[isar-cip-core,v3,13/15] Add example to encrypt the rootfs

Message ID	20240409130638.559398-14-Quirin.Gylstorff@siemens.com (mailing list archive)
State	New
Headers	show Return-Path: <quirin.gylstorff@siemens.com> ip: 185.136.65.228, mailfrom: fm-51332-2024040913064129eb205e007bbe35ee-ljz5p3@rts-flowmailer.siemens.com) From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com> To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 13/15] Add example to encrypt the rootfs Date: Tue, 9 Apr 2024 15:05:30 +0200 Message-ID: <20240409130638.559398-14-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-51332:519-21489:flowmailer
Series	Rework disk encryption \| expand [isar-cip-core,v3,00/15] Rework disk encryption [isar-cip-core,v3,01/15] initramfs-crypt-hook: Allow switching between clevis and systemd [isar-cip-core,v3,02/15] initramfs-crypt-hook: Align systemd encryption and clevis encryption [isar-cip-core,v3,03/15] initramfs-crypt-hook: move the mounting of encrypted disks in a seperate f… [isar-cip-core,v3,04/15] initramfs-crypt-hook: Check if the TPM device fulfills the given requireme… [isar-cip-core,v3,05/15] initramfs-crypt-hook: add flag to make encryption optional [isar-cip-core,v3,06/15] initramfs-crypt-hook: add e2fsck to avoid resize error [isar-cip-core,v3,07/15] initramfs-crypt-hook: split encryption and mounting [isar-cip-core,v3,08/15] initramfs-crypt-hook: Add check if root is part of the mountpoints [isar-cip-core,v3,09/15] initramfs-crypt-hook: split hook in multiple files [isar-cip-core,v3,10/15] initramfs-crypt-hook: Consolidate clevis and systemd scripts [isar-cip-core,v3,11/15] initramfs-crypt-hook: Increase version [isar-cip-core,v3,12/15] README.tpm2.encryption: Add section to switch from clevis to systemd [isar-cip-core,v3,13/15] Add example to encrypt the rootfs [isar-cip-core,v3,14/15] Kconfig: Add option to encrypt the rootfs [isar-cip-core,v3,15/15] start-qemu.sh: Support encrypted rootfs

Message ID

20240409130638.559398-14-Quirin.Gylstorff@siemens.com (mailing list archive)

State

New

Headers

From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: jan.kiszka@siemens.com,
	cip-dev@lists.cip-project.org,
	johnxw@amazon.com
Subject: [cip-dev][isar-cip-core][PATCH v3 13/15] Add example to encrypt the
 rootfs
Date: Tue,  9 Apr 2024 15:05:30 +0200
Message-ID: <20240409130638.559398-14-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com>
References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-51332:519-21489:flowmailer

Series

Rework disk encryption | expand

Commit Message

Gylstorff Quirin April 9, 2024, 1:05 p.m. UTC

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/encrypt_rootfs.yml   | 25 +++++++++++++++++++++++++
 wic/x86_64-encryption.wks.in | 16 ++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100644 wic/x86_64-encryption.wks.in

diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml
new file mode 100644
index 0000000..9e284b4
--- /dev/null
+++ b/kas/opt/encrypt_rootfs.yml
@@ -0,0 +1,25 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+
+local_conf_header:
+  encrypted_root: |
+    WKS_FILE = "x86_64-encryption.wks.in"
+    CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"
+    IMAGE_FSTYPES = "wic"
+    IMAGER_INSTALL:wic += "systemd-boot"
+    CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc"
+    INITRAMFS_RECIPE ?= "cip-core-initramfs"
+    INITRAMFS_INSTALL:append = " initramfs-crypt-hook"
+    INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+    do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in
new file mode 100644
index 0000000..800b56d
--- /dev/null
+++ b/wic/x86_64-encryption.wks.in
@@ -0,0 +1,16 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# SPDX-License-Identifier: MIT
+#
+
+part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0
+
+part / --source rootfs --fstype ext4  --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb
+# home and var are extra partitions
+part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
+part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002
+
+bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"

[isar-cip-core,v3,13/15] Add example to encrypt the rootfs

Commit Message

Patch