Message ID | 20240502093240.364093-7-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Superseded |
Series | Add option to encrypt the rootfs | expand |
On 02.05.24 11:31, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to setup a system with all non-boot partitions encrypted. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > Kconfig | 22 ++++++++++++++++++++-- > kas/opt/encrypt-all.yml | 23 +++++++++++++++++++++++ > 2 files changed, 43 insertions(+), 2 deletions(-) > create mode 100644 kas/opt/encrypt-all.yml > > diff --git a/Kconfig b/Kconfig > index 9478a06..d0a9bea 100644 > --- a/Kconfig > +++ b/Kconfig 
> @@ -202,15 +202,33 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT > default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT > default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT > > + > +menuconfig DISK_ENCRYPTION > + bool > + prompt "disk encryption" > + select IMAGE_SECURE_BOOT > + A menu is overkill here, specifically as... > config IMAGE_DATA_ENCRYPTION > bool "Encrypt data partitions on first boot" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > - select IMAGE_SECURE_BOOT > + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) > help > This enables LUKS encryption for the partitions /var and /home. > > +config IMAGE_FULL_ENCRYPTION > + bool "Encrypt rootfs and data partitions" > + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) > + select IMAGE_DATA_ENCRYPTION > + help > + This enables LUKS encryption for all non-boot partitions on first boot. > + If the partitions contain secrets the first boot must occur in a secure > + location. > + ...you can't select IMAGE_FULL_ENCRYPTION without IMAGE_DATA_ENCRYPTION (for good reasons). It's also strange when one only selects the menu but not any items of it. Therefore: config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions" select IMAGE_SECURE_BOOT depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM help This enables LUKS encryption for the partitions /var and /home. Encryption is done with a device-specific key on first boot. config IMAGE_FULL_ENCRYPTION bool "Encrypt rootfs and data partitions" depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM select IMAGE_DATA_ENCRYPTION help This enables LUKS encryption for all non-boot partitions on first boot. If the partitions contain secrets the first boot must occur in a secure location. 
Jan > config KAS_INCLUDE_DATA_ENCRYPTION > string > default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION > > +config KAS_INCLUDE_FULL_ENCRYPTION > + string > + default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION > + > endif > diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml > new file mode 100644 > index 0000000..b6d4041 > --- /dev/null > +++ b/kas/opt/encrypt-all.yml > @@ -0,0 +1,23 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2024 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > + > +header: > + version: 14 > + includes: > + - kas/opt/encrypt-data.yml > +local_conf_header: > + encrypted_root: | > + # Do not set mount points for systema and systemb as they are mounted by the > + # abrootfs/verity initramfs > + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need > + # to set all partitions > + CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \ > + home:/home:reencrypt var:/var:reencrypt"
diff --git a/Kconfig b/Kconfig
index 9478a06..d0a9bea 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,33 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
 	default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
 	default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
 
+
+menuconfig DISK_ENCRYPTION
+	bool
+	prompt "disk encryption"
+	select IMAGE_SECURE_BOOT
+
 config IMAGE_DATA_ENCRYPTION
 	bool "Encrypt data partitions on first boot"
-	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
-	select IMAGE_SECURE_BOOT
+	depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
 	help
 	  This enables LUKS encryption for the partitions /var and /home.
 
+config IMAGE_FULL_ENCRYPTION
+	bool "Encrypt rootfs and data partitions"
+	depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+	select IMAGE_DATA_ENCRYPTION
+	help
+	  This enables LUKS encryption for all non-boot partitions on first boot.
+	  If the partitions contain secrets the first boot must occur in a secure
+	  location.
+
 config KAS_INCLUDE_DATA_ENCRYPTION
 	string
 	default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
 
+config KAS_INCLUDE_FULL_ENCRYPTION
+	string
+	default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
 endif
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
new file mode 100644
index 0000000..b6d4041
--- /dev/null
+++ b/kas/opt/encrypt-all.yml
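Review bot: The help text of IMAGE_FULL_ENCRYPTION asks for the first boot to happen in a secure location but does not say why, which is the fact a deployer needs in order to judge the risk: the partitions are presumably produced unencrypted at build time and only re-encrypted in place during the first boot (the `::reencrypt` mode selected in kas/opt/encrypt-all.yml), so a shipped image, or a device that never completed its first boot, still holds the rootfs in the clear. Suggest adding after the existing sentence: `Partitions are written unencrypted at build time and re-encrypted in place during the first boot; until that boot completes, all data on them is stored in the clear.` The prompt `"disk encryption"` is also the only lower-case prompt among the neighbouring entries; `"Disk encryption"` would match the surrounding style.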
@@ -0,0 +1,23 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 14
+  includes:
+    - kas/opt/encrypt-data.yml
+local_conf_header:
+  encrypted_root: |
+    # Do not set mount points for systema and systemb as they are mounted by the
+    # abrootfs/verity initramfs
+    # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+    # to set all partitions
+    CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
+    home:/home:reencrypt var:/var:reencrypt"
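Review bot: The comment in the `encrypted_root` block names the `intramfs-crypt-hook` recipe, which looks like a typo for `initramfs-crypt-hook`; the recipe name does not appear elsewhere on this page, so please confirm before changing it. The same comment explains that a weak default forces listing all partitions, but not that this is a plain `=` assignment which replaces rather than extends whatever the included kas/opt/encrypt-data.yml contributes; a sentence such as `# Plain assignment on purpose: it replaces, not extends, the CRYPT_PARTITIONS default` would make the precedence explicit. Since IMAGE_FULL_ENCRYPTION selects IMAGE_DATA_ENCRYPTION, KAS_INCLUDE_DATA_ENCRYPTION already pulls in encrypt-data.yml, so the `includes:` entry here appears redundant unless it is meant to fix the include order, which is worth a one-line comment either way.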