Message ID | 20240322100605.4129226-14-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Rejected |
Headers | show |
Series | Rework disk encryption | expand |
On 22.03.24 11:05, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > kas/opt/encrypt_rootfs.yml | 24 ++++++++++++++++++++++++ > wic/x86_64-encryption.wks.in | 16 ++++++++++++++++ > 2 files changed, 40 insertions(+) > create mode 100644 kas/opt/encrypt_rootfs.yml > create mode 100644 wic/x86_64-encryption.wks.in > > diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml > new file mode 100644 > index 0000000..4001c75 > --- /dev/null > +++ b/kas/opt/encrypt_rootfs.yml > @@ -0,0 +1,24 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2024 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > + > +header: > + version: 14 > + > +local_conf_header: > + encrypted_root: | > + WKS_FILE = "x86_64-encryption.wks.in" > + CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt" > + IMAGE_FSTYPES = "wic" > + IMAGER_INSTALL:wic += "systemd-boot" > + CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc" > + INITRAMFS_RECIPE ?= "cip-core-initramfs" > + INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" > + do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" > diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in > new file mode 100644 > index 0000000..800b56d > --- /dev/null > +++ b/wic/x86_64-encryption.wks.in > @@ -0,0 +1,16 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2024 > +# > +# SPDX-License-Identifier: MIT > +# > + > +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0 > + > +part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb > +# home and var are extra partitions > +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 > +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002 > + > +bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200" On second glance, this one confuses me. It comes with zero documentation or at least some Kconfig entry to make clear in which context it can be used. I bet it collides heavily when combined with the qemu-amd64 secure boot example. I'm taking this out again. Please clean up and provide a documented example with at least Kconfig integration. Jan
diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml new file mode 100644 index 0000000..4001c75 --- /dev/null +++ b/kas/opt/encrypt_rootfs.yml @@ -0,0 +1,24 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + +local_conf_header: + encrypted_root: | + WKS_FILE = "x86_64-encryption.wks.in" + CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt" + IMAGE_FSTYPES = "wic" + IMAGER_INSTALL:wic += "systemd-boot" + CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc" + INITRAMFS_RECIPE ?= "cip-core-initramfs" + INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" + do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in new file mode 100644 index 0000000..800b56d --- /dev/null +++ b/wic/x86_64-encryption.wks.in @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# SPDX-License-Identifier: MIT +# + +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0 + +part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb +# home and var are extra partitions +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002 + +bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"