
[isar-cip-core,v5,07/11] crypt-hook: Extend partition selection

Message ID 20240506141833.3622989-8-Quirin.Gylstorff@siemens.com (mailing list archive)
State Accepted
Series Add option to encrypt the rootfs | expand

Commit Message

Quirin Gylstorff May 6, 2024, 2:17 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the possibility to select the partition to be encrypted
by UUID or absolute path.

If used with a UUID, the UUID is used as the name of the device
mapper target. With this change the swupdate-handler-roundrobin selects
the /dev/mapper/<PARTUUID> device for the update instead of the
underlying partition.

This allows to update an encrypted partition without triggering a
reencryption.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.hook       |  2 ++
 .../files/encrypt_partition.script            | 27 ++++++++++++++-----
 .../files/encrypt_partition.systemd.hook      |  2 ++
 .../files/mount_crypt_partitions.script       | 20 +++++++++++---
 .../initramfs-crypt-hook_0.2.bb               |  3 ++-
 5 files changed, 43 insertions(+), 11 deletions(-)


diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 0bb8ce6..0644eab 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -72,6 +72,8 @@  copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq"
 copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake"
 copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file "
 copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
+copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse"
+
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
     copy_exec /usr/sbin/cryptsetup-reencrypt
 fi
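Review bot: encrypt_partition.script now calls `basename` (in the absolute-path arm and for the renamed key file), but this hook only adds `uuidparse`, whereas the systemd variant of the same change copies both `/usr/bin/basename` and `/usr/bin/uuidparse`. Unless the clevis initramfs already provides basename through another hook or a busybox applet, the script will fail at boot as soon as a partition is given as an absolute path. Add `copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"` next to the uuidparse line so both hook variants stay in step with the script they ship.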
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 7cb7f34..857b73f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -121,19 +121,34 @@  fi
 prepare_for_encryption
 
 for partition_set in $partition_sets; do
-	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
 	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-	partition=/dev/disk/by-partlabel/"$partition_label"
-	crypt_mount_name="encrypted_$partition_label"
+	case "$partition" in
+		/*)
+			part_device=$(readlink -f "$partition")
+			crypt_mount_name="$( basename "$partition")"
+			;;
+		*)
+			if uuidparse "$partition" -n -o TYPE | grep -q invalid; then
+				part_device=$(readlink -f /dev/disk/by-partlabel/"$partition")
+				crypt_mount_name="encrypted_${partition}"
+			else
+				part_device=$(readlink -f /dev/disk/by-partuuid/"$partition")
+				crypt_mount_name="${partition}"
+			fi
+			;;
+	esac
+	if [ ! -e  "$part_device" ]; then
+		panic "Could not find device  mapped to '$partition' cannot be encrypted!"
+	fi
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
-	part_device=$(readlink -f "$partition")
 	# check if we are trying to mount root
 	if [ "$partition_mountpoint" = "/" ]; then
 		echo "ROOT=$decrypted_part" >/conf/param.conf
 	fi
 
-	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
 			| grep -q "luks2"; then
 		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
 		continue
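Review bot: The `*)` arm treats any input for which `uuidparse "$partition" -n -o TYPE | grep -q invalid` does not match as a PARTUUID, so if uuidparse itself fails or prints nothing, a plain label such as `rootfs` is looked up under /dev/disk/by-partuuid and the loop panics with "Could not find device mapped to 'rootfs'", which hides the real cause. Capturing the classification and checking its status keeps the error honest: `uuid_type=$(uuidparse -n -o TYPE "$partition") || panic "uuidparse failed for '$partition'"` followed by `if [ "$uuid_type" = "invalid" ]; then`. The same fifteen-line case block is copied verbatim into mount_crypt_partitions.script, and both copies must derive the identical crypt_mount_name or the encrypted rootfs will not be found after the first boot, so a helper sourced by both scripts would be safer than two copies. The for loop body continues past the end of this hunk.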
@@ -147,7 +162,7 @@  for partition_set in $partition_sets; do
 
 	# create random password for initial encryption
 	# this will be dropped after reboot
-	tmp_key=/tmp/"$partition_label-lukskey"
+	tmp_key=/tmp/"$(basename "$part_device")-lukskey"
 	openssl rand -base64 32 > "$tmp_key"
 
 	case "${partition_format}" in
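Review bot: The key file is created by shell redirection under the default umask before openssl writes into it, and nothing in the hunk checks that `openssl rand` succeeded, so an empty key file would be passed on to the encryption steps that follow this hunk unless they check for it further down. Two lines make the now device-derived key file robust: `( umask 077; openssl rand -base64 32 > "$tmp_key" ) || panic "Failed to generate key for $part_device"` and `[ -s "$tmp_key" ] || panic "Empty key file $tmp_key"`. The loop body continues outside the hunk, so the consumer of `$tmp_key` is not visible here.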
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index 941f0b1..19e0fe4 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -51,6 +51,8 @@  copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenro
 copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
 copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
 copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
+copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"
+copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse"
 
 copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index b72323f..f35685e 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -45,11 +45,23 @@  mount_partition() {
 }
 partition_sets="$PARTITIONS"
 for partition_set in $partition_sets; do
-	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
 	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-	partition=/dev/disk/by-partlabel/"$partition_label"
-	part_device=$(readlink -f "$partition")
-	crypt_mount_name="encrypted_$partition_label"
+	case "$partition" in
+		/*)
+			part_device=$(readlink -f "$partition")
+			crypt_mount_name="$( basename "$partition")"
+			;;
+		*)
+			if uuidparse "$partition" -n -o TYPE | grep -q invalid; then
+				part_device=$(readlink -f /dev/disk/by-partlabel/"$partition")
+				crypt_mount_name="encrypted_${partition}"
+			else
+				part_device=$(readlink -f /dev/disk/by-partuuid/"$partition")
+				crypt_mount_name="${partition}"
+			fi
+			;;
+	esac
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
 	if [ -z "$partition_mountpoint" ]; then
 		continue
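Review bot: Unlike the matching block in encrypt_partition.script, this copy does not verify that `$part_device` exists after the case, so a mistyped label or a UUID-shaped label that uuidparse does not flag as invalid yields a dangling `part_device` and the failure surfaces later with a less specific message, unless a check further down the loop (outside this hunk) covers it. Mirror the encrypt script right after `esac`: `[ -e "$part_device" ] || panic "Could not find device mapped to '$partition'"`. Test the resolved path rather than readlink's exit status, since `readlink -f` may still print a path for a missing final component. The for loop body continues past the end of the hunk.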
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
index 1d5a4a7..72de5b6 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
@@ -11,7 +11,8 @@ 
 inherit dpkg-raw
 DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
     awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
-    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
+    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
+    e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
 
 CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"