
[isar-cip-core,v2,7/7] README: Add rootfs encryption

Message ID 20240422141120.577573-8-Quirin.Gylstorff@siemens.com
State Superseded
Series Add option to encrypt the rootfs

Commit Message

Quirin Gylstorff April 22, 2024, 2:09 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.tpm2.encryption.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

Comments

Felix Moessbauer April 23, 2024, 9:29 a.m. UTC | #1
On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  doc/README.tpm2.encryption.md | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/README.tpm2.encryption.md
> b/doc/README.tpm2.encryption.md
> index c5ac6c4..a229d86 100644
> --- a/doc/README.tpm2.encryption.md
> +++ b/doc/README.tpm2.encryption.md
> @@ -44,6 +44,16 @@ Each entry uses the schema `<partition-
> label>:<mountpoint>:<reencrypt or format>
>  - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting
> content of the partition. This reduces the partition by 32MB and the
> file system by a similar amount
>  - `format` creates a empty LUKS partition and creates a file system
> defined with the shell command given in
> `CRYPT_CREATE_FILE_SYSTEM_CMD`
>  
> +#### Encrypted root file system
> +
> +To encrypt the root file system the variable `CRYPT_PARTITIONS`
> needs to be set to:
> +```
> +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
> +```
> +The mountpoint is empty as the root partition is mounted by another
> initramfs service.
> +Both partitions are encrypted during first boot. The initramfs opens
> systema and systemb
> +during boot.

Does that mean the .swu file still contains the unencrypted
partitions? Or are these partitions encrypted with a fixed key and re-
encrypted on first boot? How are the initial keys distributed?

Before documenting the technical details, please document the general
deployment model, goals and non-goals, as well as security and
confidentiality guarantees.

For me it is currently unclear which kind of problem we want to solve
with this approach.

Best regards,
Felix

> +
>  ### CRYPT_CREATE_FILE_SYSTEM_CMD
>  
>  The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to
> create a new file system on a newly
> @@ -59,7 +69,7 @@ based encryption:
>   - jq
>  
>  ## steps to convert clevis to systemd
> -The following script shows how to enroll a systemd-tpm2 token with a
> existinng clevis based encryption:
> +The following script shows how to enroll a systemd-tpm2 token with a
> existing clevis based encryption:
>  ```bash
>  export device=/dev/sda6
>  export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-
> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots
> | first' | head -n1)
Quirin Gylstorff April 23, 2024, 9:56 a.m. UTC | #2
On 4/23/24 11:29 AM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   doc/README.tpm2.encryption.md | 12 +++++++++++-
>>   1 file changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.tpm2.encryption.md
>> b/doc/README.tpm2.encryption.md
>> index c5ac6c4..a229d86 100644
>> --- a/doc/README.tpm2.encryption.md
>> +++ b/doc/README.tpm2.encryption.md
>> @@ -44,6 +44,16 @@ Each entry uses the schema `<partition-
>> label>:<mountpoint>:<reencrypt or format>
>>   - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting
>> content of the partition. This reduces the partition by 32MB and the
>> file system by a similar amount
>>   - `format` creates a empty LUKS partition and creates a file system
>> defined with the shell command given in
>> `CRYPT_CREATE_FILE_SYSTEM_CMD`
>>   
>> +#### Encrypted root file system
>> +
>> +To encrypt the root file system the variable `CRYPT_PARTITIONS`
>> needs to be set to:
>> +```
>> +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
>> +```
>> +The mountpoint is empty as the root partition is mounted by another
>> initramfs service.
>> +Both partitions are encrypted during first boot. The initramfs opens
>> systema and systemb
>> +during boot.
> 
> Does that mean, the .swu file still contains the unencrypted
> partitions? Or are these partitions encrypted with a fixed key and re-
> encrypted on first boot? How are the initial keys distributed?
We can enable symmetric encryption on the images of the swu, which are 
then extracted on the target.
These images are still encrypted on first boot. So this means the 
device needs to boot in a secure environment.
Initial keys almost always leak ;-).

> 
> Before documenting the technical details, please document the general
> deployment model, goals and non-goals, as well as security and
> confidential guarantees.

Sure, I will add a section in the README.
> 
> For me it is currently unclear which kind of problem we want to solve
> with this approach.
> 
> Best regards,
> Felix
> 
>> +
>>   ### CRYPT_CREATE_FILE_SYSTEM_CMD
>>   
>>   The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to
>> create a new file system on a newly
>> @@ -59,7 +69,7 @@ based encryption:
>>    - jq
>>   
>>   ## steps to convert clevis to systemd
>> -The following script shows how to enroll a systemd-tpm2 token with a
>> existinng clevis based encryption:
>> +The following script shows how to enroll a systemd-tpm2 token with a
>> existing clevis based encryption:
>>   ```bash
>>   export device=/dev/sda6
>>   export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-
>> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots
>> | first' | head -n1)
>

Patch

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index c5ac6c4..a229d86 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -44,6 +44,16 @@  Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
 
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens systema and systemb
+during boot.
+
 ### CRYPT_CREATE_FILE_SYSTEM_CMD
 
 The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
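Review bot: The new "Encrypted root file system" section leaves the deployment model unstated: with `CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"` both root partitions sit on the device, and in the shipped image, in plaintext until `cryptsetup reencrypt` finishes on first boot, so the section should say explicitly that first boot has to take place in a trusted environment and what is guaranteed afterwards (confidentiality of the root file systems at rest against offline reads of the storage, not against anyone who can observe or interrupt that first boot). It should also carry over the constraint stated for `reencrypt` a few lines above, that the partition and file system shrink by about 32MB, so the rootfs image must have at least that much free space, and that `systema`/`systemb` have to match the partition labels of the image layout. "The initramfs opens systema and systemb during boot" is ambiguous about whether both slots are unlocked on every boot or only the active one; one sentence would settle it. While you are in this section, the unchanged context lines still read `exiting content` and `a empty LUKS partition` (`existing`, `an empty`).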
@@ -59,7 +69,7 @@  based encryption:
  - jq
 
 ## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
 ```bash
 export device=/dev/sda6
 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
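Review bot: The corrected line still reads `with a existing clevis based encryption`; since this hunk exists only to fix the `existinng` typo, fix the article to `an existing` (and `clevis-based`) in the same line rather than leaving it for another patch. Two points on the `keyslot` command right below the changed line: the `.tokens.[]` path is rejected by jq releases before 1.7 (`.tokens[]` is accepted by all releases), and `| first` already yields a single element, so the trailing `head -n1` is redundant. Either state the jq version in the prerequisites list that names `jq` above, or switch to the portable form.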