From: "MOESSBAUER, Felix" <felix.moessbauer@siemens.com>
To: "cip-dev@lists.cip-project.org" <cip-dev@lists.cip-project.org>,
"quirin.gylstorff@siemens.com" <quirin.gylstorff@siemens.com>,
"Kiszka, Jan" <jan.kiszka@siemens.com>,
"johnxw@amazon.com" <johnxw@amazon.com>
Subject: Re: [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs
Date: Fri, 3 May 2024 11:20:49 +0000
Message-ID: <df10bbfc071cf45801ea4a255bb23b9598cf1aec.camel@siemens.com>
In-Reply-To: <0f2f4e54-db09-496d-9223-94fe108f104f@siemens.com>
On Fri, 2024-05-03 at 09:24 +0200, Jan Kiszka wrote:
> On 02.05.24 11:31, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > This adds the option to encrypt both root file system partitions.
> > The encrypted partition can be updated with SWUpdate.
> >
> > The disk encryption is independent of the selected boot method and
> > could also be used to encrypt a single writable root file system.
> >
> > To simplify the handling of SWUpdate, the encrypted partitions use
> > the UUID as the device mapper name.
> >
> >
> > If all partitions are encrypted the partition layout looks similar to this:
> >
> > ```
> > root@demo:~# lsblk
> > NAME                                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
> > sda                                         8:0    0   5.4G  0 disk
> > ├─sda1                                      8:1    0  16.1M  0 part
> > ├─sda2                                      8:2    0    42M  0 part
> > ├─sda3                                      8:3    0    42M  0 part
> > ├─sda4                                      8:4    0     1G  0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000001  252:0    0  1008M  0 crypt
> > ├─sda5                                      8:5    0     1G  0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000002  252:1    0  1008M  0 crypt
> > │   └─verityroot                          252:4    0 115.3M  1 crypt /
> > ├─sda6                                      8:6    0   1.3G  0 part
> > │ └─encrypted_home                        252:2    0   1.3G  0 crypt /home
> > └─sda7                                      8:7    0     2G  0 part
> >   └─encrypted_var                         252:3    0     2G  0 crypt /var
> > ```
> > Changes v4:
> > - Clarify that only non-boot partitions are encrypted
> > - Fix typos
> > - Add note for encryption in secure environment
> >
> > Changes v3:
> > - Update the encrypted partition instead of the underlying device
> > - Use uuids instead of labels for the partitions.
> > - Allow uuids and absolute path to select the partition to be encrypted.
> > - Add Readme for partition selection.
> >
> > Changes v2:
> > - Rewrite commit messages
> > - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
> > - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> > - Fix assignment of CRYPT_PARTITIONS
> >
> > Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> > - add partition labels for a/b partitions
> > - use a/b rootfs configuration instead of a separate wks file
> >
> >
> > Quirin Gylstorff (9):
> > wic/*: Add part-labels to system partition
> > initramfs: allow empty mountpoint for crypt hooks
> > initramfs-crypt: Only resize partition if ext* formatted
> > fix: use luks2 to identify encrypted partition
> > Rename encrypt-partitions to encrypt-data
> > Kconfig: Add option to encrypt the rootfs
> > crypt-hook: Extend partition selection
> > README: Add rootfs encryption
> > README.swupdate: Add section about partition selection
> >
> > .gitlab-ci.yml | 2 +-
> > Kconfig | 24 +++++++--
> > doc/README.swupdate.md | 16 ++++++
> > doc/README.tpm2.encryption.md | 22 +++++++--
> > kas/opt/encrypt-all.yml | 23 +++++++++
> > ...ncrypt-partitions.yml => encrypt-data.yml} | 0
> > kas/opt/security.yml | 2 +-
> > .../files/encrypt_partition.clevis.hook | 2 +
> > .../files/encrypt_partition.script | 49 ++++++++++++++-----
> > .../files/encrypt_partition.systemd.hook | 2 +
> > .../files/mount_crypt_partitions.script | 24 +++++++--
> > .../initramfs-crypt-hook_0.2.bb | 3 +-
> > wic/bbb-efibootguard.wks.in | 4 +-
> > wic/hihope-rzg2m-efibootguard.wks.in | 4 +-
> > wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
> > wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
> > wic/qemu-arm64-efibootguard.wks.in | 4 +-
> > wic/qemu-riscv64-efibootguard.wks.in | 4 +-
> > wic/x86-efibootguard.wks.in | 4 +-
> > 19 files changed, 157 insertions(+), 40 deletions(-)
> > create mode 100644 kas/opt/encrypt-all.yml
> > rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
> >
>
> Just tested in qemu-amd64. It works, but there are many suspicious
> warnings and messages during first boot:
>
> Warning: keyslot operation could fail as it requires more than
> available memory.
> Progress: 52.4%, ETA 00m06s, 528 MiB written, speed 78.8 MiB/s
> Finished, time 00m11s, 1008 MiB written, speed 83.5 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
> Device /dev/sda5 is not a valid LUKS device.
> skip disk resize as it not support or unnecessary for fstype: ''
This indicates a bug in the script, as the fstype is empty. Also, I'm
not sure if we want to issue this message at all. For me, that's just a
debug hint.
> Warning: keyslot operation could fail as it requires more than
> available memory.
> Finished, time 00m11s, 1008 MiB written, speed 83.7 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Also this should be fixed.
Felix
> Device /dev/sda6 is not a valid LUKS device.
>
> Jan
>
--
Siemens AG, Technology
Linux Expert Center
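The boot log quoted above shows the two probes the crypt hook has to run on every candidate partition: is it already a LUKS device (the "is not a valid LUKS device" message is the negative answer), and if it is about to be encrypted, is it ext*-formatted so that a resize afterwards makes sense (the "fstype: ''" message is the case where no filesystem type was detected). The following is an added example and not code from isar-cip-core or from anyone in this thread; the real initramfs hook scripts are not shown on this page and presumably call cryptsetup and blkid instead. It re-implements both checks on raw bytes so that it runs offline: the header offsets follow the published LUKS1/LUKS2 on-disk header layout and the ext2/3/4 superblock, the ext2/ext3/ext4 split is a simplification of libblkid's feature-flag rules, `plan_for_partition` is a hypothetical helper, and the sample images are constructed (one reuses a UUID from the lsblk output above).

```python
"""Added example: the two probes behind the boot messages in this thread,
re-implemented on raw bytes so they run offline. Not isar-cip-core code; the
real initramfs hook scripts are not shown on this page and presumably call
cryptsetup/blkid instead. Offsets follow the LUKS1/LUKS2 on-disk header
layout and the ext2/3/4 superblock; the ext2/ext3/ext4 split is a
simplification of libblkid's feature-flag rules."""
import struct
from dataclasses import dataclass
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_UUID_OFFSET, LUKS_UUID_LEN = 168, 40   # uuid[40] sits at 168 in LUKS1 and LUKS2
EXT_SB = 1024                               # ext superblock starts at byte 1024
EXT_MAGIC_OFF = EXT_SB + 0x38               # s_magic, little-endian 0xEF53
EXT_COMPAT_OFF = EXT_SB + 0x5C              # s_feature_compat
EXT_INCOMPAT_OFF = EXT_SB + 0x60            # s_feature_incompat
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_EXTENTS, INCOMPAT_64BIT = 0x0040, 0x0080


@dataclass(frozen=True)
class LuksInfo:
    version: int
    uuid: str


def probe_luks(dev: bytes) -> Optional[LuksInfo]:
    """Same question `cryptsetup isLuks` answers: LUKS magic + version 1 or 2.
    Returns the header UUID, which the series uses as the device-mapper name."""
    if len(dev) < LUKS_UUID_OFFSET + LUKS_UUID_LEN or dev[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", dev, 6)[0]          # big-endian uint16
    if version not in (1, 2):
        return None
    raw = dev[LUKS_UUID_OFFSET:LUKS_UUID_OFFSET + LUKS_UUID_LEN]
    return LuksInfo(version, raw.split(b"\0", 1)[0].decode("ascii"))


def probe_ext_fstype(dev: bytes) -> str:
    """'ext2' / 'ext3' / 'ext4', or '' when no ext superblock is present.
    An empty string here is exactly the fstype: '' seen in the boot log."""
    if len(dev) < EXT_INCOMPAT_OFF + 4:
        return ""
    if struct.unpack_from("<H", dev, EXT_MAGIC_OFF)[0] != EXT_MAGIC:
        return ""
    compat = struct.unpack_from("<I", dev, EXT_COMPAT_OFF)[0]
    incompat = struct.unpack_from("<I", dev, EXT_INCOMPAT_OFF)[0]
    if incompat & (INCOMPAT_EXTENTS | INCOMPAT_64BIT):
        return "ext4"
    if compat & COMPAT_HAS_JOURNAL:
        return "ext3"
    return "ext2"


def plan_for_partition(dev: bytes) -> dict:
    """Decision the hook has to make for one partition (hypothetical helper):
    already LUKS -> open it under its UUID; otherwise encrypt, and resize the
    filesystem afterwards only if it is ext*-formatted."""
    luks = probe_luks(dev)
    if luks is not None:
        return {"action": "open", "dm_name": luks.uuid, "luks_version": luks.version}
    fstype = probe_ext_fstype(dev)
    return {"action": "encrypt", "fstype": fstype,
            "resize": fstype in ("ext2", "ext3", "ext4")}


# --- constructed sample images (no real devices involved) -------------------
def make_luks2_header(uuid: str, label: str = "") -> bytes:
    """4096-byte LUKS2 binary header with only the fields the probe reads."""
    hdr = bytearray(4096)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)              # version
    struct.pack_into(">Q", hdr, 8, 16384)          # hdr_size
    struct.pack_into(">Q", hdr, 16, 1)             # seqid
    hdr[24:24 + len(label)] = label.encode()       # label[48]
    hdr[72:78] = b"sha256"                         # checksum_alg[32]
    hdr[LUKS_UUID_OFFSET:LUKS_UUID_OFFSET + len(uuid)] = uuid.encode()
    return bytes(hdr)


def make_ext_image(journal: bool, extents: bool) -> bytes:
    """2 KiB image whose superblock carries just magic and feature flags."""
    img = bytearray(2048)
    struct.pack_into("<H", img, EXT_MAGIC_OFF, EXT_MAGIC)
    struct.pack_into("<I", img, EXT_COMPAT_OFF, COMPAT_HAS_JOURNAL if journal else 0)
    struct.pack_into("<I", img, EXT_INCOMPAT_OFF, INCOMPAT_EXTENTS if extents else 0)
    return bytes(img)


if __name__ == "__main__":
    samples = {
        "sda5 (already encrypted)": make_luks2_header("fedcba98-7654-3210-cafe-5e0710000002"),
        "sda6 (plain ext4)": make_ext_image(journal=True, extents=True),
        "sda7 (blank, no superblock)": bytes(2048),
    }
    for name, dev in samples.items():
        print(f"{name}: {plan_for_partition(dev)}")
```

The blank image is the interesting case for this thread: the probe returns an empty fstype, and a hook that reports "skip disk resize" for that case is correct, so an empty fstype on a partition that does carry a filesystem points at the detection step (how the fstype variable is filled) rather than at the resize logic.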
Thread overview (19+ messages):
2024-05-02 9:31 [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 1/9] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 2/9] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
2024-05-03 11:07 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 3/9] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
2024-05-03 11:07 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 4/9] fix: use luks2 to identify encrypted partition Quirin Gylstorff
2024-05-03 11:09 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 5/9] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 6/9] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
2024-05-03 6:33 ` Jan Kiszka
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 7/9] crypt-hook: Extend partition selection Quirin Gylstorff
2024-05-03 11:11 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 8/9] README: Add rootfs encryption Quirin Gylstorff
2024-05-03 11:14 ` MOESSBAUER, Felix
2024-05-02 9:31 ` [cip-dev][isar-cip-core][PATCH v4 9/9] README.swupdate: Add section about partition selection Quirin Gylstorff
2024-05-03 11:18 ` MOESSBAUER, Felix
2024-05-03 7:24 ` [cip-dev][isar-cip-core][PATCH v4 0/9] Add option to encrypt the rootfs Jan Kiszka
2024-05-03 11:20 ` MOESSBAUER, Felix [this message]