Message ID | 20230306123926.243471-3-Quirin.Gylstorff@siemens.com (mailing list archive)
---|---
State | Superseded
Series | Encrypt Partition in initramfs
On 06.03.23 13:39, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  Kconfig | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/Kconfig b/Kconfig
> index 7d72094..7ce87d0 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -193,4 +193,15 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
>  	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
>  	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>
> +config IMAGE_TPM2_ENCRYPTION
> +	bool "Encrypt partitions on first boot with TPM2 (Demo)"

Why "Demo"?

> +	depends on TARGET_QEMU_AMD64
> +	help
> +	  This enables TPM2 encryption for the partition given in the variable
> +	  CRYPT_PARTITIONS from recipes-initramfs/initramfs-crypt-hook.
> +
> +config KAS_INCLUDE_TPM2_ENCRYPTION
> +	string
> +	default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION
> +
>  endif

I'm struggling a bit with the naming and description (throughout the
series). The feature is actually data encryption. The fact that we use
TPM2 for key storage on x86 (and possibly also some form on other archs)
is an implementation aspect.

Let me think about it...

Jan
On 3/6/23 18:27, Jan Kiszka wrote:
> On 06.03.23 13:39, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>  Kconfig | 11 +++++++++++
>>  1 file changed, 11 insertions(+)
>>
>> diff --git a/Kconfig b/Kconfig
>> index 7d72094..7ce87d0 100644
>> --- a/Kconfig
>> +++ b/Kconfig
>> @@ -193,4 +193,15 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
>>  	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
>>  	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>>
>> +config IMAGE_TPM2_ENCRYPTION
>> +	bool "Encrypt partitions on first boot with TPM2 (Demo)"
>
> Why "Demo"?

To mark it for demonstration purposes only.

>
>> +	depends on TARGET_QEMU_AMD64
>> +	help
>> +	  This enables TPM2 encryption for the partition given in the variable
>> +	  CRYPT_PARTITIONS from recipes-initramfs/initramfs-crypt-hook.
>> +
>> +config KAS_INCLUDE_TPM2_ENCRYPTION
>> +	string
>> +	default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION
>> +
>>  endif
>
> I'm struggling a bit with the naming and description (throughout the
> series). The feature is actually data encryption. The fact that we use
> TPM2 for key storage on x86 (and possibly also some form on other archs)
> is an implementation aspect.
>
> Let me think about it...

I can change it to:

config IMAGE_DATA_ENCRYPTION
	bool "Encrypt data partitions on first boot"
	depends on TARGET_QEMU_AMD64
	help
	  This enables LUKS encryption for the partitions /var and /home.

config KAS_INCLUDE_DATA_ENCRYPTION
	string
	default "kas/opt/encrypt-partitions.yml"

>
> Jan
>

Quirin
On 07.03.23 19:32, Gylstorff Quirin wrote:
>
>
> On 3/6/23 18:27, Jan Kiszka wrote:
>> On 06.03.23 13:39, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>  Kconfig | 11 +++++++++++
>>>  1 file changed, 11 insertions(+)
>>>
>>> diff --git a/Kconfig b/Kconfig
>>> index 7d72094..7ce87d0 100644
>>> --- a/Kconfig
>>> +++ b/Kconfig
>>> @@ -193,4 +193,15 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
>>>  	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE &&
>>> !IMAGE_SECURE_BOOT
>>>  	default "kas/opt/ebg-secure-boot-snakeoil.yml" if
>>> IMAGE_SECURE_BOOT
>>> +config IMAGE_TPM2_ENCRYPTION
>>> +	bool "Encrypt partitions on first boot with TPM2 (Demo)"
>>
>> Why "Demo"?
>
> To mark it for demonstration purposes only.

I meant what part of it is demonstrational, what is reusable.

>>
>>> +	depends on TARGET_QEMU_AMD64
>>> +	help
>>> +	  This enables TPM2 encryption for the partition given in the
>>> variable
>>> +	  CRYPT_PARTITIONS from recipes-initramfs/initramfs-crypt-hook.
>>> +
>>> +config KAS_INCLUDE_TPM2_ENCRYPTION
>>> +	string
>>> +	default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION
>>> +
>>>  endif
>>
>> I'm struggling a bit with the naming and description (throughout the
>> series). The feature is actually data encryption. The fact that we use
>> TPM2 for key storage on x86 (and possibly also some form on other archs)
>> is an implementation aspect.
>>
>> Let me think about it...
>
> I can change it to:
>
> config IMAGE_DATA_ENCRYPTION
> 	bool "Encrypt data partitions on first boot"
> 	depends on TARGET_QEMU_AMD64
> 	help
> 	  This enables LUKS encryption for the partitions /var and /home.
>
> config KAS_INCLUDE_DATA_ENCRYPTION
> 	string
> 	default "kas/opt/encrypt-partitions.yml"
>

Something like that, yeah.

Thanks,
Jan
diff --git a/Kconfig b/Kconfig index 7d72094..7ce87d0 100644 --- a/Kconfig +++ b/Kconfig @@ -193,4 +193,15 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT +config IMAGE_TPM2_ENCRYPTION + bool "Encrypt partitions on first boot with TPM2 (Demo)" + depends on TARGET_QEMU_AMD64 + help + This enables TPM2 encryption for the partition given in the variable + CRYPT_PARTITIONS from recipes-initramfs/initramfs-crypt-hook. + +config KAS_INCLUDE_TPM2_ENCRYPTION + string + default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION + endif
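Review bot: the help text of the new IMAGE_TPM2_ENCRYPTION entry says "the partition given in the variable CRYPT_PARTITIONS", while the prompt says "partitions" and the variable name is plural; it should read "the partitions listed in CRYPT_PARTITIONS" and say where that variable is meant to be set, since the hunk only points at recipes-initramfs/initramfs-crypt-hook without stating a default. The hard `depends on TARGET_QEMU_AMD64` also reads as a limitation of the TPM2 key-sealing backend rather than of partition encryption itself; if that is the reason, state it in the help so the dependency can be relaxed for other targets later without rewording the option, and either drop the "(Demo)" marker from the prompt or explain in the help which part of the feature is demonstration-only, since a user selecting the option cannot act on the bare label.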