mbox series

[isar-cip-core,v4,0/9] Add option to encrypt the rootfs

Message ID 20240502093240.364093-1-Quirin.Gylstorff@siemens.com (mailing list archive)
Headers show
Series Add option to encrypt the rootfs | expand

Message

Quirin Gylstorff May 2, 2024, 9:31 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the option to encrypt both root file system partitions.
The encrypted partition can be updated with SWUpdate.

The disk encryption is indepented of the selected boot method and
could also be used to encrypt a single writable root file system.

To simplify the handling of the swupdate the encrypted partition use
the uuid as the device mapper name.


If all partitions are encrypted the partition layout looks similar to
this:

```
root@demo:~# lsblk
NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                        8:0    0   5.4G  0 disk
├─sda1                                     8:1    0  16.1M  0 part
├─sda2                                     8:2    0    42M  0 part
├─sda3                                     8:3    0    42M  0 part
├─sda4                                     8:4    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
├─sda5                                     8:5    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
│   └─verityroot                         252:4    0 115.3M  1 crypt /
├─sda6                                     8:6    0   1.3G  0 part
│ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
└─sda7                                     8:7    0     2G  0 part
  └─encrypted_var                        252:3    0     2G  0 crypt /var
```
Changes v4:
 - Clarify that only non-boot partitions are encrypted
 - Fix typos
 - Add note for encryptition in secure environment

Changes v3:
 - Update the encrypted partition instead of the underling device
 - Use uuids instead of labels for the partitions.
 - Allow uuids and absolute path to select the partition to be
   encrypted.
 - Add Readme for partition selection.

Changes v2:
 - Rewrite commit messages
 - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
 - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
 - Fix assignment of CRYPT_PARTITIONS

Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
 - add partition labels for a/b partitions
 - use a/b rootfs configuration instead seperate wks file


Quirin Gylstorff (9):
  wic/*: Add part-labels to system partition
  initramfs: allow empty mountpoint for crypt hooks
  initramfs-crypt: Only resize partition if ext* formatted
  fix: use luks2 to identify encrypted partition
  Rename encrypt-partitions to encrypt-data
  Kconfig: Add option to encrypt the rootfs
  crypt-hook: Extend partition selection
  README: Add rootfs encryption
  README.swupdate: Add section about partition selection

 .gitlab-ci.yml                                |  2 +-
 Kconfig                                       | 24 +++++++--
 doc/README.swupdate.md                        | 16 ++++++
 doc/README.tpm2.encryption.md                 | 22 +++++++--
 kas/opt/encrypt-all.yml                       | 23 +++++++++
 ...ncrypt-partitions.yml => encrypt-data.yml} |  0
 kas/opt/security.yml                          |  2 +-
 .../files/encrypt_partition.clevis.hook       |  2 +
 .../files/encrypt_partition.script            | 49 ++++++++++++++-----
 .../files/encrypt_partition.systemd.hook      |  2 +
 .../files/mount_crypt_partitions.script       | 24 +++++++--
 .../initramfs-crypt-hook_0.2.bb               |  3 +-
 wic/bbb-efibootguard.wks.in                   |  4 +-
 wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
 wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
 wic/qemu-arm64-efibootguard.wks.in            |  4 +-
 wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
 wic/x86-efibootguard.wks.in                   |  4 +-
 19 files changed, 157 insertions(+), 40 deletions(-)
 create mode 100644 kas/opt/encrypt-all.yml
 rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)

