* [isar-cip-core][PATCH 1/3] initramfs-crypt-hook: Remove needless differences between clevis and systemd scripts
From: Jan Kiszka @ 2023-07-06 8:04 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff
From: Jan Kiszka <jan.kiszka@siemens.com>
Just quoting and comment styles.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../files/encrypt_partition.clevis.script | 5 ++---
.../files/encrypt_partition.systemd.script | 22 +++++++++----------
2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index bcb5a048..9a1c37ba 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -41,7 +41,7 @@ tpm_device=/dev/tpmrm0
partition_sets="$PARTITIONS"
create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
-if [ -z "${create_file_system_cmd}" ];then
+if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
@@ -73,7 +73,6 @@ reencrypt_existing_partition() {
else
/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
fi
-
}
if [ ! -e "$tpm_device" ]; then
@@ -89,7 +88,7 @@ for partition_set in $partition_sets; do
partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
- partition=/dev/disk/by-partlabel/$partition_label
+ partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
# clevis does not work with links in /dev/disk*
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 927184c0..eefac4bd 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -8,6 +8,7 @@
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
#
# SPDX-License-Identifier: MIT
+
prereqs()
{
# Make sure that this script is run last in local-top
@@ -52,11 +53,11 @@ open_tpm2_partition() {
}
enroll_tpm2_token() {
- #check systemd version and export password if necessary
+ # check systemd version and export password if necessary
if [ -x /usr/bin/systemd-cryptenroll ]; then
systemd_version=$(systemd-cryptenroll --version | \
awk -F " " 'NR==1{print $2 }')
- #check systemd version and export password if necessary
+ # check systemd version and export password if necessary
if [ "$systemd_version" -ge "251" ]; then
PASSWORD=$(cat "$2" )
export PASSWORD
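Review bot: The comment `# check systemd version and export password if necessary` appears twice in this hunk, three lines apart, and the new side only fixes the spacing of both copies; the second one sits on the version comparison, where it repeats the first instead of saying what the comparison guards. Keeping the first as the block summary and turning the second into something like `# systemd-cryptenroll >= 251 reads the key from the PASSWORD environment variable` would help — if that is indeed what the `-ge 251` check is for, which the hunk itself does not show. Passing the key through the environment also means every process started after the export inherits it; that predates this patch, but a word in the same comment would make the trade-off explicit. enroll_tpm2_token starts inside the hunk and continues past its end.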
@@ -72,20 +73,19 @@ enroll_tpm2_token() {
}
reencrypt_existing_partition() {
- part_device=$(readlink -f "$partition")
- part_size_blocks=$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)
+ part_device="$(readlink -f "$partition")"
+ part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
# reduce the filesystem and partition by 32M to fit the LUKS header
reduce_device_size=32768
- reduced_size=$(expr "$part_size_blocks" - 65536 )
- reduced_size_in_byte=$(expr "$reduced_size" \* 512)
- reduced_size_in_kb=$(expr "$reduced_size_in_byte" / 1024)K
+ reduced_size="$(expr "$part_size_blocks" - 65536 )"
+ reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
+ reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
resize2fs "$1" "${reduced_size_in_kb}"
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
else
/usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
fi
-
}
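Review bot: The three `expr` lines are now quoted, but every operand is an integer, so the shell can do the arithmetic itself: `reduced_size=$(( part_size_blocks - 65536 ))`, `reduced_size_in_byte=$(( reduced_size * 512 ))`, `reduced_size_in_kb=$(( reduced_size_in_byte / 1024 ))K`. That saves three forks in the initramfs and may let the hook drop its copy_exec of expr if nothing else uses it. Also worth a comment: part_device is derived from the global `$partition` while the device handed to resize2fs and cryptsetup is `$1`, so the function silently assumes both name the same partition. reencrypt_existing_partition opens on the hunk's first line and its closing brace is the last.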
if [ ! -e "$tpm_device" ]; then
@@ -93,9 +93,9 @@ if [ ! -e "$tpm_device" ]; then
fi
for partition_set in $partition_sets; do
- partition_label=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')
- partition_mountpoint=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')
- partition_format=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')
+ partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+ partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+ partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
partition=/dev/disk/by-partlabel/"$partition_label"
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
--
2.35.3
* [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions
From: Jan Kiszka @ 2023-07-06 8:04 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff
From: Jan Kiszka <jan.kiszka@siemens.com>
These operations can take longer than the watchdog timeout normally
needed for booting Linux up to systemd. Add a background loop to both
scripts that triggers the watchdog every 10 s, but only up to a
configurable limit. Also the watchdog device can be configured, though
the default /dev/watchdog should be fine in almost all cases.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../files/encrypt_partition.clevis.script | 17 +++++++++++++++++
.../files/encrypt_partition.env.tmpl | 2 ++
.../files/encrypt_partition.systemd.hook | 2 ++
.../files/encrypt_partition.systemd.script | 17 +++++++++++++++++
.../initramfs-crypt-hook_0.1.bb | 7 ++++++-
5 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 9a1c37ba..c38c0e94 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
open_tpm2_partition() {
if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
-d "$1"; then
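Review bot: service_watchdog (the `for n in $(seq …)` loop through `done > "$WATCHDOG_DEV"`) holds the watchdog device open for the loop's lifetime and closes it without ever writing the magic close character, so whether the loop runs out or the job is killed at the end of the script the watchdog stays armed — and with the Linux watchdog core an open normally also starts a watchdog that was not running yet. That is presumably the intent (something has to keep feeding it until systemd takes over), but it deserves a comment above the function such as `# Feed the watchdog for at most SETUP_TIMEOUT seconds; the device is closed without the magic close character, so the watchdog keeps running afterwards`. Two smaller points: `n` is never used, so `for _ in …` reads better, and an empty `$SETUP_TIMEOUT` turns `$(( / 10))` into an arithmetic error that only surfaces on the background job's stderr, whereas `$((${SETUP_TIMEOUT:?} / 10))` at least names the missing variable. The identical function is added to encrypt_partition.systemd.script in this patch and again in the v2 repost further down; the same applies there.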
@@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
continue
fi
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
# create random password for initial encryption
# this will be dropped after reboot
tmp_key=/tmp/"$partition_label-lukskey"
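Review bot: The `[ -z "$watchdog_pid" ]` guard relies on watchdog_pid never having been assigned before the `for partition_set` loop, which begins outside this hunk; nothing in the hunk initializes it, so a later assignment elsewhere or a future `set -u` silently changes the behaviour. An explicit `watchdog_pid=` before the loop makes the "start the feeder at most once per run" intent visible. The same applies to the matching hunk in encrypt_partition.systemd.script and to the v2 repost.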
@@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
# afterwards no new keys can be enrolled
cryptsetup -v luksKillSlot -q "$part_device" 0
done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index d04be56c..382fe45f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -1,2 +1,4 @@
PARTITIONS="${CRYPT_PARTITIONS}"
CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
+SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
+WATCHDOG_DEV="${WATCHDOG_DEVICE}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index fa37b57a..08ea631a 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
+copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
+copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
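Review bot: seq and sleep are copied only by encrypt_partition.systemd.hook, while the service_watchdog loop that needs them is added to both the clevis and the systemd script. The diffstat lists no clevis hook file, so if the clevis variant has its own hook (not visible here) it needs the same two `copy_exec` lines; if both variants share this hook, a short comment next to these lines saying so would spare the next reader the same check.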
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index eefac4bd..cf513dfe 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
open_tpm2_partition() {
if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
"$1" - tpm2-device="$tpm_device"; then
@@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
continue
fi
+ # pet watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
# create random password for initial encryption
# this will be dropped after reboot
tmp_key=/tmp/"$partition_label-lukskey"
@@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
# afterwards no new keys can be enrolled
/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 997f469d..db65ea40 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
# in a newly formatted LUKS Partition
CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
+# Timeout for creating / re-encrypting partitions on first boot
+CRYPT_SETUP_TIMEOUT ??= "600"
+# Watchdog to service during the initial setup of the crypto partitions
+WATCHDOG_DEVICE ??= "/dev/watchdog"
-TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
+TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
+ CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE"
TEMPLATE_FILES = "encrypt_partition.env.tmpl"
do_install[cleandirs] += " \
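Review bot: The new `CRYPT_SETUP_TIMEOUT` comment states neither the unit nor what happens when the limit is reached: the scripts divide the value by 10 to get the number of 10-second feed cycles, so it is seconds, and once the loop runs out the watchdog is no longer fed. A comment like `# Maximum time in seconds the watchdog is fed while partitions are created / re-encrypted on first boot; when exceeded the watchdog is left to expire` documents the contract an integrator has to size against. Since the division truncates, values below 10 yield zero cycles, so the comment should also say the value is expected to be a multiple of 10.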
--
2.35.3
* Re: [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions
From: Gylstorff Quirin @ 2023-07-10 9:11 UTC (permalink / raw)
To: Jan Kiszka, cip-dev
On 7/6/23 10:04, Jan Kiszka wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> These operations can take longer than the watchdog timeout normally
> needed for booting Linux up to systemd. Add a background loop to both
> scripts then triggers the watchdog every 10 s, but only up to a
> configurable limit. Also the watchdog device can be configured, though
> the default /dev/watchdog should be fine in almost all cases.
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++
> .../files/encrypt_partition.env.tmpl | 2 ++
> .../files/encrypt_partition.systemd.hook | 2 ++
> .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++
> .../initramfs-crypt-hook_0.1.bb | 7 ++++++-
> 5 files changed, 44 insertions(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index 9a1c37ba..c38c0e94 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
> create_file_system_cmd="mke2fs -t ext4"
> fi
>
> +service_watchdog() {
> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
> + printf '\0'
> + sleep 10
> + done > "$WATCHDOG_DEV"
> +}
> +
> open_tpm2_partition() {
> if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
> -d "$1"; then
> @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
> continue
> fi
>
> + # service watchdog in the background during lengthy re-encryption
> + if [ -z "$watchdog_pid" ]; then
> + service_watchdog &
> + watchdog_pid=$!
> + fi
> +
> # create random password for initial encryption
> # this will be dropped after reboot
> tmp_key=/tmp/"$partition_label-lukskey"
> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
> # afterwards no new keys can be enrolled
> cryptsetup -v luksKillSlot -q "$part_device" 0
> done
> +
> +if [ -n "$watchdog_pid" ]; then
> + kill "$watchdog_pid"
> +fi
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> index d04be56c..382fe45f 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -1,2 +1,4 @@
> PARTITIONS="${CRYPT_PARTITIONS}"
> CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
> +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
> +WATCHDOG_DEV="${WATCHDOG_DEVICE}"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> index fa37b57a..08ea631a 100755
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
> copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
> copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
> copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
> +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
> +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
> copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
> copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
> copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> index eefac4bd..cf513dfe 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
> create_file_system_cmd="mke2fs -t ext4"
> fi
>
> +service_watchdog() {
> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
> + printf '\0'
> + sleep 10
> + done > "$WATCHDOG_DEV"
> +}
> +
> open_tpm2_partition() {
> if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
> "$1" - tpm2-device="$tpm_device"; then
> @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
> continue
> fi
>
> + # pet watchdog in the background during lengthy re-encryption
> + if [ -z "$watchdog_pid" ]; then
> + service_watchdog &
> + watchdog_pid=$!
> + fi
> +
> # create random password for initial encryption
> # this will be dropped after reboot
> tmp_key=/tmp/"$partition_label-lukskey"
> @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
> # afterwards no new keys can be enrolled
> /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
> done
> +
> +if [ -n "$watchdog_pid" ]; then
> + kill "$watchdog_pid"
> +fi
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> index 997f469d..db65ea40 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
> # in a newly formatted LUKS Partition
> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
> +# Timeout for creating / re-encrypting partitions on first boot
> +CRYPT_SETUP_TIMEOUT ??= "600"
> +# Watchdog to service during the initial setup of the crypto partitions
> +WATCHDOG_DEVICE ??= "/dev/watchdog"
Should there be a prefix?
>
> -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
> + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE"
This indentation looks wrong.
Quirin
> TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>
> do_install[cleandirs] += " \
* Re: [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions
From: Jan Kiszka @ 2023-07-10 10:14 UTC (permalink / raw)
To: Gylstorff Quirin, cip-dev
On 10.07.23 11:11, Gylstorff Quirin wrote:
>
>
> On 7/6/23 10:04, Jan Kiszka wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> These operations can take longer than the watchdog timeout normally
>> needed for booting Linux up to systemd. Add a background loop to both
>> scripts then triggers the watchdog every 10 s, but only up to a
>> configurable limit. Also the watchdog device can be configured, though
>> the default /dev/watchdog should be fine in almost all cases.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>> .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++
>> .../files/encrypt_partition.env.tmpl | 2 ++
>> .../files/encrypt_partition.systemd.hook | 2 ++
>> .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++
>> .../initramfs-crypt-hook_0.1.bb | 7 ++++++-
>> 5 files changed, 44 insertions(+), 1 deletion(-)
>>
>> diff --git
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>> index 9a1c37ba..c38c0e94 100644
>> ---
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>> +++
>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
>> create_file_system_cmd="mke2fs -t ext4"
>> fi
>> +service_watchdog() {
>> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
>> + printf '\0'
>> + sleep 10
>> + done > "$WATCHDOG_DEV"
>> +}
>> +
>> open_tpm2_partition() {
>> if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
>> -d "$1"; then
>> @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
>> continue
>> fi
>> + # service watchdog in the background during lengthy re-encryption
>> + if [ -z "$watchdog_pid" ]; then
>> + service_watchdog &
>> + watchdog_pid=$!
>> + fi
>> +
>> # create random password for initial encryption
>> # this will be dropped after reboot
>> tmp_key=/tmp/"$partition_label-lukskey"
>> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
>> # afterwards no new keys can be enrolled
>> cryptsetup -v luksKillSlot -q "$part_device" 0
>> done
>> +
>> +if [ -n "$watchdog_pid" ]; then
>> + kill "$watchdog_pid"
>> +fi
>> diff --git
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> index d04be56c..382fe45f 100644
>> ---
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> +++
>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>> @@ -1,2 +1,4 @@
>> PARTITIONS="${CRYPT_PARTITIONS}"
>> CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
>> +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
>> +WATCHDOG_DEV="${WATCHDOG_DEVICE}"
>> diff --git
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>> index fa37b57a..08ea631a 100755
>> ---
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>> +++
>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>> @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error
>> "/usr/sbin/mke2fs not found"
>> copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
>> copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
>> copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
>> +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
>> +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
>> copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
>> copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not
>> found"
>> copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup
>> not found"
>> diff --git
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>> index eefac4bd..cf513dfe 100644
>> ---
>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>> +++
>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
>> create_file_system_cmd="mke2fs -t ext4"
>> fi
>> +service_watchdog() {
>> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
>> + printf '\0'
>> + sleep 10
>> + done > "$WATCHDOG_DEV"
>> +}
>> +
>> open_tpm2_partition() {
>> if ! /usr/lib/systemd/systemd-cryptsetup attach
>> "$crypt_mount_name" \
>> "$1" - tpm2-device="$tpm_device"; then
>> @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
>> continue
>> fi
>> + # pet watchdog in the background during lengthy re-encryption
>> + if [ -z "$watchdog_pid" ]; then
>> + service_watchdog &
>> + watchdog_pid=$!
>> + fi
>> +
>> # create random password for initial encryption
>> # this will be dropped after reboot
>> tmp_key=/tmp/"$partition_label-lukskey"
>> @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
>> # afterwards no new keys can be enrolled
>> /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>> done
>> +
>> +if [ -n "$watchdog_pid" ]; then
>> + kill "$watchdog_pid"
>> +fi
>> diff --git
>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> index 997f469d..db65ea40 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt
>> var:/var:reencrypt"
>> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create
>> the filesystem
>> # in a newly formatted LUKS Partition
>> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
>> +# Timeout for creating / re-encrypting partitions on first boot
>> +CRYPT_SETUP_TIMEOUT ??= "600"
>> +# Watchdog to service during the initial setup of the crypto partitions
>> +WATCHDOG_DEVICE ??= "/dev/watchdog"
> Should there a prefix?
"CRYPT_WATCHDOG_DEVICE" sounded wrong to me - the watchdog is not
crypt-related. Better suggestions?
>> -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>> + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE"
> This indentation looks wrong.
Hmm, 4 spaces - what would you have expected?
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions
From: Gylstorff Quirin @ 2023-07-10 10:44 UTC (permalink / raw)
To: Jan Kiszka, cip-dev
On 7/10/23 12:14, Jan Kiszka wrote:
> On 10.07.23 11:11, Gylstorff Quirin wrote:
>>
>>
>> On 7/6/23 10:04, Jan Kiszka wrote:
>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>
>>> These operations can take longer than the watchdog timeout normally
>>> needed for booting Linux up to systemd. Add a background loop to both
>>> scripts then triggers the watchdog every 10 s, but only up to a
>>> configurable limit. Also the watchdog device can be configured, though
>>> the default /dev/watchdog should be fine in almost all cases.
>>>
>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>> ---
>>> .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++
>>> .../files/encrypt_partition.env.tmpl | 2 ++
>>> .../files/encrypt_partition.systemd.hook | 2 ++
>>> .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++
>>> .../initramfs-crypt-hook_0.1.bb | 7 ++++++-
>>> 5 files changed, 44 insertions(+), 1 deletion(-)
>>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>>> index 9a1c37ba..c38c0e94 100644
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
>>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
>>> create_file_system_cmd="mke2fs -t ext4"
>>> fi
>>> +service_watchdog() {
>>> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
>>> + printf '\0'
>>> + sleep 10
>>> + done > "$WATCHDOG_DEV"
>>> +}
>>> +
>>> open_tpm2_partition() {
>>> if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
>>> -d "$1"; then
>>> @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
>>> continue
>>> fi
>>> + # service watchdog in the background during lengthy re-encryption
>>> + if [ -z "$watchdog_pid" ]; then
>>> + service_watchdog &
>>> + watchdog_pid=$!
>>> + fi
>>> +
>>> # create random password for initial encryption
>>> # this will be dropped after reboot
>>> tmp_key=/tmp/"$partition_label-lukskey"
>>> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
>>> # afterwards no new keys can be enrolled
>>> cryptsetup -v luksKillSlot -q "$part_device" 0
>>> done
>>> +
>>> +if [ -n "$watchdog_pid" ]; then
>>> + kill "$watchdog_pid"
>>> +fi
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> index d04be56c..382fe45f 100644
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> @@ -1,2 +1,4 @@
>>> PARTITIONS="${CRYPT_PARTITIONS}"
>>> CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
>>> +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
>>> +WATCHDOG_DEV="${WATCHDOG_DEVICE}"
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> index fa37b57a..08ea631a 100755
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error
>>> "/usr/sbin/mke2fs not found"
>>> copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
>>> copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
>>> copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
>>> +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
>>> +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
>>> copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
>>> copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not
>>> found"
>>> copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup
>>> not found"
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>>> index eefac4bd..cf513dfe 100644
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>>> +++
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
>>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
>>> create_file_system_cmd="mke2fs -t ext4"
>>> fi
>>> +service_watchdog() {
>>> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
>>> + printf '\0'
>>> + sleep 10
>>> + done > "$WATCHDOG_DEV"
>>> +}
>>> +
>>> open_tpm2_partition() {
>>> if ! /usr/lib/systemd/systemd-cryptsetup attach
>>> "$crypt_mount_name" \
>>> "$1" - tpm2-device="$tpm_device"; then
>>> @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
>>> continue
>>> fi
>>> + # pet watchdog in the background during lengthy re-encryption
>>> + if [ -z "$watchdog_pid" ]; then
>>> + service_watchdog &
>>> + watchdog_pid=$!
>>> + fi
>>> +
>>> # create random password for initial encryption
>>> # this will be dropped after reboot
>>> tmp_key=/tmp/"$partition_label-lukskey"
>>> @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
>>> # afterwards no new keys can be enrolled
>>> /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
>>> done
>>> +
>>> +if [ -n "$watchdog_pid" ]; then
>>> + kill "$watchdog_pid"
>>> +fi
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> index 997f469d..db65ea40 100644
>>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>>> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt
>>> var:/var:reencrypt"
>>> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create
>>> the filesystem
>>> # in a newly formatted LUKS Partition
>>> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
>>> +# Timeout for creating / re-encrypting partitions on first boot
>>> +CRYPT_SETUP_TIMEOUT ??= "600"
>>> +# Watchdog to service during the initial setup of the crypto partitions
>>> +WATCHDOG_DEVICE ??= "/dev/watchdog"
>> Should there a prefix?
>
> "CRYPT_WATCHDOG_DEVICE" sounded wrong to me - the watchdog is not
> crypt-related. Better suggestions?
>
INITRD_WATCHDOG_DEVICE as it only applies to the initrd.
>>> -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
>>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>>> + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE"
>> This indentation looks wrong.
>
> Hmm, 4 spaces - what would you have expected?
In git it looks fine. Something with my mail client settings.
Quirin
* [isar-cip-core][PATCH v2 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions
2023-07-10 10:44 ` Gylstorff Quirin
@ 2023-07-10 11:23 ` Jan Kiszka
From: Jan Kiszka @ 2023-07-10 11:23 UTC (permalink / raw)
To: cip-dev; +Cc: Gylstorff Quirin
From: Jan Kiszka <jan.kiszka@siemens.com>
These operations can take longer than the watchdog timeout normally
needed for booting Linux up to systemd. Add a background loop to both
scripts that triggers the watchdog every 10 s, but only up to a
configurable limit. Also the watchdog device can be configured, though
the default /dev/watchdog should be fine in almost all cases.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
Changes in v2:
- renames WATCHDOG_DEVICE to INITRAMFS_WATCHDOG_DEVICE
.../files/encrypt_partition.clevis.script | 17 +++++++++++++++++
.../files/encrypt_partition.env.tmpl | 2 ++
.../files/encrypt_partition.systemd.hook | 2 ++
.../files/encrypt_partition.systemd.script | 17 +++++++++++++++++
.../initramfs-crypt-hook_0.1.bb | 7 ++++++-
5 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index fd53c587..899f20e6 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
open_tpm2_partition() {
if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
-d "$1"; then
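Review bot: The `sleep 10` inside the loop inherits the loop's stdout, which is the open `$WATCHDOG_DEV` descriptor, so after the `kill "$watchdog_pid"` at the end of the script an orphaned sleep keeps the device open for up to 10 s; the kernel watchdog chardev admits a single opener, so whatever opens it next within that window gets EBUSY instead of taking over servicing. Redirecting sleep's stdout away from the device avoids that, and a counter loop removes the `seq` dependency that the hook has to copy in. Using the bare name in the arithmetic expansion also means an empty SETUP_TIMEOUT (the .bb default masks it, a layer override to "" would not) evaluates to 0 iterations instead of failing with a syntax error in `$(($SETUP_TIMEOUT / 10))`. The identical function is added to encrypt_partition.systemd.script in its @@ -45 hunk.
```shell
service_watchdog() {
    n=$(( SETUP_TIMEOUT / 10 ))
    while [ "$n" -gt 0 ]; do
        printf '\0'
        # keep the watchdog fd out of sleep: a leftover sleep would hold the
        # single-opener device for up to 10 s after this loop has been killed
        sleep 10 >/dev/null
        n=$(( n - 1 ))
    done > "$WATCHDOG_DEV"
}
```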
@@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
continue
fi
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
# create random password for initial encryption
# this will be dropped after reboot
tmp_key=/tmp/"$partition_label-lukskey"
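Review bot: `$watchdog_pid` is read on the `if [ -z "$watchdog_pid" ]` line before anything assigns it; if the script runs under `set -u` (its header is outside the hunk) the test aborts on the first iteration, and an explicit `watchdog_pid=` next to the other variable initialisations would make the one-shot start intent visible either way. The loop also redirects onto `$WATCHDOG_DEV` unconditionally, and `>` creates a regular file if no driver has provided the node, so on a board without a watchdog the loop happily writes NULs into a plain file until SETUP_TIMEOUT elapses. Starting it only when the node is a character device avoids that: `if [ -z "$watchdog_pid" ] && [ -c "$WATCHDOG_DEV" ]; then`. The same applies to the systemd script's @@ -111 hunk.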
@@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
# afterwards no new keys can be enrolled
cryptsetup -v luksKillSlot -q "$part_device" 0
done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
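Review bot: `kill "$watchdog_pid"` stops the background shell but never reaps it, and if the loop already ran out of SETUP_TIMEOUT iterations the pid is gone and kill returns non-zero; under `set -e` (the script header is outside the hunk) that would abort the script at its very end, after all partitions were set up. Suggest `kill "$watchdog_pid" 2>/dev/null` followed by `wait "$watchdog_pid" 2>/dev/null || true`, which also guarantees the watchdog descriptor is closed before the script returns to the initramfs. The systemd script's @@ -143 hunk has the same lines.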
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index d04be56c..52dbd005 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -1,2 +1,4 @@
PARTITIONS="${CRYPT_PARTITIONS}"
CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
+SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
+WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index fa37b57a..08ea631a 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
+copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
+copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
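Review bot: `copy_exec /usr/bin/seq` and `/usr/bin/sleep` are added only to the systemd hook, while the clevis script in this series gains identical `seq`/`sleep` calls and no clevis hook is touched. If the clevis initramfs does not already carry both binaries, service_watchdog runs in the background with "seq: not found", its loop body never executes and the watchdog goes unserviced — silently, since the error only reaches the background job's stderr. Either add the same two copy_exec lines to the clevis hook or confirm they are already present there.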
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index a5bd4fbe..330188a5 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
open_tpm2_partition() {
if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
"$1" - tpm2-device="$tpm_device"; then
@@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
continue
fi
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
# create random password for initial encryption
# this will be dropped after reboot
tmp_key=/tmp/"$partition_label-lukskey"
@@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
# afterwards no new keys can be enrolled
/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 997f469d..1c1bf3da 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
# in a newly formatted LUKS Partition
CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
+# Timeout for creating / re-encrypting partitions on first boot
+CRYPT_SETUP_TIMEOUT ??= "600"
+# Watchdog to service during the initial setup of the crypto partitions
+INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
-TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
+TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
+ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE"
TEMPLATE_FILES = "encrypt_partition.env.tmpl"
do_install[cleandirs] += " \
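Review bot: The comment above `CRYPT_SETUP_TIMEOUT` states neither the unit nor what happens when the value elapses; the env template feeds it into `$(($SETUP_TIMEOUT / 10))`, so it must be an integer number of seconds, and once it expires the background loop ends and the watchdog is no longer serviced, which is meant to reset a board whose setup is still running. Suggest `# Timeout in seconds for creating / re-encrypting partitions on first boot; after it expires the watchdog is no longer serviced and a still-running setup will be reset`. For `INITRAMFS_WATCHDOG_DEVICE` it is worth saying that an empty value does not disable servicing (the scripts only test the pid variable, so the loop would just fail to open the device).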
--
2.35.3
* [isar-cip-core][PATCH 3/3] x86: Harden watchdog settings
2023-07-06 8:04 [isar-cip-core][PATCH 0/3] Service watchdog in initramfs-crypto-hook, harden watchdog settings Jan Kiszka
2023-07-06 8:04 ` [isar-cip-core][PATCH 1/3] initramfs-crypt-hook: Remove needless differences between clevis and systemd scripts Jan Kiszka
2023-07-06 8:04 ` [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions Jan Kiszka
@ 2023-07-06 8:04 ` Jan Kiszka
From: Jan Kiszka @ 2023-07-06 8:04 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff
From: Jan Kiszka <jan.kiszka@siemens.com>
These ensure that the watchdog is only starting to be serviced by
systemd, not yet by the kernel itself right after probing. This is
needed in order to catch lock-ups in the initramfs userspace.
While at it, turn the iTCO - where used - into no-way-out mode, making
things even more robust.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
wic/x86-efibootguard.wks.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 5c411161..12fa45f0 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -7,4 +7,4 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog.handle_boot_enabled=0 iTCO_wdt.nowayout=1 panic=5"
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 24b43873..38ad4117 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -11,4 +11,4 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog.handle_boot_enabled=0 iTCO_wdt.nowayout=1 "
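Review bot: The new `--append` string ends with a trailing space before the closing quote (`iTCO_wdt.nowayout=1 "`), which the qemu-amd64 variant's line does not have; it lands as a stray blank in the kernel command line. Drop it: `--append="console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog.handle_boot_enabled=0 iTCO_wdt.nowayout=1"`.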
--
2.35.3