Message ID | 20240425115119.813384-7-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Superseded |
Series | Add option to encrypt the rootfs | expand |
On Thu, 2024-04-25 at 13:50 +0200, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to setup a full encrypted system. Nit pick: There is no "full disk encryption" for EFI. At least the ESP partition (and the EBG parts in our case) cannot be encrypted - by design. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > Kconfig | 20 ++++++++++++++++++-- > kas/opt/encrypt-all.yml | 23 +++++++++++++++++++++++ > 2 files changed, 41 insertions(+), 2 deletions(-) > create mode 100644 kas/opt/encrypt-all.yml > > diff --git a/Kconfig b/Kconfig > index 9478a06..42e6b67 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT > default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && > !IMAGE_SECURE_BOOT > default "kas/opt/ebg-secure-boot-snakeoil.yml" if > IMAGE_SECURE_BOOT > > + > +menuconfig DISK_ENCRYPTION > + bool > + prompt "disk encryption" > + select IMAGE_SECURE_BOOT > + > config IMAGE_DATA_ENCRYPTION > bool "Encrypt data partitions on first boot" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || > TARGET_QEMU_ARM > - select IMAGE_SECURE_BOOT > + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || > TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) > help > This enables LUKS encryption for the partitions /var and > /home. > > +config IMAGE_FULL_ENCRYPTION > + bool "Encrypt rootfs and data partitions" > + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || > TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) > + select IMAGE_DATA_ENCRYPTION > + help > + This enables LUKS encryption for all partitions. > + > config KAS_INCLUDE_DATA_ENCRYPTION > string > default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION > > +config KAS_INCLUDE_FULL_ENCRYPTION Why not KAS_INCLUDE_ROOTFS_ENCRYPTION ? Anyways, it's just a nit pick. Can be ignored. Felix > + string > + default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION > + > endif 
> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml > new file mode 100644 > index 0000000..b6d4041 > --- /dev/null > +++ b/kas/opt/encrypt-all.yml > @@ -0,0 +1,23 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2024 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > + > +header: > + version: 14 > + includes: > + - kas/opt/encrypt-data.yml > +local_conf_header: > + encrypted_root: | > + # Do not set mount points for systema and systemb as they are > mounted by the > + # abrootfs/verity initramfs > + # As we use a weak default assignment in the intramfs-crypt-hook > recipe we need > + # to set all partitions > + CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt > ${ABROOTFS_PART_UUID_B}::reencrypt \ > + home:/home:reencrypt var:/var:reencrypt"
diff --git a/Kconfig b/Kconfig
index 9478a06..42e6b67 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
 	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
 	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
 
+
+menuconfig DISK_ENCRYPTION
+	bool
+	prompt "disk encryption"
+	select IMAGE_SECURE_BOOT
+
 config IMAGE_DATA_ENCRYPTION
 	bool "Encrypt data partitions on first boot"
-	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
-	select IMAGE_SECURE_BOOT
+	depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
 	help
 	  This enables LUKS encryption for the partitions /var and /home.
 
+config IMAGE_FULL_ENCRYPTION
+	bool "Encrypt rootfs and data partitions"
+	depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+	select IMAGE_DATA_ENCRYPTION
+	help
+	  This enables LUKS encryption for all partitions.
+
 config KAS_INCLUDE_DATA_ENCRYPTION
 	string
 	default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
 
+config KAS_INCLUDE_FULL_ENCRYPTION
+	string
+	default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
 endif
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
new file mode 100644
index 0000000..b6d4041
--- /dev/null
+++ b/kas/opt/encrypt-all.yml
@@ -0,0 +1,23 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+  includes:
+    - kas/opt/encrypt-data.yml
+local_conf_header:
+  encrypted_root: |
+    # Do not set mount points for systema and systemb as they are mounted by the
+    # abrootfs/verity initramfs
+    # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+    # to set all partitions
+    CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
+      home:/home:reencrypt var:/var:reencrypt"
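Review bot: `menuconfig DISK_ENCRYPTION` carries `select IMAGE_SECURE_BOOT` but no `depends on`, whereas before this change that select sat on IMAGE_DATA_ENCRYPTION underneath the TARGET_QEMU_* dependency; because a Kconfig `select` forces its target regardless of the target's own dependencies, the new menu can be switched on for any board and pull in IMAGE_SECURE_BOOT unconditionally. Whether IMAGE_SECURE_BOOT has restrictions of its own is not visible in this hunk, but moving the target list onto the menuconfig restores the previous gating and lets IMAGE_DATA_ENCRYPTION and IMAGE_FULL_ENCRYPTION depend on DISK_ENCRYPTION alone instead of repeating the three targets. The menuconfig also has no help text, and its prompt is the only lower-case one in this section.
```kconfig
menuconfig DISK_ENCRYPTION
	bool "Disk encryption"
	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
	select IMAGE_SECURE_BOOT
	help
	  Enables the LUKS encryption options below; implies IMAGE_SECURE_BOOT.

config IMAGE_DATA_ENCRYPTION
	bool "Encrypt data partitions on first boot"
	depends on DISK_ENCRYPTION
# … unchanged: IMAGE_DATA_ENCRYPTION help, IMAGE_FULL_ENCRYPTION (same "depends on DISK_ENCRYPTION" simplification), KAS_INCLUDE_* symbols …
```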
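Review bot: The comment inside `encrypted_root` misspells the recipe it points at: `# As we use a weak default assignment in the intramfs-crypt-hook recipe we need` should read `initramfs-crypt-hook`, otherwise a reader searching for the recipe by the name in the comment will not find it. The plain `CRYPT_PARTITIONS =` assignment here also replaces, rather than extends, whatever the included kas/opt/encrypt-data.yml sets for that variable (its content is outside this patch), which appears to be what "we need to set all partitions" alludes to; saying so directly, e.g. `# Overrides CRYPT_PARTITIONS from encrypt-data.yml: every partition must be listed here, root slots with an empty mount point`, would spare the next maintainer a trip to the other file.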