| Message ID | 20240506141833.3622989-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Add option to encrypt the rootfs | expand |
On 06.05.24 16:17, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This adds the option to encrypt both root file system partitions. > The encrypted partition can be updated with SWUpdate. > > The disk encryption is indepented of the selected boot method and > could also be used to encrypt a single writable root file system. > > To simplify the handling of the swupdate the encrypted partition use > the uuid as the device mapper name. > > > If all partitions are encrypted the partition layout looks similar to > this: > > ``` > root@demo:~# lsblk > NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS > sda 8:0 0 5.4G 0 disk > ├─sda1 8:1 0 16.1M 0 part > ├─sda2 8:2 0 42M 0 part > ├─sda3 8:3 0 42M 0 part > ├─sda4 8:4 0 1G 0 part > │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0 0 1008M 0 crypt > ├─sda5 8:5 0 1G 0 part > │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1 0 1008M 0 crypt > │ └─verityroot 252:4 0 115.3M 1 crypt / > ├─sda6 8:6 0 1.3G 0 part > │ └─encrypted_home 252:2 0 1.3G 0 crypt /home > └─sda7 8:7 0 2G 0 part > └─encrypted_var 252:3 0 2G 0 crypt /var > ``` > > Changes v5: > - README and commit messages fix typos > - README: Use must instead of should for secure environment in case of > encryptition > - Remove encryption menu from Kconfig > - fix warning about '-' > - use "log_*_message" functions > - reduce log message > > Changes v4: > - Clarify that only non-boot partitions are encrypted > - Fix typos > - Add note for encryptition in secure environment > > Changes v3: > - Update the encrypted partition instead of the underling device > - Use uuids instead of labels for the partitions. > - Allow uuids and absolute path to select the partition to be > encrypted. > - Add Readme for partition selection. > > Changes v2: > - Rewrite commit messages > - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml > - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml > - Fix assignment of CRYPT_PARTITIONS > > Changes from https://lists.cip-project.org/g/cip-dev/message/15512: > - add partition labels for a/b partitions > - use a/b rootfs configuration instead seperate wks file > > > Quirin Gylstorff (11): > wic/*: Add part-labels to system partition > initramfs: allow empty mountpoint for crypt hooks > initramfs-crypt: Only resize partition if ext* formatted > fix: use luks2 to identify encrypted partition > Rename encrypt-partitions to encrypt-data > Kconfig: Add option to encrypt the rootfs > crypt-hook: Extend partition selection > README: Add rootfs encryption > README.swupdate: Add section about partition selection > fix: Remove spurious '-' > initramfs-crypt-hook: cleanup logging > > .gitlab-ci.yml | 2 +- > Kconfig | 16 +++++- > doc/README.swupdate.md | 16 ++++++ > doc/README.tpm2.encryption.md | 22 +++++-- > kas/opt/encrypt-all.yml | 23 ++++++++ > ...ncrypt-partitions.yml => encrypt-data.yml} | 0 > kas/opt/security.yml | 2 +- > .../files/encrypt_partition.clevis.hook | 2 + > .../files/encrypt_partition.script | 57 ++++++++++++++----- > .../files/encrypt_partition.systemd.hook | 2 + > .../files/encrypt_partition.systemd.script | 2 +- > .../files/mount_crypt_partitions.script | 26 +++++++-- > .../initramfs-crypt-hook_0.2.bb | 3 +- > wic/bbb-efibootguard.wks.in | 4 +- > wic/hihope-rzg2m-efibootguard.wks.in | 4 +- > wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +- > wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +- > wic/qemu-arm64-efibootguard.wks.in | 4 +- > wic/qemu-riscv64-efibootguard.wks.in | 4 +- > wic/x86-efibootguard.wks.in | 4 +- > 20 files changed, 158 insertions(+), 43 deletions(-) > create mode 100644 kas/opt/encrypt-all.yml > rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%) > Thanks, applied. Jan
From: Quirin Gylstorff <quirin.gylstorff@siemens.com> This adds the option to encrypt both root file system partitions. The encrypted partition can be updated with SWUpdate. The disk encryption is indepented of the selected boot method and could also be used to encrypt a single writable root file system. To simplify the handling of the swupdate the encrypted partition use the uuid as the device mapper name. If all partitions are encrypted the partition layout looks similar to this: ``` root@demo:~# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS sda 8:0 0 5.4G 0 disk ├─sda1 8:1 0 16.1M 0 part ├─sda2 8:2 0 42M 0 part ├─sda3 8:3 0 42M 0 part ├─sda4 8:4 0 1G 0 part │ └─fedcba98-7654-3210-cafe-5e0710000001 252:0 0 1008M 0 crypt ├─sda5 8:5 0 1G 0 part │ └─fedcba98-7654-3210-cafe-5e0710000002 252:1 0 1008M 0 crypt │ └─verityroot 252:4 0 115.3M 1 crypt / ├─sda6 8:6 0 1.3G 0 part │ └─encrypted_home 252:2 0 1.3G 0 crypt /home └─sda7 8:7 0 2G 0 part └─encrypted_var 252:3 0 2G 0 crypt /var ``` Changes v5: - README and commit messages fix typos - README: Use must instead of should for secure environment in case of encryptition - Remove encryption menu from Kconfig - fix warning about '-' - use "log_*_message" functions - reduce log message Changes v4: - Clarify that only non-boot partitions are encrypted - Fix typos - Add note for encryptition in secure environment Changes v3: - Update the encrypted partition instead of the underling device - Use uuids instead of labels for the partitions. - Allow uuids and absolute path to select the partition to be encrypted. - Add Readme for partition selection. Changes v2: - Rewrite commit messages - Rename kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml - Rename kas/opt/encrypt-rootfs.yml to kas/opt/encrypt-all.yml - Fix assignment of CRYPT_PARTITIONS Changes from https://lists.cip-project.org/g/cip-dev/message/15512: - add partition labels for a/b partitions - use a/b rootfs configuration instead seperate wks file Quirin Gylstorff (11): wic/*: Add part-labels to system partition initramfs: allow empty mountpoint for crypt hooks initramfs-crypt: Only resize partition if ext* formatted fix: use luks2 to identify encrypted partition Rename encrypt-partitions to encrypt-data Kconfig: Add option to encrypt the rootfs crypt-hook: Extend partition selection README: Add rootfs encryption README.swupdate: Add section about partition selection fix: Remove spurious '-' initramfs-crypt-hook: cleanup logging .gitlab-ci.yml | 2 +- Kconfig | 16 +++++- doc/README.swupdate.md | 16 ++++++ doc/README.tpm2.encryption.md | 22 +++++-- kas/opt/encrypt-all.yml | 23 ++++++++ ...ncrypt-partitions.yml => encrypt-data.yml} | 0 kas/opt/security.yml | 2 +- .../files/encrypt_partition.clevis.hook | 2 + .../files/encrypt_partition.script | 57 ++++++++++++++----- .../files/encrypt_partition.systemd.hook | 2 + .../files/encrypt_partition.systemd.script | 2 +- .../files/mount_crypt_partitions.script | 26 +++++++-- .../initramfs-crypt-hook_0.2.bb | 3 +- wic/bbb-efibootguard.wks.in | 4 +- wic/hihope-rzg2m-efibootguard.wks.in | 4 +- wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +- wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +- wic/qemu-arm64-efibootguard.wks.in | 4 +- wic/qemu-riscv64-efibootguard.wks.in | 4 +- wic/x86-efibootguard.wks.in | 4 +- 20 files changed, 158 insertions(+), 43 deletions(-) create mode 100644 kas/opt/encrypt-all.yml rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%)