@@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+
+menuconfig DISK_ENCRYPTION
+ bool
+ prompt "disk encryption"
+ select IMAGE_SECURE_BOOT
+
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions on first boot"
- depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
- select IMAGE_SECURE_BOOT
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
help
This enables LUKS encryption for the partitions /var and /home.
+config IMAGE_FULL_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ select IMAGE_DATA_ENCRYPTION
+ help
+ This enables LUKS encryption for all partitions.
+
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
+config KAS_INCLUDE_FULL_ENCRYPTION
+ string
+ default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
endif
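Review bot: With IMAGE_FULL_ENCRYPTION set, `kas/opt/encrypt-data.yml` appears to be pulled in twice: once through KAS_INCLUDE_DATA_ENCRYPTION (IMAGE_DATA_ENCRYPTION is selected by IMAGE_FULL_ENCRYPTION, so its default fires) and once through the `includes:` list of encrypt-all.yml in the new file. If kas deduplicates includes this is harmless, otherwise the guard should be made explicit, e.g. `default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION && !IMAGE_FULL_ENCRYPTION`. The new DISK_ENCRYPTION menuconfig has no help text although it silently forces IMAGE_SECURE_BOOT via `select`; a short `help` stating that disk encryption requires secure boot to be enabled would make that coupling visible in menuconfig. Minor style: the new entries at IMAGE_FULL_ENCRYPTION and KAS_INCLUDE_FULL_ENCRYPTION are not separated from the preceding block by a blank line, and the prompt `"disk encryption"` is lowercase while every other prompt in this file is capitalized.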
new file mode 100644
@@ -0,0 +1,22 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+ includes:
+ - kas/opt/encrypt-data.yml
+local_conf_header:
+ encrypted_root: |
+ # Do not set mount points for systema and systemb as they are mounted by the
+ # abrootfs/verity initramfs
+ # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+ # to set all partitions
+ CRYPT_PARTITIONS = " systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:reencrypt"
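Review bot: The embedded comment on the CRYPT_PARTITIONS line has a typo in the recipe name, `intramfs-crypt-hook`; it should presumably read `initramfs-crypt-hook` so that a reader can grep for the recipe that consumes this variable. The header comment would also benefit from stating what the `reencrypt` mode implies here: the rootfs partitions systema and systemb are written unencrypted by the image build and only converted to LUKS in place during first boot (the Kconfig prompt in the same commit says "on first boot"), so the on-disk image is plaintext until that step has completed. The leading space in `" systema::reencrypt ..."` is harmless for a space-separated list but looks like a leftover from an `+=` form; since the comment explains this is a plain `=` override of a weak default, dropping it avoids the question.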