Comments

Jan Kiszka May 3, 2024, 7:24 a.m. UTC | #1
On 02.05.24 11:31, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This adds the option to encrypt both root file system partitions.
> The encrypted partition can be updated with SWUpdate.
> 
> The disk encryption is indepented of the selected boot method and
> could also be used to encrypt a single writable root file system.
> 
> To simplify the handling of the swupdate the encrypted partition use
> the uuid as the device mapper name.
> 
> 
> If all partitions are encrypted the partition layout looks similar to
> this:
> 
> ```
> root@demo:~# lsblk
> NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
> sda                                        8:0    0   5.4G  0 disk
> ├─sda1                                     8:1    0  16.1M  0 part
> ├─sda2                                     8:2    0    42M  0 part
> ├─sda3                                     8:3    0    42M  0 part
> ├─sda4                                     8:4    0     1G  0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
> ├─sda5                                     8:5    0     1G  0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
> │   └─verityroot                         252:4    0 115.3M  1 crypt /
> ├─sda6                                     8:6    0   1.3G  0 part
> │ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
> └─sda7                                     8:7    0     2G  0 part
>   └─encrypted_var                        252:3    0     2G  0 crypt /var
> ```
> Changes v4:
>  - Clarify that only non-boot partitions are encrypted
>  - Fix typos
>  - Add note for encryptition in secure environment
> 
> Changes v3:
>  - Update the encrypted partition instead of the underling device
>  - Use uuids instead of labels for the partitions.
>  - Allow uuids and absolute path to select the partition to be
>    encrypted.
>  - Add Readme for partition selection.
> 
> Changes v2:
>  - Rewrite commit messages
>  - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
>  - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
>  - Fix assignment of CRYPT_PARTITIONS
> 
> Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
>  - add partition labels for a/b partitions
>  - use a/b rootfs configuration instead seperate wks file
> 
> 
> Quirin Gylstorff (9):
>   wic/*: Add part-labels to system partition
>   initramfs: allow empty mountpoint for crypt hooks
>   initramfs-crypt: Only resize partition if ext* formatted
>   fix: use luks2 to identify encrypted partition
>   Rename encrypt-partitions to encrypt-data
>   Kconfig: Add option to encrypt the rootfs
>   crypt-hook: Extend partition selection
>   README: Add rootfs encryption
>   README.swupdate: Add section about partition selection
> 
>  .gitlab-ci.yml                                |  2 +-
>  Kconfig                                       | 24 +++++++--
>  doc/README.swupdate.md                        | 16 ++++++
>  doc/README.tpm2.encryption.md                 | 22 +++++++--
>  kas/opt/encrypt-all.yml                       | 23 +++++++++
>  ...ncrypt-partitions.yml => encrypt-data.yml} |  0
>  kas/opt/security.yml                          |  2 +-
>  .../files/encrypt_partition.clevis.hook       |  2 +
>  .../files/encrypt_partition.script            | 49 ++++++++++++++-----
>  .../files/encrypt_partition.systemd.hook      |  2 +
>  .../files/mount_crypt_partitions.script       | 24 +++++++--
>  .../initramfs-crypt-hook_0.2.bb               |  3 +-
>  wic/bbb-efibootguard.wks.in                   |  4 +-
>  wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
>  wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
>  wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
>  wic/qemu-arm64-efibootguard.wks.in            |  4 +-
>  wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
>  wic/x86-efibootguard.wks.in                   |  4 +-
>  19 files changed, 157 insertions(+), 40 deletions(-)
>  create mode 100644 kas/opt/encrypt-all.yml
>  rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
> 

Just tested in qemu-amd64. It works, but there are many suspicious
warnings and messages during first boot:

Warning: keyslot operation could fail as it requires more than available memory.
Progress:  52.4%, ETA 00m06s,  528 MiB written, speed  78.8 MiB/s
Finished, time 00m11s, 1008 MiB written, speed  83.5 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda5 is not a valid LUKS device.
skip disk resize as it not support or unnecessary for fstype: ''
Warning: keyslot operation could fail as it requires more than available memory.
Finished, time 00m11s, 1008 MiB written, speed  83.7 MiB/s
New TPM2 token enrolled as key slot 1.
/scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found
Device /dev/sda6 is not a valid LUKS device.

