
[isar-cip-core,v2] initramfs-crypt-hook: Add required kernel modules for upstream kernel

Message ID PRAPR10MB542260589618B60AAA1B6B1E80692@PRAPR10MB5422.EURPRD10.PROD.OUTLOOK.COM (mailing list archive)
State Superseded

Commit Message

Cetin, Gokhan Jan. 10, 2024, 3:13 p.m. UTC
This adds the necessary crypto modules and the loop device module in case
they are not loaded by default at early boot.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 .../files/encrypt_partition.clevis.hook                    | 5 +++--
 .../files/encrypt_partition.clevis.script                  | 7 +++++++
 .../files/encrypt_partition.systemd.hook                   | 7 +++++--
 .../files/encrypt_partition.systemd.script                 | 7 +++++++
 4 files changed, 22 insertions(+), 4 deletions(-)

Comments

Quirin Gylstorff Jan. 10, 2024, 4:26 p.m. UTC | #1
On 1/10/24 16:13, Cetin, Gokhan (ADV D EU TR C&E) wrote:
> 
> This adds necessary crypt modules and loop device in case they are
> not loaded at early boot as default.
> 
> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> ---
>   .../files/encrypt_partition.clevis.hook                    | 5 +++--
>   .../files/encrypt_partition.clevis.script                  | 7 +++++++
>   .../files/encrypt_partition.systemd.hook                   | 7 +++++--
>   .../files/encrypt_partition.systemd.script                 | 7 +++++++
>   4 files changed, 22 insertions(+), 4 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
> index 37b373c..bcfe885 100755
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
> @@ -34,8 +34,9 @@ manual_add_modules tpm_crb
>   manual_add_modules dm_mod
>   manual_add_modules dm_crypt
>   
> -# add crypto modules for debian upstream kernel
> -manual_add_modules aesni-intel

On which hardware did you test? If I remember correctly aesni-intel was
necessary for the ipc227e.

Regards
Quirin
> +manual_add_modules ecb
> +manual_add_modules aes_generic
> +manual_add_modules xts
>   
>   copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found"
>   copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index 6d8f209..0318966 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -36,6 +36,13 @@ esac
>   modprobe tpm_tis
>   modprobe tpm_crb
>   
> +modprobe ecb
> +modprobe aes_generic
> +modprobe xts
> +
> +# this needs to be probed particularly for re-encryption
> +modprobe loop
> +
>   # fixed tpm device or do we need to find it
>   tpm_device=/dev/tpmrm0
>   partition_sets="$PARTITIONS"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> index 0a39da6..c3b31d6 100755
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> @@ -31,8 +31,11 @@ manual_add_modules tpm_crb
>   manual_add_modules dm_mod
>   manual_add_modules dm_crypt
>   
> -# add crypto modules for debian upstream kernel
> -manual_add_modules aesni-intel
> +# add required crypto modules in case
> +# the kernel does not have them as default
> +manual_add_modules ecb
> +manual_add_modules aes_generic
> +manual_add_modules xts
>   
>   copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found"
>   copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> index 2ac8d30..eeeb55a 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> @@ -36,6 +36,13 @@ esac
>   modprobe tpm_tis
>   modprobe tpm_crb
>   
> +modprobe ecb
> +modprobe aes_generic
> +modprobe xts
> +
> +# this needs to be probed particularly for re-encryption
> +modprobe loop
> +
>   # fixed tpm device or do we need to find it
>   tpm_device=/dev/tpmrm0
>   partition_sets="$PARTITIONS"
Cetin, Gokhan Jan. 10, 2024, 7:58 p.m. UTC | #2
> On 1/10/24 16:13, Cetin, Gokhan (ADV D EU TR C&E) wrote:
> >
> > This adds necessary crypt modules and loop device in case they are not
> > loaded at early boot as default.
> >
> > Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> > ---
> >   .../files/encrypt_partition.clevis.hook                    | 5 +++--
> >   .../files/encrypt_partition.clevis.script                  | 7 +++++++
> >   .../files/encrypt_partition.systemd.hook                   | 7 +++++--
> >   .../files/encrypt_partition.systemd.script                 | 7 +++++++
> >   4 files changed, 22 insertions(+), 4 deletions(-)
> >
> > diff --git
> > a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevi
> > s.hook
> > b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevi
> > s.hook
> > index 37b373c..bcfe885 100755
> > ---
> > a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevi
> > s.hook
> > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.c
> > +++ levis.hook
> > @@ -34,8 +34,9 @@ manual_add_modules tpm_crb
> >   manual_add_modules dm_mod
> >   manual_add_modules dm_crypt
> >
> > -# add crypto modules for debian upstream kernel -manual_add_modules
> > aesni-intel
> 
> On which Hardware did you test? If i remember correctly asni-intel was
> necessary for the ipc227e.
> 
> Reqards
> Quirin

Hi Quirin,

The initial findings were like this, but we realized that instead of aesni-intel, these three crypto modules were sufficient and more generic.
We tested it on several different x86-based devices (no Siemens IPC yet); QEMU and virsh confirm this behavior as well.

Best,
Gokhan
Jan Kiszka Jan. 11, 2024, 4:28 p.m. UTC | #3
On 10.01.24 20:58, Cetin, Gokhan (ADV D EU TR C&E) wrote:
>> On 1/10/24 16:13, Cetin, Gokhan (ADV D EU TR C&E) wrote:
>>>
>>> This adds necessary crypt modules and loop device in case they are not
>>> loaded at early boot as default.
>>>
>>> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
>>> ---
>>>   .../files/encrypt_partition.clevis.hook                    | 5 +++--
>>>   .../files/encrypt_partition.clevis.script                  | 7 +++++++
>>>   .../files/encrypt_partition.systemd.hook                   | 7 +++++--
>>>   .../files/encrypt_partition.systemd.script                 | 7 +++++++
>>>   4 files changed, 22 insertions(+), 4 deletions(-)
>>>
>>> diff --git
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevi
>>> s.hook
>>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevi
>>> s.hook
>>> index 37b373c..bcfe885 100755
>>> ---
>>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevi
>>> s.hook
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.c
>>> +++ levis.hook
>>> @@ -34,8 +34,9 @@ manual_add_modules tpm_crb
>>>   manual_add_modules dm_mod
>>>   manual_add_modules dm_crypt
>>>
>>> -# add crypto modules for debian upstream kernel -manual_add_modules
>>> aesni-intel
>>
>> On which Hardware did you test? If i remember correctly asni-intel was
>> necessary for the ipc227e.
>>
>> Reqards
>> Quirin
> 
> Hi Quirin,
> 
> The initial findings were like this, but we realized that instead of aesni-intel, these 3 crypto modules were sufficient and more generic.
> We tested it on several different (non-Siemens-IPC yet) x86 based devices. Also qemu and virsh also confirm this behavior.
> 

Would you mind enhancing the commit message with a sentence that explains why
dropping that module is fine?

Jan


diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 37b373c..bcfe885 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -34,8 +34,9 @@  manual_add_modules tpm_crb
 manual_add_modules dm_mod
 manual_add_modules dm_crypt
 
-# add crypto modules for debian upstream kernel
-manual_add_modules aesni-intel
+manual_add_modules ecb
+manual_add_modules aes_generic
+manual_add_modules xts
 
 copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found"
 copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
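Review bot: Dropping `manual_add_modules aesni-intel` removes the hardware AES implementation from the initramfs on kernels that build aesni_intel as a module, so any dm-crypt mapping created from this hook is set up with aes_generic for xts(aes); as far as I know the implementation bound when the mapping is created stays in use after the root filesystem (and its modules) becomes available, so the slower, table-based software AES — generally regarded as less resistant to cache-timing observation than the AES-NI path — would serve the whole session, not just early boot. Unless dropping AES-NI support is intended, keep the line alongside the new generic ones, e.g. `manual_add_modules aesni-intel` directly above `manual_add_modules ecb`; manual_add_modules appears to tolerate a module that is absent from the kernel build, so the generic set still covers kernels without it, but please confirm that with the initramfs-tools version in use. The same applies to the encrypt_partition.systemd.hook hunk below. This hook also loses its explanatory comment while the systemd hook gains one; copying `# add required crypto modules in case` / `# the kernel does not have them as default` above the new lines keeps the two hooks consistent.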
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 6d8f209..0318966 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -36,6 +36,13 @@  esac
 modprobe tpm_tis
 modprobe tpm_crb
 
+modprobe ecb
+modprobe aes_generic
+modprobe xts
+
+# this needs to be probed particularly for re-encryption
+modprobe loop
+
 # fixed tpm device or do we need to find it
 tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
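Review bot: `modprobe loop` is added to the boot script, but neither hook hunk in this patch adds `manual_add_modules loop`, so the module is only present in the initramfs if something else already pulls it in (e.g. a MODULES=most configuration); with a dependency-only initramfs the probe fails, and with the existing unguarded `modprobe` style that failure surfaces at the re-encryption step rather than at image build time. If the loop module is required, add `manual_add_modules loop` next to the new crypto lines in both hook files so the image is self-contained, and consider extending the comment to `# loop is needed for the re-encryption path; it is not part of the dm-crypt dependency chain`. The same applies to the encrypt_partition.systemd.script hunk below. The enclosing script body continues outside the hunk, so whether the script runs with `set -e` is not visible here.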
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index 0a39da6..c3b31d6 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -31,8 +31,11 @@  manual_add_modules tpm_crb
 manual_add_modules dm_mod
 manual_add_modules dm_crypt
 
-# add crypto modules for debian upstream kernel
-manual_add_modules aesni-intel
+# add required crypto modules in case
+# the kernel does not have them as default
+manual_add_modules ecb
+manual_add_modules aes_generic
+manual_add_modules xts
 
 copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found"
 copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 2ac8d30..eeeb55a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -36,6 +36,13 @@  esac
 modprobe tpm_tis
 modprobe tpm_crb
 
+modprobe ecb
+modprobe aes_generic
+modprobe xts
+
+# this needs to be probed particularly for re-encryption
+modprobe loop
+
 # fixed tpm device or do we need to find it
 tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"