Message ID | 20240419082036.2389583-7-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Superseded |
Series | Add option to encrypt the rootfs |
On 19.04.24 10:20, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > Kconfig | 20 ++++++++++++++++++-- > kas/opt/encrypt-rootfs.yml | 22 ++++++++++++++++++++++ > 2 files changed, 40 insertions(+), 2 deletions(-) > create mode 100644 kas/opt/encrypt-rootfs.yml > > diff --git a/Kconfig b/Kconfig > index 7c19640..e657a22 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT > default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT > default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > > + > +menuconfig DISK_ENCRYPTION > + bool > + prompt "disk encryption" > + select IMAGE_SECURE_BOOT > + > config IMAGE_DATA_ENCRYPTION > bool "Encrypt data partitions on first boot" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > - select IMAGE_SECURE_BOOT > + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) > help > This enables LUKS encryption for the partitions /var and /home. > > +config IMAGE_FULL_ENCRYPTION > + bool "Encrypt rootfs and data partitions" > + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) > + select IMAGE_DATA_ENCRYPTION > + help > + This enables LUKS encryption for all partitions. > + > config KAS_INCLUDE_DATA_ENCRYPTION > string > default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION > > +config KAS_INCLUDE_ROOTFS_ENCRYPTION > + string > + default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION We still have a logic flip in the name of the kas option files: "encrypt-partitions" suggest "all partitions" while "encrypt-rootfs" does not suggest that it actually means "(almost) all". I would suggest: encrypt-partitions.yml -> encrypt-data.yml encrypt-rootfs.yml -> encrypt-all.yml Jan > + > endif 
> diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml > new file mode 100644 > index 0000000..f273b65 > --- /dev/null > +++ b/kas/opt/encrypt-rootfs.yml > @@ -0,0 +1,22 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2024 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > + > +header: > + version: 14 > + includes: > + - kas/opt/encrypt-partitions.yml > +local_conf_header: > + encrypted_root: | > + # Do not set mount points for systema and systemb as they are mounted by the > + # abrootfs/verity initramfs > + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need > + # to set all partitions > + CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
diff --git a/Kconfig b/Kconfig index 7c19640..e657a22 100644 --- a/Kconfig +++ b/Kconfig @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT + +menuconfig DISK_ENCRYPTION + bool + prompt "disk encryption" + select IMAGE_SECURE_BOOT + config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions on first boot" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM - select IMAGE_SECURE_BOOT + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) help This enables LUKS encryption for the partitions /var and /home. +config IMAGE_FULL_ENCRYPTION + bool "Encrypt rootfs and data partitions" + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) + select IMAGE_DATA_ENCRYPTION + help + This enables LUKS encryption for all partitions. + config KAS_INCLUDE_DATA_ENCRYPTION string default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION +config KAS_INCLUDE_ROOTFS_ENCRYPTION + string + default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION + endif diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml new file mode 100644 index 0000000..f273b65 --- /dev/null +++ b/kas/opt/encrypt-rootfs.yml @@ -0,0 +1,22 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + includes: + - kas/opt/encrypt-partitions.yml +local_conf_header: + encrypted_root: | + # Do not set mount points for systema and systemb as they are mounted by the + # abrootfs/verity initramfs + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need + # to set all partitions + CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
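Review bot: In the Kconfig hunk, the new `menuconfig DISK_ENCRYPTION` carries `select IMAGE_SECURE_BOOT` but no `depends on`, while the target restriction `(TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)` is repeated in both IMAGE_DATA_ENCRYPTION and IMAGE_FULL_ENCRYPTION. On any target outside those three the menu can still be enabled, which forces secure boot on while neither encryption option is selectable. Suggest moving the target dependency onto DISK_ENCRYPTION and letting the two child options depend on DISK_ENCRYPTION alone; the menuconfig entry would also benefit from a help text. Separately, the help of IMAGE_FULL_ENCRYPTION says "all partitions" while its prompt says "rootfs and data partitions"; the two should agree.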
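Review bot: In the kas/opt/encrypt-rootfs.yml hunk, the last entry of `CRYPT_PARTITIONS:append` reads `var:/var:rueencrypt`, while the other three entries use `reencrypt`; this looks like a typo and should be `var:/var:reencrypt`. The string also starts without a leading space, and `:append` adds no separator, so if CRYPT_PARTITIONS already holds a value when the append is applied, `systema::reencrypt` is glued onto its last entry; starting the string with a space avoids that. The comment above spells the recipe `intramfs-crypt-hook`, where `initramfs-crypt-hook` is presumably meant.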