Message ID | PRAPR10MB542285F67BAE6BF88C132356806F2@PRAPR10MB5422.EURPRD10.PROD.OUTLOOK.COM (mailing list archive) |
---|---|
State | Accepted |
Series | [isar-cip-core,v3] initramfs-crypt-hook: Add required kernel modules for upstream kernel |
On 12.01.24 08:03, Cetin, Gokhan (ADV D EU TR C&E) wrote: > > This adds necessary crypt modules and loop device in case they are > not loaded at early boot as default. > > aesni-intel is dropped as it's not needed directly but its dependency > aes_generic is the required module. > > Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com> > --- > .../files/encrypt_partition.clevis.hook | 7 +++++-- > .../files/encrypt_partition.clevis.script | 7 +++++++ > .../files/encrypt_partition.systemd.hook | 7 +++++-- > .../files/encrypt_partition.systemd.script | 7 +++++++ > 4 files changed, 24 insertions(+), 4 deletions(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook > index 37b373c..d08594c 100755 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook > @@ -34,8 +34,11 @@ manual_add_modules tpm_crb > manual_add_modules dm_mod > manual_add_modules dm_crypt > > -# add crypto modules for debian upstream kernel > -manual_add_modules aesni-intel > +# add required crypto modules in case > +# the kernel does not have them as default > +manual_add_modules ecb > +manual_add_modules aes_generic > +manual_add_modules xts > > copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" > copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > index 6d8f209..0318966 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
> @@ -36,6 +36,13 @@ esac > modprobe tpm_tis > modprobe tpm_crb > > +modprobe ecb > +modprobe aes_generic > +modprobe xts > + > +# this needs to be probed particularly for re-encryption > +modprobe loop > + > # fixed tpm device or do we need to find it > tpm_device=/dev/tpmrm0 > partition_sets="$PARTITIONS" > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > index 0a39da6..c3b31d6 100755 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > @@ -31,8 +31,11 @@ manual_add_modules tpm_crb > manual_add_modules dm_mod > manual_add_modules dm_crypt > > -# add crypto modules for debian upstream kernel > -manual_add_modules aesni-intel > +# add required crypto modules in case > +# the kernel does not have them as default > +manual_add_modules ecb > +manual_add_modules aes_generic > +manual_add_modules xts > > copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" > copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script > index 2ac8d30..eeeb55a 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
> @@ -36,6 +36,13 @@ esac > modprobe tpm_tis > modprobe tpm_crb > > +modprobe ecb > +modprobe aes_generic > +modprobe xts > + > +# this needs to be probed particularly for re-encryption > +modprobe loop > + > # fixed tpm device or do we need to find it > tpm_device=/dev/tpmrm0 > partition_sets="$PARTITIONS" Thanks, applied. BTW, I would assume that dropping the Intel optimized AES algorithm comes with a certain performance price, but let's leave optimizations to those who actually need them. Jan
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 37b373c..d08594c 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -34,8 +34,11 @@ manual_add_modules tpm_crb manual_add_modules dm_mod manual_add_modules dm_crypt -# add crypto modules for debian upstream kernel -manual_add_modules aesni-intel +# add required crypto modules in case +# the kernel does not have them as default +manual_add_modules ecb +manual_add_modules aes_generic +manual_add_modules xts copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 6d8f209..0318966 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -36,6 +36,13 @@ esac modprobe tpm_tis modprobe tpm_crb +modprobe ecb +modprobe aes_generic +modprobe xts + +# this needs to be probed particularly for re-encryption +modprobe loop + # fixed tpm device or do we need to find it tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index 0a39da6..c3b31d6 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook 
@@ -31,8 +31,11 @@ manual_add_modules tpm_crb manual_add_modules dm_mod manual_add_modules dm_crypt -# add crypto modules for debian upstream kernel -manual_add_modules aesni-intel +# add required crypto modules in case +# the kernel does not have them as default +manual_add_modules ecb +manual_add_modules aes_generic +manual_add_modules xts copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 2ac8d30..eeeb55a 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -36,6 +36,13 @@ esac modprobe tpm_tis modprobe tpm_crb +modprobe ecb +modprobe aes_generic +modprobe xts + +# this needs to be probed particularly for re-encryption +modprobe loop + # fixed tpm device or do we need to find it tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS"
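Review bot: In the two hook hunks (encrypt_partition.clevis.hook and encrypt_partition.systemd.hook), removing `manual_add_modules aesni-intel` outright means the accelerated AES module is no longer explicitly copied into the initramfs, so unless something else pulls it in, encryption and re-encryption done from the initramfs can only use aes_generic. Consider keeping the aesni-intel line next to the three new ones rather than replacing it. The new comment "in case the kernel does not have them as default" would also be clearer if it said the modules may be built as modules rather than built in, and named the cipher mode that needs ecb, aes_generic and xts.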
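Review bot: `modprobe loop` in the two script hunks (encrypt_partition.clevis.script and encrypt_partition.systemd.script) has no matching `manual_add_modules loop` in the hook hunks of this patch, which add only ecb, aes_generic and xts. If loop is built as a module and is not already added outside the visible context, the probe fails at boot and the re-encryption path the comment refers to has no loop device. Add `manual_add_modules loop` to both hooks, or confirm it is already included. The four new modprobe calls also have no visible error handling; a check or logged warning on at least `modprobe loop` would make a missing module visible before re-encryption starts.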
This adds necessary crypt modules and loop device in case they are
not loaded at early boot as default.

aesni-intel is dropped as it's not needed directly but its dependency
aes_generic is the required module.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 .../files/encrypt_partition.clevis.hook    | 7 +++++--
 .../files/encrypt_partition.clevis.script  | 7 +++++++
 .../files/encrypt_partition.systemd.hook   | 7 +++++--
 .../files/encrypt_partition.systemd.script | 7 +++++++
 4 files changed, 24 insertions(+), 4 deletions(-)