From patchwork Thu Mar 9 10:28:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167184 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55DB2C74A5B for ; Thu, 9 Mar 2023 10:28:30 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.10024.1678357705840435795 for ; Thu, 09 Mar 2023 02:28:26 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=aXW1oxKv; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202303091028234149930d1b98315ba7-7ndzfi@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202303091028234149930d1b98315ba7 for ; Thu, 09 Mar 2023 11:28:23 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=NJBEPsDanDfqrn2U66WPsk/3buuoQ80AyCrTpPu7gPk=; b=aXW1oxKvOSKK2yCN2hykOJnSpwfzKokZMt9ohuv8dI8M1kLpPhrBIXb8ss8UJsTIYDnEU4 cJV8EPpg63kTrA7XA/uzhVrEELSA91k2H6su9reV+9jHweGyXKjXY1nYacfDlCh0AZ1rxbs2 3kIVbTl4386aawwcnpezuMgVmCLBw=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 1/7] use bullseye backports for systemd-cryptenroll Date: Thu, 9 Mar 2023 11:28:15 +0100 Message-Id: <20230309102821.307140-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Mar 2023 10:28:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10963 From: Quirin Gylstorff Systemd >= 251 is required for systemd-cryptenroll. This version is part of backports. Signed-off-by: Quirin Gylstorff --- conf/distro/debian-bullseye-backports.list | 1 + .../preferences.bullseye-backports.tpm.conf | 8 ++++++++ kas/opt/encrypt-partitions.yml | 20 +++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 conf/distro/debian-bullseye-backports.list create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf create mode 100644 kas/opt/encrypt-partitions.yml diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list new file mode 100644 index 0000000..3a55e4c --- /dev/null +++ b/conf/distro/debian-bullseye-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf new file mode 100644 index 0000000..60c4265 --- /dev/null +++ b/conf/distro/preferences.bullseye-backports.tpm.conf 
@@ -0,0 +1,8 @@ +Package: * +Pin: release n=bullseye-backports +Pin-Priority: -1 + +Explanation: Use systemd and its dependencies from debian-backports to support systemd-cryptenroll +Package: libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libpam-systemd libudev* libsystemd* systemd systemd-* udev +Pin: release n=bullseye-backports +Pin-Priority: 801 diff --git a/kas/opt/encrypt-partitions.yml b/kas/opt/encrypt-partitions.yml new file mode 100644 index 0000000..1f91c0c --- /dev/null +++ b/kas/opt/encrypt-partitions.yml 
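Review bot: the new debian-bullseye-backports.list line enables `contrib non-free` from backports although the stated purpose is only a newer systemd, which lives in `main`; `deb http://ftp.us.debian.org/debian bullseye-backports main` is sufficient and keeps the non-free pocket out of the image's apt configuration, and `deb.debian.org` would avoid hard-wiring a US mirror into a generic layer. The `Package: *` / `Pin-Priority: -1` catch-all in preferences.bullseye-backports.tpm.conf is the right counterpart: it makes backports invisible except for the explicitly listed systemd, udev, libnss and libpam packages, so version skew against bullseye is limited to that set.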
@@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 12 + +local_conf_header: + systemd-cryptenroll: | + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" + DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" + + From patchwork Thu Mar 9 10:28:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167182 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54B32C6FD1F for ; Thu, 9 Mar 2023 10:28:30 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.10025.1678357706144424806 for ; Thu, 09 Mar 2023 02:28:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=VFDufpY4; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20230309102823623f9865d5ec4ef68b-7xx_bt@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20230309102823623f9865d5ec4ef68b for ; Thu, 09 Mar 2023 11:28:23 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=clSPcyPlUIJmWGwVuBPCbUTGisTdvjJCycm6vLHCACU=; b=VFDufpY4kD0ez1iuFlHwgFCKgiqsB2W+MMf0CP4xVC61RtuQ2F05FlbJ6gQF1xYvy4ik6A /Spt0yGHUN9kDd37/9iPe9AbWX7h9Gw7RPPD5Q6b+gMCFYt+1y03jNp6z1ec1etJbRE9G/zy hosK/i9RUg/hbCa83fiDks9Gcralo=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 2/7] KConfig: add option to encrypt data partitions Date: Thu, 9 Mar 2023 11:28:16 +0100 Message-Id: <20230309102821.307140-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Mar 2023 10:28:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10965 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- Kconfig | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Kconfig b/Kconfig index 7d72094..cafb04c 100644 --- a/Kconfig +++ b/Kconfig 
@@ -193,4 +193,14 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT +config IMAGE_DATA_ENCRYPTION + bool "Encrypt data partitions on first boot" + depends on TARGET_QEMU_AMD64 + help + This enables LUKS encryption for the partitions /var and /home. + +config KAS_INCLUDE_DATA_ENCRYPTION + string + default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION + endif From patchwork Thu Mar 9 10:28:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167183 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 628E3C76186 for ; Thu, 9 Mar 2023 10:28:30 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.10071.1678357706658389571 for ; Thu, 09 Mar 2023 02:28:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=n4tKEI/L; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-202303091028247afa4086b3abcf6ea1-45yu5h@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202303091028247afa4086b3abcf6ea1 for ; Thu, 09 Mar 2023 11:28:24 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=OTo/8e2Z7Jn0Tm08mnQx3UrB08lP0THVJFs2j0qoRQY=; b=n4tKEI/LyvztHxpKV/KB/35crCt0/TYgPvczRaObizTD6cVdaU2aLw1iLrp4UyeE2VZAn4 
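Review bot: the help text for IMAGE_DATA_ENCRYPTION does not tell the user what the feature requires and what it costs: the key is sealed to a TPM 2.0 and, as the description of patch 4 states, the initial passphrase is wiped afterwards, so the data is unrecoverable if the LUKS header or the TPM state is lost. A sentence to that effect, plus a note that `depends on TARGET_QEMU_AMD64` currently restricts the option to the QEMU target, would let a user make an informed choice from the Kconfig menu alone.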
oMigDHWweSqNudLPKd7CWJa6k0dvrBLipog5CsYvs/JcngeU+yRJ+EgW8W2Q1G7v9yfwLhy7 ErCuMcjqqporDmuqM2FH6M3T1s8+s=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 3/7] start-qemu.sh: Create a tpm2 device Date: Thu, 9 Mar 2023 11:28:17 +0100 Message-Id: <20230309102821.307140-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Mar 2023 10:28:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10968 From: Quirin Gylstorff This allows testing the partition encryption with qemu. Signed-off-by: Quirin Gylstorff --- start-qemu.sh | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/start-qemu.sh b/start-qemu.sh index fcfbc5b..b46b066 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then SWUPDATE_BOOT="true" fi +if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then + TPM2_ENCRYPTION="true" +fi if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" 
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ -m 1G \ -serial mon:stdio \ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ - ${QEMU_EXTRA_ARGS}" + " + +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then + swtpm_dir="/tmp/qemu-swtpm" + mkdir -p "${swtpm_dir}" + rm "${swtpm_dir}"/* + if swtpm socket -d --tpmstate dir="${swtpm_dir}" \ + --ctrl type=unixio,path="${swtpm_dir}"/sock \ + --tpm2; then + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0" + fi +fi if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then case "${arch}" in @@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ -drive if=pflash,format=raw,file=${ovmf_vars} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" else ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi ;; arm64|aarch64|arm|armhf) @@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" ;; rv64|riscv64) opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin} 
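Review bot: in the swtpm block, `swtpm_dir="/tmp/qemu-swtpm"` is a fixed, predictable path in a world-writable directory and `rm "${swtpm_dir}"/*` deletes whatever is in it; a pre-existing directory (possibly created by another user) is reused silently, and `rm` without `-f` prints an error on an empty directory. Suggest `swtpm_dir=$(mktemp -d /tmp/qemu-swtpm.XXXXXX)` and a `trap` that kills the daemonised `swtpm socket -d` process and removes the directory on exit, since nothing stops swtpm after QEMU terminates. Also `-device tpm-tis` is appended to `QEMU_EXTRA_ARGS` regardless of `${arch}`; that is fine while IMAGE_DATA_ENCRYPTION depends on TARGET_QEMU_AMD64, but the arm64 branch would need `tpm-tis-device` once the option is opened up.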
@@ -199,5 +216,5 @@ else -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ -initrd ${INITRD_FILE} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi From patchwork Thu Mar 9 10:28:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167188 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78588C7618B for ; Thu, 9 Mar 2023 10:28:30 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.10026.1678357706309662372 for ; Thu, 09 Mar 2023 02:28:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=ZAWJpzfD; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-2023030910282403d8e294910b82496c-xdcw8b@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 2023030910282403d8e294910b82496c for ; Thu, 09 Mar 2023 11:28:24 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=CsqAJXSBsIpLnRZ37gZXVo4MqTJuNw2pWKiOjpXTHzk=; b=ZAWJpzfDMrWuEFZ4Xf4f10/+OEGu9A8u7sH82MAbhI/4d9w+AG4qjPY1MZ5wQrmwVgxGxD RHjtXrqLRkRh1Lx+xmVImluO7Lz1ZpKq5757tFlFvfLXFPRWjOBZRMyduTFc54BcZFvI125R MBkdQ0DMZ3NyvCQgOcbWL0BuP3RVk=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 4/7] Add initramfs hook to encrypt a partition Date: Thu, 9 Mar 2023 11:28:18 +0100 Message-Id: <20230309102821.307140-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Mar 2023 10:28:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10964 From: Quirin Gylstorff This creates a new LUKS encrypted ext4 partition with the key stored in the tpm2. The initial key is randomly generated and removed from the LUKS partition. Therefore a new key cannot be added by the user, and if the LUKS header is corrupted the data is no longer readable. Add extra-space to /var and /home as the partition sizes are reduced if they are encrypted. Signed-off-by: Quirin Gylstorff --- kas/opt/encrypt-partitions.yml | 3 +- .../cip-core-initramfs/cip-core-initramfs.bb | 2 + .../files/encrypt_partition.env.tmpl | 2 + .../files/encrypt_partition.hook | 53 +++++++ .../files/encrypt_partition.script | 145 ++++++++++++++++++ .../initramfs-crypt-hook_0.1.bb | 40 +++++ wic/x86-efibootguard.wks.in | 5 +- 7 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
diff --git a/kas/opt/encrypt-partitions.yml b/kas/opt/encrypt-partitions.yml index 1f91c0c..f6baf9f 100644 --- a/kas/opt/encrypt-partitions.yml +++ b/kas/opt/encrypt-partitions.yml @@ -16,5 +16,6 @@ local_conf_header: systemd-cryptenroll: | DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" - + initramfs-option-encrypt-partitions: | + OVERRIDES .= ":encrypt-partitions" diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb index 2935ed8..0e4cf74 100644 --- a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb @@ -14,3 +14,5 @@ inherit initramfs INITRAMFS_INSTALL += " \ initramfs-overlay-hook \ " + +INITRAMFS_INSTALL:append:encrypt-partitions = " initramfs-crypt-hook" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl new file mode 100644 index 0000000..d04be56 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -0,0 +1,2 @@ +PARTITIONS="${CRYPT_PARTITIONS}" +CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook new file mode 100644 index 0000000..2deee80 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook 
@@ -0,0 +1,53 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2022 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +hook_error() { + echo "(ERROR): $2" >&2 + exit 1 +} + +manual_add_modules tpm +manual_add_modules tpm_tis_core +manual_add_modules tpm_tis +manual_add_modules tpm_crb +manual_add_modules dm_mod +manual_add_modules dm_crypt + +copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" +copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" +copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" +copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" +copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" +copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" +copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" +copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" +copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" +copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" + +if [ -x cryptsetup-reencrypt ]; then + copy_exec /usr/sbin/cryptsetup-reencrypt +fi + +for _LIBRARY in /usr/lib/*/libtss2*; do + copy_exec "$_LIBRARY" +done + +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script new file mode 100644 index 0000000..468b308 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script 
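Review bot: `hook_error` prints `$2`, but every caller passes a single argument, so the error message is always empty; it should print `$1`. Likewise `if [ -x cryptsetup-reencrypt ]` tests a relative path in the current working directory and is effectively always false, so cryptsetup-reencrypt is never copied into the initramfs on systems that still ship it; test the absolute path (`[ -x /usr/sbin/cryptsetup-reencrypt ]`) or use `command -v cryptsetup-reencrypt`, and apply the same fix in encrypt_partition.script, which uses the identical test to choose between `cryptsetup-reencrypt` and `cryptsetup reencrypt`.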
@@ -0,0 +1,145 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +# load necessary kernel modules: +modprobe tpm_tis +modprobe tpm_crb + +# fixed tpm device or do we need to find it +tpm_device=/dev/tpmrm0 +partition_sets="$PARTITIONS" +create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" + +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd = "mke2fs -t ext4" +fi + +open_tpm2_partition() { + if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ + "$1" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$1' !" + fi +} + +enroll_tpm2_token() { + #check systemd version and export password if necessary + if [ -x /usr/bin/systemd-cryptenroll ]; then + systemd_version=$(systemd-cryptenroll --version | \ + awk -F " " 'NR==1{print $2 }') + #check systemd version and export password if necessary + if [ "$systemd_version" -ge "251" ]; then + PASSWORD=$(cat "$2" ) + export PASSWORD + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \ + --tpm2-pcrs=7 "$1" + PASSWORD= + else + panic "Unknown systemd version: '$systemd_version'!" + fi + else + panic "systemd-cryptenroll not available cannot enroll tpm2 key!" 
+ fi +} + +reencrypt_existing_partition() { + part_device=$(readlink -f "$partition") + part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size) + # reduce the filesystem and partition by 32M to fit the LUKS header + reduce_device_size=32768 + reduced_size=$(expr $part_size_blocks - 65536 ) + reduced_size_in_byte=$(expr $reduced_size \* 512) + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K + resize2fs "$1" "${reduced_size_in_kb}" + if [ -x cryptsetup-reencrypt ]; then + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k $1 < $2 + else + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k $1 < $2 + fi + +} + +if [ ! -e "$tpm_device" ]; then + panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" +fi + +for partition_set in $partition_sets; do + partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}') + partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}') + partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}') + partition=/dev/disk/by-partlabel/$partition_label + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + + # check if partition is already encrypted with systemd-tpm2 + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "systemd-tpm2"; then + open_tpm2_partition "$partition" + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + "${rootmnt}${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${decrypted_part}'!" 
+ fi + continue + fi + + # create random password for initial encryption + # this will be dropped after reboot + tmp_key=/tmp/"$partition_label-lukskey" + openssl rand -base64 32 > "$tmp_key" + + case "${partition_format}" in + "reencrypt") + reencrypt_existing_partition "$partition" "$tmp_key" + enroll_tpm2_token "$partition" "$tmp_key" + open_tpm2_partition "$partition" + ;; + "format") + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$partition" < "$tmp_key" + enroll_tpm2_token "$partition" "$tmp_key" + open_tpm2_partition_tpm2_partition "$partition" + eval "${create_file_system_cmd} ${decrypted_part}" + ;; + *) + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" + ;; + esac + + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + "${rootmnt}${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${decrypted_part}'!" + fi + + # delete initial key + # afterwards no new keys can be enrolled + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 +done diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb new file mode 100644 index 0000000..30c89a2 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
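Review bot: two lines in encrypt_partition.script break the `format` path outright: `create_file_system_cmd = "mke2fs -t ext4"` has spaces around `=`, so the shell tries to execute a command named `create_file_system_cmd` instead of assigning the fallback, and `open_tpm2_partition_tpm2_partition "$partition"` calls a function that does not exist (it should be `open_tpm2_partition`). Further points, in order of severity: (1) the first boot is not idempotent; if it is interrupted between `cryptsetup luksFormat`/`reencrypt` and `systemd-cryptenroll`, the `luksDump | grep -q "systemd-tpm2"` check fails on the next boot and the script runs `reencrypt --encrypt` on a device that is already LUKS, which panics, and since the random key from the previous attempt is gone the partition cannot be recovered; detecting a LUKS header without a tpm2 token and failing with a clear message would be safer. (2) `resize2fs` refuses to shrink a filesystem that was mounted since its last check; this works on the never-mounted image wic produces but fails when encryption is enabled on an already provisioned device, so run `e2fsck -f -y "$1"` (the hook already copies e2fsck) before the resize. (3) `--tpm2-pcrs=7` binds the key to the Secure Boot policy only, so any kernel and initramfs that boots under the same Secure Boot state can unseal it; that is a defensible choice for surviving kernel updates, but it deserves a comment and a configurable PCR list next to CRYPT_PARTITIONS. (4) `$tmp_key` is never deleted after `--wipe-slot=0`; it only lives in the initramfs tmpfs, but an explicit `rm -f "$tmp_key"` and `unset PASSWORD` instead of `PASSWORD=` would make the cleanup explicit. (5) `reencrypt_existing_partition` derives `part_device` from the global `$partition` rather than from its `$1` argument.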
@@ -0,0 +1,40 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020-2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + + +inherit dpkg-raw + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \ + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" + +SRC_URI += "file://encrypt_partition.hook \ + file://encrypt_partition.script \ + file://encrypt_partition.env.tmpl" + +# CRYPT_PARTITIONS elements are :: +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" +# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem +# in a newly formatted LUKS Partition +CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" + +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" +TEMPLATE_FILES = "encrypt_partition.env.tmpl" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/encrypt_partition \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" +do_install() { + install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" + install -m 0755 "${WORKDIR}/encrypt_partition.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition" + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \ + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" +} diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index b635a8b..24b4387 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in 
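Review bot: the script is installed into `scripts/local-bottom`, but its `prereqs()` comment says it must run last in `local-top`; one of the two is wrong, and since the overlay script declares `PREREQ="encrypt_partition"` (patch 5) both scripts must live in the same initramfs-tools stage for that ordering to take effect. Two documentation nits: the comment `# CRYPT_PARTITIONS elements are ::` reads as empty here, so spell out the three fields (`label:mountpoint:reencrypt|format`) as the default `home:/home:reencrypt` implies; and a file created in 2023 carries `Copyright (c) Siemens AG, 2020-2022` while encrypt_partition.script says 2023.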
@@ -7,7 +7,8 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1 part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" # home and var are extra partitions -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G + +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" From patchwork Thu Mar 9 10:28:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167187 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71F35C76188 for ; Thu, 9 Mar 2023 10:28:30 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.10072.1678357707093457278 for ; Thu, 09 Mar 2023 02:28:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=MnJzaBt+; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-202303091028248a61826a098ca7f421-qrd9xa@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202303091028248a61826a098ca7f421 for ; Thu, 09 Mar 2023 11:28:24 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; 
i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=3dMvYUVMOid6+jVVUtJrj++qcM6+J+sP39Go8KpCH4c=; b=MnJzaBt+02xklv5gnwCYZ2v5zehZzkX0d7ZUuzUtDrI2sDzSWekagrXSoWxdKIC+j+vmjt e2VI7Ugy/oUOMzrfss2WUw17QFMOc23AvNldoFQz5CcmfEuZTI/a8NZhnsXgOrl4+5Kp+SyF Nzpy+/ieYgXfURmwoIPPBTKls0s3E=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 5/7] overlay: add prerequisite 'encrypt_partition' Date: Thu, 9 Mar 2023 11:28:19 +0100 Message-Id: <20230309102821.307140-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Mar 2023 10:28:30 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10969 From: Quirin Gylstorff If /var shall be encrypted encrypt_partition needs to be executed before the overlay script. If the prerequisite is not available the overlay script will be executed. Signed-off-by: Quirin Gylstorff --- .../initramfs-overlay-hook/files/overlay.hook | 1 + .../initramfs-overlay-hook/files/overlay.script.tmpl | 12 +++++++----- .../initramfs-overlay-hook_0.1.bb | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook index 5bec258..8b00ecf 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook 
@@ -23,4 +23,5 @@ esac . /usr/share/initramfs-tools/hook-functions manual_add_modules overlay +copy_exec /usr/bin/mountpoint copy_exec /usr/bin/awk diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index 87ec72f..71d2599 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl @@ -9,7 +9,7 @@ # Quirin Gylstorff # -PREREQ="" +PREREQ="encrypt_partition" prereqs() { @@ -33,10 +33,12 @@ ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" root_mount_storage=${rootmnt}${ovl_storage_path} -if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \ - /dev/disk/by-label/${ovl_partition_label} \ - ${rootmnt}/${ovl_partition_label}; then - panic "Can't mount /${ovl_partition_label} partition - overlay will not work!" +if ! mountpoint -q "${rootmnt}/${ovl_partition_label}"; then + if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \ + /dev/disk/by-label/${ovl_partition_label} \ + ${rootmnt}/${ovl_partition_label}; then + panic "Can't mount /${ovl_partition_label} partition - overlay will not work!" + fi fi for ovl_lower_dir in ${ovl_lower_dirs}; do diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb index 78831ba..566bd15 100644 --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb +++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb 
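Review bot: the new `mountpoint -q "${rootmnt}/${ovl_partition_label}"` guard relies on an implicit naming contract: encrypt_partition mounts at `${rootmnt}${partition_mountpoint}` taken from CRYPT_PARTITIONS (`var:/var:reencrypt`), so the guard only sees that mount when the overlay partition label equals the basename of the mount point. That deserves a comment in the template, or better, deriving both from one variable. Note also that the fallback `mount` via `/dev/disk/by-label/` cannot find a LUKS-encrypted partition (the filesystem label is inside the ciphertext), so if encrypt_partition is missing from the initramfs, `Can't mount /${ovl_partition_label} partition` will be the only hint that encryption was enabled but not handled.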
@@ -26,7 +26,7 @@ TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ INITRAMFS_OVERLAY_PATHS \ INITRAMFS_OVERLAY_STORAGE_PARTITION_LABEL" -DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils" +DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ From patchwork Thu Mar 9 10:28:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167181 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 61C2BC74A4B for ; Thu, 9 Mar 2023 10:28:30 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.10027.1678357706974019885 for ; Thu, 09 Mar 2023 02:28:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=oYbcsRy9; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-202303091028258a7f599bb0b0f54d7f-ywyjpq@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202303091028258a7f599bb0b0f54d7f for ; Thu, 09 Mar 2023 11:28:25 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=jdqrKQW6nK9WKcpdm3TbBVvVoXO7RPI+bRvO4s47+JQ=; b=oYbcsRy98dMP+vfYk6J15iVbFwgjBros7q2wVsFcGQZU7VvHVWW5Ylo4b21b4o4DI0uiCp uC5u3aGbEw1W18SWOxeeX9gUNFUbRuOCFg6G9+ByFVfejOxOqg9+q9K9lZYYVrWiSCbV1Lfq 6lSHIWGjpyQSSaSHr+ZjJ0kdOZLD4=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 6/7] .gitlabci: Add ci build Date: Thu, 9 Mar 2023 11:28:20 +0100 Message-Id: <20230309102821.307140-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10967 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f51b64b..1921183 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,7 @@ variables: release: bullseye extension: none use_rt: enable + tpm: disable wic_targz: enable targz: disable dtb: none @@ -55,6 +56,7 @@ default: - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi - if [ "${release}" = "sid-ports" ]; then base_yaml="${base_yaml}:kas/opt/sid-ports.yml"; fi + - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi 
@@ -224,6 +226,17 @@ build:qemu-amd64-secure-boot: wic_targz: disable deploy: disable +build:qemu-amd64-secure-boot-tpm: + extends: + - .build_base + variables: + target: qemu-amd64 + extension: ebg-secure-boot-snakeoil + use_rt: disable + wic_targz: disable + deploy: disable + tpm: enable + build:qemu-amd64-swupdate: extends: - .build_base 
From patchwork Thu Mar 9 10:28:21 2023 X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13167185
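Review bot: the new `build:qemu-amd64-secure-boot-tpm` job in the .gitlab-ci.yml hunk only builds the image (`deploy: disable`, no test stage), so a regression in the enrolment path, such as a failed seal or an encrypted partition that no longer unlocks at boot, would still pass CI; since the README added in 7/7 of this series names `swtpm` as the requirement for testing on qemu-amd64, consider a follow-up job that boots the produced image under qemu with swtpm and checks that the configured partitions are unlocked and mounted. The job also pairs `tpm: enable` with `extension: ebg-secure-boot-snakeoil`; a short comment that secure boot is required for the measured boot chain the TPM policy depends on would make that coupling explicit.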
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v6 7/7] Add README for encrypted partitions Date: Thu, 9 Mar 2023 11:28:21 +0100 Message-Id: <20230309102821.307140-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> References: <20230309102821.307140-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10970 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 55 +++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 doc/README.tpm2.encryption.md diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md new file mode 100644 index 0000000..58ebb8a --- /dev/null +++ b/doc/README.tpm2.encryption.md 
@@ -0,0 +1,55 @@ +# Encrypted Partitions + +By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined partitions will be +encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the +passphrase on the device. + +## Requirements + +To enroll the keys Debian 12(bookworm) or Debian 11(bullseye) with backports is required. +The implementation in Debian 11 is for *demonstration purpose only* as we need backports for +systemd >= 248. [systemd version 248](https://github.com/systemd/systemd/blob/a41ac8ac407a1a58612059a45229f0d440f58e28/NEWS#L3391) adds the necessary systemd-cryptenroll functionality. + +Testing with qemu-amd64 requires the package `swtpm`. Under Debian/Ubuntu this can be installed + +``` shell +apt-get install swtpm +``` + +## TPM2 protected LUKS passphrase + +The recipe `initramfs-crypt-hook` uses `systemd-cryptenroll` to enroll a TPM2 protected LUKS passphrase. +The procedure for storing a key is described in [systemd/src/shared/tpm2-util.c](https://github.com/systemd/systemd/blob/0254e4d66af7aa893b31b2326335ded5dde48b51/src/shared/tpm2-util.c#L1395). + +## How to build an QEMU image with TPM encryption +An example for qemu-amd64 can be build with by selecting the option after calling: + +``` +./kas-container menu +``` +or by adding using the following command line build: + +``` +./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml +``` +## initramfs-crypt-hook configuration + +The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build: +- CRYPT_PARTITIONS +- CRYPT_CREATE_FILE_SYSTEM_CMD + +### CRYPT_PARTITIONS + +The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. +Each entry uses the schema `::`. 
+- The `partition-label` is used to identify the partition on the disk +- The `mountpoint` is used mount the decrypted partition in the root file system +- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount +- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` + +### CRYPT_CREATE_FILE_SYSTEM_CMD + +The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly +encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition. + +
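Review bot: the build command in the README names `kas/opt/tpm.yml`, but the .gitlab-ci.yml hunk in 6/7 of this series appends `kas/opt/encrypt-partitions.yml` when `tpm` is enabled, so one of the two paths is stale and the documented command should match what CI builds. The CRYPT_PARTITIONS schema line reads `Each entry uses the schema ::` with no field names, although the bullets below define `partition-label`, `mountpoint` and `reencrypt`/`format`; spell the three fields out in the schema so a reader does not have to reverse-engineer the order from the bullets. Because the LUKS passphrase is TPM2-sealed, the document should also state which PCRs the enrolment binds the key to and what the recovery path is when the unseal fails (for example after a firmware or kernel update changes the measured values); an operator who only learns this at the first failed boot has no way to recover the data. Minor wording: "How to build an QEMU image", "can be build with by selecting", "is used mount the decrypted partition", "the exiting content", "creates a empty LUKS partition".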