
[isar-cip-core,7/7] README: Add rootfs encryption

Message ID 20240419082036.2389583-8-Quirin.Gylstorff@siemens.com (mailing list archive)
State New
Series Add option to encrypt the rootfs

Commit Message

Gylstorff Quirin April 19, 2024, 8:20 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.tpm2.encryption.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

Patch

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index 69a18dd..a0a78d2 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -44,6 +44,16 @@  Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
 
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens systema and systemb
+during boot.
+
 ### CRYPT_CREATE_FILE_SYSTEM_CMD
 
 The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
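Review bot: the new `Encrypted root file system` subsection is missing the one consequence a reader of this page most needs: the example relies on `reencrypt`, and the bullet a few lines above says `cryptsetup reencrypt` shrinks the partition by 32MB and the file system by a similar amount, so the paragraph should state what headroom the `systema`/`systemb` root file systems must be built with for first-boot encryption to succeed. It should also say plainly that the root content sits unencrypted on disk until that first boot has completed, since "Both partitions are encrypted during first boot" leaves the pre-first-boot state implicit. Two smaller points: the `CRYPT_PARTITIONS` fence has no language tag while the file otherwise uses ```bash, and `systema` and `systemb` are partition labels and should be in backticks in the prose.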
@@ -59,7 +69,7 @@  based encryption:
  - jq
 
 ## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
 ```bash
 export device=/dev/sda6
 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
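Review bot: the typo fix on the `## steps to convert clevis to systemd` line only corrects `existinng`; the article is still wrong, so the sentence should read `with an existing clevis-based encryption`. While this line is being touched, the heading could be capitalised (`## Steps to convert clevis to systemd`) to match the other headings in the file, such as `### CRYPT_CREATE_FILE_SYSTEM_CMD` and `#### Encrypted root file system`.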