
[isar-cip-core,v5,00/11] Add option to encrypt the rootfs

Message ID 20240506141833.3622989-1-Quirin.Gylstorff@siemens.com (mailing list archive)

Message

Quirin Gylstorff May 6, 2024, 2:17 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the option to encrypt both root file system partitions.
The encrypted partition can be updated with SWUpdate.

The disk encryption is independent of the selected boot method and
could also be used to encrypt a single writable root file system.

To simplify the handling of SWUpdate, the encrypted partitions use the
uuid as the device mapper name.


If all partitions are encrypted the partition layout looks similar to
this:

```
root@demo:~# lsblk
NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                        8:0    0   5.4G  0 disk
├─sda1                                     8:1    0  16.1M  0 part
├─sda2                                     8:2    0    42M  0 part
├─sda3                                     8:3    0    42M  0 part
├─sda4                                     8:4    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
├─sda5                                     8:5    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
│   └─verityroot                         252:4    0 115.3M  1 crypt /
├─sda6                                     8:6    0   1.3G  0 part
│ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
└─sda7                                     8:7    0     2G  0 part
  └─encrypted_var                        252:3    0     2G  0 crypt /var
```

Changes v5:
 - README and commit messages fix typos
 - README: Use must instead of should for secure environment in case of
   encryption
 - Remove encryption menu from Kconfig
 - fix warning about '-'
 - use "log_*_message" functions
 - reduce log message

Changes v4:
 - Clarify that only non-boot partitions are encrypted
 - Fix typos
 - Add note for encryption in secure environment

Changes v3:
 - Update the encrypted partition instead of the underlying device
 - Use uuids instead of labels for the partitions.
 - Allow uuids and absolute path to select the partition to be
   encrypted.
 - Add Readme for partition selection.

Changes v2:
 - Rewrite commit messages
 - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
 - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
 - Fix assignment of CRYPT_PARTITIONS

Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
 - add partition labels for a/b partitions
 - use a/b rootfs configuration instead of a separate wks file


Quirin Gylstorff (11):
  wic/*: Add part-labels to system partition
  initramfs: allow empty mountpoint for crypt hooks
  initramfs-crypt: Only resize partition if ext* formatted
  fix: use luks2 to identify encrypted partition
  Rename encrypt-partitions to encrypt-data
  Kconfig: Add option to encrypt the rootfs
  crypt-hook: Extend partition selection
  README: Add rootfs encryption
  README.swupdate: Add section about partition selection
  fix: Remove spurious '-'
  initramfs-crypt-hook: cleanup logging

 .gitlab-ci.yml                                |  2 +-
 Kconfig                                       | 16 +++++-
 doc/README.swupdate.md                        | 16 ++++++
 doc/README.tpm2.encryption.md                 | 22 +++++--
 kas/opt/encrypt-all.yml                       | 23 ++++++++
 ...ncrypt-partitions.yml => encrypt-data.yml} |  0
 kas/opt/security.yml                          |  2 +-
 .../files/encrypt_partition.clevis.hook       |  2 +
 .../files/encrypt_partition.script            | 57 ++++++++++++++-----
 .../files/encrypt_partition.systemd.hook      |  2 +
 .../files/encrypt_partition.systemd.script    |  2 +-
 .../files/mount_crypt_partitions.script       | 26 +++++++--
 .../initramfs-crypt-hook_0.2.bb               |  3 +-
 wic/bbb-efibootguard.wks.in                   |  4 +-
 wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
 wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
 wic/qemu-arm64-efibootguard.wks.in            |  4 +-
 wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
 wic/x86-efibootguard.wks.in                   |  4 +-
 20 files changed, 158 insertions(+), 43 deletions(-)
 create mode 100644 kas/opt/encrypt-all.yml
 rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
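
As an added example (not code from the isar-cip-core series or from its author), the following Python parses an `lsblk` listing like the one in the cover letter and checks the two properties the series relies on: each rootfs slot is opened under a device-mapper name that is the partition uuid, and an update has to be written to `/dev/mapper/<uuid>` rather than to the raw partition, where it would land in the clear and clobber the LUKS header. The listing is a constructed copy of the cover letter's output; the rootfs partition names `sda4`/`sda5` and all function names are assumptions, not project constants.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the lsblk listing from the cover letter, as a
# defender would capture it on a device built with kas/opt/encrypt-all.yml.
LSBLK_OUTPUT = """\
NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                        8:0    0   5.4G  0 disk
├─sda1                                     8:1    0  16.1M  0 part
├─sda2                                     8:2    0    42M  0 part
├─sda3                                     8:3    0    42M  0 part
├─sda4                                     8:4    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
├─sda5                                     8:5    0     1G  0 part
│ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
│   └─verityroot                         252:4    0 115.3M  1 crypt /
├─sda6                                     8:6    0   1.3G  0 part
│ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
└─sda7                                     8:7    0     2G  0 part
  └─encrypted_var                        252:3    0     2G  0 crypt /var
"""

# Mapper names that are partition UUIDs, the convention the series adopts.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# lsblk tree glyphs precede the name; each nesting level is two characters wide.
TREE_RE = re.compile(r"^([│├└─ ]*)(\S+)\s+(.*)$")


@dataclass
class Device:
    name: str
    type: str
    mountpoint: Optional[str]
    parent: Optional[Device] = None
    children: list[Device] = field(default_factory=list)


def parse_lsblk(text: str) -> list[Device]:
    """Parse lsblk's default tree output into Device objects with parent links."""
    devices: list[Device] = []
    stack: list[tuple[int, Device]] = []   # (depth, device) of the open ancestors
    for line in text.splitlines()[1:]:     # first line is the column header
        if not line.strip():
            continue
        match = TREE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable lsblk line: {line!r}")
        prefix, name, rest = match.groups()
        depth = len(prefix) // 2
        cols = rest.split()                # MAJ:MIN RM SIZE RO TYPE [MOUNTPOINTS]
        if len(cols) < 5:
            raise ValueError(f"too few columns in lsblk line: {line!r}")
        dev = Device(name=name, type=cols[4],
                     mountpoint=cols[5] if len(cols) > 5 else None)
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            dev.parent = stack[-1][1]
            dev.parent.children.append(dev)
        stack.append((depth, dev))
        devices.append(dev)
    return devices


def crypt_mapping(devices: list[Device], partition: str) -> Optional[Device]:
    """The dm-crypt device opened directly on top of `partition`, or None."""
    by_name = {d.name: d for d in devices}
    if partition not in by_name:
        raise LookupError(f"no such device: {partition}")
    for child in by_name[partition].children:
        if child.type == "crypt":
            return child
    return None


def update_target(devices: list[Device], partition: str) -> str:
    """Device node an updater must write so that the image lands encrypted.

    Writing to /dev/<partition> would overwrite the LUKS header and store the
    image in plaintext, so the mapper device is the only acceptable target.
    """
    mapping = crypt_mapping(devices, partition)
    if mapping is None:
        raise LookupError(f"{partition} has no dm-crypt mapping")
    return f"/dev/mapper/{mapping.name}"


def check_layout(devices: list[Device],
                 rootfs_partitions=("sda4", "sda5")) -> dict[str, bool]:
    """Check the invariants of the encrypted A/B rootfs layout.

    `rootfs_partitions` is an assumed default taken from the listing above.
    """
    result: dict[str, bool] = {}
    for part in rootfs_partitions:
        mapping = crypt_mapping(devices, part)
        # Both rootfs slots must be unlocked under a UUID mapper name.
        result[f"{part}_crypt_uuid_named"] = (
            mapping is not None and UUID_RE.match(mapping.name) is not None)
    # The root mount must sit on top of one of those mappings, i.e. no
    # plaintext root partition is in use.
    root = next((d for d in devices if d.mountpoint == "/"), None)
    node = root.parent if root is not None else None
    on_crypt = False
    while node is not None:
        if node.type == "crypt" and UUID_RE.match(node.name):
            on_crypt = True
            break
        node = node.parent
    result["root_on_uuid_crypt"] = on_crypt
    return result


if __name__ == "__main__":
    devs = parse_lsblk(LSBLK_OUTPUT)
    print(check_layout(devs))
    print(update_target(devs, "sda5"))
```

On a real device the same checks can be fed the live `lsblk` output; parsing the tree text is shown here because that is the form the cover letter presents, while `lsblk -J` (JSON) or `lsblk -P` (key=value pairs) would be the more robust source for a production health check.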

Comments

Jan Kiszka May 7, 2024, 3:58 p.m. UTC | #1
On 06.05.24 16:17, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This adds the option to encrypt both root file system partitions.
> The encrypted partition can be updated with SWUpdate.
> 
> The disk encryption is independent of the selected boot method and
> could also be used to encrypt a single writable root file system.
> 
> To simplify the handling of SWUpdate, the encrypted partitions use the
> uuid as the device mapper name.
> 
> 
> If all partitions are encrypted the partition layout looks similar to
> this:
> 
> ```
> root@demo:~# lsblk
> NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
> sda                                        8:0    0   5.4G  0 disk
> ├─sda1                                     8:1    0  16.1M  0 part
> ├─sda2                                     8:2    0    42M  0 part
> ├─sda3                                     8:3    0    42M  0 part
> ├─sda4                                     8:4    0     1G  0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0    0  1008M  0 crypt
> ├─sda5                                     8:5    0     1G  0 part
> │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1    0  1008M  0 crypt
> │   └─verityroot                         252:4    0 115.3M  1 crypt /
> ├─sda6                                     8:6    0   1.3G  0 part
> │ └─encrypted_home                       252:2    0   1.3G  0 crypt /home
> └─sda7                                     8:7    0     2G  0 part
>   └─encrypted_var                        252:3    0     2G  0 crypt /var
> ```
> 
> Changes v5:
>  - README and commit messages fix typos
>  - README: Use must instead of should for secure environment in case of
>    encryption
>  - Remove encryption menu from Kconfig
>  - fix warning about '-'
>  - use "log_*_message" functions
>  - reduce log message
> 
> Changes v4:
>  - Clarify that only non-boot partitions are encrypted
>  - Fix typos
>  - Add note for encryption in secure environment
> 
> Changes v3:
>  - Update the encrypted partition instead of the underlying device
>  - Use uuids instead of labels for the partitions.
>  - Allow uuids and absolute path to select the partition to be
>    encrypted.
>  - Add Readme for partition selection.
> 
> Changes v2:
>  - Rewrite commit messages
>  - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml
>  - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml
>  - Fix assignment of CRYPT_PARTITIONS
> 
> Changes from https://lists.cip-project.org/g/cip-dev/message/15512:
>  - add partition labels for a/b partitions
>  - use a/b rootfs configuration instead of a separate wks file
> 
> 
> Quirin Gylstorff (11):
>   wic/*: Add part-labels to system partition
>   initramfs: allow empty mountpoint for crypt hooks
>   initramfs-crypt: Only resize partition if ext* formatted
>   fix: use luks2 to identify encrypted partition
>   Rename encrypt-partitions to encrypt-data
>   Kconfig: Add option to encrypt the rootfs
>   crypt-hook: Extend partition selection
>   README: Add rootfs encryption
>   README.swupdate: Add section about partition selection
>   fix: Remove spurious '-'
>   initramfs-crypt-hook: cleanup logging
> 
>  .gitlab-ci.yml                                |  2 +-
>  Kconfig                                       | 16 +++++-
>  doc/README.swupdate.md                        | 16 ++++++
>  doc/README.tpm2.encryption.md                 | 22 +++++--
>  kas/opt/encrypt-all.yml                       | 23 ++++++++
>  ...ncrypt-partitions.yml => encrypt-data.yml} |  0
>  kas/opt/security.yml                          |  2 +-
>  .../files/encrypt_partition.clevis.hook       |  2 +
>  .../files/encrypt_partition.script            | 57 ++++++++++++++-----
>  .../files/encrypt_partition.systemd.hook      |  2 +
>  .../files/encrypt_partition.systemd.script    |  2 +-
>  .../files/mount_crypt_partitions.script       | 26 +++++++--
>  .../initramfs-crypt-hook_0.2.bb               |  3 +-
>  wic/bbb-efibootguard.wks.in                   |  4 +-
>  wic/hihope-rzg2m-efibootguard.wks.in          |  4 +-
>  wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 +-
>  wic/qemu-arm64-efibootguard-secureboot.wks.in |  4 +-
>  wic/qemu-arm64-efibootguard.wks.in            |  4 +-
>  wic/qemu-riscv64-efibootguard.wks.in          |  4 +-
>  wic/x86-efibootguard.wks.in                   |  4 +-
>  20 files changed, 158 insertions(+), 43 deletions(-)
>  create mode 100644 kas/opt/encrypt-all.yml
>  rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)
> 

Thanks, applied.

Jan