Message ID | 20240502093240.364093-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
Series | Add option to encrypt the rootfs |
On 02.05.24 11:31, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This adds the option to encrypt both root file system partitions.
> The encrypted partition can be updated with SWUpdate.
>
> The disk encryption is independent of the selected boot method and
> could also be used to encrypt a single writable root file system.
>
> To simplify the handling of the swupdate the encrypted partition uses
> the uuid as the device mapper name.
>
>
> If all partitions are encrypted the partition layout looks similar to
> this:
>
> ```
> root@demo:~# lsblk
> NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
> sda                                        8:0    0   5.4G  0 disk
> ├─sda1                                     8:1    0  16.1M  0 part
> ├─sda2                                     8:2    0    42M  0 part
> ├─sda3                                     8:3    0    42M  0 part
> ├─sda4                                     8:4    0     1G  0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
> ├─sda5                                     8:5    0     1G  0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
> │   └─verityroot                         252:4    0 115.3M  1 crypt /
> ├─sda6                                     8:6    0   1.3G  0 part
> │ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
> └─sda7                                     8:7    0     2G  0 part
>   └─encrypted_var                        252:3    0     2G  0 crypt /var
> ```
> Changes v4:
> - Clarify that only non-boot partitions are encrypted
> - Fix typos
> - Add note for encryption in secure environment
>
> Changes v3:
> - Update the encrypted partition instead of the underlying device
> - Use uuids instead of labels for the partitions.
> - Allow uuids and absolute path to select the partition to be
>   encrypted.
> - Add Readme for partition selection.
>
> Changes v2:
> - Rewrite commit messages
> - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
> - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> - Fix assignment of CRYPT_PARTITIONS
>
> Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> - add partition labels for a/b partitions
> - use a/b rootfs configuration instead of a separate wks file
>
>
> Quirin Gylstorff (9):
>   wic/*: Add part-labels to system partition
>   initramfs: allow empty mountpoint for crypt hooks
>   initramfs-crypt: Only resize partition if ext* formatted
>   fix: use luks2 to identify encrypted partition
>   Rename encrypt-partitions to encrypt-data
>   Kconfig: Add option to encrypt the rootfs
>   crypt-hook: Extend partition selection
>   README: Add rootfs encryption
>   README.swupdate: Add section about partition selection
>
>  .gitlab-ci.yml                                |  2 +-
>  Kconfig                                       | 24 +++++++--
>  doc/README.swupdate.md                        | 16 ++++++
>  doc/README.tpm2.encryption.md                 | 22 +++++++--
>  kas/opt/encrypt-all.yml                       | 23 +++++++++
>  ...ncrypt-partitions.yml => encrypt-data.yml} |  0
>  kas/opt/security.yml                          |  2 +-
>  .../files/encrypt_partition.clevis.hook       |  2 +
>  .../files/encrypt_partition.script            | 49 ++++++++++++++-----
>  .../files/encrypt_partition.systemd.hook      |  2 +
>  .../files/mount_crypt_partitions.script       | 24 +++++++--
>  .../initramfs-crypt-hook_0.2.bb               |  3 +-
>  wic/bbb-efibootguard.wks.in                   |  4 +-
>  wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
>  wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
>  wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
>  wic/qemu-arm64-efibootguard.wks.in            |  4 +-
>  wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
>  wic/x86-efibootguard.wks.in                   |  4 +-
>  19 files changed, 157 insertions(+), 40 deletions(-)
>  create mode 100644 kas/opt/encrypt-all.yml
>  rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
>

Just tested in qemu-amd64. It works, but there are many suspicious
warnings and messages during first boot:

Warning: keyslot operation could fail as it requires more than available memory.
Progress: 52.4%, ETA 00m06s, 528 MiB written, speed 78.8 MiB/s
Finished, time 00m11s, 1008 MiB written, speed 83.5 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda5 is not a valid LUKS device.
skip disk resize as it not support or unnecessary for fstype: ''
Warning: keyslot operation could fail as it requires more than available memory.
Finished, time 00m11s, 1008 MiB written, speed 83.7 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda6 is not a valid LUKS device.

Jan
On Fri, 2024-05-03 at 09:24 +0200, Jan Kiszka wrote:
> On 02.05.24 11:31, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > This adds the option to encrypt both root file system partitions.
> > The encrypted partition can be updated with SWUpdate.
> >
> > The disk encryption is independent of the selected boot method and
> > could also be used to encrypt a single writable root file system.
> >
> > To simplify the handling of the swupdate the encrypted partition uses
> > the uuid as the device mapper name.
> >
> >
> > If all partitions are encrypted the partition layout looks similar to
> > this:
> >
> > ```
> > root@demo:~# lsblk
> > NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
> > sda                                        8:0    0   5.4G  0 disk
> > ├─sda1                                     8:1    0  16.1M  0 part
> > ├─sda2                                     8:2    0    42M  0 part
> > ├─sda3                                     8:3    0    42M  0 part
> > ├─sda4                                     8:4    0     1G  0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
> > ├─sda5                                     8:5    0     1G  0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
> > │   └─verityroot                         252:4    0 115.3M  1 crypt /
> > ├─sda6                                     8:6    0   1.3G  0 part
> > │ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
> > └─sda7                                     8:7    0     2G  0 part
> >   └─encrypted_var                        252:3    0     2G  0 crypt /var
> > ```
> > Changes v4:
> > - Clarify that only non-boot partitions are encrypted
> > - Fix typos
> > - Add note for encryption in secure environment
> >
> > Changes v3:
> > - Update the encrypted partition instead of the underlying device
> > - Use uuids instead of labels for the partitions.
> > - Allow uuids and absolute path to select the partition to be
> >   encrypted.
> > - Add Readme for partition selection.
> >
> > Changes v2:
> > - Rewrite commit messages
> > - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
> > - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> > - Fix assignment of CRYPT_PARTITIONS
> >
> > Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> > - add partition labels for a/b partitions
> > - use a/b rootfs configuration instead of a separate wks file
> >
> >
> > Quirin Gylstorff (9):
> >   wic/*: Add part-labels to system partition
> >   initramfs: allow empty mountpoint for crypt hooks
> >   initramfs-crypt: Only resize partition if ext* formatted
> >   fix: use luks2 to identify encrypted partition
> >   Rename encrypt-partitions to encrypt-data
> >   Kconfig: Add option to encrypt the rootfs
> >   crypt-hook: Extend partition selection
> >   README: Add rootfs encryption
> >   README.swupdate: Add section about partition selection
> >
> >  .gitlab-ci.yml                                |  2 +-
> >  Kconfig                                       | 24 +++++++--
> >  doc/README.swupdate.md                        | 16 ++++++
> >  doc/README.tpm2.encryption.md                 | 22 +++++++--
> >  kas/opt/encrypt-all.yml                       | 23 +++++++++
> >  ...ncrypt-partitions.yml => encrypt-data.yml} |  0
> >  kas/opt/security.yml                          |  2 +-
> >  .../files/encrypt_partition.clevis.hook       |  2 +
> >  .../files/encrypt_partition.script            | 49 ++++++++++++++-----
> >  .../files/encrypt_partition.systemd.hook      |  2 +
> >  .../files/mount_crypt_partitions.script       | 24 +++++++--
> >  .../initramfs-crypt-hook_0.2.bb               |  3 +-
> >  wic/bbb-efibootguard.wks.in                   |  4 +-
> >  wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
> >  wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
> >  wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
> >  wic/qemu-arm64-efibootguard.wks.in            |  4 +-
> >  wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
> >  wic/x86-efibootguard.wks.in                   |  4 +-
> >  19 files changed, 157 insertions(+), 40 deletions(-)
> >  create mode 100644 kas/opt/encrypt-all.yml
> >  rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
> >
>
> Just tested in qemu-amd64. It works, but there are many suspicious
> warnings and messages during first boot:
>
> Warning: keyslot operation could fail as it requires more than available memory.
> Progress: 52.4%, ETA 00m06s, 528 MiB written, speed 78.8 MiB/s
> Finished, time 00m11s, 1008 MiB written, speed 83.5 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
> Device /dev/sda5 is not a valid LUKS device.
> skip disk resize as it not support or unnecessary for fstype: ''

This indicates a bug in the script, as the fstype is empty. Also, I'm
not sure if we want to issue this message at all. For me, that's just a
debug hint.

> Warning: keyslot operation could fail as it requires more than available memory.
> Finished, time 00m11s, 1008 MiB written, speed 83.7 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found

Also this should be fixed.

Felix

> Device /dev/sda6 is not a valid LUKS device.
>
> Jan
>
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the option to encrypt both root file system partitions.
The encrypted partition can be updated with SWUpdate.

The disk encryption is independent of the selected boot method and
could also be used to encrypt a single writable root file system.

To simplify the handling of the swupdate the encrypted partition uses
the uuid as the device mapper name.


If all partitions are encrypted the partition layout looks similar to
this:

```
root@demo:~# lsblk
NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                        8:0    0   5.4G  0 disk
├─sda1                                     8:1    0  16.1M  0 part
├─sda2                                     8:2    0    42M  0 part
├─sda3                                     8:3    0    42M  0 part
├─sda4                                     8:4    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
├─sda5                                     8:5    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
│   └─verityroot                         252:4    0 115.3M  1 crypt /
├─sda6                                     8:6    0   1.3G  0 part
│ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
└─sda7                                     8:7    0     2G  0 part
  └─encrypted_var                        252:3    0     2G  0 crypt /var
```
Changes v4:
- Clarify that only non-boot partitions are encrypted
- Fix typos
- Add note for encryption in secure environment

Changes v3:
- Update the encrypted partition instead of the underlying device
- Use uuids instead of labels for the partitions.
- Allow uuids and absolute path to select the partition to be
  encrypted.
- Add Readme for partition selection.

Changes v2:
- Rewrite commit messages
- Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
- Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
- Fix assignment of CRYPT_PARTITIONS

Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
- add partition labels for a/b partitions
- use a/b rootfs configuration instead of a separate wks file


Quirin Gylstorff (9):
  wic/*: Add part-labels to system partition
  initramfs: allow empty mountpoint for crypt hooks
  initramfs-crypt: Only resize partition if ext* formatted
  fix: use luks2 to identify encrypted partition
  Rename encrypt-partitions to encrypt-data
  Kconfig: Add option to encrypt the rootfs
  crypt-hook: Extend partition selection
  README: Add rootfs encryption
  README.swupdate: Add section about partition selection

 .gitlab-ci.yml                                |  2 +-
 Kconfig                                       | 24 +++++++--
 doc/README.swupdate.md                        | 16 ++++++
 doc/README.tpm2.encryption.md                 | 22 +++++++--
 kas/opt/encrypt-all.yml                       | 23 +++++++++
 ...ncrypt-partitions.yml => encrypt-data.yml} |  0
 kas/opt/security.yml                          |  2 +-
 .../files/encrypt_partition.clevis.hook       |  2 +
 .../files/encrypt_partition.script            | 49 ++++++++++++++-----
 .../files/encrypt_partition.systemd.hook      |  2 +
 .../files/mount_crypt_partitions.script       | 24 +++++++--
 .../initramfs-crypt-hook_0.2.bb               |  3 +-
 wic/bbb-efibootguard.wks.in                   |  4 +-
 wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
 wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
 wic/qemu-arm64-efibootguard.wks.in            |  4 +-
 wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
 wic/x86-efibootguard.wks.in                   |  4 +-
 19 files changed, 157 insertions(+), 40 deletions(-)
 create mode 100644 kas/opt/encrypt-all.yml
 rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
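The cover letter's partition selection by UUID or absolute path, the "only resize if ext* formatted" rule, and the LUKS2 detection that Felix's review touches on (the empty fstype behind the `skip disk resize ... fstype: ''` message) can be illustrated with a few defensive hook helpers. This is an added example written for this page, not code from the patch series; the function names, the overridable by-uuid directory and the sample blkid output are assumptions.

```shell
# Added example, not code from the patch series above: helpers in the style of
# an initramfs crypt hook. Function names, the overridable by-uuid directory
# and the sample blkid output below are assumptions made for this illustration.

# Resolve one CRYPT_PARTITIONS entry given as a UUID or as an absolute path.
# $1 entry, $2 by-uuid symlink directory (default /dev/disk/by-uuid).
resolve_partition() {
    entry="$1"
    byuuid="${2:-/dev/disk/by-uuid}"
    case "$entry" in
        /*) printf '%s\n' "$entry" ;;
        "" | *[!0-9a-fA-F-]*) return 1 ;;          # neither a path nor a UUID
        *)  [ -e "$byuuid/$entry" ] || return 1     # unknown UUID
            readlink -f "$byuuid/$entry" ;;         # follow link to /dev/sdXN
    esac
}

# Return 0 if the filesystem may be grown with resize2fs (ext2/3/4 only),
# 1 for any other known type, 2 if probing returned nothing at all.
# An empty fstype is a probe failure, not a reason for a quiet "skip".
needs_ext_resize() {
    case "$1" in
        "") echo "error: filesystem type could not be determined" >&2; return 2 ;;
        ext2 | ext3 | ext4) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `blkid -p -o export <dev>` lines from stdin and succeed only for a
# LUKS2 header, so a blank or LUKS1 partition is not treated as enrolled.
is_luks2() {
    hdr_type=""; hdr_version=""
    while IFS='=' read -r key value; do
        case "$key" in
            TYPE) hdr_type="$value" ;;
            VERSION) hdr_version="$value" ;;
        esac
    done
    [ "$hdr_type" = "crypto_LUKS" ] && [ "$hdr_version" = "2" ]
}

# Constructed sample of blkid export output for sda5 from the lsblk listing.
SAMPLE_LUKS2='DEVNAME=/dev/sda5
TYPE=crypto_LUKS
VERSION=2
UUID=fedcba98-7654-3210-cafe-5e0710000002'

printf '%s\n' "$SAMPLE_LUKS2" | is_luks2 && echo "/dev/sda5 already holds a LUKS2 header"
```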