..9478a06 100644
--- a/Kconfig
+++ b/Kconfig
@@ -211,6 +211,6 @@ config IMAGE_DATA_ENCRYPTION
config KAS_INCLUDE_DATA_ENCRYPTION
string
- default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+ default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
endif
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index 69a18dd..c5ac6c4 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -27,7 +27,7 @@ An example for qemu-amd64 can be build with by selecting the option after callin
or by adding using the following command line build:
```
-./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-partitions.yml
+./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-data.yml
```
## initramfs-crypt-hook configuration
diff --git a/kas/opt/encrypt-partitions.yml b/kas/opt/encrypt-data.yml
similarity index 100%
rename from kas/opt/encrypt-partitions.yml
rename to kas/opt/encrypt-data.yml
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index 000c522..4aa40e0 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -11,7 +11,7 @@
header:
version: 14
includes:
- - kas/opt/encrypt-partitions.yml
+ - kas/opt/encrypt-data.yml
- kas/opt/ebg-secure-boot-snakeoil.yml
target: cip-core-image-security
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (4 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 5/9] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 6:33 ` Jan Kiszka
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection Quirin Gylstorff
` (3 subsequent siblings)
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows setting up a system with all non-boot partitions encrypted.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 22 ++++++++++++++++++++--
kas/opt/encrypt-all.yml | 23 +++++++++++++++++++++++
2 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 kas/opt/encrypt-all.yml
diff --git a/Kconfig b/Kconfig
index 9478a06..d0a9bea 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,33 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+
+menuconfig DISK_ENCRYPTION
+ bool
+ prompt "disk encryption"
+ select IMAGE_SECURE_BOOT
+
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions on first boot"
- depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
- select IMAGE_SECURE_BOOT
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
help
This enables LUKS encryption for the partitions /var and /home.
+config IMAGE_FULL_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ select IMAGE_DATA_ENCRYPTION
+ help
+ This enables LUKS encryption for all non-boot partitions on first boot.
+ If the partitions contain secrets the first boot must occur in a secure
+ location.
+
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
+config KAS_INCLUDE_FULL_ENCRYPTION
+ string
+ default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
endif
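Review bot: the warning 'If the partitions contain secrets the first boot must occur in a secure location' is attached only to IMAGE_FULL_ENCRYPTION, but IMAGE_DATA_ENCRYPTION relies on the same first-boot reencryption with a randomly generated key (see the 'create random password for initial encryption' comment in encrypt_partition.script in 7/9), and /var and /home are exactly where provisioning secrets end up; move the sentence into the DISK_ENCRYPTION menu help or repeat it in both options. Smaller points: `menuconfig DISK_ENCRYPTION` has no help text, and IMAGE_FULL_ENCRYPTION both `select`s IMAGE_DATA_ENCRYPTION and repeats its `depends on` target list, so KAS_INCLUDE_DATA_ENCRYPTION and KAS_INCLUDE_FULL_ENCRYPTION are both set even though encrypt-all.yml already includes encrypt-data.yml; harmless with kas, but worth a comment so nobody "fixes" it.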
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
new file mode 100644
index 0000000..b6d4041
--- /dev/null
+++ b/kas/opt/encrypt-all.yml
@@ -0,0 +1,23 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+ includes:
+ - kas/opt/encrypt-data.yml
+local_conf_header:
+ encrypted_root: |
+ # Do not set mount points for systema and systemb as they are mounted by the
+ # abrootfs/verity initramfs
+ # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+ # to set all partitions
+ CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
+ home:/home:reencrypt var:/var:reencrypt"
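Review bot: the comment says `intramfs-crypt-hook` (initramfs), and 'we use a weak default assignment' explains a BitBake detail without saying which default is being replaced; state that the recipe's `?=` default covers only the data partitions, so an override has to list home and var again. More important for users: `${ABROOTFS_PART_UUID_A}::reencrypt` and `${ABROOTFS_PART_UUID_B}::reencrypt` are expanded at build time, so the mapper names baked into the initramfs are the image's fixed partition UUIDs. That is what lets SWUpdate address /dev/mapper/<PARTUUID>, but a device whose partition table was regenerated with different UUIDs will panic in the hook ('Could not find device mapped to ...'); the README should say so.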
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (5 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 11:11 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption Quirin Gylstorff
` (2 subsequent siblings)
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This adds the possibility to select the partition to be encrypted
by UUID or absolute path.
If used with a UUID, the UUID is used as the name of the device
mapper. With this change the swupdate-handler-roundrobin selects
the /dev/mapper/<PARTUUID> device for the update instead of the
underlying partition.
This allows updating an encrypted partition without triggering a
reencryption.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.clevis.hook | 2 ++
.../files/encrypt_partition.script | 27 ++++++++++++++-----
.../files/encrypt_partition.systemd.hook | 2 ++
.../files/mount_crypt_partitions.script | 20 +++++++++++---
.../initramfs-crypt-hook_0.2.bb | 3 ++-
5 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 0bb8ce6..0644eab 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -72,6 +72,8 @@ copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq"
copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake"
copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file "
copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
+copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse"
+
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
copy_exec /usr/sbin/cryptsetup-reencrypt
fi
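Review bot: the clevis hook copies `uuidparse` but not `basename`, while the systemd hook in this same patch adds both (`copy_exec /usr/bin/basename`); encrypt_partition.script now calls `basename` for absolute-path selections and for the `tmp_key` name, so unless the clevis initramfs gets basename from busybox, the absolute-path case fails there. Add the same `copy_exec /usr/bin/basename || hook_error ...` line here.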
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 685d882..293bfb1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -121,19 +121,34 @@ fi
prepare_for_encryption
for partition_set in $partition_sets; do
- partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
- partition=/dev/disk/by-partlabel/"$partition_label"
- crypt_mount_name="encrypted_$partition_label"
+ case "$partition" in
+ /*)
+ part_device=$(readlink -f "$partition")
+ crypt_mount_name="$( basename "$partition")"
+ ;;
+ *)
+ if uuidparse "$partition" -n -o TYPE | grep -q invalid; then
+ part_device=$(readlink -f /dev/disk/by-partlabel/"$partition")
+ crypt_mount_name="encrypted_${partition}"
+ else
+ part_device=$(readlink -f /dev/disk/by-partuuid/"$partition")
+ crypt_mount_name="${partition}"
+ fi
+ ;;
+ esac
+ if [ ! -e "$part_device" ]; then
+ panic "Could not find device mapped to '$partition' cannot be encrypted!"
+ fi
decrypted_part=/dev/mapper/"$crypt_mount_name"
- part_device=$(readlink -f "$partition")
# check if we are trying to mount root
if [ "$partition_mountpoint" = "/" ]; then
echo "ROOT=$decrypted_part" >/conf/param.conf
fi
- if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+ if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
| grep -q "luks2"; then
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
continue
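Review bot: `uuidparse "$partition" -n -o TYPE | grep -q invalid` treats every non-UUID string as a partition label, so a label that happens to be a well-formed UUID is looked up under /dev/disk/by-partuuid instead; acceptable, but document it where the selection syntax is described. The `panic` string 'Could not find device mapped to '$partition' cannot be encrypted!' runs two sentences together; "Device for '$partition' not found, cannot encrypt it" reads better. Also, `crypt_mount_name="$( basename "$partition")"` for an absolute path yields names like `sda4` that are neither stable across device enumeration nor guaranteed unique among existing mappings; since the point of the series is UUID-named mappings, consider resolving an absolute path to its PARTUUID first (e.g. `blkid -o value -s PARTUUID "$part_device"`) and naming the mapping after that.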
@@ -147,7 +162,7 @@ for partition_set in $partition_sets; do
# create random password for initial encryption
# this will be dropped after reboot
- tmp_key=/tmp/"$partition_label-lukskey"
+ tmp_key=/tmp/"$(basename "$part_device")-lukskey"
openssl rand -base64 32 > "$tmp_key"
case "${partition_format}" in
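Review bot: `tmp_key=/tmp/"$(basename "$part_device")-lukskey"` is created with `openssl rand -base64 32 >` under the initramfs default umask, and the comment says it 'will be dropped after reboot', i.e. it is not unlinked; set `umask 077` before writing it and `rm -f "$tmp_key"` as soon as the TPM2-bound keyslot has been enrolled. Please also confirm (not visible in this hunk) that the passphrase keyslot created from this file is removed afterwards, otherwise the random passphrase, and not only the TPM, can open the volume.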
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index 941f0b1..19e0fe4 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -51,6 +51,8 @@ copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenro
copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
+copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"
+copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse"
copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index b72323f..f35685e 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -45,11 +45,23 @@ mount_partition() {
}
partition_sets="$PARTITIONS"
for partition_set in $partition_sets; do
- partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
- partition=/dev/disk/by-partlabel/"$partition_label"
- part_device=$(readlink -f "$partition")
- crypt_mount_name="encrypted_$partition_label"
+ case "$partition" in
+ /*)
+ part_device=$(readlink -f "$partition")
+ crypt_mount_name="$( basename "$partition")"
+ ;;
+ *)
+ if uuidparse "$partition" -n -o TYPE | grep -q invalid; then
+ part_device=$(readlink -f /dev/disk/by-partlabel/"$partition")
+ crypt_mount_name="encrypted_${partition}"
+ else
+ part_device=$(readlink -f /dev/disk/by-partuuid/"$partition")
+ crypt_mount_name="${partition}"
+ fi
+ ;;
+ esac
decrypted_part=/dev/mapper/"$crypt_mount_name"
if [ -z "$partition_mountpoint" ]; then
continue
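Review bot: the two `readlink -f /dev/disk/by-part*/...` branches never verify that `part_device` exists, so a mistyped label or UUID in CRYPT_PARTITIONS only surfaces later as a luksDump failure; the matching change to encrypt_partition.script in this series adds `if [ ! -e "$part_device" ]; then panic ...; fi` right after the `esac`, and the same guard belongs here before `decrypted_part=` is computed. Two smaller points: the absolute-path branch names the mapping after `basename "$partition"` (so `/dev/sda7` becomes `/dev/mapper/sda7`, without the `encrypted_` prefix the label case gets), which is fine but should be stated in the README, and `$( basename` has a stray space.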
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
index 1d5a4a7..72de5b6 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
@@ -11,7 +11,8 @@
inherit dpkg-raw
DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
- libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
+ libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
+ e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
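Review bot: `coreutils` in DEBIAN_DEPENDS is redundant, since coreutils is an Essential package in Debian and Policy does not require declaring a dependency on it; `uuid-runtime` is the one that matters here because it provides `uuidparse`, which both hooks now copy into the initramfs. Harmless either way, so only a nit.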
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (6 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 11:14 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection Quirin Gylstorff
2024-05-03 7:24 ` [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Jan Kiszka
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.tpm2.encryption.md | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index c5ac6c4..889c3ca 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -4,6 +4,10 @@ By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined
encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the
passphrase on the device.
+> :exclamation:**IMPORTANT**
+> All selected partition are encrypted on first boot. In order to avoid the leakage of secrets
+> the disk encryption should occur in a secure environment.
+
## Requirements
Testing with qemu-amd64 requires the package `swtpm`. Under Debian/Ubuntu this can be installed
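Review bot: the IMPORTANT box should say what can leak and why, otherwise a reader cannot judge what "secure environment" has to cover: until the first boot has finished, the selected partitions still hold their data in plaintext, and the initial passphrase is written to a temporary file in the initramfs (`tmp_key=/tmp/...-lukskey` in encrypt_partition.script). Also "All selected partition" should read "partitions", and given the consequence, "should occur" reads weaker than intended.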
@@ -38,12 +42,22 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri
### CRYPT_PARTITIONS
The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>`.
-- The `partition-label` is used to identify the partition on the disk
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt or format>`.
+- The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
- The `mountpoint` is used mount the decrypted partition in the root file system
- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
+during boot.
+
### CRYPT_CREATE_FILE_SYSTEM_CMD
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
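Review bot: the example `/dev/sda` in the `partition-identifier` bullet is a whole-disk node, not a partition device; since the `reencrypt` path shrinks and rewrites whatever device it is handed, the example should be a partition such as `/dev/sda5`. The bullet should also state how the identifier form selects the device-mapper name (`/dev/mapper/encrypted_<label>` for a label, `/dev/mapper/<uuid>` for a partition UUID, the path's basename for an absolute path), because the SWUpdate round-robin handler described in README.swupdate only resolves the UUID form. Typos in the same region: `partition-idenitifer`, "is used mount", "exiting content", "a empty LUKS partition".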
@@ -59,7 +73,7 @@ based encryption:
- jq
## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
```bash
export device=/dev/sda6
export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
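Review bot: the context line below the typo fix uses `.tokens.[]` in the jq filter; the dot before `[]` is accepted only by recent jq releases and rejected as a syntax error by older ones, so `.tokens[]` is the portable spelling and worth correcting while this script is being touched.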
--
2.43.0
* [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (7 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption Quirin Gylstorff
@ 2024-05-02 9:31 ` Quirin Gylstorff
2024-05-03 11:18 ` MOESSBAUER, Felix
2024-05-03 7:24 ` [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Jan Kiszka
9 siblings, 1 reply; 19+ messages in thread
From: Quirin Gylstorff @ 2024-05-02 9:31 UTC (permalink / raw)
To: cip-dev, jan.kiszka, johnxw, felix.moessbauer
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.swupdate.md | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index b7e13f7..fee695e 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -7,6 +7,22 @@ Start with cloning the isar-cip-core repository:
```
host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git
```
+
+## Update Partition selector(swupdate-handler-roundrobin)
+
+SWUpdate uses the handler [swupdate-handler-roundrobin](https://gitlab.com/cip-project/cip-sw-updates/swupdate-handler-roundrobin) to select the update partition.
+The handler uses the label of the by efibootguard selected boot partition.
+In the cip-core provided images the boot partitions are labeled `BOOT0`
+and `BOOT1`, see [ebg-sysparts.inc](../wic/ebg-sysparts.inc).
+
+The [sw-description](recipes-core/images/swu/sw-description.tmpl) contains the mapping from boot
+partition to root file system partition, e.g.:
+```
+device = "C:BOOT0:linux.efi->${ABROOTFS_PART_UUID_A},C:BOOT1:linux.efi->${ABROOTFS_PART_UUID_B}";
+```
+The variables `ABROOTFS_PART_UUID_A` and `ABROOTFS_PART_UUID_B` contain partition uuids. The handler searches
+for the matching device and SWUpdate writes the image to the selected device.
+
## SWUpdate Efibootguard update
:warning: **If the efibootguard binary is corrupted the system can no longer boot**
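Review bot: the link `(recipes-core/images/swu/sw-description.tmpl)` is relative to doc/, so it resolves to doc/recipes-core/... and breaks; the ebg-sysparts link two paragraphs above correctly uses `../wic/ebg-sysparts.inc`, so this one should be `../recipes-core/images/swu/sw-description.tmpl`. Also the heading is missing a space before the parenthesis, and "the label of the by efibootguard selected boot partition" reads better as "the label of the boot partition selected by efibootguard".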
--
2.43.0
* Re: [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-05-03 6:33 ` Jan Kiszka
0 siblings, 0 replies; 19+ messages in thread
From: Jan Kiszka @ 2024-05-03 6:33 UTC (permalink / raw)
To: Quirin Gylstorff, cip-dev, johnxw, felix.moessbauer
On 02.05.24 11:31, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This allows setting up a system with all non-boot partitions encrypted.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Kconfig | 22 ++++++++++++++++++++--
> kas/opt/encrypt-all.yml | 23 +++++++++++++++++++++++
> 2 files changed, 43 insertions(+), 2 deletions(-)
> create mode 100644 kas/opt/encrypt-all.yml
>
> diff --git a/Kconfig b/Kconfig
> index 9478a06..d0a9bea 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -202,15 +202,33 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>
> +
> +menuconfig DISK_ENCRYPTION
> + bool
> + prompt "disk encryption"
> + select IMAGE_SECURE_BOOT
> +
A menu is overkill here, specifically as...
> config IMAGE_DATA_ENCRYPTION
> bool "Encrypt data partitions on first boot"
> - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
> - select IMAGE_SECURE_BOOT
> + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
> help
> This enables LUKS encryption for the partitions /var and /home.
>
> +config IMAGE_FULL_ENCRYPTION
> + bool "Encrypt rootfs and data partitions"
> + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
> + select IMAGE_DATA_ENCRYPTION
> + help
> + This enables LUKS encryption for all non-boot partitions on first boot.
> + If the partitions contain secrets the first boot must occur in a secure
> + location.
> +
...you can't select IMAGE_FULL_ENCRYPTION without IMAGE_DATA_ENCRYPTION
(for good reasons). It's also strange when one only selects the menu but
not any items of it. Therefore:
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions"
select IMAGE_SECURE_BOOT
depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
help
This enables LUKS encryption for the partitions /var and /home.
Encryption is done with a device-specific key on first boot.
config IMAGE_FULL_ENCRYPTION
bool "Encrypt rootfs and data partitions"
depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
select IMAGE_DATA_ENCRYPTION
help
This enables LUKS encryption for all non-boot partitions on first boot.
If the partitions contain secrets the first boot must occur in a secure
location.
Jan
> config KAS_INCLUDE_DATA_ENCRYPTION
> string
> default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
>
> +config KAS_INCLUDE_FULL_ENCRYPTION
> + string
> + default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
> +
> endif
> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
> new file mode 100644
> index 0000000..b6d4041
> --- /dev/null
> +++ b/kas/opt/encrypt-all.yml
> @@ -0,0 +1,23 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> + version: 14
> + includes:
> + - kas/opt/encrypt-data.yml
> +local_conf_header:
> + encrypted_root: |
> + # Do not set mount points for systema and systemb as they are mounted by the
> + # abrootfs/verity initramfs
> + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
> + # to set all partitions
> + CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
> + home:/home:reencrypt var:/var:reencrypt"
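Review bot: typo in the comment, `intramfs-crypt-hook` should be `initramfs-crypt-hook`. More importantly, because the recipe's weak default forces the complete list to be restated here, `home:/home:reencrypt var:/var:reencrypt` repeats the /home and /var entries that the included encrypt-data.yml is there to provide; a comment saying the two files must be kept in sync (or why `:append` is not used instead) would prevent them from drifting apart.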
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
` (8 preceding siblings ...)
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection Quirin Gylstorff
@ 2024-05-03 7:24 ` Jan Kiszka
2024-05-03 11:20 ` MOESSBAUER, Felix
9 siblings, 1 reply; 19+ messages in thread
From: Jan Kiszka @ 2024-05-03 7:24 UTC (permalink / raw)
To: Quirin Gylstorff, cip-dev, johnxw, felix.moessbauer
On 02.05.24 11:31, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This adds the option to encrypt both root file system partitions.
> The encrypted partition can be updated with SWUpdate.
>
> The disk encryption is independent of the selected boot method and
> could also be used to encrypt a single writable root file system.
>
> To simplify the handling of the swupdate the encrypted partitions use
> the uuid as the device mapper name.
>
>
> If all partitions are encrypted the partition layout looks similar to
> this:
>
> ```
> root@demo:~# lsblk
> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
> sda 8:0 0 5.4G 0 disk
> ├─sda1 8:1 0 16.1M 0 part
> ├─sda2 8:2 0 42M 0 part
> ├─sda3 8:3 0 42M 0 part
> ├─sda4 8:4 0 1G 0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0 0 1008M 0 crypt
> ├─sda5 8:5 0 1G 0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1 0 1008M 0 crypt
> │ └─verityroot 252:4 0 115.3M 1 crypt /
> ├─sda6 8:6 0 1.3G 0 part
> │ └─encrypted_home 252:2 0 1.3G 0 crypt /home
> └─sda7 8:7 0 2G 0 part
> └─encrypted_var 252:3 0 2G 0 crypt /var
> ```
> Changes v4:
> - Clarify that only non-boot partitions are encrypted
> - Fix typos
> - Add note for encryption in secure environment
>
> Changes v3:
> - Update the encrypted partition instead of the underlying device
> - Use uuids instead of labels for the partitions.
> - Allow uuids and absolute path to select the partition to be
> encrypted.
> - Add Readme for partition selection.
>
> Changes v2:
> - Rewrite commit messages
> - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
> - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> - Fix assignment of CRYPT_PARTITIONS
>
> Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> - add partition labels for a/b partitions
> - use a/b rootfs configuration instead of a separate wks file
>
>
> Quirin Gylstorff (9):
> wic/*: Add part-labels to system partition
> initramfs: allow empty mountpoint for crypt hooks
> initramfs-crypt: Only resize partition if ext* formatted
> fix: use luks2 to identify encrypted partition
> Rename encrypt-partitions to encrypt-data
> Kconfig: Add option to encrypt the rootfs
> crypt-hook: Extend partition selection
> README: Add rootfs encryption
> README.swupdate: Add section about partition selection
>
> .gitlab-ci.yml | 2 +-
> Kconfig | 24 +++++++--
> doc/README.swupdate.md | 16 ++++++
> doc/README.tpm2.encryption.md | 22 +++++++--
> kas/opt/encrypt-all.yml | 23 +++++++++
> ...ncrypt-partitions.yml => encrypt-data.yml} | 0
> kas/opt/security.yml | 2 +-
> .../files/encrypt_partition.clevis.hook | 2 +
> .../files/encrypt_partition.script | 49 ++++++++++++++-----
> .../files/encrypt_partition.systemd.hook | 2 +
> .../files/mount_crypt_partitions.script | 24 +++++++--
> .../initramfs-crypt-hook_0.2.bb | 3 +-
> wic/bbb-efibootguard.wks.in | 4 +-
> wic/hihope-rzg2m-efibootguard.wks.in | 4 +-
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
> wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
> wic/qemu-arm64-efibootguard.wks.in | 4 +-
> wic/qemu-riscv64-efibootguard.wks.in | 4 +-
> wic/x86-efibootguard.wks.in | 4 +-
> 19 files changed, 157 insertions(+), 40 deletions(-)
> create mode 100644 kas/opt/encrypt-all.yml
> rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
>
Just tested in qemu-amd64. It works, but there are many suspicious
warnings and messages during first boot:
Warning: keyslot operation could fail as it requires more than available memory.
Progress: 52.4%, ETA 00m06s, 528 MiB written, speed 78.8 MiB/s
Finished, time 00m11s, 1008 MiB written, speed 83.5 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda5 is not a valid LUKS device.
skip disk resize as it not support or unnecessary for fstype: ''
Warning: keyslot operation could fail as it requires more than available memory.
Finished, time 00m11s, 1008 MiB written, speed 83.7 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda6 is not a valid LUKS device.
Jan
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
@ 2024-05-03 11:07 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:07 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This allows to encrypt partition which have as seperate mount
---------------------------------^ partitions -^ a separate ...
Felix
> script like verity and abrootfs
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4
> +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script b/recipes-
> initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
> index 3411e70..b72323f 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script
> @@ -51,7 +51,9 @@ for partition_set in $partition_sets; do
> part_device=$(readlink -f "$partition")
> crypt_mount_name="encrypted_$partition_label"
> decrypted_part=/dev/mapper/"$crypt_mount_name"
> -
> + if [ -z "$partition_mountpoint" ]; then
> + continue
> + fi
> if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device"
> \
> | grep -q "luks2"; then
> mount_partition "$decrypted_part"
> "${rootmnt}""$partition_mountpoint"
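Review bot: the new early `continue` also skips the `luksDump ... grep -q "luks2"` check and the `mount_partition` call below it, so an entry with an empty mountpoint is neither opened nor mounted by this script. That is the intended split (the commit message says such partitions are handled by the verity and abrootfs scripts), but a one-line comment above the `if` stating it would stop the next reader from treating the skipped open as a bug.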
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
@ 2024-05-03 11:07 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:07 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> squashfs or empty partition cannot be resized with resize2fs.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../files/encrypt_partition.script | 20 +++++++++++++++--
> --
> 1 file changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> index 8f6cbf6..51c81f3 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -64,14 +64,26 @@ service_watchdog() {
> reencrypt_existing_partition() {
> part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1"
> 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
> # reduce the filesystem and partition by 32M to fit the LUKS
> header
> + partition_fstype=$(get_fstype "${1}")
> reduce_device_size=32768
> reduced_size="$(expr "$part_size_blocks" - 65536 )"
> reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
> reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
> - e2fsck -f "$1"
> - if ! resize2fs "$1" "${reduced_size_in_kb}"; then
> - panic "reencryption of filesystem $1 cannot
> continue!"
> - fi
> + case $partition_fstype in
> + ext*)
> + # reduce the filesystem and partition by 32M to fit
> the LUKS header
> + e2fsck -f "$1"
> + if ! resize2fs "$1" "${reduced_size_in_kb}"; then
> + panic "reencryption of filesystem $1 cannot
> continue!"
> + fi
> + ;;
> + squashfs|"")
> + echo "skip disk resize as it not support or
---------------------------------------------^ it is not supported
Felix
> unnecessary for fstype: '$partition_fstype'"
> + ;;
> + *)
> + panic "cannot resize parition. unsupport fstype:
> $partition_fstype"
> + ;;
> + esac
> if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
> /usr/sbin/cryptsetup-reencrypt --new --reduce-device-
> size "$reduce_device_size"k "$1" < "$2"
> else
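Review bot: the `squashfs|"")` branch skips the resize, but the `cryptsetup-reencrypt --reduce-device-size` call that follows still shifts the data forward by 32 MiB and discards the last 32 MiB of the device, so this is only safe while the squashfs image is at least 32 MiB smaller than the partition; the branch should compare the image size against `reduced_size_in_byte` and panic if it does not fit rather than assume it does. The empty-fstype case deserves the same scrutiny: an unformatted partition is fine, but a device whose filesystem is not recognised may also come back with an empty type and would then be silently truncated. Minor: the "reduce the filesystem and partition by 32M" comment is now duplicated, and the panic message has `parition` and `unsupport`.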
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-05-03 11:09 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:09 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This fixes an issue with encrypted rootfs during system reboot.
> With the token option it can happen that during reboot the no
> valid Luks partition is found and the boot up fails in the initrd.
Please improve the commit message. While doing so, please also explain
why this fixes the issue.
Felix
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../initramfs-crypt-hook/files/encrypt_partition.script | 2
> +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> index 51c81f3..685d882 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
> fi
>
> if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> - | grep -q "token"; then
> + | grep -q "luks2"; then
> open_tpm2_partition "$part_device"
> "$crypt_mount_name" "$tpm_device"
> continue
> fi
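Review bot: both the old `grep -q "token"` and the new `grep -q "luks2"` key off incidental strings in the human-readable luksDump output (`luks2` matches the keyslot type lines, so it is true for any LUKS2 device with a keyslot, whether or not a TPM token was ever enrolled); `cryptsetup isLuks --type luks2 "$partition"` expresses the intended check directly and does not depend on output formatting. The commit message should also say why "is LUKS2" rather than "has a token" is the right condition for taking the `open_tpm2_partition` path, which is the explanation Felix asks for above.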
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection Quirin Gylstorff
@ 2024-05-03 11:11 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:11 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This adds the possiblity to select to partition to be encrypted
-------------------------------------^ the partition?
> by UUID or absolute path.
>
> If used with an UUID the uuid is used as the name of the device
> mapper. With this change the swupdate-handler-roundrobin selects
> the /dev/mapper/<PARTUUID> device for the update instead of the
> underling partition.
>
> This allows to update encrpyted partition without triggering a
-------------------^ an encrypted
Felix
> reencryption.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../files/encrypt_partition.clevis.hook | 2 ++
> .../files/encrypt_partition.script | 27 ++++++++++++++---
> --
> .../files/encrypt_partition.systemd.hook | 2 ++
> .../files/mount_crypt_partitions.script | 20 +++++++++++---
> .../initramfs-crypt-hook_0.2.bb | 3 ++-
> 5 files changed, 43 insertions(+), 11 deletions(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.clevis.hook b/recipes-
> initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
> index 0bb8ce6..0644eab 100755
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.clevis.hook
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.clevis.hook
> @@ -72,6 +72,8 @@ copy_exec /usr/bin/seq || hook_error "Unable to
> copy /usr/bin/seq"
> copy_exec /usr/bin/pwmake || hook_error "Unable to copy
> /usr/bin/pwmake"
> copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file
> "
> copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy
> /usr/lib/*/libgcc_s.so.1 "
> +copy_exec /usr/bin/uuidparse || hook_error "Unable to copy
> /usr/bin/uuidparse"
> +
> if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
> copy_exec /usr/sbin/cryptsetup-reencrypt
> fi
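Review bot: this hunk only adds `uuidparse`, whereas the systemd hook in the same series also adds `copy_exec /usr/bin/basename`; encrypt_partition.script now calls `basename` in the absolute-path branch and when building `tmp_key`, so unless the clevis hook already copies it elsewhere, the clevis initramfs will fail with a "not found" on that call. Adding the matching `copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"` here keeps the two hooks symmetric.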
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> index 685d882..293bfb1 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -121,19 +121,34 @@ fi
> prepare_for_encryption
>
> for partition_set in $partition_sets; do
> - partition_label="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[1]}')"
> + partition="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[1]}')"
> partition_mountpoint="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[2]}')"
> partition_format="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[3]}')"
> - partition=/dev/disk/by-partlabel/"$partition_label"
> - crypt_mount_name="encrypted_$partition_label"
> + case "$partition" in
> + /*)
> + part_device=$(readlink -f "$partition")
> + crypt_mount_name="$( basename "$partition")"
> + ;;
> + *)
> + if uuidparse "$partition" -n -o TYPE | grep -
> q invalid; then
> + part_device=$(readlink -f
> /dev/disk/by-partlabel/"$partition")
> + crypt_mount_name="encrypted_${partiti
> on}"
> + else
> + part_device=$(readlink -f
> /dev/disk/by-partuuid/"$partition")
> + crypt_mount_name="${partition}"
> + fi
> + ;;
> + esac
> + if [ ! -e "$part_device" ]; then
> + panic "Could not find device mapped to '$partition'
> cannot be encrypted!"
> + fi
> decrypted_part=/dev/mapper/"$crypt_mount_name"
> - part_device=$(readlink -f "$partition")
> # check if we are trying to mount root
> if [ "$partition_mountpoint" = "/" ]; then
> echo "ROOT=$decrypted_part" >/conf/param.conf
> fi
>
> - if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> + if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device"
> \
> | grep -q "luks2"; then
> open_tpm2_partition "$part_device"
> "$crypt_mount_name" "$tpm_device"
> continue
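Review bot: the `case "$partition"` block deriving `part_device` and `crypt_mount_name` is now duplicated verbatim between encrypt_partition.script and mount_crypt_partitions.script; if the two copies ever disagree, first boot encrypts one device while later boots try to open another, so a shared helper sourced by both scripts would be safer. Also the panic text "Could not find device mapped to '$partition' cannot be encrypted!" runs two sentences together, and the existence check added here is exactly the one mount_crypt_partitions.script is still missing.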
> @@ -147,7 +162,7 @@ for partition_set in $partition_sets; do
>
> # create random password for initial encryption
> # this will be dropped after reboot
> - tmp_key=/tmp/"$partition_label-lukskey"
> + tmp_key=/tmp/"$(basename "$part_device")-lukskey"
> openssl rand -base64 32 > "$tmp_key"
>
> case "${partition_format}" in
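Review bot: naming the temporary key after `basename "$part_device"` is fine, but the surrounding lines show the initial passphrase being written to /tmp with the default umask and left there until reboot ("this will be dropped after reboot"); creating it under `umask 077` and removing it as soon as the TPM enrollment has replaced it would shorten the window in which the plaintext key exists, which is what the "secure environment" caveat added to the README in 8/9 is about.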
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.systemd.hook b/recipes-
> initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> index 941f0b1..19e0fe4 100755
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.systemd.hook
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.systemd.hook
> @@ -51,6 +51,8 @@ copy_exec /usr/bin/systemd-cryptenroll ||
> hook_error "/usr/bin/systemd-cryptenro
> copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error
> "/usr/lib/systemd/systemd-cryptsetup not found"
> copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy
> /usr/bin/tpm2_pcrread"
> copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy
> /usr/bin/tpm2_testparms"
> +copy_exec /usr/bin/basename || hook_error "Unable to copy
> /usr/bin/basename"
> +copy_exec /usr/bin/uuidparse || hook_error "Unable to copy
> /usr/bin/uuidparse"
>
> copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so
> || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-
> tpm2.so not found"
> if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script b/recipes-
> initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
> index b72323f..f35685e 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/mount_crypt_partitions.script
> @@ -45,11 +45,23 @@ mount_partition() {
> }
> partition_sets="$PARTITIONS"
> for partition_set in $partition_sets; do
> - partition_label="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[1]}')"
> + partition="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[1]}')"
> partition_mountpoint="$(awk -v var="$partition_set"
> 'BEGIN{split(var,a,":"); print a[2]}')"
> - partition=/dev/disk/by-partlabel/"$partition_label"
> - part_device=$(readlink -f "$partition")
> - crypt_mount_name="encrypted_$partition_label"
> + case "$partition" in
> + /*)
> + part_device=$(readlink -f "$partition")
> + crypt_mount_name="$( basename "$partition")"
> + ;;
> + *)
> + if uuidparse "$partition" -n -o TYPE | grep -
> q invalid; then
> + part_device=$(readlink -f
> /dev/disk/by-partlabel/"$partition")
> + crypt_mount_name="encrypted_${partiti
> on}"
> + else
> + part_device=$(readlink -f
> /dev/disk/by-partuuid/"$partition")
> + crypt_mount_name="${partition}"
> + fi
> + ;;
> + esac
> decrypted_part=/dev/mapper/"$crypt_mount_name"
> if [ -z "$partition_mountpoint" ]; then
> continue
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.2.bb
> index 1d5a4a7..72de5b6 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.2.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.2.bb
> @@ -11,7 +11,8 @@
> inherit dpkg-raw
> DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
> awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
> - libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0,
> e2fsprogs, tpm2-tools"
> + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
> + e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
>
> CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file,
> libpwquality-tools"
>
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption Quirin Gylstorff
@ 2024-05-03 11:14 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:14 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> doc/README.tpm2.encryption.md | 20 +++++++++++++++++---
> 1 file changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/doc/README.tpm2.encryption.md
> b/doc/README.tpm2.encryption.md
> index c5ac6c4..889c3ca 100644
> --- a/doc/README.tpm2.encryption.md
> +++ b/doc/README.tpm2.encryption.md
> @@ -4,6 +4,10 @@ By adding the recipe `initramfs-crypt-hook` to the
> initramfs build user defined
> encrypted during first boot. The encrypted partition is a LUKS
> partition and uses a TPM to secure the
> passphrase on the device.
>
> +> :exclamation:**IMPORTANT**
> +> All selected partition are encrypted on first boot. In order to
------------------^ partitions
> avoid the leakage of secrets
> +> the disk encryption should occur in a secure environment.
-------------------------^ should? I would be more strict and say
"must".
> +
> ## Requirements
>
> Testing with qemu-amd64 requires the package `swtpm`. Under
> Debian/Ubuntu this can be installed
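Review bot: the IMPORTANT note added in this hunk says what to do but not why; since the selected partitions are unencrypted until the first-boot encryption has finished (the `reencrypt` mode documented further down encrypts existing content in place), stating that makes the "secure environment" requirement concrete and tells the integrator exactly which window is exposed, and with that rationale "must" is the natural word.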
> @@ -38,12 +42,22 @@ The initramfs-crypt-hook recipe has the following
> variables which can be overwri
> ### CRYPT_PARTITIONS
>
> The variable `CRYPT_PARTITIONS` contains the information which
> partition shall be encrypted where to mount it.
> -Each entry uses the schema `<partition-
> label>:<mountpoint>:<reencrypt or format>`.
> -- The `partition-label` is used to identify the partition on the
> disk
> +Each entry uses the schema `<partition-
> identifier>:<mountpoint>:<reencrypt or format>`.
> +- The `partition-idenitifer` is used to identify the partition on
> the disk, it can contain a partition label, partition UUID or
> absolute path to the partition device, e.g. `/dev/sda`.
> - The `mountpoint` is used mount the decrypted partition in the root
> file system
> - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting
> content of the partition. This reduces the partition by 32MB and the
> file system by a similar amount
> - `format` creates a empty LUKS partition and creates a file system
> defined with the shell command given in
> `CRYPT_CREATE_FILE_SYSTEM_CMD`
>
> +#### Encrypted root file system
> +
> +To encrypt the root file system the variable `CRYPT_PARTITIONS`
> needs to be set to:
> +```
> +CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt
> ${ABROOTFS_PART_UUID_B}::reencrypt"
> +```
> +The mountpoint is empty as the root partition is mounted by another
---------------------------------------------------------------^ an
instead of another.
> initramfs service.
> +Both partitions are encrypted during first boot. The initramfs opens
-----------------------------------------------------------------^ hook
Felix
> `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
> +during boot.
> +
> ### CRYPT_CREATE_FILE_SYSTEM_CMD
>
> The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to
> create a new file system on a newly
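Review bot: two problems in the added `partition-idenitifer` bullet: the word is misspelled and no longer matches the `<partition-identifier>` placeholder in the schema line directly above it, and `/dev/sda` is a whole-disk node rather than a partition device, so the example should be a partition path such as `/dev/sda5` (a reader copying `/dev/sda` would point the hook at the disk). Minor: "is used mount the decrypted partition" is missing "to".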
> @@ -59,7 +73,7 @@ based encryption:
> - jq
>
> ## steps to convert clevis to systemd
> -The following script shows how to enroll a systemd-tpm2 token with a
> existinng clevis based encryption:
> +The following script shows how to enroll a systemd-tpm2 token with a
> existing clevis based encryption:
> ```bash
> export device=/dev/sda6
> export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-
> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots
> | first' | head -n1)
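Review bot: the hunk itself only fixes `existinng`, but the context script right below it deserves a look while this file is touched: `.tokens.[]` is the `.a.[]` form that only jq 1.7 and newer accept, while older jq releases reject it with a syntax error; `.tokens[]` means the same and is accepted by all of them, so `jq -c '.tokens[] | select(.type == "clevis") | .keyslots | first'` is the portable spelling.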
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection Quirin Gylstorff
@ 2024-05-03 11:18 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:18 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> doc/README.swupdate.md | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
> index b7e13f7..fee695e 100644
> --- a/doc/README.swupdate.md
> +++ b/doc/README.swupdate.md
> @@ -7,6 +7,22 @@ Start with cloning the isar-cip-core repository:
> ```
> host$ git clone
> https://gitlab.com/cip-project/cip-core/isar-cip-core.git
> ```
> +
> +## Update Partition selector(swupdate-handler-roundrobin)
> +
> +SWUpdate uses the handler [swupdate-handler-
> roundrobin](https://gitlab.com/cip-project/cip-sw-updates/swupdate-
> handler-roundrobin) to select the update partition.
... the partition to update.
> +The handler uses the label of the
> by efibootguard selected boot partition.
Is that always true? What the handler selects depends on what you put
into the sw-description file. In the CIP reference implementation, this
is indeed a label.
Felix
> +In the cip-core provided images the boot partitions are labeled
> `BOOT0`
> +and `BOOT1`, see [ebg-sysparts.inc](../wic/ebg-sysparts.inc).
> +
> +The [sw-description](recipes-core/images/swu/sw-description.tmpl)
> contains the mapping from boot
> +partition to root file system partition, e.g.:
> +```
> +device = "C:BOOT0:linux.efi-
> >${ABROOTFS_PART_UUID_A},C:BOOT1:linux.efi->${ABROOTFS_PART_UUID_B}";
> +```
> +The variables `ABROOTFS_PART_UUID_A` and `ABROOTFS_PART_UUID_B`
> contain partition uuids. The handler searches
> +for the matching device and SWUpdate writes the image to the
> selected device.
> +
> ## SWUpdate Efibootguard update
>
> :warning: **If the efibootguard binary is corrupted the system can
> no longer boot**
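Review bot: the two relative links in this hunk are inconsistent: `[ebg-sysparts.inc](../wic/ebg-sysparts.inc)` goes up one level from `doc/`, while `[sw-description](recipes-core/images/swu/sw-description.tmpl)` does not, so from `doc/README.swupdate.md` the second link resolves to `doc/recipes-core/...` and is broken; it should be `../recipes-core/images/swu/sw-description.tmpl`. Also the heading `## Update Partition selector(swupdate-handler-roundrobin)` is missing a space before the parenthesis.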
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs
2024-05-03 7:24 ` [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Jan Kiszka
@ 2024-05-03 11:20 ` MOESSBAUER, Felix
0 siblings, 0 replies; 19+ messages in thread
From: MOESSBAUER, Felix @ 2024-05-03 11:20 UTC (permalink / raw)
To: cip-dev@lists.cip-project.org, quirin.gylstorff@siemens.com,
Kiszka, Jan, johnxw@amazon.com
On Fri, 2024-05-03 at 09:24 +0200, Jan Kiszka wrote:
> On 02.05.24 11:31, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > This adds the option to encrypt both root file system partitions.
> > The encrypted partition can be updated with SWUpdate.
> >
> > The disk encryption is independent of the selected boot method and
> > could also be used to encrypt a single writable root file system.
> >
> > To simplify the handling of the swupdate the encrypted partition
> > use
> > the uuid as the device mapper name.
> >
> >
> > If all partitions are encrypted the partition layout looks similar
> > to
> > this:
> >
> > ```
> > root@demo:~# lsblk
> > NAME MAJ:MIN RM SIZE RO TYPE
> > MOUNTPOINTS
> > sda 8:0 0 5.4G 0 disk
> > ├─sda1 8:1 0 16.1M 0 part
> > ├─sda2 8:2 0 42M 0 part
> > ├─sda3 8:3 0 42M 0 part
> > ├─sda4 8:4 0 1G 0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0 0 1008M 0 crypt
> > ├─sda5 8:5 0 1G 0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1 0 1008M 0 crypt
> > │ └─verityroot 252:4 0 115.3M 1 crypt
> > /
> > ├─sda6 8:6 0 1.3G 0 part
> > │ └─encrypted_home 252:2 0 1.3G 0 crypt
> > /home
> > └─sda7 8:7 0 2G 0 part
> > └─encrypted_var 252:3 0 2G 0 crypt
> > /var
> > ```
> > Changes v4:
> > - Clarify that only non-boot partitions are encrypted
> > - Fix typos
> > - Add note for encryption in secure environment
> >
> > Changes v3:
> > - Update the encrypted partition instead of the underlying device
> > - Use uuids instead of labels for the partitions.
> > - Allow uuids and absolute path to select the partition to be
> > encrypted.
> > - Add Readme for partition selection.
> >
> > Changes v2:
> > - Rewrite commit messages
> > - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-
> > data.yml
> > - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> > - Fix assignment of CRYPT_PARTITIONS
> >
> > Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> > - add partition labels for a/b partitions
> > - use a/b rootfs configuration instead of separate wks file
> >
> >
> > Quirin Gylstorff (9):
> > wic/*: Add part-labels to system partition
> > initramfs: allow empty mountpoint for crypt hooks
> > initramfs-crypt: Only resize partition if ext* formatted
> > fix: use luks2 to identify encrypted partition
> > Rename encrypt-partitions to encrypt-data
> > Kconfig: Add option to encrypt the rootfs
> > crypt-hook: Extend partition selection
> > README: Add rootfs encryption
> > README.swupdate: Add section about partition selection
> >
> > .gitlab-ci.yml | 2 +-
> > Kconfig | 24 +++++++--
> > doc/README.swupdate.md | 16 ++++++
> > doc/README.tpm2.encryption.md | 22 +++++++--
> > kas/opt/encrypt-all.yml | 23 +++++++++
> > ...ncrypt-partitions.yml => encrypt-data.yml} | 0
> > kas/opt/security.yml | 2 +-
> > .../files/encrypt_partition.clevis.hook | 2 +
> > .../files/encrypt_partition.script | 49 ++++++++++++++-
> > ----
> > .../files/encrypt_partition.systemd.hook | 2 +
> > .../files/mount_crypt_partitions.script | 24 +++++++--
> > .../initramfs-crypt-hook_0.2.bb | 3 +-
> > wic/bbb-efibootguard.wks.in | 4 +-
> > wic/hihope-rzg2m-efibootguard.wks.in | 4 +-
> > wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
> > wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
> > wic/qemu-arm64-efibootguard.wks.in | 4 +-
> > wic/qemu-riscv64-efibootguard.wks.in | 4 +-
> > wic/x86-efibootguard.wks.in | 4 +-
> > 19 files changed, 157 insertions(+), 40 deletions(-)
> > create mode 100644 kas/opt/encrypt-all.yml
> > rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
> >
>
> Just tested in qemu-amd64. It works, but there are many suspicious
> warnings and messages during first boot:
>
> Warning: keyslot operation could fail as it requires more than
> available memory.
> Progress: 52.4%, ETA 00m06s, 528 MiB written, speed 78.8 MiB/s
> Finished, time 00m11s, 1008 MiB written, speed 83.5 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-
> top/encrypt_partition: -: not found
> Device /dev/sda5 is not a valid LUKS device.
> skip disk resize as it not support or unnecessary for fstype: ''
This indicates a bug in the script, as the fstype is empty. Also, I'm
not sure if we want to issue this message at all. For me, that's just a
debug hint.
> Warning: keyslot operation could fail as it requires more than
> available memory.
> Finished, time 00m11s, 1008 MiB written, speed 83.7 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-
> top/encrypt_partition: -: not found
Also this should be fixed.
Felix
> Device /dev/sda6 is not a valid LUKS device.
>
> Jan
>
--
Siemens AG, Technology
Linux Expert Center
end of thread
Thread overview: 19+ messages
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 1/9] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
2024-05-03 11:07 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
2024-05-03 11:07 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition Quirin Gylstorff
2024-05-03 11:09 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 5/9] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
2024-05-03 6:33 ` Jan Kiszka
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection Quirin Gylstorff
2024-05-03 11:11 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption Quirin Gylstorff
2024-05-03 11:14 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection Quirin Gylstorff
2024-05-03 11:18 ` MOESSBAUER, Felix
2024-05-03 7:24 ` [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Jan Kiszka
2024-05-03 11:20 ` MOESSBAUER, Felix