[isar-cip-core,v2,1/2] Fixing dependency of package expand-on-first-boot on cryptsetup and tss2 (tpm2) libraries when building with disk encryption enabled. (for bookworm)

Message ID 20241021185359.927395-2-alexander.heinisch@siemens.com (mailing list archive)
State New
Series Fixing dependency of package expand-on-first-boot on cryptsetup and tss2 (tpm2) libraries when building with disk encryption enabled.

Commit Message

Heinisch, Alexander Oct. 21, 2024, 6:53 p.m. UTC
From: Alexander Heinisch <alexander.heinisch@siemens.com>

To fix dependencies of packages (in this specific case expand-on-first-boot in upstream isar)
we specified additional package dependencies used for disk encryption.
When building with disk encryption enabled (kas/opt/encrypt-*.yml) the initramfs encrypts
the specified disks if it detects unencrypted disks.
In case of a fresh installation this happens during first boot of the device.
Unfortunately, expand-on-first-boot (kas/opt/expand-on-first-boot.yml) is executed
after the initramfs already encrypted the data partition (in case of *-efibootguard-*.wks.in /var).

Checking if the disk to expand is encrypted was already handled by
https://github.com/ilbers/isar/commit/c44c088cd224e44a401410c860bd625f28950ac3
but dependencies are not automatically set for the package.
Since expand-on-first-boot is hosted in isar and disk encryption features are enabled with
encrypt-partitions override in isar-cip-core, we extended the recipe in isar
(see: https://github.com/ilbers/isar/commit/8b30a4f86cb3ea3369bff3884141872c3a7d9979) to
enable downstream to set additional dependencies accordingly.

While the dependency for cryptsetup is obvious, the other dependencies are not!
Here is why:

- bookworm (systemd as cryptbackend):

  From cryptsetup 2.4.0 release notes:
  "
    Cryptsetup 2.4 adds the possibility to implement token handlers
    in external libraries (possibly provided by other projects).
    ...
    As of cryptsetup 2.4.0 release systemd project already merged upstream
    native cryptsetup token handler for its systemd-tpm2 LUKS2 token
    released originally in systemd-v248. The token can be created using
    systemd-cryptenroll utility and devices may be manipulated either by
    systemd-cryptsetup cli or by cryptsetup for actions listed above.
  "
  ("actions above" include `resize` - see https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/docs/v2.4.0-ReleaseNotes)
  Proof: https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/lib/luks2/luks2_token.c#L170

  For the disk encryption method we use, a token `systemd-tpm2` is added to the LUKS header.
  Thus, `cryptsetup resize` uses libcryptsetup-token-systemd-tpm2.so to handle this token,
  which comes with package `systemd`.

  The following source gives the dependencies on libs: https://github.com/systemd/systemd/blob/a3f17a8f88f7332d0bef67a2d523c41f23f164b6/src/shared/tpm2-util.c#L114
  libtss2-esys.so.0 -> in package libtss2-esys-3.0.2-0
  libtss2-rc.so.0 -> in package libtss2-rc0
  libtss2-mu.so.0 -> in package libtss2-mu0

- bullseye, buster (clevis as cryptbackend):
  Since we are using clevis as cryptbackend, the LUKS header resolves to "clevis" instead of "systemd-tpm2".
  Thus, cryptsetup resolves the library to be used to libcryptsetup-token-clevis.

  Unfortunately, I could not find such a library anywhere! Therefore, expand-on-first-boot and similar
  still won't work for current disk encryption implementations for buster and bullseye.

Signed-off-by: Alexander Heinisch <alexander.heinisch@siemens.com>
---
 conf/distro/cip-core-common.inc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Patch

diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
index 4bd4b84..7006713 100644
--- a/conf/distro/cip-core-common.inc
+++ b/conf/distro/cip-core-common.inc
@@ -23,3 +23,16 @@  PREFERRED_VERSION_linux-cip-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip}"
 
 PREFERRED_VERSION_linux-cip-rt-native ?= "${PREFERRED_VERSION_linux-cip-rt}"
 PREFERRED_VERSION_linux-cip-rt-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip-rt}"
+
+ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""
+ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions ?= "\
+    cryptsetup, \
+    libtss2-esys-3.0.2-0, \
+    libtss2-rc0, \
+    libtss2-mu0 \
+    "
+
+ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions:buster ?= "\
+    cryptsetup, \
+    libtss2-esys0 \
+    "
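Review bot: the hunk adds a buster-specific override but none for bullseye, so on bullseye `ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions` falls through to the default list, whose `libtss2-esys-3.0.2-0` name the commit message derives from the bookworm package set; either add an `:encrypt-partitions:bullseye` override with the package names that distro actually ships, or document in the .inc why the default list is expected to resolve there. The reasoning for the non-obvious libtss2 dependencies (the `systemd-tpm2` LUKS2 token handler pulled in by `cryptsetup resize`) lives only in the commit message; a short comment above `ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""` pointing at that token handler would keep the next maintainer from dropping the libraries as unused.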