
[isar-cip-core,v2,13/13] Add example to encrypt the rootfs

Message ID 20240322100605.4129226-14-Quirin.Gylstorff@siemens.com (mailing list archive)
State Rejected
Series Rework disk encryption

Commit Message

Gylstorff Quirin March 22, 2024, 10:05 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
 wic/x86_64-encryption.wks.in | 16 ++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100644 wic/x86_64-encryption.wks.in

Comments

Jan Kiszka April 8, 2024, 5:50 p.m. UTC | #1
On 22.03.24 11:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  kas/opt/encrypt_rootfs.yml   | 24 ++++++++++++++++++++++++
>  wic/x86_64-encryption.wks.in | 16 ++++++++++++++++
>  2 files changed, 40 insertions(+)
>  create mode 100644 kas/opt/encrypt_rootfs.yml
>  create mode 100644 wic/x86_64-encryption.wks.in
> 
> diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
> new file mode 100644
> index 0000000..4001c75
> --- /dev/null
> +++ b/kas/opt/encrypt_rootfs.yml
> @@ -0,0 +1,24 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> +  version: 14
> +
> +local_conf_header:
> +  encrypted_root: |
> +    WKS_FILE = "x86_64-encryption.wks.in"
> +    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
> +    IMAGE_FSTYPES = "wic"
> +    IMAGER_INSTALL:wic += "systemd-boot"
> +    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
> +    INITRAMFS_RECIPE ?= "cip-core-initramfs"
> +    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
> +    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
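Review bot: the `CIP_IMAGE_OPTIONS:append:qemu-amd64` line ties this example to a single machine, while the file header ("generic profile") and the generic name `encrypt_rootfs.yml` suggest a profile-wide option, and nothing in the file says which machines it expects or what the three fields of each `CRYPT_PARTITIONS` entry (`platform:/:reencrypt`) mean. Suggest a usage comment at the top of the file covering both, or a Kconfig entry so the option can only be selected in a configuration it is known to work with.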
> diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
> new file mode 100644
> index 0000000..800b56d
> --- /dev/null
> +++ b/wic/x86_64-encryption.wks.in
> @@ -0,0 +1,16 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
> +
> +part / --source rootfs --fstype ext4  --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
> +# home and var are extra partitions
> +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
> +
> +bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"
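Review bot: `/boot` and `/` get a fixed `--uuid`, but `/home` and `/var` do not, so their partition UUIDs differ on every build. If the encryption setup locates partitions by label only (`platform`, `home`, `var` match the first field of each `CRYPT_PARTITIONS` entry) that is harmless, but then say so in the comment, or add fixed `--uuid` values for consistency. The double spaces in `--fstype ext4  --mkfs-extraopts` and `--align 1024  --size 1G` should also be dropped.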

On second glance, this one confuses me. It comes with zero documentation
or at least some Kconfig entry to make clear in which context it can be
used. I bet it collides heavily when combined with the qemu-amd64 secure
boot example.

I'm taking this out again. Please clean up and provide a documented
example with at least Kconfig integration.

Jan

Patch

diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
new file mode 100644
index 0000000..4001c75
--- /dev/null
+++ b/kas/opt/encrypt_rootfs.yml
@@ -0,0 +1,24 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+
+local_conf_header:
+  encrypted_root: |
+    WKS_FILE = "x86_64-encryption.wks.in"
+    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
+    IMAGE_FSTYPES = "wic"
+    IMAGER_INSTALL:wic += "systemd-boot"
+    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
+    INITRAMFS_RECIPE ?= "cip-core-initramfs"
+    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
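Review bot: `WKS_FILE = ...` and `IMAGE_FSTYPES = "wic"` are hard assignments while `INITRAMFS_RECIPE ?=` is the only weak one, so when this snippet is combined with another kas option that sets the same variables the result depends on include order and silently overrides the other option. Suggest stating in a file comment which other `kas/opt` files this example may be stacked with, and using `?=` where a value is meant as a default rather than an override.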
diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
new file mode 100644
index 0000000..800b56d
--- /dev/null
+++ b/wic/x86_64-encryption.wks.in
@@ -0,0 +1,16 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# SPDX-License-Identifier: MIT
+#
+
+part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
+
+part / --source rootfs --fstype ext4  --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
+# home and var are extra partitions
+part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
+part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
+
+bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"
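Review bot: `/` and `/home` are both created with `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, so two ext4 filesystems on the same disk share one UUID and any lookup by filesystem UUID (fstab, `root=UUID=`, `blkid`-based tooling) becomes ambiguous. Give `/home` its own value, as `/var` already has. A comment on why `/var`, which has no `--source` and is therefore created empty, is listed with `reencrypt` in `CRYPT_PARTITIONS` would also help readers of this example.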