[v5,0/4] initramfs-crypt-hook patch

Message ID 20250313-initramfs-crypt-hook-patches-2-v5-0-fc62d4a2ad29@denx.de (mailing list archive)

Message

Claudius Heine March 13, 2025, 12:35 p.m. UTC
Hi,

here is v5 of my patchset.

I tested this on Debian bookworm (12).

This creates a different password for every partition, since that was
how it was done before, but maybe it would make sense to have the same
initial password for every partition.

It might happen that the fallback system needs to continue the
re-encryption process, and using a different password means that the
fallback system as well as the update system needs to process the
re-encryptions in the same order.

What do you think?

---
Changes in v2:
 - Added more descriptive commit message
 - Added more descriptive documentation about noencrypt option
 - Fixed typos in documentation
 - removed unnecessary setting of /conf/param.conf in initramfs-crypt-hook
 - added re-encryption recovery patch

Changes in v3:
 - Rebase on current next
 - Extended `noencrypt` documentation
 - support clevis tokens for re-encryption recovery

Changes in v4:
 - improve documentation and commit messages
 - reorder commits, to put re-encryption recovery up front
 - extract static temporary encryption key patch into its own
 - switch from lsblk to blkid

Changes in v5:
 - Switch to use TPM2 protected password instead of static initial
   password for encryption
 - Link to v4: https://lore.kernel.org/r/20250305-initramfs-crypt-hook-patches-2-v4-0-4170912e5261@denx.de

---
Claudius Heine (4):
      initramfs-crypt-hook: store initial encryption key in TPM2
      initramfs-crypt-hook: add re-encryption recovery
      initramfs-crypt-hook: implement 'noencrypt' option
      initramfs-crypt-hook: add 'format-if-empty' feature

 doc/README.tpm2.encryption.md                      |  25 ++++-
 .../initramfs-crypt-hook/files/local-top-complete  | 123 +++++++++++++++++++--
 .../initramfs-crypt-hook_0.7.bb                    |  12 +-
 3 files changed, 142 insertions(+), 18 deletions(-)
---
base-commit: ddc2f2500b8984aceef9cf4b884e69e52d515567
change-id: 20250305-initramfs-crypt-hook-patches-2-9cc4a027c89a

Best regards,

Comments

Jan Kiszka March 14, 2025, 6:33 a.m. UTC | #1
On 13.03.25 13:35, Claudius Heine wrote:
> Hi,
> 
> here is v5 of my patchset.
> 
> I tested this on Debian bookworm (12).
> 
> This creates a different password for every partition, since that was
> how it was done before, but maybe it would make sense to have the same
> initial password for every partition.
> 
> It might happen that the fallback system needs to continue the
> re-encryption process, and using different password means that the
> fallback system as well as the update system needs to process the
> re-encryptions in the same order.
> 
> What do you think?
> 

Still need to look into the details. In any case, this is post-1.7 material.

Jan
