From patchwork Mon Dec 2 14:51:03 2024
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Alexander Heinisch, Quirin Gylstorff
Subject: [isar-cip-core][PATCH 00/10] Various initramfs hook improvements
Date: Mon, 2 Dec 2024 15:51:03 +0100
X-Patchwork-Id: 13890859
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17310

This uses the new initramfs hook generator of isar to simplify our own hook recipes. It furthermore brings support for expanding the last partition before encrypting it. This needs to be done as part of the initramfs-crypt-hook because we only know there which device and which partition to use.

Finally, this improves the security of the disk encryption keys by preventing access to them after initramfs usage. Thus, the main Linux is now no longer able to leak the keys during an attack.

Jan

Jan Kiszka (10):
  Update isar revision
  initramfs-abrootfs-hook: Convert to hook.inc
  initramfs-crypt-hook: Convert awk statement into simple variable evaluation
  initramfs-crypt-hook: Convert to hook.inc
  initramfs-erofs/squashfs-hook: Convert to hook.inc
  initramfs-overlay-hook: Convert to hook.inc
  initramfs-verity-hook: Drop dead verity.conf-hook artifact
  initramfs-verity-hook: Convert to hook.inc
  initramfs-crypt-hook: Add support for expanding encrypted partition
  initramfs-crypt-hook: invalidate PCR7 after unlocking partitions

 kas-cip.yml                                        |   2 +-
 kas/opt/expand-on-first-boot.yml                   |   3 +
 .../files/abrootfs.hook                            |  24 -----
 .../initramfs-abrootfs-hook/files/hook             |   5 +
 .../{abrootfs.script => local-top-complete}        |   0
 ..._0.1.bb => initramfs-abrootfs-hook_0.2.bb}      |  25 ++---
 ...pt_partition.clevis.bullseye_or_later.hook      |  34 ------
 .../encrypt_partition.clevis.buster.hook           |  29 -----
 .../files/encrypt_partition.clevis.hook            |  88 --------------
 .../files/encrypt_partition.systemd.hook           |  68 ------------
 .../initramfs-crypt-hook/files/hook                |  11 ++
 ...artitions.script => local-bottom-complete}      |   0
 ...pt_partition.script => local-top-complete}      |  68 +++++++++++-
 .../initramfs-crypt-hook_0.4.bb                    |  96 -----------------
 .../initramfs-crypt-hook_0.5.bb                    | 101 ++++++++++++++++++
 .../initramfs-erofs-hook/files/erofs.hook          |  25 -----
 .../initramfs-erofs-hook_0.1.bb                    |  24 -----
 .../initramfs-erofs-hook_0.2.bb                    |  14 +++
 ...{overlay.script.tmpl => local-bottom.tmpl}      |  23 +---
 .../initramfs-overlay-hook/files/overlay.hook      |  34 ------
 ...k_0.1.bb => initramfs-overlay-hook_0.2.bb}      |  20 ++--
 .../initramfs-squashfs-hook_0.1.bb                 |  24 -----
 .../initramfs-squashfs-hook_0.2.bb                 |  14 +++
 .../initramfs-verity-hook/files/hook               |   5 +
 ...ty.script.tmpl => local-top-complete.tmpl}      |   0
 .../files/verity.conf-hook                         |   1 -
 .../initramfs-verity-hook/files/verity.hook        |  23 ----
 ...ok_0.1.bb => initramfs-verity-hook_0.2.bb}      |  24 ++---
 28 files changed, 250 insertions(+), 535 deletions(-)
 delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook
 create mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/hook
 rename recipes-initramfs/initramfs-abrootfs-hook/files/{abrootfs.script => local-top-complete} (100%)
 rename recipes-initramfs/initramfs-abrootfs-hook/{initramfs-abrootfs-hook_0.1.bb => initramfs-abrootfs-hook_0.2.bb} (61%)
 delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
 delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
 delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
 delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/hook
 rename recipes-initramfs/initramfs-crypt-hook/files/{mount_crypt_partitions.script => local-bottom-complete} (100%)
 rename recipes-initramfs/initramfs-crypt-hook/files/{encrypt_partition.script => local-top-complete} (71%)
 delete mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb
 delete mode 100644 recipes-initramfs/initramfs-erofs-hook/files/erofs.hook
 delete mode 100644 recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.1.bb
 create mode 100644 recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb
 rename recipes-initramfs/initramfs-overlay-hook/files/{overlay.script.tmpl => local-bottom.tmpl} (91%)
 delete mode 100644 recipes-initramfs/initramfs-overlay-hook/files/overlay.hook
 rename recipes-initramfs/initramfs-overlay-hook/{initramfs-overlay-hook_0.1.bb => initramfs-overlay-hook_0.2.bb} (71%)
 delete mode 100644 recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.1.bb
 create mode 100644 recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/hook
 rename recipes-initramfs/initramfs-verity-hook/files/{verity.script.tmpl => local-top-complete.tmpl} (100%)
 delete mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
 delete mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
 rename recipes-initramfs/initramfs-verity-hook/{initramfs-verity-hook_0.1.bb => initramfs-verity-hook_0.2.bb} (65%)
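Added illustration (not code from this series or from isar-cip-core) of the PCR7 invalidation idea behind the last patch: a small Python model of TPM PCR extend and of a key sealed to a PCR policy, showing that one extra extend after the initramfs has unlocked the partitions leaves the sealed key unobtainable from the main system until the next reboot. The measurement values and the key are constructed; how the series actually invalidates PCR7 is not shown on this page and is assumed here to be a PCR extend.

```python
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts out as all zeros at power-on

def pcr_extend(pcr, measurement):
    """TPM 2.0 extend: new = H(old || H(measurement)); one-way, no rollback."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def policy_digest(pcrs, selection):
    """Simplified PolicyPCR: digest over the selected PCR values in index order."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(pcrs[idx])
    return h.digest()

def seal(pcrs, selection, secret):
    """Bind a secret to the current PCR state (stand-in for a TPM PCR-policy seal)."""
    return {"policy": policy_digest(pcrs, selection), "secret": secret}

def unseal(blob, pcrs, selection):
    """Release the secret only if the live PCR state still satisfies the policy."""
    if policy_digest(pcrs, selection) != blob["policy"]:
        return None
    return blob["secret"]

def measured_pcr7():
    """Constructed firmware measurements of the secure-boot state into PCR7."""
    pcr = PCR_INIT
    for m in (b"SecureBoot=1", b"PK", b"KEK", b"db"):
        pcr = pcr_extend(pcr, m)
    return pcr

LUKS_KEY = b"constructed-luks-passphrase"  # sample value, not a real key

def boot(invalidate_pcr7_after_unlock):
    """Returns (key seen by the initramfs, key obtainable later from the main OS)."""
    # Provisioning: the key is sealed to the expected PCR7 value.
    blob = seal({7: measured_pcr7()}, {7}, LUKS_KEY)
    # Boot: firmware reproduces the same PCR7, so the initramfs can unseal.
    pcrs = {7: measured_pcr7()}
    in_initramfs = unseal(blob, pcrs, {7})
    if invalidate_pcr7_after_unlock:
        # The hook extends PCR7 once more before handing over to the main
        # system; the policy cannot be satisfied again until the next reboot.
        pcrs[7] = pcr_extend(pcrs[7], b"initramfs-unlock-complete")
    from_main_os = unseal(blob, pcrs, {7})
    return in_initramfs, from_main_os
```

Because extend is one-way, even a root compromise of the main system cannot restore the pre-unlock PCR7 value; only a reboot through the measured firmware path does.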