@@ -205,12 +205,24 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions on first boot"
depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
- select IMAGE_SECURE_BOOT
help
This enables LUKS encryption for the partitions /var and /home.
+config IMAGE_FULL_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
+ select IMAGE_DATA_ENCRYPTION
+ help
+ This enables LUKS encryption for all non-boot partitions on first boot.
+ If the partitions contain secrets the first boot must occur in a secure
+ location.
+
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
+config KAS_INCLUDE_FULL_ENCRYPTION
+ string
+ default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
endif
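Review bot: IMAGE_FULL_ENCRYPTION does not select IMAGE_SECURE_BOOT, and the same hunk drops that select from IMAGE_DATA_ENCRYPTION, so a fully encrypted rootfs can now be configured without a verified boot chain; the boot partition and the initramfs that unlocks the LUKS volumes then stay unencrypted and unauthenticated, which a user reading "Encrypt rootfs and data partitions" is unlikely to expect. If decoupling the two options is intentional, the help text should state it, e.g. `The boot partition is not protected by this option; enable IMAGE_SECURE_BOOT to authenticate the initramfs that unlocks the encrypted partitions.`; otherwise add `select IMAGE_SECURE_BOOT` to the new option. The help text's "first boot must occur in a secure location" would also be clearer if it named the reason, presumably that the partitions are re-encrypted in place on first boot and the data is in plaintext until that completes (the mechanism lives in the hook recipe, not in this hunk). The enclosing `if` block starts before this hunk.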
new file mode 100644
@@ -0,0 +1,23 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+ includes:
+ - kas/opt/encrypt-data.yml
+local_conf_header:
+ encrypted_root: |
+ # Do not set mount points for systema and systemb as they are mounted by the
+ # abrootfs/verity initramfs
+ # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+ # to set all partitions
+ CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
+ home:/home:reencrypt var:/var:reencrypt"
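Review bot: The comment inside the `encrypted_root` block misspells the recipe name, `intramfs-crypt-hook` should be `initramfs-crypt-hook`, and it would help to say what "no mount point" means for systema/systemb (re-encrypted in place and mounted later by the abrootfs/verity initramfs, if that is the intended reading; the recipe is not in this diff). The file also `includes` kas/opt/encrypt-data.yml while the Kconfig entry for IMAGE_FULL_ENCRYPTION already selects IMAGE_DATA_ENCRYPTION, which adds the same file via KAS_INCLUDE_DATA_ENCRYPTION; if kas does not deduplicate includes this is redundant, and a short comment on the `includes` line such as `# also pulled in via IMAGE_DATA_ENCRYPTION; kept so this file works standalone` would make the intent explicit. The trailing `\` on the CRYPT_PARTITIONS line sits inside a `|` literal block scalar, so it reaches BitBake verbatim as a line continuation, which is correct but worth a one-line comment since readers may expect YAML to consume it.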