Jan
Felix Moessbauer May 3, 2024, 11:20 a.m. UTC | #2
On Fri, 2024-05-03 at 09:24 +0200, Jan Kiszka wrote:
> On 02.05.24 11:31, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > 
> > This adds the option to encrypt both root file system partitions.
> > The encrypted partition can be updated with SWUpdate.
> > 
> > The disk encryption is indepented of the selected boot method and
> > could also be used to encrypt a single writable root file system.
> > 
> > To simplify the handling of the swupdate the encrypted partition
> > use
> > the uuid as the device mapper name.
> > 
> > 
> > If all partitions are encrypted the partition layout looks similar
> > to
> > this:
> > 
> > ```
> > root@demo:~# lsblk
> > NAME                                     MAJ:MIN RM   SIZE RO TYPE 
> > MOUNTPOINTS
> > sda                                        8:0    0   5.4G  0 disk
> > ├─sda1                                     8:1    0  16.1M  0 part
> > ├─sda2                                     8:2    0    42M  0 part
> > ├─sda3                                     8:3    0    42M  0 part
> > ├─sda4                                     8:4    0     1G  0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
> > ├─sda5                                     8:5    0     1G  0 part
> > │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
> > │   └─verityroot                         252:4    0 115.3M  1 crypt
> > /
> > ├─sda6                                     8:6    0   1.3G  0 part
> > │ └─encrypted_home                       252:2    0   1.3G  0 crypt
> > /home
> > └─sda7                                     8:7    0     2G  0 part
> >   └─encrypted_var                        252:3    0     2G  0 crypt
> > /var
> > ```
> > Changes v4:
> >  - Clarify that only non-boot partitions are encrypted
> >  - Fix typos
> >  - Add note for encryptition in secure environment
> > 
> > Changes v3:
> >  - Update the encrypted partition instead of the underling device
> >  - Use uuids instead of labels for the partitions.
> >  - Allow uuids and absolute path to select the partition to be
> >    encrypted.
> >  - Add Readme for partition selection.
> > 
> > Changes v2:
> >  - Rewrite commit messages
> >  - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-
> > data.yml
> >  - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
> >  - Fix assignment of CRYPT_PARTITIONS
> > 
> > Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
> >  - add partition labels for a/b partitions
> >  - use a/b rootfs configuration instead seperate wks file
> > 
> > 
> > Quirin Gylstorff (9):
> >   wic/*: Add part-labels to system partition
> >   initramfs: allow empty mountpoint for crypt hooks
> >   initramfs-crypt: Only resize partition if ext* formatted
> >   fix: use luks2 to identify encrypted partition
> >   Rename encrypt-partitions to encrypt-data
> >   Kconfig: Add option to encrypt the rootfs
> >   crypt-hook: Extend partition selection
> >   README: Add rootfs encryption
> >   README.swupdate: Add section about partition selection
> > 
> >  .gitlab-ci.yml                                |  2 +-
> >  Kconfig                                       | 24 +++++++--
> >  doc/README.swupdate.md                        | 16 ++++++
> >  doc/README.tpm2.encryption.md                 | 22 +++++++--
> >  kas/opt/encrypt-all.yml                       | 23 +++++++++
> >  ...ncrypt-partitions.yml => encrypt-data.yml} |  0
> >  kas/opt/security.yml                          |  2 +-
> >  .../files/encrypt_partition.clevis.hook       |  2 +
> >  .../files/encrypt_partition.script            | 49 ++++++++++++++-
> > ----
> >  .../files/encrypt_partition.systemd.hook      |  2 +
> >  .../files/mount_crypt_partitions.script       | 24 +++++++--
> >  .../initramfs-crypt-hook_0.2.bb               |  3 +-
> >  wic/bbb-efibootguard.wks.in                   |  4 +-
> >  wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
> >  wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
> >  wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
> >  wic/qemu-arm64-efibootguard.wks.in            |  4 +-
> >  wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
> >  wic/x86-efibootguard.wks.in                   |  4 +-
> >  19 files changed, 157 insertions(+), 40 deletions(-)
> >  create mode 100644 kas/opt/encrypt-all.yml
> >  rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
> > 
> 
> Just tested in qemu-amd64. It works, but there are many suspicious
> warnings and messages during first boot:
> 
> Warning: keyslot operation could fail as it requires more than
> available memory.
> Progress:  52.4%, ETA 00m06s,  528 MiB written, speed  78.8 MiB/s
> Finished, time 00m11s, 1008 MiB written, speed  83.5 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-
> top/encrypt_partition: -: not found
> Device /dev/sda5 is not a valid LUKS device.
> skip disk resize as it not support or unnecessary for fstype: ''

This indicates a bug in the script, as the fstype is empty. Also, I'm
not sure if we want to issue this message at all. For me, that's just a
debug hint.

> Warning: keyslot operation could fail as it requires more than
> available memory.
> Finished, time 00m11s, 1008 MiB written, speed  83.7 MiB/s
> New TPM2 token enrolled as key slot 1.
> /scripts/local-top/encrypt_partition: 55: /scripts/local-
> top/encrypt_partition: -: not found

Also this should be fixed.

Felix

> Device /dev/sda6 is not a valid LUKS device.
> 
> Jan
>