public inbox for cip-dev@lists.cip-project.org
* [PATCH v2 0/4] initramfs-crypt-hook patch
@ 2025-02-27 14:30 Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 1/4] initramfs-crypt-hook: make sure that mount path exists Claudius Heine
                   ` (3 more replies)
  0 siblings, 4 replies; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:30 UTC (permalink / raw)
  To: cip-dev, Jan Kiszka, Quirin Gylstorff; +Cc: Claudius Heine

Hi,

this is the second version of the patchset.

Changes from v1:
 - Added a more descriptive commit message
 - Added more descriptive documentation about the noencrypt option
 - Fixed typos in documentation
 - Removed unnecessary setting of /conf/param.conf in initramfs-crypt-hook
 - Added re-encryption recovery patch

Claudius Heine (4):
  initramfs-crypt-hook: make sure that mount path exists
  initramfs-crypt-hook: implement 'noencrypt' option
  initramfs-crypt-hook: add 'format-if-empty' feature
  initramfs-crypt-hook: add re-encryption recovery

 doc/README.tpm2.encryption.md                 |  4 +-
 .../files/local-bottom-complete               |  1 +
 .../files/local-top-complete                  | 73 ++++++++++++++++---
 .../initramfs-crypt-hook_0.6.bb               |  5 +-
 4 files changed, 68 insertions(+), 15 deletions(-)

-- 
2.47.2




* [PATCH v2 1/4] initramfs-crypt-hook: make sure that mount path exists
  2025-02-27 14:30 [PATCH v2 0/4] initramfs-crypt-hook patch Claudius Heine
@ 2025-02-27 14:30 ` Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option Claudius Heine
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:30 UTC (permalink / raw)
  To: cip-dev, Jan Kiszka, Quirin Gylstorff; +Cc: Claudius Heine

Whether or not the mount directory (and its parents) gets created
seems to be inconsistent; mentioning a missing mount point in the
`/etc/fstab` might cause the boot to fail, while using systemd `.mount`
units will just create the mount point.

Wic creates missing mount points that were mentioned in the `.wks`
file; so when moving from such a setup to letting `initramfs-crypt-hook`
mount the file system at boot inside the ramdisk, the mount would
suddenly fail.

Therefore creating the mount point, if it doesn't exist, seems to
provide a smoother transition.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 .../initramfs-crypt-hook/files/local-bottom-complete             | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete
index b991cb4..80553d1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete
+++ b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete
@@ -41,6 +41,7 @@ mount_partition() {
 	partition_mountpoint=$2
 	[ "$debug" = "y" ] && echo "mount device: '$partition_dev_path' to '$partition_mountpoint'"
 	if ! mountpoint -q "${partition_mountpoint}"; then
+		mkdir -p "${partition_mountpoint}"
 		if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \
 			 "${partition_mountpoint}"; then
 			panic "Can't mount partition '${partition_dev_path}'!"
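Review bot: the new `mkdir -p "${partition_mountpoint}"` discards its exit status, so if the directory cannot be created (unwritable parent, a path component that is a regular file) the only symptom is the later "Can't mount partition" panic, which names the wrong cause. Suggest `mkdir -p "${partition_mountpoint}" || panic "Can't create mount point '${partition_mountpoint}'!"`, matching the panic style already used two lines below.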
-- 
2.47.2




* [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option
  2025-02-27 14:30 [PATCH v2 0/4] initramfs-crypt-hook patch Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 1/4] initramfs-crypt-hook: make sure that mount path exists Claudius Heine
@ 2025-02-27 14:30 ` Claudius Heine
  2025-02-27 14:42   ` Quirin Gylstorff
  2025-02-27 14:30 ` [PATCH v2 3/4] initramfs-crypt-hook: add 'format-if-empty' feature Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery Claudius Heine
  3 siblings, 1 reply; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:30 UTC (permalink / raw)
  To: cip-dev, Jan Kiszka, Quirin Gylstorff; +Cc: Claudius Heine

In case encryption needs to be enabled via an update while still
allowing the update fallback to work, one update step is needed where
encryption is supported, but no reencryption takes place if the device
is not encrypted.

For this the `noencrypt` hook is implemented, which requires some
restructure/reordering of the `local-top-complete` script.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 doc/README.tpm2.encryption.md                 |  3 ++-
 .../files/local-top-complete                  | 24 +++++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index 3f7e89f..a503095 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri
 ### CRYPT_PARTITIONS
 
 The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt or format>`.
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
 - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
 - The `mountpoint` is used mount the decrypted partition in the root file system
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
+- `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. This makes it possible for an system to support encrypted partitions, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. For example, with a shared data partition, the fallback system would have the `noencrypt` option, while the encrypted system would have the `reencrypt` option set for it. Now the fallback system can still open the data partition if the update to the encrypted system failed.
 
 #### Encrypted root file system
 
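Review bot: wording in the added `noencrypt` bullet: "for an system" should be "for a system" and "on their own" should be "on its own". The bullet should also say what happens to a `noencrypt` partition that is not yet encrypted: per the script hunk it is skipped entirely (no opening, no `ROOT=` handling), so mounting it is left to the normal fstab or `.mount` unit path. While touching this list, the `partition-idenitifer` typo in the context line could be fixed as well.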
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
index 502fcc1..67722fc 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
+++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
@@ -211,22 +211,36 @@ for partition_set in $partition_sets; do
 	if [ ! -e  "$part_device" ]; then
 		panic "Could not find device  mapped to '$partition' cannot be encrypted!"
 	fi
-	decrypted_part=/dev/mapper/"$crypt_mount_name"
-	# check if we are trying to mount root
-	if [ "$partition_mountpoint" = "/" ]; then
-		echo "ROOT=$decrypted_part" >/conf/param.conf
-	fi
 
 	if [ "$partition_expand" = "expand" ]; then
 		expand_partition $part_device
 	fi
 
+	# If partition is already encrypted, decrypt and continue with next partition:
+	decrypted_part=/dev/mapper/"$crypt_mount_name"
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
 			| grep -q "luks2"; then
 		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+
+		# check if we are trying to mount root, set ROOT to decrypted partition:
+		if [ "$partition_mountpoint" = "/" ]; then
+			echo "ROOT=$decrypted_part" >/conf/param.conf
+		fi
+
 		continue
 	fi
 
+	# If partition should not be encrypted, continue with next partition:
+	if [ "$partition_format" = "noencrypt" ]
+	then
+		continue
+	fi
+
+	# check if we are trying to mount root, set ROOT to decrypted partition:
+	if [ "$partition_mountpoint" = "/" ]; then
+		echo "ROOT=$decrypted_part" >/conf/param.conf
+	fi
+
 	# service watchdog in the background during lengthy re-encryption
 	if [ -z "$watchdog_pid" ]; then
 		service_watchdog &
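Review bot: the `ROOT=$decrypted_part` block now exists twice (inside the already-encrypted branch and again after the `noencrypt` skip); a small helper called from both places would keep the two copies from drifting apart. Style nit: the new `if [ "$partition_format" = "noencrypt" ]` puts `then` on its own line, while the rest of the script uses `; then`.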
-- 
2.47.2




* [PATCH v2 3/4] initramfs-crypt-hook: add 'format-if-empty' feature
  2025-02-27 14:30 [PATCH v2 0/4] initramfs-crypt-hook patch Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 1/4] initramfs-crypt-hook: make sure that mount path exists Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option Claudius Heine
@ 2025-02-27 14:30 ` Claudius Heine
  2025-02-27 14:30 ` [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery Claudius Heine
  3 siblings, 0 replies; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:30 UTC (permalink / raw)
  To: cip-dev, Jan Kiszka, Quirin Gylstorff; +Cc: Claudius Heine

When encryption is enabled from one update to the next, there is a
difference between flashing a fresh factory image to an empty storage
device, which contains an empty fallback partition set, and updating it,
where the fallback partition set contains the actual fallback partitions.

In the update case, the fallback system should be left alone and
unencrypted.

When doing a factory flash, the fallback partitions can be encrypted.

The best marker for which case the system is booted in is whether the
partition is empty or not. The 'format-if-empty' option will format the
partition with a LUKS format in case the first 10MiB are empty.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 doc/README.tpm2.encryption.md                    |  3 ++-
 .../files/local-top-complete                     | 16 ++++++++++++++++
 .../initramfs-crypt-hook_0.6.bb                  |  2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index a503095..01b6033 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri
 ### CRYPT_PARTITIONS
 
 The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt | format-if-empty>`.
 - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
 - The `mountpoint` is used mount the decrypted partition in the root file system
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
 - `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. This makes it possible for an system to support encrypted partitions, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. For example, with a shared data partition, the fallback system would have the `noencrypt` option, while the encrypted system would have the `reencrypt` option set for it. Now the fallback system can still open the data partition if the update to the encrypted system failed.
+- `format-if-empty` will create a empty LUKS partition and formats it, like the `format` option, but only if the first 10MiB are empty (contain only 0x00). This makes it possible to differentiate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone.
 
 #### Encrypted root file system
 
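Review bot: grammar in the added `format-if-empty` bullet: "will create a empty LUKS partition and formats it" should read "creates an empty LUKS partition and formats it". The bullet should also state the two limits of the emptiness test that follow from `cmp -n`: only the first 10MiB are inspected, so a partition whose only non-zero data lies past that offset counts as empty and would be formatted; and a device shorter than 10MiB never counts as empty, because `cmp` reports EOF on it.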
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
index 67722fc..4b6451a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
+++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
@@ -269,6 +269,22 @@ for partition_set in $partition_sets; do
 			eval "${create_file_system_cmd} ${decrypted_part}"
 			log_end_msg
 		;;
+		"format-if-empty")
+			# Check if first 10MiB contain only zeros
+			if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero
+			then
+				log_begin_msg "Encryption of ${part_device}"
+				/usr/sbin/cryptsetup luksFormat --batch-mode \
+					 --type luks2 "$part_device" < "$tmp_key"
+				enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
+				open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+				eval "${create_file_system_cmd} ${decrypted_part}"
+				log_end_msg
+			else
+				# If not empty, leave it alone.
+				continue
+			fi
+		;;
 		*)
 			panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
 		;;
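Review bot: the `continue` in the not-empty branch runs after the `ROOT=$decrypted_part` write that precedes this `case` (introduced in 2/4), so a `format-if-empty` entry for `/` that is left unencrypted boots with `/conf/param.conf` pointing at a `/dev/mapper` node that was never created; either run the emptiness test before the `ROOT=` write or skip the write for this outcome. The skip is also silent; a `[ "$debug" = "y" ] && echo "..."` in the `else` branch, in the existing debug style, would make the factory-versus-update decision visible in the boot log. `cmp -n` is not in POSIX `cmp`, so the copied binary must be one that supports it (GNU diffutils does).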
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
index df335c9..c9a7f89 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
@@ -41,7 +41,7 @@ HOOK_ADD_MODULES = " \
 
 HOOK_COPY_EXECS = " \
     openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
-    e2fsck resize2fs cryptsetup \
+    e2fsck resize2fs cryptsetup cmp \
     tpm2_pcrread tpm2_testparms tpm2_flushcontext \
     /usr/lib/*/libgcc_s.so.1"
 
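Review bot: `cmp` is added to HOOK_COPY_EXECS, but `diffutils` is not added to DEBIAN_DEPENDS (the list visible in 4/4 names cryptsetup, awk, e2fsprogs, tpm2-tools and coreutils). It is Essential on Debian, so the binary is present in practice, but listing it records why the hook needs it, as is done for the other tools.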
-- 
2.47.2



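The emptiness probe behind `format-if-empty`, as an added POSIX shell example that is not part of the patch or the initramfs-crypt-hook scripts: it wraps the same `cmp -s -n` call in a function, runs it over constructed sparse image files instead of block devices, and shows the two edge cases of the 10MiB window (data past the window is not seen; a device shorter than the window never counts as empty). Function names and the sample images are my own; a `cmp` that supports `-n` and coreutils `truncate` are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the patch: the 'format-if-empty' decision exercised
# on regular files. EMPTY_WINDOW mirrors the 10MiB used in local-top-complete.

EMPTY_WINDOW=$(( 10 * 1024 * 1024 ))

# first_window_empty DEV [BYTES]
# Exit 0 when the first BYTES of DEV read back as 0x00 only, 1 otherwise.
# Same probe as the hook: cmp stops after BYTES; if DEV is shorter than BYTES,
# cmp hits EOF on DEV and returns non-zero, so a short device is "not empty".
first_window_empty() {
    cmp -s -n "${2:-$EMPTY_WINDOW}" "$1" /dev/zero
}

# format_if_empty_action DEV
# Prints what the hook would do for a 'format-if-empty' entry on DEV.
format_if_empty_action() {
    if first_window_empty "$1"; then
        echo "luksFormat"      # freshly flashed: safe to create the LUKS container
    else
        echo "leave-alone"     # might hold an unencrypted fallback system
    fi
}

# make_sample_images DIR
# Constructed sample "partitions" (sparse files; unwritten ranges read as 0x00).
make_sample_images() {
    dir=$1
    # (a) 12 MiB of zeros: a factory-flashed, never-used partition
    truncate -s $(( 12 * 1024 * 1024 )) "$dir/blank.img"
    # (b) same, plus the ext2/3/4 superblock magic 0xEF53 (little endian) at
    #     byte 1080: a formatted but otherwise empty file system
    truncate -s $(( 12 * 1024 * 1024 )) "$dir/ext.img"
    printf '\123\357' | dd of="$dir/ext.img" bs=1 seek=1080 conv=notrunc 2>/dev/null
    # (c) zeros throughout the window, data only at 11 MiB: outside what cmp reads
    truncate -s $(( 12 * 1024 * 1024 )) "$dir/late.img"
    printf 'payload' | dd of="$dir/late.img" bs=1 seek=$(( 11 * 1024 * 1024 )) conv=notrunc 2>/dev/null
    # (d) a 1 MiB device: shorter than the window
    truncate -s $(( 1024 * 1024 )) "$dir/small.img"
}

demo() {
    tmp=$(mktemp -d) || exit 1
    make_sample_images "$tmp"
    for img in blank ext late small; do
        printf '%-6s -> %s\n' "$img" "$(format_if_empty_action "$tmp/$img.img")"
    done
    rm -rf "$tmp"
}
demo
```

Case (c) is the one to keep in mind when choosing `format-if-empty`: the probe is a heuristic over the first 10MiB, not a proof that the partition carries no data.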

* [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery
  2025-02-27 14:30 [PATCH v2 0/4] initramfs-crypt-hook patch Claudius Heine
                   ` (2 preceding siblings ...)
  2025-02-27 14:30 ` [PATCH v2 3/4] initramfs-crypt-hook: add 'format-if-empty' feature Claudius Heine
@ 2025-02-27 14:30 ` Claudius Heine
  2025-02-27 14:37   ` Quirin Gylstorff
  3 siblings, 1 reply; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:30 UTC (permalink / raw)
  To: cip-dev, Jan Kiszka, Quirin Gylstorff; +Cc: Claudius Heine

Integrate detection and recovery of power failures while a partition is
being encrypted.

There are possible scenarios:
1. Power-fail happens while the partition is reencrypted:
  - The LUKS header contains `online-reencrypt-v2` and needs to be
    repaired with `cryptsetup repair` before it can continue.
  - Also no resizing of the file system is necessary
2. Power-fail happens before the systemd-tpm2 token can be installed
  - The LUKS header does not contain 'systemd-tpm2', thus it needs to be
    registered and the temporary encryption key needs to be removed

In both scenarios the system after the reboot needs to have access to
the temporary encryption key that was initially used. So using a random
one, generated via `openssl rand`, is not possible. Since it is only a
temporary key and gets removed after the systemd-tpm2 token was
installed, a known password can be used.

The list of these scenarios is not complete, there might be other
instances where a sudden power-fail could be fatal to the system, but
these were the most obvious and risky ones.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 .../files/local-top-complete                  | 33 +++++++++++++++----
 .../initramfs-crypt-hook_0.6.bb               |  5 ++-
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
index 4b6451a..6034175 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
+++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
@@ -72,6 +72,9 @@ reencrypt_existing_partition() {
 	reduced_size="$(expr "$part_size_blocks" - 65536 )"
 	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
 	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+
+	CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k"
+
 	case $partition_fstype in
 	ext*)
 		# reduce the filesystem and partition by 32M to fit the LUKS header
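Review bot: `CRYPTSETUP_PARAMS` is the only upper-case name in a script that otherwise uses lower-case variables, and it is global state set inside `reencrypt_existing_partition()` and later expanded unquoted on purpose (word splitting into two arguments); a lower-case `cryptsetup_params` plus a one-line comment on the deliberate unquoted expansion would match the surrounding style. It also uses `reduce_device_size` while the three lines above compute `reduced_size_in_kb`; if these are the same quantity, one of the names should go.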
@@ -90,14 +93,25 @@ reencrypt_existing_partition() {
 	squashfs|swap|erofs|"")
 		[ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'"
 		;;
+	luks)
+		# Check if reencrypt was aborted
+		if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \
+				| grep -q "online-reencrypt-v2"; then
+			/usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \
+				panic "cryptsetup repair was not successful"
+		fi
+
+		# already luks partition, don't resize
+		CRYPTSETUP_PARAMS=""
+		;;
 	*)
 		panic "cannot resize partition, unsupported fstype: '$partition_fstype'"
 		;;
 	esac
 	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
-		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+		/usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} "$1" < "$2"
 	else
-		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+		/usr/sbin/cryptsetup reencrypt --encrypt ${CRYPTSETUP_PARAMS} "$1" < "$2"
 	fi
 }
 
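Review bot: the new `luks)` case repairs only when `online-reencrypt-v2` is present and then always falls through to `cryptsetup reencrypt --encrypt` with an empty parameter set. For the commit message's scenario 2 (reencryption finished, token never enrolled) the header is a complete LUKS2 header without that requirement, and `--encrypt` is not expected to accept a device that is already LUKS; that scenario should skip the reencrypt call and go straight to `enroll_tpm2_token` and removal of the temporary key slot. Minor: `panic "cryptsetup repair was not successful"` does not name the device; include `"$1"`.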
@@ -219,7 +233,7 @@ for partition_set in $partition_sets; do
 	# If partition is already encrypted, decrypt and continue with next partition:
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
-			| grep -q "luks2"; then
+			| grep -q "systemd-tpm2"; then
 		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
 
 		# check if we are trying to mount root, set ROOT to decrypted partition:
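Review bot: changing the probe from `luks2` to `systemd-tpm2` redefines "already encrypted" as "carries a systemd-tpm2 token". A LUKS2 device bound through another token type (clevis, as raised in the reply) or one whose token enrollment was interrupted now fails this test and falls through to the `reencrypt`/`format` branches, which would then operate on an encrypted device. Suggest keeping the `luks2` test to decide "encrypted" and testing for the token inside that branch, so the missing-token case can be recovered by enrolling the token rather than by reformatting.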
@@ -230,6 +244,12 @@ for partition_set in $partition_sets; do
 		continue
 	fi
 
+	# If partition contains an aborted reencrypt luks header, switch to reencrypt mode:
+	if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \
+			| grep -q "online-reencrypt-v2"; then
+		partition_format="reencrypt"
+	fi
+
 	# If partition should not be encrypted, continue with next partition:
 	if [ "$partition_format" = "noencrypt" ]
 	then
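Review bot: the `online-reencrypt-v2` override sits before the `noencrypt` skip, so a system configured with `noencrypt` (the unencrypted fallback from 2/4) will resume and finish a reencryption that the other system started, including the token enrollment that follows. If that is intended, say so in the commit message and the README bullet; if not, move the override below the `noencrypt` check. `luksDump` is also now run twice per partition (here and in the previous hunk); capturing its output once would avoid the second probe.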
@@ -247,10 +267,11 @@ for partition_set in $partition_sets; do
 		watchdog_pid=$!
 	fi
 
-	# create random password for initial encryption
-	# this will be dropped after reboot
+	# use partuuid of the partition for initial encryption password, this key
+	# will be removed after the reencryption has finished and the TPM2 token is
+	# registered:
 	tmp_key=/tmp/"$(basename "$part_device")-lukskey"
-	openssl rand -base64 32 > "$tmp_key"
+	lsblk -no partuuid "$part_device" > "$tmp_key"
 
 	case "${partition_format}" in
 		"reencrypt")
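Review bot: using `lsblk -no partuuid` as the initial passphrase means that, until the systemd-tpm2 token is enrolled and this key slot is removed, the data is protected only by a value readable from the partition table of the same disk (the point made in the reply); the commit message and README should state that window explicitly. Separately, the README allows a whole-device path such as `/dev/sda` as `partition-identifier`, and an unpartitioned device has no PARTUUID, so `lsblk` prints an empty line and `$tmp_key` becomes an empty passphrase. Suggest `partuuid=$(lsblk -no partuuid "$part_device"); [ -n "$partuuid" ] || panic "No PARTUUID for ${part_device}"` before writing the key file.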
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
index c9a7f89..5e82521 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
@@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc
 DEBIAN_DEPENDS .= ", \
     cryptsetup, \
     awk, \
-    openssl, \
     e2fsprogs, \
     tpm2-tools, \
     coreutils, \
@@ -40,8 +39,8 @@ HOOK_ADD_MODULES = " \
     ecb aes_generic xts"
 
 HOOK_COPY_EXECS = " \
-    openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
-    e2fsck resize2fs cryptsetup cmp \
+    mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
+    e2fsck resize2fs cryptsetup cmp lsblk \
     tpm2_pcrread tpm2_testparms tpm2_flushcontext \
     /usr/lib/*/libgcc_s.so.1"
 
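Review bot: `lsblk` is copied into the initramfs, but `util-linux` is not added to DEBIAN_DEPENDS in the hunk above (openssl is removed, nothing is added); it is Essential on Debian, so present in practice, but the dependency should be listed for the same reason the others are. Also verify inside the ramdisk that `lsblk -no partuuid` resolves for these devices: `lsblk` takes PARTUUID from the udev database when one is available and otherwise probes via libblkid, and this hook runs early enough that the udev database cannot be assumed.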
-- 
2.47.2



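The per-partition decision that 2/4 and this patch build up in `local-top-complete` (open when a systemd-tpm2 token is present, resume an interrupted reencryption, honour `noencrypt`, otherwise take the configured option), replayed over constructed `luksDump`-style text as an added POSIX shell example that is not part of the patch: it uses the same `grep` probes in the same order and separately reports the LUKS2-without-systemd-tpm2-token case (the clevis situation raised in the reply) that the patch's probe folds into "not encrypted". Function names, action labels and the header texts are my own.

```shell
#!/bin/sh
# Added example, not part of the patch: replay the per-partition decision of
# local-top-complete on luksDump text so the branches can be checked offline.

# classify_luks_header DUMP_TEXT
# Same substring probes as the hook, in the hook's order, plus a LUKS2 version
# check so a header without a systemd-tpm2 token is not treated as plain data.
classify_luks_header() {
    hdr=$1
    if printf '%s\n' "$hdr" | grep -q 'systemd-tpm2'; then
        echo tpm2-bound
    elif printf '%s\n' "$hdr" | grep -q 'online-reencrypt-v2'; then
        echo reencrypt-in-progress
    elif printf '%s\n' "$hdr" | grep -q '^Version:[[:space:]]*2'; then
        echo luks2-no-tpm2-token   # other token type, or enrollment interrupted
    else
        echo not-luks
    fi
}

# plan_boot_action DUMP_TEXT OPTION
# OPTION is the third field of a CRYPT_PARTITIONS entry
# (reencrypt | format | noencrypt | format-if-empty). Prints the branch taken.
plan_boot_action() {
    state=$(classify_luks_header "$1")
    option=$2
    case "$state" in
    tpm2-bound)
        echo open ;;
    reencrypt-in-progress)
        # The hook rewrites partition_format to "reencrypt" before it tests for
        # noencrypt, so this branch wins regardless of OPTION.
        echo repair-then-reencrypt ;;
    luks2-no-tpm2-token)
        # No dedicated branch in the hook: OPTION would run on an encrypted
        # device. Report it instead of silently continuing.
        if [ "$option" = noencrypt ]; then echo skip; else echo "unhandled-luks2:$option"; fi ;;
    not-luks)
        case "$option" in
        noencrypt)        echo skip ;;
        reencrypt|format) echo "$option" ;;
        format-if-empty)  echo check-empty-then-format ;;
        *)                echo "panic-unknown-option:$option" ;;
        esac ;;
    esac
}

# Constructed, abridged luksDump-style texts; not captured from real devices.
HDR_TPM2='LUKS header information
Version:        2
Tokens:
  0: systemd-tpm2
Keyslots:
  1: luks2'
HDR_RESUME='LUKS header information
Version:        2
Requirements:   online-reencrypt-v2
Keyslots:
  0: luks2'
HDR_CLEVIS='LUKS header information
Version:        2
Tokens:
  0: clevis
Keyslots:
  0: luks2'
HDR_NONE=''   # luksDump prints no header for a plain partition

demo() {
    for pair in "HDR_TPM2 reencrypt" "HDR_RESUME noencrypt" "HDR_CLEVIS reencrypt" \
                "HDR_NONE noencrypt" "HDR_NONE format-if-empty"; do
        set -- $pair
        eval "hdr=\$$1"
        printf '%-10s %-16s -> %s\n' "$1" "$2" "$(plan_boot_action "$hdr" "$2")"
    done
}
demo
```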

* Re: [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery
  2025-02-27 14:30 ` [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery Claudius Heine
@ 2025-02-27 14:37   ` Quirin Gylstorff
  2025-02-27 14:46     ` Claudius Heine
  0 siblings, 1 reply; 14+ messages in thread
From: Quirin Gylstorff @ 2025-02-27 14:37 UTC (permalink / raw)
  To: Claudius Heine, cip-dev, Jan Kiszka



On 2/27/25 15:30, Claudius Heine wrote:
> Integrate detection and recovery of power failures while a partition is
> being encrypted.
> 
> There are possible scenarios:
> 1. Power-fail happens while the partition is reencrypted:
>    - The LUKS header contains `online-reencrypt-v2` and needs to be
>      repaired with `cryptsetup repair` before it can continue.
>    - Also no resizing of the file system is necessary
> 2. Power-fail happens before the systemd-tpm2 token can be installed
>    - The LUKS header does not contain 'systemd-tpm2', thus it needs to be
>      registered and the temporary encryption key needs to be removed
> 
> In both scenarios the system after the reboot needs to have access to
> the temporary encryption key that was initially used. So using a random
> one, generated via `openssl rand` is not possible. Since it is only a
> temporary key and gets removed after the systemd-tpm2 token was
> installed, a known password can be used.
> 
> The list of these scenarios is not complete, there might be other
> instances where a sudden power-fail could be fatal to the system, but
> these were the most obvious and risky ones.
> 
> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
>   .../files/local-top-complete                  | 33 +++++++++++++++----
>   .../initramfs-crypt-hook_0.6.bb               |  5 ++-
>   2 files changed, 29 insertions(+), 9 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> index 4b6451a..6034175 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> @@ -72,6 +72,9 @@ reencrypt_existing_partition() {
>   	reduced_size="$(expr "$part_size_blocks" - 65536 )"
>   	reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>   	reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
> +
> +	CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k"
> +
>   	case $partition_fstype in
>   	ext*)
>   		# reduce the filesystem and partition by 32M to fit the LUKS header
> @@ -90,14 +93,25 @@ reencrypt_existing_partition() {
>   	squashfs|swap|erofs|"")
>   		[ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'"
>   		;;
> +	luks)
> +		# Check if reencrypt was aborted
> +		if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \
> +				| grep -q "online-reencrypt-v2"; then
> +			/usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \
> +				panic "cryptsetup repair was not successful"
> +		fi
> +
> +		# already luks partition, don't resize
> +		CRYPTSETUP_PARAMS=""
> +		;;
>   	*)
>   		panic "cannot resize partition, unsupported fstype: '$partition_fstype'"
>   		;;
>   	esac
>   	if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
> -		/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
> +		/usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} "$1" < "$2"
>   	else
> -		/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
> +		/usr/sbin/cryptsetup reencrypt --encrypt ${CRYPTSETUP_PARAMS} "$1" < "$2"
>   	fi
>   }
>   
> @@ -219,7 +233,7 @@ for partition_set in $partition_sets; do
>   	# If partition is already encrypted, decrypt and continue with next partition:
>   	decrypted_part=/dev/mapper/"$crypt_mount_name"
>   	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
> -			| grep -q "luks2"; then
> +			| grep -q "systemd-tpm2"; then
This should break encryption with clevis.

>   		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
>   
>   		# check if we are trying to mount root, set ROOT to decrypted partition:
> @@ -230,6 +244,12 @@ for partition_set in $partition_sets; do
>   		continue
>   	fi
>   
> +	# If partition contains an aborted reencrypt luks header, switch to reencrypt mode:
> +	if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \
> +			| grep -q "online-reencrypt-v2"; then
> +		partition_format="reencrypt"
> +	fi
> +
>   	# If partition should not be encrypted, continue with next partition:
>   	if [ "$partition_format" = "noencrypt" ]
>   	then
> @@ -247,10 +267,11 @@ for partition_set in $partition_sets; do
>   		watchdog_pid=$!
>   	fi
>   
> -	# create random password for initial encryption
> -	# this will be dropped after reboot
> +	# use partuuid of the partition for initial encryption password, this key
> +	# will be removed after the reencryption has finished and the TPM2 token is
> +	# registered:
>   	tmp_key=/tmp/"$(basename "$part_device")-lukskey"
> -	openssl rand -base64 32 > "$tmp_key"
> +	lsblk -no partuuid "$part_device" > "$tmp_key"

This has the security implication that until the tpm key is used the 
device is insecure.

Quirin
>   
>   	case "${partition_format}" in
>   		"reencrypt")
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
> index c9a7f89..5e82521 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
> @@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc
>   DEBIAN_DEPENDS .= ", \
>       cryptsetup, \
>       awk, \
> -    openssl, \
>       e2fsprogs, \
>       tpm2-tools, \
>       coreutils, \
> @@ -40,8 +39,8 @@ HOOK_ADD_MODULES = " \
>       ecb aes_generic xts"
>   
>   HOOK_COPY_EXECS = " \
> -    openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
> -    e2fsck resize2fs cryptsetup cmp \
> +    mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
> +    e2fsck resize2fs cryptsetup cmp lsblk \
>       tpm2_pcrread tpm2_testparms tpm2_flushcontext \
>       /usr/lib/*/libgcc_s.so.1"
>   




* Re: [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option
  2025-02-27 14:30 ` [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option Claudius Heine
@ 2025-02-27 14:42   ` Quirin Gylstorff
  2025-02-27 14:49     ` Claudius Heine
  0 siblings, 1 reply; 14+ messages in thread
From: Quirin Gylstorff @ 2025-02-27 14:42 UTC (permalink / raw)
  To: Claudius Heine, cip-dev, Jan Kiszka



On 2/27/25 15:30, Claudius Heine wrote:
> In case encryption needs to be enabled via an update, while still
> allowing the update fall back to work. One update step where encryption
> is supported, but no reencryption is taking place if the device is not
> encrypted.

The scenario this patch tries to solve is an update from A to B:
- The update is not confirmed
- The encryption was successful
- An error occurs and we fall back to Partition A

Is that correct?

Quirin
> 
> For this the `noencrypt` hook is implemented, which requires some
> restructure/reordering of the `local-top-complete` script.
> 
> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
>   doc/README.tpm2.encryption.md                 |  3 ++-
>   .../files/local-top-complete                  | 24 +++++++++++++++----
>   2 files changed, 21 insertions(+), 6 deletions(-)
> 
> diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
> index 3f7e89f..a503095 100644
> --- a/doc/README.tpm2.encryption.md
> +++ b/doc/README.tpm2.encryption.md
> @@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri
>   ### CRYPT_PARTITIONS
>   
>   The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
> -Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt or format>`.
> +Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
>   - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
>   - The `mountpoint` is used mount the decrypted partition in the root file system
>   - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
>   - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
> +- `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. This makes it possible for an system to support encrypted partitions, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. For example, with a shared data partition, the fallback system would have the `noencrypt` option, while the encrypted system would have the `reencrypt` option set for it. Now the fallback system can still open the data partition if the update to the encrypted system failed.
>   
>   #### Encrypted root file system
>   
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> index 502fcc1..67722fc 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> @@ -211,22 +211,36 @@ for partition_set in $partition_sets; do
>   	if [ ! -e  "$part_device" ]; then
>   		panic "Could not find device  mapped to '$partition' cannot be encrypted!"
>   	fi
> -	decrypted_part=/dev/mapper/"$crypt_mount_name"
> -	# check if we are trying to mount root
> -	if [ "$partition_mountpoint" = "/" ]; then
> -		echo "ROOT=$decrypted_part" >/conf/param.conf
> -	fi
>   
>   	if [ "$partition_expand" = "expand" ]; then
>   		expand_partition $part_device
>   	fi
>   
> +	# If partition is already encrypted, decrypt and continue with next partition:
> +	decrypted_part=/dev/mapper/"$crypt_mount_name"
>   	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
>   			| grep -q "luks2"; then
>   		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
> +
> +		# check if we are trying to mount root, set ROOT to decrypted partition:
> +		if [ "$partition_mountpoint" = "/" ]; then
> +			echo "ROOT=$decrypted_part" >/conf/param.conf
> +		fi
> +
>   		continue
>   	fi
>   
> +	# If partition should not be encrypted, continue with next partition:
> +	if [ "$partition_format" = "noencrypt" ]
> +	then
> +		continue
> +	fi
> +
> +	# check if we are trying to mount root, set ROOT to decrypted partition:
> +	if [ "$partition_mountpoint" = "/" ]; then
> +		echo "ROOT=$decrypted_part" >/conf/param.conf
> +	fi
> +
>   	# service watchdog in the background during lengthy re-encryption
>   	if [ -z "$watchdog_pid" ]; then
>   		service_watchdog &




* Re: [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery
  2025-02-27 14:37   ` Quirin Gylstorff
@ 2025-02-27 14:46     ` Claudius Heine
  2025-02-27 14:56       ` Quirin Gylstorff
  0 siblings, 1 reply; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:46 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, Jan Kiszka

Hi Quirin,

On 2025-02-27 3:37 pm, Quirin Gylstorff wrote:
> 
> 
> On 2/27/25 15:30, Claudius Heine wrote:
>> Integrate detection and recovery of power failures while a partition is
>> being encrypted.
>>
>> There are possible scenarios:
>> 1. Power-fail happens while the partition is reencrypted:
>>    - The LUKS header contains `online-reencrypt-v2` and needs to be
>>      repaired with `cryptsetup repair` before it can continue.
>>    - Also no resizing of the file system is necessary
>> 2. Power-fail happens before the systemd-tpm2 token can be installed
>>    - The LUKS header does not contain 'systemd-tpm2', thus it needs to be
>>      registered and the temporary encryption key needs to be removed
>>
>> In both scenarios the system after the reboot needs to have access to
>> the temporary encryption key that was initially used. So using a random
>> one, generated via `openssl rand` is not possible. Since it is only a
>> temporary key and gets removed after the systemd-tpm2 token was
>> installed, a known password can be used.
>>
>> The list of these scenarios is not complete, there might be other
>> instances where a sudden power-fail could be fatal to the system, but
>> these were the most obvious and risky ones.
>>
>> Signed-off-by: Claudius Heine <ch@denx.de>
>> ---
>>   .../files/local-top-complete                  | 33 +++++++++++++++----
>>   .../initramfs-crypt-hook_0.6.bb               |  5 ++-
>>   2 files changed, 29 insertions(+), 9 deletions(-)
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>> complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>> complete
>> index 4b6451a..6034175 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>> @@ -72,6 +72,9 @@ reencrypt_existing_partition() {
>>       reduced_size="$(expr "$part_size_blocks" - 65536 )"
>>       reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>>       reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
>> +
>> +    CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k"
>> +
>>       case $partition_fstype in
>>       ext*)
>>           # reduce the filesystem and partition by 32M to fit the LUKS 
>> header
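Review bot: `CRYPTSETUP_PARAMS` expands `${reduce_device_size}`, while the three lines directly above compute `reduced_size`, `reduced_size_in_byte` and `reduced_size_in_kb`; if `reduce_device_size` is not assigned somewhere outside this hunk the option degenerates to `--reduce-device-size k`. The mismatch pre-dates this patch (the lines removed in the next hunk use the same name), but since the value is being moved into a variable anyway this is the moment to confirm which one is meant and keep a single name. Style: the script uses lower-case names for its variables (`part_device`, `partition_format`, `tmp_key`), and the unquoted `${CRYPTSETUP_PARAMS}` expansion relies on word splitting, which is fine here only as long as it never carries a value with spaces.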
>> @@ -90,14 +93,25 @@ reencrypt_existing_partition() {
>>       squashfs|swap|erofs|"")
>>           [ "$debug" = "y" ] && echo "skip disk resize as it is not 
>> supported or unnecessary for fstype: '$partition_fstype'"
>>           ;;
>> +    luks)
>> +        # Check if reencrypt was aborted
>> +        if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \
>> +                | grep -q "online-reencrypt-v2"; then
>> +            /usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \
>> +                panic "cryptsetup repair was not successful"
>> +        fi
>> +
>> +        # already luks partition, don't resize
>> +        CRYPTSETUP_PARAMS=""
>> +        ;;
>>       *)
>>           panic "cannot resize partition, unsupported fstype: 
>> '$partition_fstype'"
>>           ;;
>>       esac
>>       if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
>> -        /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size 
>> "$reduce_device_size"k "$1" < "$2"
>> +        /usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} 
>> "$1" < "$2"
>>       else
>> -        /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size 
>> "$reduce_device_size"k "$1" < "$2"
>> +        /usr/sbin/cryptsetup reencrypt --encrypt ${CRYPTSETUP_PARAMS} 
>> "$1" < "$2"
>>       fi
>>   }
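Review bot: in the new `luks)` arm the header is repaired, but control then falls through to the same `cryptsetup-reencrypt --new` / `cryptsetup reencrypt --encrypt` call that is meant for a plain device; `--new` and `--encrypt` describe a first-time encryption, and as far as I can tell the legacy `cryptsetup-reencrypt --new` refuses a device that already carries a LUKS header rather than resuming it. Please branch explicitly for the interrupted case (for example `/usr/sbin/cryptsetup reencrypt --resume-only "$1" < "$2"`) or verify on a deliberately interrupted device that the `--encrypt` path resumes instead of failing. Two more points on this arm: the `online-reencrypt-v2` grep duplicates the one in the caller, which already switched `partition_format` to `reencrypt` on the same condition, so one of the two can go; and `$partition_fstype` has to be literally `luks` for this arm to be reached, whereas `blkid` reports such a device as `crypto_LUKS`, so please check how that variable is populated, otherwise the `*)` panic fires instead.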
>> @@ -219,7 +233,7 @@ for partition_set in $partition_sets; do
>>       # If partition is already encrypted, decrypt and continue with 
>> next partition:
>>       decrypted_part=/dev/mapper/"$crypt_mount_name"
>>       if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
>> -            | grep -q "luks2"; then
>> +            | grep -q "systemd-tpm2"; then
> This should break encryption with clevis.

I don't have a test setup for clevis, so any input on how to fix this 
would be great.

> 
>>           open_tpm2_partition "$part_device" "$crypt_mount_name" 
>> "$tpm_device"
>>           # check if we are trying to mount root, set ROOT to 
>> decrypted partition:
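Review bot: `grep -q "systemd-tpm2"` over the whole `luksDump` output is a substring match on any line, and it turns every LUKS2 volume that lacks exactly that token into an "encrypt me" candidate, which is the clevis breakage raised above (clevis binds with a LUKS2 token of type `clevis`). Suggest two separate tests: `cryptsetup isLuks "$part_device"` to decide "already LUKS", and then a token check restricted to the `Tokens:` section that accepts both backends, e.g. `grep -qE '^[[:space:]]*[0-9]+:[[:space:]]+(systemd-tpm2|clevis)$'`, or derive the expected token type from `CRYPT_BACKEND` so the two backends cannot drift apart again.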
>> @@ -230,6 +244,12 @@ for partition_set in $partition_sets; do
>>           continue
>>       fi
>> +    # If partition contains an aborted reencrypt luks header, switch 
>> to reencrypt mode:
>> +    if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \
>> +            | grep -q "online-reencrypt-v2"; then
>> +        partition_format="reencrypt"
>> +    fi
>> +
>>       # If partition should not be encrypted, continue with next 
>> partition:
>>       if [ "$partition_format" = "noencrypt" ]
>>       then
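Review bot: this override switches `partition_format` to `reencrypt` regardless of the configured mode, `noencrypt` included; in the shared-data-partition case from patch 2/4 the fallback slot would therefore resume, and afterwards have to finish and enroll, a re-encryption the other slot started, which contradicts the documented "will not try to encrypt" semantics. Limit the override to `reencrypt` (and arguably `format`, where the partial content is discarded anyway) and let a `noencrypt` slot `panic` or skip the partition with a clear message. Minor: `"${part_device}"` here versus `"$part_device"` in the surrounding lines.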
>> @@ -247,10 +267,11 @@ for partition_set in $partition_sets; do
>>           watchdog_pid=$!
>>       fi
>> -    # create random password for initial encryption
>> -    # this will be dropped after reboot
>> +    # use partuuid of the partition for initial encryption password, 
>> this key
>> +    # will be removed after the reencryption has finished and the 
>> TPM2 token is
>> +    # registered:
>>       tmp_key=/tmp/"$(basename "$part_device")-lukskey"
>> -    openssl rand -base64 32 > "$tmp_key"
>> +    lsblk -no partuuid "$part_device" > "$tmp_key"
> 
> This has the security implication that until the tpm key is used the 
> device is insecure.

Yes. As I noted in the commit message.

The other method, I thought about was using the tpm2, where I am 
encrypting a known key, like the partuuid with an internal tpm2 key, and 
using the resulting encrypted blob as a hexstring for the password.

But I am not very familiar with TPM2 on how to properly do that.

Other options would be to create a password and store it in the TPM2 
NVRAM, but that would not be very secure as well.

So any suggestions for improvement here would be great.

regards,
Claudius

> 
> Quirin
>>       case "${partition_format}" in
>>           "reencrypt")
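Review bot: `lsblk -no partuuid "$part_device" > "$tmp_key"` can produce an empty key file, because the README allows a whole-disk path such as `/dev/sda` as partition identifier and such a device has no PARTUUID; add a `[ -s "$tmp_key" ] || panic ...` guard before the file is fed to cryptsetup, and create it under a restrictive umask since it lands in the initramfs /tmp. On the security implication noted above: the passphrase is now computable from on-disk metadata, so the window between creating this keyslot and removing it after token enrollment is the part worth spelling out in README.tpm2.encryption.md. If a reproducible but device-bound value is wanted instead, the TPM idea from the reply is workable: an HMAC of the PARTUUID under a TPM primary key can be recreated after a power loss without storing anything, which keeps the recovery property without the known-passphrase property.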
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>> hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>> hook_0.6.bb
>> index c9a7f89..5e82521 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
>> @@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc
>>   DEBIAN_DEPENDS .= ", \
>>       cryptsetup, \
>>       awk, \
>> -    openssl, \
>>       e2fsprogs, \
>>       tpm2-tools, \
>>       coreutils, \
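Review bot: `openssl` is dropped from `DEBIAN_DEPENDS` while `lsblk` (util-linux) becomes a hard runtime dependency of the hook; the visible list does not declare `util-linux`, so unless it is pulled in further down (uuidparse and mountpoint, also util-linux binaries, are already copied, which suggests it is), please add it explicitly here so the dependency is declared next to the tool that needs it.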
>> @@ -40,8 +39,8 @@ HOOK_ADD_MODULES = " \
>>       ecb aes_generic xts"
>>   HOOK_COPY_EXECS = " \
>> -    openssl mke2fs grep awk expr seq sleep basename uuidparse 
>> mountpoint \
>> -    e2fsck resize2fs cryptsetup cmp \
>> +    mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
>> +    e2fsck resize2fs cryptsetup cmp lsblk \
>>       tpm2_pcrread tpm2_testparms tpm2_flushcontext \
>>       /usr/lib/*/libgcc_s.so.1"
> 

-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de




* Re: [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option
  2025-02-27 14:42   ` Quirin Gylstorff
@ 2025-02-27 14:49     ` Claudius Heine
  2025-02-27 16:07       ` Quirin Gylstorff
  0 siblings, 1 reply; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 14:49 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, Jan Kiszka

Hi Quirin,

On 2025-02-27 3:42 pm, Quirin Gylstorff wrote:
> 
> 
> On 2/27/25 15:30, Claudius Heine wrote:
>> In case encryption needs to be enabled via an update, while still
>> allowing the update fallback to work: one update step where encryption
>> is supported, but no reencryption takes place if the device is not
>> encrypted.
> 
> The scenario this patch tries to solve is update from A to B:
> - Update is not confirmed
> - the encryption was successful
> -  Error occurs and we fallback to Partition A
> 
> Is that correct?

Yes, and it is about a shared data partition that needs to be available 
on both systems and should eventually be encrypted. The root file 
systems do not really matter, because they belong to each update slot.

Update slot A needs to be able to mount the encrypted partition, but 
should not encrypt it.

regards,
Claudius

> 
> Quirin
>>
>> For this the `noencrypt` hook is implemented, which requires some
>> restructure/reordering of the `local-top-complete` script.
>>
>> Signed-off-by: Claudius Heine <ch@denx.de>
>> ---
>>   doc/README.tpm2.encryption.md                 |  3 ++-
>>   .../files/local-top-complete                  | 24 +++++++++++++++----
>>   2 files changed, 21 insertions(+), 6 deletions(-)
>>
>> diff --git a/doc/README.tpm2.encryption.md b/doc/ 
>> README.tpm2.encryption.md
>> index 3f7e89f..a503095 100644
>> --- a/doc/README.tpm2.encryption.md
>> +++ b/doc/README.tpm2.encryption.md
>> @@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following 
>> variables which can be overwri
>>   ### CRYPT_PARTITIONS
>>   The variable `CRYPT_PARTITIONS` contains the information which 
>> partition shall be encrypted where to mount it.
>> -Each entry uses the schema `<partition- 
>> identifier>:<mountpoint>:<reencrypt or format>`.
>> +Each entry uses the schema `<partition- 
>> identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
>>   - The `partition-idenitifer` is used to identify the partition on 
>> the disk, it can contain a partition label, partition UUID or absolute 
>> path to the partition device, e.g. `/dev/sda`.
>>   - The `mountpoint` is used mount the decrypted partition in the root 
>> file system
>>   - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting 
>> content of the partition. This reduces the partition by 32MB and the 
>> file system by a similar amount
>>   - `format` creates a empty LUKS partition and creates a file system 
>> defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
>> +- `noencrypt` will not try to encrypt the partition, if it isn't 
>> encrypted already, but will open it if it is. This makes it possible 
>> for an system to support encrypted partitions, while not encrypting 
>> anything on their own. Useful when updating from a system that is 
>> unencrypted to one that is, while supporting a fallback system. For 
>> example, with a shared data partition, the fallback system would have 
>> the `noencrypt` option, while the encrypted system would have the 
>> `reencrypt` option set for it. Now the fallback system can still open 
>> the data partition if the update to the encrypted system failed.
>>   #### Encrypted root file system
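Review bot: two typos in the added `noencrypt` line: "for an system" should read "for a system", and "while not encrypting anything on their own" should be "on its own". The sentence also only covers a partition that is not LUKS yet; please state what a `noencrypt` slot does with a LUKS partition it cannot open (no token bound, as after a re-encryption interrupted while the other slot was running), since that is exactly the fallback situation the option is meant for. The pre-existing typos in the context lines ("partition-idenitifer", "exiting content", "a empty") could be fixed in the same doc touch-up.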
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>> complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>> complete
>> index 502fcc1..67722fc 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>> @@ -211,22 +211,36 @@ for partition_set in $partition_sets; do
>>       if [ ! -e  "$part_device" ]; then
>>           panic "Could not find device  mapped to '$partition' cannot 
>> be encrypted!"
>>       fi
>> -    decrypted_part=/dev/mapper/"$crypt_mount_name"
>> -    # check if we are trying to mount root
>> -    if [ "$partition_mountpoint" = "/" ]; then
>> -        echo "ROOT=$decrypted_part" >/conf/param.conf
>> -    fi
>>       if [ "$partition_expand" = "expand" ]; then
>>           expand_partition $part_device
>>       fi
>> +    # If partition is already encrypted, decrypt and continue with 
>> next partition:
>> +    decrypted_part=/dev/mapper/"$crypt_mount_name"
>>       if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
>>               | grep -q "luks2"; then
>>           open_tpm2_partition "$part_device" "$crypt_mount_name" 
>> "$tpm_device"
>> +
>> +        # check if we are trying to mount root, set ROOT to decrypted 
>> partition:
>> +        if [ "$partition_mountpoint" = "/" ]; then
>> +            echo "ROOT=$decrypted_part" >/conf/param.conf
>> +        fi
>> +
>>           continue
>>       fi
>> +    # If partition should not be encrypted, continue with next 
>> partition:
>> +    if [ "$partition_format" = "noencrypt" ]
>> +    then
>> +        continue
>> +    fi
>> +
>> +    # check if we are trying to mount root, set ROOT to decrypted 
>> partition:
>> +    if [ "$partition_mountpoint" = "/" ]; then
>> +        echo "ROOT=$decrypted_part" >/conf/param.conf
>> +    fi
>> +
>>       # service watchdog in the background during lengthy re-encryption
>>       if [ -z "$watchdog_pid" ]; then
>>           service_watchdog &
> 

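The two power-fail scenarios in the 4/4 commit message (interrupted online re-encryption; LUKS volume without its token yet) and the slot A / slot B `noencrypt` case discussed in this message are one small state machine: classify the device, then pick an action per configured mode. The script below is an added example and is not code from the patch series or from isar-cip-core. It assumes the `luksDump` output format described in its header comment (the `Requirements:` line and the `Tokens:` section); the sample dumps are constructed, and treating `noencrypt` on a half-encrypted volume as "refuse" is this example's choice, whereas the patch as posted resumes.

```shell
#!/bin/sh
# Added example, not code from this patch series or from isar-cip-core.
# It models the decision the initramfs hook has to take per CRYPT_PARTITIONS
# entry: which state is the block device in, and what should a slot configured
# as reencrypt, format or noencrypt do with it.
#
# Assumptions about `cryptsetup luksDump` output (not confirmed by the thread):
#  - an interrupted online re-encryption shows as a "Requirements:" line that
#    contains online-reencrypt-v2;
#  - bound tokens are listed under "Tokens:" as "<index>: <type>", with type
#    systemd-tpm2 for systemd-cryptenroll and clevis for clevis-luks;
#  - for a device that is not LUKS, luksDump fails and prints nothing on stdout.
# All sample dumps below are constructed for this example.

# luks_state: classify luksDump output read from stdin. Prints one of
#   plain      not a LUKS device (empty dump)
#   luks1      LUKS1 header, which neither backend can bind a token to
#   reencrypt  LUKS2 header with an interrupted online re-encryption
#   untokened  LUKS2 header still protected only by the temporary passphrase
#   tokened    LUKS2 header with a systemd-tpm2 or clevis token
luks_state() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -q '^Version:[[:space:]]*2'; then
        if printf '%s\n' "$dump" | grep -q '^Version:[[:space:]]*1'; then
            echo luks1
        else
            echo plain
        fi
        return 0
    fi
    if printf '%s\n' "$dump" | grep -q '^Requirements:.*online-reencrypt-v2'; then
        echo reencrypt
        return 0
    fi
    # Look at the Tokens: section only, so that a keyslot, segment or digest
    # line can never satisfy the test by accident (unlike a grep over the
    # whole dump).
    if printf '%s\n' "$dump" \
        | awk '/^Tokens:/ { in_tok = 1; next } /^[A-Za-z]/ { in_tok = 0 } in_tok' \
        | grep -qE '^[[:space:]]*[0-9]+:[[:space:]]+(systemd-tpm2|clevis)$'; then
        echo tokened
    else
        echo untokened
    fi
}

# crypt_action STATE MODE: the action for one partition. Prints one of
#   open     open with the TPM2/clevis token, set ROOT if it is the rootfs
#   resume   cryptsetup repair with the temporary passphrase, then resume
#   enroll   volume is fully encrypted: bind the token, drop the temporary slot
#   encrypt  first-time online encryption (reduce device, reencrypt --encrypt)
#   format   fresh luksFormat plus CRYPT_CREATE_FILE_SYSTEM_CMD
#   leave    mount the plain partition as it is
#   refuse   stop with a clear message; this slot must not touch the device
# Design choice of this example: a noencrypt slot never continues or completes
# another slot's encryption (the patch as posted would resume instead).
crypt_action() {
    case "$1:$2" in
    tokened:reencrypt|tokened:format|tokened:noencrypt) echo open ;;
    reencrypt:reencrypt)                  echo resume ;;
    reencrypt:format)                     echo format ;;   # partial data is discarded anyway
    untokened:reencrypt|untokened:format) echo enroll ;;
    plain:reencrypt)                      echo encrypt ;;
    plain:format)                         echo format ;;
    plain:noencrypt)                      echo leave ;;
    *)                                    echo refuse ;;   # noencrypt on half-done volumes, luks1, unknown mode
    esac
}

# sample_dump KIND: constructed luksDump output for
# plain | luks1 | untokened | reencrypt | tokened | clevis
sample_dump() {
    kind=$1
    case "$kind" in
    plain) return 0 ;;                                        # luksDump failed, empty stdout
    luks1) printf 'LUKS header information for /dev/sdX\n\nVersion:        1\n'; return 0 ;;
    esac
    printf 'LUKS header information\nVersion:        2\nEpoch:          4\n'
    printf 'UUID:           7f1b9a3c-0000-4000-8000-000000000001\nFlags:          (no flags)\n'
    [ "$kind" = reencrypt ] && printf 'Requirements:   online-reencrypt-v2\n'
    printf '\nData segments:\n  0: crypt\n        offset: 16777216 [bytes]\n        cipher: aes-xts-plain64\n\n'
    printf 'Keyslots:\n  0: luks2\n        Key:        512 bits\n        Cipher:     aes-xts-plain64\n'
    [ "$kind" = reencrypt ] && printf '  1: reencrypt\n        Mode:       encrypt\n'
    printf 'Tokens:\n'
    case "$kind" in
    tokened) printf '  0: systemd-tpm2\n        tpm2-hash-pcrs:   7\n        Keyslot:          0\n' ;;
    clevis)  printf '  0: clevis\n        Keyslot:    0\n' ;;
    esac
    printf 'Digests:\n  0: pbkdf2\n        Hash:       sha256\n'
}

# demo: print the full decision table, i.e. what one hook run would do per slot
demo() {
    for kind in plain luks1 untokened reencrypt tokened clevis; do
        state=$(sample_dump "$kind" | luks_state)
        for mode in reencrypt format noencrypt; do
            printf '%-10s %-10s %-10s -> %s\n' "$kind" "$state" "$mode" "$(crypt_action "$state" "$mode")"
        done
    done
}
demo
```

In the real hook the stdin of `luks_state` would be `/usr/sbin/cryptsetup luksDump --batch-mode "$part_device" 2>/dev/null`, and the action would drive the existing `open_tpm2_partition`, `reencrypt_existing_partition` and format paths; the point of keeping the classification and the decision table apart is that the clevis token type and the `noencrypt` policy each live in exactly one place.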




* Re: [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery
  2025-02-27 14:46     ` Claudius Heine
@ 2025-02-27 14:56       ` Quirin Gylstorff
  2025-02-27 15:03         ` Claudius Heine
  0 siblings, 1 reply; 14+ messages in thread
From: Quirin Gylstorff @ 2025-02-27 14:56 UTC (permalink / raw)
  To: Claudius Heine, cip-dev, Jan Kiszka



On 2/27/25 15:46, Claudius Heine wrote:
> Hi Quirin,
> 
> On 2025-02-27 3:37 pm, Quirin Gylstorff wrote:
>>
>>
>> On 2/27/25 15:30, Claudius Heine wrote:
>>> Integrate detection and recovery of power failures while a partition is
>>> being encrypted.
>>>
>>> There are possible scenarios:
>>> 1. Power-fail happens while the partition is reencrypted:
>>>    - The LUKS header contains `online-reencrypt-v2` and needs to be
>>>      repaired with `cryptsetup repair` before it can continue.
>>>    - Also no resizing of the file system is necessary
>>> 2. Power-fail happens before the systemd-tpm2 token can be installed
>>>    - The LUKS header does not contain 'systemd-tpm2', thus it needs 
>>> to be
>>>      registered and the temporary encryption key needs to be removed
>>>
>>> In both scenarios the system after the reboot needs to have access to
>>> the temporary encryption key that was initially used. So using a random
>>> one, generated via `openssl rand` is not possible. Since it is only a
>>> temporary key and gets removed after the systemd-tpm2 token was
>>> installed, a known password can be used.
>>>
>>> The list of these scenarios is not complete, there might be other
>>> instances where a sudden power-fail could be fatal to the system, but
>>> these were the most obvious and risky ones.
>>>
>>> Signed-off-by: Claudius Heine <ch@denx.de>
>>> ---
>>>   .../files/local-top-complete                  | 33 +++++++++++++++----
>>>   .../initramfs-crypt-hook_0.6.bb               |  5 ++-
>>>   2 files changed, 29 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>>> complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>>> complete
>>> index 4b6451a..6034175 100644
>>> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>> @@ -72,6 +72,9 @@ reencrypt_existing_partition() {
>>>       reduced_size="$(expr "$part_size_blocks" - 65536 )"
>>>       reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>>>       reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
>>> +
>>> +    CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k"
>>> +
>>>       case $partition_fstype in
>>>       ext*)
>>>           # reduce the filesystem and partition by 32M to fit the 
>>> LUKS header
>>> @@ -90,14 +93,25 @@ reencrypt_existing_partition() {
>>>       squashfs|swap|erofs|"")
>>>           [ "$debug" = "y" ] && echo "skip disk resize as it is not 
>>> supported or unnecessary for fstype: '$partition_fstype'"
>>>           ;;
>>> +    luks)
>>> +        # Check if reencrypt was aborted
>>> +        if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \
>>> +                | grep -q "online-reencrypt-v2"; then
>>> +            /usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \
>>> +                panic "cryptsetup repair was not successful"
>>> +        fi
>>> +
>>> +        # already luks partition, don't resize
>>> +        CRYPTSETUP_PARAMS=""
>>> +        ;;
>>>       *)
>>>           panic "cannot resize partition, unsupported fstype: 
>>> '$partition_fstype'"
>>>           ;;
>>>       esac
>>>       if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
>>> -        /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size 
>>> "$reduce_device_size"k "$1" < "$2"
>>> +        /usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} 
>>> "$1" < "$2"
>>>       else
>>> -        /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device- 
>>> size "$reduce_device_size"k "$1" < "$2"
>>> +        /usr/sbin/cryptsetup reencrypt --encrypt 
>>> ${CRYPTSETUP_PARAMS} "$1" < "$2"
>>>       fi
>>>   }
>>> @@ -219,7 +233,7 @@ for partition_set in $partition_sets; do
>>>       # If partition is already encrypted, decrypt and continue with 
>>> next partition:
>>>       decrypted_part=/dev/mapper/"$crypt_mount_name"
>>>       if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
>>> -            | grep -q "luks2"; then
>>> +            | grep -q "systemd-tpm2"; then
>> This should break encryption with clevis.
> 
> I don't have a test setup for clevis, so any input on how to fix this 
> would be great.


If you set `CRYPT_BACKEND = "clevis"` in the kas configuration of 
isar-cip-core, you directly use clevis instead of systemd.

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb?ref_type=heads#L25

Quirin
> 
>>
>>>           open_tpm2_partition "$part_device" "$crypt_mount_name" 
>>> "$tpm_device"
>>>           # check if we are trying to mount root, set ROOT to 
>>> decrypted partition:
>>> @@ -230,6 +244,12 @@ for partition_set in $partition_sets; do
>>>           continue
>>>       fi
>>> +    # If partition contains an aborted reencrypt luks header, switch 
>>> to reencrypt mode:
>>> +    if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \
>>> +            | grep -q "online-reencrypt-v2"; then
>>> +        partition_format="reencrypt"
>>> +    fi
>>> +
>>>       # If partition should not be encrypted, continue with next 
>>> partition:
>>>       if [ "$partition_format" = "noencrypt" ]
>>>       then
>>> @@ -247,10 +267,11 @@ for partition_set in $partition_sets; do
>>>           watchdog_pid=$!
>>>       fi
>>> -    # create random password for initial encryption
>>> -    # this will be dropped after reboot
>>> +    # use partuuid of the partition for initial encryption password, 
>>> this key
>>> +    # will be removed after the reencryption has finished and the 
>>> TPM2 token is
>>> +    # registered:
>>>       tmp_key=/tmp/"$(basename "$part_device")-lukskey"
>>> -    openssl rand -base64 32 > "$tmp_key"
>>> +    lsblk -no partuuid "$part_device" > "$tmp_key"
>>
>> This has the security implication that until the tpm key is used the 
>> device is insecure.
> 
> Yes. As I noted in the commit message.
> 
> The other method, I thought about was using the tpm2, where I am 
> encrypting a known key, like the partuuid with an internal tpm2 key, and 
> using the resulting encrypted blob as a hexstring for the password.
> 
> But I am not very familiar with TPM2 on how to properly do that.
> 
> Other options would be to create a password and store it in the TPM2 
> NVRAM, but that would not be very secure as well.
> 
> So any suggestions for improvement here would be great.
> 
> regards,
> Claudius
> 
>>
>> Quirin
>>>       case "${partition_format}" in
>>>           "reencrypt")
>>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>>> hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>>> hook_0.6.bb
>>> index c9a7f89..5e82521 100644
>>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
>>> @@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc
>>>   DEBIAN_DEPENDS .= ", \
>>>       cryptsetup, \
>>>       awk, \
>>> -    openssl, \
>>>       e2fsprogs, \
>>>       tpm2-tools, \
>>>       coreutils, \
>>> @@ -40,8 +39,8 @@ HOOK_ADD_MODULES = " \
>>>       ecb aes_generic xts"
>>>   HOOK_COPY_EXECS = " \
>>> -    openssl mke2fs grep awk expr seq sleep basename uuidparse 
>>> mountpoint \
>>> -    e2fsck resize2fs cryptsetup cmp \
>>> +    mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
>>> +    e2fsck resize2fs cryptsetup cmp lsblk \
>>>       tpm2_pcrread tpm2_testparms tpm2_flushcontext \
>>>       /usr/lib/*/libgcc_s.so.1"
>>
> 




* Re: [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery
  2025-02-27 14:56       ` Quirin Gylstorff
@ 2025-02-27 15:03         ` Claudius Heine
  0 siblings, 0 replies; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 15:03 UTC (permalink / raw)
  To: Quirin Gylstorff, cip-dev, Jan Kiszka



On 2025-02-27 3:56 pm, Quirin Gylstorff wrote:
> 
> 
> On 2/27/25 15:46, Claudius Heine wrote:
>> Hi Quirin,
>>
>> On 2025-02-27 3:37 pm, Quirin Gylstorff wrote:
>>>
>>>
>>> On 2/27/25 15:30, Claudius Heine wrote:
>>>> Integrate detection and recovery of power failures while a partition is
>>>> being encrypted.
>>>>
>>>> There are possible scenarios:
>>>> 1. Power-fail happens while the partition is reencrypted:
>>>>    - The LUKS header contains `online-reencrypt-v2` and needs to be
>>>>      repaired with `cryptsetup repair` before it can continue.
>>>>    - Also no resizing of the file system is necessary
>>>> 2. Power-fail happens before the systemd-tpm2 token can be installed
>>>>    - The LUKS header does not contain 'systemd-tpm2', thus it needs 
>>>> to be
>>>>      registered and the temporary encryption key needs to be removed
>>>>
>>>> In both scenarios the system after the reboot needs to have access to
>>>> the temporary encryption key that was initially used. So using a random
>>>> one, generated via `openssl rand` is not possible. Since it is only a
>>>> temporary key and gets removed after the systemd-tpm2 token was
>>>> installed, a known password can be used.
>>>>
>>>> The list of these scenarios is not complete, there might be other
>>>> instances where a sudden power-fail could be fatal to the system, but
>>>> these were the most obvious and risky ones.
>>>>
>>>> Signed-off-by: Claudius Heine <ch@denx.de>
>>>> ---
>>>>   .../files/local-top-complete                  | 33 ++++++++++++++ 
>>>> +----
>>>>   .../initramfs-crypt-hook_0.6.bb               |  5 ++-
>>>>   2 files changed, 29 insertions(+), 9 deletions(-)
>>>>
>>>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>>>> complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>>>> complete
>>>> index 4b6451a..6034175 100644
>>>> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>>> @@ -72,6 +72,9 @@ reencrypt_existing_partition() {
>>>>       reduced_size="$(expr "$part_size_blocks" - 65536 )"
>>>>       reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
>>>>       reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
>>>> +
>>>> +    CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k"
>>>> +
>>>>       case $partition_fstype in
>>>>       ext*)
>>>>           # reduce the filesystem and partition by 32M to fit the 
>>>> LUKS header
>>>> @@ -90,14 +93,25 @@ reencrypt_existing_partition() {
>>>>       squashfs|swap|erofs|"")
>>>>           [ "$debug" = "y" ] && echo "skip disk resize as it is not 
>>>> supported or unnecessary for fstype: '$partition_fstype'"
>>>>           ;;
>>>> +    luks)
>>>> +        # Check if reencrypt was aborted
>>>> +        if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \
>>>> +                | grep -q "online-reencrypt-v2"; then
>>>> +            /usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \
>>>> +                panic "cryptsetup repair was not successful"
>>>> +        fi
>>>> +
>>>> +        # already luks partition, don't resize
>>>> +        CRYPTSETUP_PARAMS=""
>>>> +        ;;
>>>>       *)
>>>>           panic "cannot resize partition, unsupported fstype: 
>>>> '$partition_fstype'"
>>>>           ;;
>>>>       esac
>>>>       if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
>>>> -        /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size 
>>>> "$reduce_device_size"k "$1" < "$2"
>>>> +        /usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} 
>>>> "$1" < "$2"
>>>>       else
>>>> -        /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device- 
>>>> size "$reduce_device_size"k "$1" < "$2"
>>>> +        /usr/sbin/cryptsetup reencrypt --encrypt 
>>>> ${CRYPTSETUP_PARAMS} "$1" < "$2"
>>>>       fi
>>>>   }
>>>> @@ -219,7 +233,7 @@ for partition_set in $partition_sets; do
>>>>       # If partition is already encrypted, decrypt and continue with 
>>>> next partition:
>>>>       decrypted_part=/dev/mapper/"$crypt_mount_name"
>>>>       if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
>>>> -            | grep -q "luks2"; then
>>>> +            | grep -q "systemd-tpm2"; then
>>> This should break encryption with clevis.
>>
>> I don't have a test setup for clevis, so any input on how to fix this 
>> would be great.
> 
> 
> If you set `CRYPT_BACKEND = "clevis"` in the kas configuration of
> isar-cip-core, you directly use clevis instead of systemd.
> 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb?ref_type=heads#L25

I can look into it. I suppose there might be some other marker that can 
be used.

> 
> Quirin
>>
>>>
>>>>           open_tpm2_partition "$part_device" "$crypt_mount_name" 
>>>> "$tpm_device"
>>>>           # check if we are trying to mount root, set ROOT to 
>>>> decrypted partition:
>>>> @@ -230,6 +244,12 @@ for partition_set in $partition_sets; do
>>>>           continue
>>>>       fi
>>>> +    # If partition contains an aborted reencrypt luks header, 
>>>> switch to reencrypt mode:
>>>> +    if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \
>>>> +            | grep -q "online-reencrypt-v2"; then
>>>> +        partition_format="reencrypt"
>>>> +    fi
>>>> +
>>>>       # If partition should not be encrypted, continue with next 
>>>> partition:
>>>>       if [ "$partition_format" = "noencrypt" ]
>>>>       then
>>>> @@ -247,10 +267,11 @@ for partition_set in $partition_sets; do
>>>>           watchdog_pid=$!
>>>>       fi
>>>> -    # create random password for initial encryption
>>>> -    # this will be dropped after reboot
>>>> +    # use partuuid of the partition for initial encryption 
>>>> password, this key
>>>> +    # will be removed after the reencryption has finished and the 
>>>> TPM2 token is
>>>> +    # registered:
>>>>       tmp_key=/tmp/"$(basename "$part_device")-lukskey"
>>>> -    openssl rand -base64 32 > "$tmp_key"
>>>> +    lsblk -no partuuid "$part_device" > "$tmp_key"
>>>
>>> This has the security implication that until the tpm key is used the 
>>> device is insecure.

Also, there is a security implication already with this implementation, 
even before applying this patch, that until the device is booted and the 
re-encryption process is started, the storage is completely unencrypted 
and thus the device is insecure. :P

I assume that the people who actually need to deploy images in the 
factory will take care of letting the re-encryption process properly finish.

And in the field, a device before the re-encryption process is about as 
insecure as a device in the middle of the re-encryption process with a 
known key.

regards,
Claudius

>>
>> Yes. As I noted in the commit message.
>>
>> The other method, I thought about was using the tpm2, where I am 
>> encrypting a known key, like the partuuid with an internal tpm2 key, 
>> and using the resulting encrypted blob as a hexstring for the password.
>>
>> But I am not very familiar with TPM2 on how to properly do that.
>>
>> Other options would be to create a password and store it in the TPM2 
>> NVRAM, but that would not be very secure as well.
>>
>> So any suggestions for improvement here would be great.
>>
>> regards,
>> Claudius
>>
>>>
>>> Quirin
>>>>       case "${partition_format}" in
>>>>           "reencrypt")
>>>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>>>> hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs- 
>>>> crypt- hook_0.6.bb
>>>> index c9a7f89..5e82521 100644
>>>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>>>> hook_0.6.bb
>>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- 
>>>> hook_0.6.bb
>>>> @@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc
>>>>   DEBIAN_DEPENDS .= ", \
>>>>       cryptsetup, \
>>>>       awk, \
>>>> -    openssl, \
>>>>       e2fsprogs, \
>>>>       tpm2-tools, \
>>>>       coreutils, \
>>>> @@ -40,8 +39,8 @@ HOOK_ADD_MODULES = " \
>>>>       ecb aes_generic xts"
>>>>   HOOK_COPY_EXECS = " \
>>>> -    openssl mke2fs grep awk expr seq sleep basename uuidparse 
>>>> mountpoint \
>>>> -    e2fsck resize2fs cryptsetup cmp \
>>>> +    mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
>>>> +    e2fsck resize2fs cryptsetup cmp lsblk \
>>>>       tpm2_pcrread tpm2_testparms tpm2_flushcontext \
>>>>       /usr/lib/*/libgcc_s.so.1"
>>>
>>
> 





* Re: [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option
  2025-02-27 14:49     ` Claudius Heine
@ 2025-02-27 16:07       ` Quirin Gylstorff
  2025-02-27 16:46         ` Jan Kiszka
  0 siblings, 1 reply; 14+ messages in thread
From: Quirin Gylstorff @ 2025-02-27 16:07 UTC (permalink / raw)
  To: Claudius Heine, cip-dev, Jan Kiszka



On 2/27/25 15:49, Claudius Heine wrote:
> Hi Quirin,
> 
> On 2025-02-27 3:42 pm, Quirin Gylstorff wrote:
>>
>>
>> On 2/27/25 15:30, Claudius Heine wrote:
>>> In case encryption needs to be enabled via an update, while still
>>> allowing the update fallback to work: one update step where encryption
>>> is supported, but no reencryption takes place if the device is not
>>> encrypted.
>>
>> The scenario this patch tries to solve is update from A to B:
>> - Update is not confirmed
>> - the encryption was successful
>> -  Error occurs and we fallback to Partition A
>>
>> Is that correct?
> 
> Yes, and it is about a shared data partition that needs to be available 
> on both systems and should eventually be encrypted. The root file 
> systems do not really matter, because they belong to each update slot.
> 
> Update slot A needs to be able to mount the encrypted partition, but 
> should not encrypt it.

Can you add that example to the commit message?

Quirin
> 
> regards,
> Claudius
> 
>>
>> Quirin
>>>
>>> For this the `noencrypt` hook is implemented, which requires some
>>> restructure/reordering of the `local-top-complete` script.
>>>
>>> Signed-off-by: Claudius Heine <ch@denx.de>
>>> ---
>>>   doc/README.tpm2.encryption.md                 |  3 ++-
>>>   .../files/local-top-complete                  | 24 +++++++++++++++----
>>>   2 files changed, 21 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/doc/README.tpm2.encryption.md b/doc/ 
>>> README.tpm2.encryption.md
>>> index 3f7e89f..a503095 100644
>>> --- a/doc/README.tpm2.encryption.md
>>> +++ b/doc/README.tpm2.encryption.md
>>> @@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following 
>>> variables which can be overwri
>>>   ### CRYPT_PARTITIONS
>>>   The variable `CRYPT_PARTITIONS` contains the information which 
>>> partition shall be encrypted where to mount it.
>>> -Each entry uses the schema `<partition- 
>>> identifier>:<mountpoint>:<reencrypt or format>`.
>>> +Each entry uses the schema `<partition- 
>>> identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
>>>   - The `partition-idenitifer` is used to identify the partition on 
>>> the disk, it can contain a partition label, partition UUID or 
>>> absolute path to the partition device, e.g. `/dev/sda`.
>>>   - The `mountpoint` is used mount the decrypted partition in the 
>>> root file system
>>>   - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting 
>>> content of the partition. This reduces the partition by 32MB and the 
>>> file system by a similar amount
>>>   - `format` creates a empty LUKS partition and creates a file system 
>>> defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
>>> +- `noencrypt` will not try to encrypt the partition, if it isn't 
>>> encrypted already, but will open it if it is. This makes it possible 
>>> for an system to support encrypted partitions, while not encrypting 
>>> anything on their own. Useful when updating from a system that is 
>>> unencrypted to one that is, while supporting a fallback system. For 
>>> example, with a shared data partition, the fallback system would have 
>>> the `noencrypt` option, while the encrypted system would have the 
>>> `reencrypt` option set for it. Now the fallback system can still open 
>>> the data partition if the update to the encrypted system failed.
>>>   #### Encrypted root file system
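
Review bot: the new `noencrypt` bullet folds the option's semantics and the A/B fallback example into one long paragraph; move the example into a short sub-section or nested list under `### CRYPT_PARTITIONS` (as the thread asks) and state the untouched case explicitly, e.g. "If the partition is not yet LUKS it is left as-is: it is neither formatted nor re-encrypted, and `ROOT` is not redirected to a `/dev/mapper` device." While this file is being edited, the neighbouring pre-existing lines still carry typos (`partition-idenitifer`, "is used mount", "the exiting content", "creates a empty") and the new line has "for an system"; fixing them here avoids a separate cleanup patch.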
>>> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>>> complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top- 
>>> complete
>>> index 502fcc1..67722fc 100644
>>> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
>>> @@ -211,22 +211,36 @@ for partition_set in $partition_sets; do
>>>       if [ ! -e  "$part_device" ]; then
>>>           panic "Could not find device  mapped to '$partition' cannot 
>>> be encrypted!"
>>>       fi
>>> -    decrypted_part=/dev/mapper/"$crypt_mount_name"
>>> -    # check if we are trying to mount root
>>> -    if [ "$partition_mountpoint" = "/" ]; then
>>> -        echo "ROOT=$decrypted_part" >/conf/param.conf
>>> -    fi
>>>       if [ "$partition_expand" = "expand" ]; then
>>>           expand_partition $part_device
>>>       fi
>>> +    # If partition is already encrypted, decrypt and continue with 
>>> next partition:
>>> +    decrypted_part=/dev/mapper/"$crypt_mount_name"
>>>       if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
>>>               | grep -q "luks2"; then
>>>           open_tpm2_partition "$part_device" "$crypt_mount_name" 
>>> "$tpm_device"
>>> +
>>> +        # check if we are trying to mount root, set ROOT to 
>>> decrypted partition:
>>> +        if [ "$partition_mountpoint" = "/" ]; then
>>> +            echo "ROOT=$decrypted_part" >/conf/param.conf
>>> +        fi
>>> +
>>>           continue
>>>       fi
>>> +    # If partition should not be encrypted, continue with next 
>>> partition:
>>> +    if [ "$partition_format" = "noencrypt" ]
>>> +    then
>>> +        continue
>>> +    fi
>>> +
>>> +    # check if we are trying to mount root, set ROOT to decrypted 
>>> partition:
>>> +    if [ "$partition_mountpoint" = "/" ]; then
>>> +        echo "ROOT=$decrypted_part" >/conf/param.conf
>>> +    fi
>>> +
>>>       # service watchdog in the background during lengthy re-encryption
>>>       if [ -z "$watchdog_pid" ]; then
>>>           service_watchdog &
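
Review bot: the `ROOT=$decrypted_part` block is now duplicated, once after `open_tpm2_partition` and once after the `noencrypt` check; a small helper (e.g. `set_root_if_mountpoint "$partition_mountpoint" "$decrypted_part"`) would keep a single copy. The ordering itself is right: the `luksDump | grep -q "luks2"` probe must run before the `noencrypt` test so that an already-encrypted `noencrypt` partition is still opened, and skipping the assignment for a plaintext `noencrypt` root is correct because no `/dev/mapper/$crypt_mount_name` node exists in that case; a one-line comment saying so next to the `continue` would help the next reader. Style: `if [ "$partition_format" = "noencrypt" ]` followed by `then` on its own line differs from the `if ...; then` form used everywhere else in this hunk.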
>>
> 
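
The per-partition decision order that the patch above introduces (already encrypted: open; otherwise `noencrypt`: skip; otherwise reencrypt/format), as an added example that is not part of the thread or of the initramfs-crypt-hook recipe. The function name `crypt_plan` and the second argument, which stands in for the result of the `cryptsetup luksDump` probe so the logic can be exercised offline, are assumptions of this example; the only output is a plan string, nothing is written to `/conf/param.conf`.

```shell
# Added example (not the project's own code): a pure-shell model of the
# per-partition decision made in local-top-complete after the 'noencrypt'
# patch.  The real hook probes the device with `cryptsetup luksDump`; here
# the caller passes that probe result as the second argument (assumption
# of this example) so the ordering can be checked without a block device.
#
# Usage: crypt_plan '<partition-identifier>:<mountpoint>:<mode>' <yes|no>
# Prints "<action> <root>", where action is one of
#   open | skip | reencrypt | format
# and root is "root=mapper" when the hook would write ROOT=/dev/mapper/...
# to /conf/param.conf, or "root=unchanged" when ROOT is left alone.
crypt_plan() {
    entry=$1
    is_luks2=$2   # "yes" if luksDump reports a luks2 header, else "no"

    # Split the CRYPT_PARTITIONS entry on ':' the same way the hook does.
    partition=${entry%%:*}
    rest=${entry#*:}
    mountpoint=${rest%%:*}
    mode=${rest#*:}

    [ -n "$partition" ] || { echo "error: empty partition identifier" >&2; return 1; }

    # 1. Already encrypted: open it and, if it is the root fs, point ROOT
    #    at the mapper device.  This check runs before the 'noencrypt'
    #    test so that an encrypted 'noencrypt' partition is still opened
    #    (e.g. the fallback slot after a successful re-encryption).
    if [ "$is_luks2" = yes ]; then
        if [ "$mountpoint" = / ]; then
            echo "open root=mapper"
        else
            echo "open root=unchanged"
        fi
        return 0
    fi

    # 2. Plaintext and 'noencrypt': leave the device untouched.  ROOT must
    #    stay as it is, because no /dev/mapper node will exist for it.
    if [ "$mode" = noencrypt ]; then
        echo "skip root=unchanged"
        return 0
    fi

    # 3. Plaintext and reencrypt/format: the partition will be LUKS after
    #    this step, so a root fs will live behind /dev/mapper afterwards.
    case $mode in
        reencrypt|format) ;;
        *) echo "error: unknown mode '$mode'" >&2; return 1 ;;
    esac
    if [ "$mountpoint" = / ]; then
        echo "$mode root=mapper"
    else
        echo "$mode root=unchanged"
    fi
}
```

The case worth checking is the third `crypt_plan` input in the tests: a `noencrypt` root partition that is still plaintext yields `skip root=unchanged`, which is exactly why the patch had to move the `ROOT=` assignment below the `noencrypt` check instead of setting it unconditionally as before.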




* Re: [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option
  2025-02-27 16:07       ` Quirin Gylstorff
@ 2025-02-27 16:46         ` Jan Kiszka
  2025-02-27 16:51           ` Claudius Heine
  0 siblings, 1 reply; 14+ messages in thread
From: Jan Kiszka @ 2025-02-27 16:46 UTC (permalink / raw)
  To: Quirin Gylstorff, Claudius Heine, cip-dev

On 27.02.25 17:07, Quirin Gylstorff wrote:
> 
> 
> On 2/27/25 15:49, Claudius Heine wrote:
>> Hi Quirin,
>>
>> On 2025-02-27 3:42 pm, Quirin Gylstorff wrote:
>>>
>>>
>>> On 2/27/25 15:30, Claudius Heine wrote:
>>>> In case encryption needs to be enabled via an update, while still
>>>> allowing the update fallback to work. One update step where encryption
>>>> is supported, but no reencryption is taking place if the device is not
>>>> encrypted.
>>>
>>> The scenario this patch tries to solve is update from A to B:
>>> - Update is not confirmed
>>> - the encryption was successful
>>> - Error occurs and we fall back to Partition A
>>>
>>> Is that correct?
>>
>> Yes, and it is about a shared data partition that needs to be
>> available on both systems and should eventually be encrypted. The root
>> file systems do not really matter, because they belong to each
>> update slot.
>>
>> Update slot A needs to be able to mount the encrypted partition, but
>> should not encrypt it.
> 
> Can you add that example to the commit message?
> 

Actually, that should better go into our documentation so that the
reference case is also clear to users not parsing the code history.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center



* Re: [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option
  2025-02-27 16:46         ` Jan Kiszka
@ 2025-02-27 16:51           ` Claudius Heine
  0 siblings, 0 replies; 14+ messages in thread
From: Claudius Heine @ 2025-02-27 16:51 UTC (permalink / raw)
  To: Jan Kiszka, Quirin Gylstorff, cip-dev



On 2025-02-27 5:46 pm, Jan Kiszka wrote:
> On 27.02.25 17:07, Quirin Gylstorff wrote:
>>
>>
>> On 2/27/25 15:49, Claudius Heine wrote:
>>> Hi Quirin,
>>>
>>> On 2025-02-27 3:42 pm, Quirin Gylstorff wrote:
>>>>
>>>>
>>>> On 2/27/25 15:30, Claudius Heine wrote:
>>>>> In case encryption needs to be enabled via an update, while still
>>>>> allowing the update fallback to work. One update step where encryption
>>>>> is supported, but no reencryption is taking place if the device is not
>>>>> encrypted.
>>>>
>>>> The scenario this patch tries to solve is update from A to B:
>>>> - Update is not confirmed
>>>> - the encryption was successful
>>>> - Error occurs and we fall back to Partition A
>>>>
>>>> Is that correct?
>>>
>>> Yes, and it is about a shared data partition that needs to be
>>> available on both systems and should eventually be encrypted. The root
>>> file systems do not really matter, because they belong to each
>>> update slot.
>>>
>>> Update slot A needs to be able to mount the encrypted partition, but
>>> should not encrypt it.
>>
>> Can you add that example to the commit message?
>>
> 
> Actually, that should better go into our documentation so that the
> reference case is also clear to users not parsing the code history.

I have described this scenario in the documentation within this patch:

> For example, with a shared data partition, the fallback system would
> have the `noencrypt` option, while the encrypted system would have the
> `reencrypt` option set for it. Now the fallback system can still open
> the data partition if the update to the encrypted system failed.

But maybe having it more structured instead of just a paragraph would
make it easier to consume and understand.

regards,
Claudius

> 
> Jan
> 

-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de





Thread overview: 14+ messages
2025-02-27 14:30 [PATCH v2 0/4] initramfs-crypt-hook patch Claudius Heine
2025-02-27 14:30 ` [PATCH v2 1/4] initramfs-crypt-hook: make sure that mount path exists Claudius Heine
2025-02-27 14:30 ` [PATCH v2 2/4] initramfs-crypt-hook: implement 'noencrypt' option Claudius Heine
2025-02-27 14:42   ` Quirin Gylstorff
2025-02-27 14:49     ` Claudius Heine
2025-02-27 16:07       ` Quirin Gylstorff
2025-02-27 16:46         ` Jan Kiszka
2025-02-27 16:51           ` Claudius Heine
2025-02-27 14:30 ` [PATCH v2 3/4] initramfs-crypt-hook: add 'format-if-empty' feature Claudius Heine
2025-02-27 14:30 ` [PATCH v2 4/4] initramfs-crypt-hook: add re-encryption recovery Claudius Heine
2025-02-27 14:37   ` Quirin Gylstorff
2025-02-27 14:46     ` Claudius Heine
2025-02-27 14:56       ` Quirin Gylstorff
2025-02-27 15:03         ` Claudius Heine
