public inbox for cip-dev@lists.cip-project.org
From: Gylstorff Quirin <quirin.gylstorff@siemens.com>
To: Jan Kiszka <jan.kiszka@siemens.com>, cip-dev@lists.cip-project.org
Subject: Re: [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions
Date: Mon, 10 Jul 2023 12:44:49 +0200
Message-ID: <b9f0ffcf-985e-ef30-ab83-2fd282947e44@siemens.com>
In-Reply-To: <175ddbd7-b652-2da6-02a1-f9758136ab32@siemens.com>



On 7/10/23 12:14, Jan Kiszka wrote:
> On 10.07.23 11:11, Gylstorff Quirin wrote:
>>
>>
>> On 7/6/23 10:04, Jan Kiszka wrote:
>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>
>>> These operations can take longer than the watchdog timeout normally
>>> needed for booting Linux up to systemd. Add a background loop to both
>>> scripts that triggers the watchdog every 10 s, but only up to a
>>> configurable limit. Also the watchdog device can be configured, though
>>> the default /dev/watchdog should be fine in almost all cases.
>>>
>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>> ---
>>>    .../files/encrypt_partition.clevis.script       | 17 +++++++++++++++++
>>>    .../files/encrypt_partition.env.tmpl            |  2 ++
>>>    .../files/encrypt_partition.systemd.hook        |  2 ++
>>>    .../files/encrypt_partition.systemd.script      | 17 +++++++++++++++++
>>>    .../initramfs-crypt-hook_0.1.bb                 |  7 ++++++-
>>>    5 files changed, 44 insertions(+), 1 deletion(-)
>>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>>> index 9a1c37ba..c38c0e94 100644
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
>>>        create_file_system_cmd="mke2fs -t ext4"
>>>    fi
>>>    +service_watchdog() {
>>> +    for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
>>> +        printf '\0'
>>> +        sleep 10
>>> +    done > "$WATCHDOG_DEV"
>>> +}
>>> +
>>>    open_tpm2_partition() {
>>>        if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
>>>             -d "$1"; then
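
Review bot: service_watchdog() has no guard for an empty or small SETUP_TIMEOUT: an unset value turns `$(($SETUP_TIMEOUT / 10))` into an arithmetic syntax error, and any value below 10 makes seq print nothing, so the loop body never runs while the redirect on `done` still opens "$WATCHDOG_DEV" (which starts the watchdog in the kernel's API) and closes it again without a single write. A fallback in the style of the create_file_system_cmd default just above (e.g. `[ -z "$SETUP_TIMEOUT" ] && SETUP_TIMEOUT=600`) plus a `[ -c "$WATCHDOG_DEV" ]` check before the loop would avoid both; the check also prevents `>` from silently creating a regular file under /dev when no watchdog driver is present.
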
>>> @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
>>>            continue
>>>        fi
>>>    +    # service watchdog in the background during lengthy re-encryption
>>> +    if [ -z "$watchdog_pid" ]; then
>>> +        service_watchdog &
>>> +        watchdog_pid=$!
>>> +    fi
>>> +
>>>        # create random password for initial encryption
>>>        # this will be dropped after reboot
>>>        tmp_key=/tmp/"$partition_label-lukskey"
>>> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
>>>        # afterwards no new keys can be enrolled
>>>        cryptsetup -v luksKillSlot -q  "$part_device" 0
>>>    done
>>> +
>>> +if [ -n "$watchdog_pid" ]; then
>>> +    kill "$watchdog_pid"
>>> +fi
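
Review bot: the kill at the end is only reached on the normal path; if the script exits early anywhere in the loop (a failed unlock, or a `set -e` abort), the background loop keeps servicing the watchdog for the remainder of SETUP_TIMEOUT, so the failure is no longer bounded by the normal boot watchdog timeout. A `trap 'kill "$watchdog_pid" 2>/dev/null' EXIT` set right after `watchdog_pid=$!` would cover both the success and the error path.
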
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> index d04be56c..382fe45f 100644
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> @@ -1,2 +1,4 @@
>>>    PARTITIONS="${CRYPT_PARTITIONS}"
>>>    CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
>>> +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
>>> +WATCHDOG_DEV="${WATCHDOG_DEVICE}"
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> index fa37b57a..08ea631a 100755
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error
>>> "/usr/sbin/mke2fs not found"
>>>    copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
>>>    copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
>>>    copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
>>> +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
>>> +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
>>>    copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
>>>    copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not
>>> found"
>>>    copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup
>>> not found"
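
Review bot: the clevis script gains the same seq and sleep calls, but the diffstat lists only encrypt_partition.systemd.hook as changed; please confirm the clevis initramfs is built from this hook as well, otherwise its service_watchdog() fails at boot because seq is missing. Alternatively the seq dependency (and this copy_exec line) can be dropped by counting with a POSIX loop, e.g. `n=0; while [ "$n" -lt $((SETUP_TIMEOUT / 10)) ]; do ...; n=$((n + 1)); done`.
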
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>>> index eefac4bd..cf513dfe 100644
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
>>>        create_file_system_cmd="mke2fs -t ext4"
>>>    fi
>>>    +service_watchdog() {
>>> +    for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
>>> +        printf '\0'
>>> +        sleep 10
>>> +    done > "$WATCHDOG_DEV"
>>> +}
>>> +
>>>    open_tpm2_partition() {
>>>        if ! /usr/lib/systemd/systemd-cryptsetup attach
>>> "$crypt_mount_name" \
>>>             "$1" - tpm2-device="$tpm_device"; then
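
Review bot: a comment on the `done > "$WATCHDOG_DEV"` redirect would help here (and in the clevis copy): the device is opened once for the whole loop and closed without writing the magic 'V' close character, so when the loop ends or is killed the kernel keeps the watchdog running instead of stopping it. That is the intended hard upper bound, but it is easy to misread as the watchdog being disarmed, and it also means whatever runs after this script (systemd in the real root) must take over servicing before the hardware timeout expires.
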
>>> @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
>>>            continue
>>>        fi
>>>    +    # pet watchdog in the background during lengthy re-encryption
>>> +    if [ -z "$watchdog_pid" ]; then
>>> +        service_watchdog &
>>> +        watchdog_pid=$!
>>> +    fi
>>> +
>>>        # create random password for initial encryption
>>>        # this will be dropped after reboot
>>>        tmp_key=/tmp/"$partition_label-lukskey"
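
Review bot: the comment reads "pet watchdog" here but "service watchdog" in the otherwise identical clevis hunk; since 1/3 removes needless differences between the two scripts, use the same wording in both.
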
>>> @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
>>>        # afterwards no new keys can be enrolled
>>>        /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>>>    done
>>> +
>>> +if [ -n "$watchdog_pid" ]; then
>>> +    kill "$watchdog_pid"
>>> +fi
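
Review bot: if the setup takes longer than SETUP_TIMEOUT the loop has already exited by the time this runs, and `kill` may then fail with "No such process"; under `set -e` that would turn a slow but successful setup into a failed script. `kill "$watchdog_pid" 2>/dev/null || true` keeps the exit path clean; the same applies to the clevis copy.
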
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> index 997f469d..db65ea40 100644
>>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt
>>> var:/var:reencrypt"
>>>    # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create
>>> the filesystem
>>>    # in a newly formatted LUKS Partition
>>>    CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
>>> +# Timeout for creating / re-encrypting partitions on first boot
>>> +CRYPT_SETUP_TIMEOUT ??= "600"
>>> +# Watchdog to service during the initial setup of the crypto partitions
>>> +WATCHDOG_DEVICE ??= "/dev/watchdog"
>> Should there be a prefix?
> 
> "CRYPT_WATCHDOG_DEVICE" sounded wrong to me - the watchdog is not
> crypt-related. Better suggestions?
>
INITRD_WATCHDOG_DEVICE as it only applies to the initrd.


>>>    -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
>>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>>> +    CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE"
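
Review bot: the CRYPT_SETUP_TIMEOUT comment should state the unit (seconds) and that it is a single budget for all partition sets together, since the background loop is started once for the first partition needing work and is not restarted per partition; noting the 10 s granularity (the value is divided by 10, so 595 behaves like 590) would also save the next reader a trip into the scripts. A short note that the hardware watchdog timeout must exceed the 10 s service interval belongs next to WATCHDOG_DEVICE.
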
>> This indentation looks wrong.
> 
> Hmm, 4 spaces - what would you have expected?

In git it looks fine. Something with my mail client settings.

Quirin