From patchwork Fri Mar 22 10:05:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599893 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E270ECD1283 for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.9305.1711101968829621960 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=j2P7NzoP; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-20240322100606bf5487ee1ee26ff562-pwsqgp@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20240322100606bf5487ee1ee26ff562 for ; Fri, 22 Mar 2024 11:06:06 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=SihjlxuH8eCo+mput6tIaKyWQBDGiv1ic/gp94GvunU=; b=j2P7NzoPkOGp2QORV2onQHV59Oq6ASihu0T8CfyYm3SyoihXTnhNypQTBwDdYDpfZgYASm tBllvYH7xbyuycCpNPDY9tEFP3ONjgXGFmtQVmje5FnXeU+bS54t4bCXgO7gkEHYmvjOFEmd WXfD4hrjazAdZ8S8S7dDH2dTyknRU=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 01/13] initramfs-crypt-hook: Allow switching between clevis and systemd Date: Fri, 22 Mar 2024 11:05:11 +0100 Message-ID: <20240322100605.4129226-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15397 From: Quirin Gylstorff This allows device which started on Debian 11 to continue using clevis for encryption and decryption. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook_0.1.bb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index b275c0f..317ea12 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020-2023 +# Copyright (c) Siemens AG, 2020-2024 # # Authors: # Quirin Gylstorff @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" + +def encryption_dependency(d): + crypt_backend = d.getVar('CRYPT_BACKEND') + if crypt_backend == 'clevis': + clevis_depends= d.getVar('CLEVIS_DEPEND') + return f"{clevis_depends}, clevis-tpm2" + elif crypt_backend == 'systemd': + return ", systemd (>= 251)" + else: + bb.error("unkown cryptbackend defined") CRYPT_BACKEND:buster = "clevis" CRYPT_BACKEND:bullseye = "clevis" From patchwork Fri Mar 22 10:05:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599898 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45B36CD1288 for ; Fri, 22 Mar 2024 10:06:20 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.9304.1711101968804391098 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Uh9Wvrfg; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-2024032210060628392b1af52b107c9c-fxnn79@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2024032210060628392b1af52b107c9c for ; Fri, 22 Mar 2024 11:06:06 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=yqlNpChmOvPHuitayu5PdAQTVGO9xrsKLIRb+IZoWSo=; b=Uh9Wvrfgr3GTFCCTf6JDOLzcnPmz+6dY8QWb1cGQrWOp1QCX2KOj0ztT9b3n/Zb59Ks2hG zgTTJBmYE1Mq6jjkslHZ/jO4YFIF/+DDK1oH3+wvxPVsQUyKzBd5fA0uk6CJqf/2khqSoZZG FaIGXMT3UwWB49OgUJnN6hrwob60Q=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 02/13] initramfs-crypt-hook: Align systemd encryption and clevis encryption Date: Fri, 22 Mar 2024 11:05:12 +0100 Message-ID: <20240322100605.4129226-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:20 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15398 From: Quirin Gylstorff The following changes were copied from systemd to clevis: - check return of resize command The following changes were copied form clevis to systemd: - check if create_filesystem command is empty - use part_device(/dev/*) instead of disk label(/dev/disk/by-partlabel/*) Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 6 ++++-- .../files/encrypt_partition.systemd.script | 21 +++++++++++-------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0318966..4e76c44 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -82,7 +82,9 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - resize2fs "$1" "${reduced_size_in_kb}" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index eeeb55a..f97a461 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -47,6 +47,9 @@ modprobe loop tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd="mke2fs -t ext4" +fi service_watchdog() { for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do @@ -83,8 +86,7 @@ enroll_tpm2_token() { } reencrypt_existing_partition() { - part_device="$(readlink -f "$partition")" - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" + part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header reduce_device_size=32768 reduced_size="$(expr "$part_size_blocks" - 65536 )" @@ -111,15 +113,16 @@ for partition_set in $partition_sets; do partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" + part_device=$(readlink -f "$partition") # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then - open_tpm2_partition "$partition" if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ "${rootmnt}${partition_mountpoint}"; then panic "Can't mount encrypted partition '${decrypted_part}'!" fi + open_tpm2_partition "$part_device" continue fi @@ -136,15 +139,15 @@ for partition_set in $partition_sets; do case "${partition_format}" in "reencrypt") - reencrypt_existing_partition "$partition" "$tmp_key" - enroll_tpm2_token "$partition" "$tmp_key" - open_tpm2_partition "$partition" + reencrypt_existing_partition "$part_device" "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" ;; "format") /usr/sbin/cryptsetup luksFormat --batch-mode \ --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$partition" "$tmp_key" - open_tpm2_partition "$partition" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" eval "${create_file_system_cmd} ${decrypted_part}" ;; *) From patchwork Fri Mar 22 10:05:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599887 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B44A4C47DD9 for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.9303.1711101968633346777 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=FDMORy/3; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20240322100606e8e9b9c4d8646c25bb-0k0jql@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20240322100606e8e9b9c4d8646c25bb for ; Fri, 22 Mar 2024 11:06:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=NaFR/n2lebjMguG9ktD6vHxvUptZL4wpnpzgeNTZUXs=; b=FDMORy/3oT1PxkRgHAQgIkhKOTdblTXPQqFhK7r1aJ5oPpwOPNg74691YLXwt6fxCUYoNd SN5sx1ulORm6gfdJBQAWgxWZGXEtoK9ZGjUDN6g+U4eHlCzW1+YOXTKe/TD1a07XXCmUkgz5 yUczJAfELFk4HGRXdRUJ/d8JTMwVU=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 03/13] initramfs-crypt-hook: move the mounting of encrypted disks in a seperate function Date: Fri, 22 Mar 2024 11:05:13 +0100 Message-ID: <20240322100605.4129226-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15396 From: Quirin Gylstorff This increase the maintainability and avoids missing checks. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 20 +++++++++++-------- .../files/encrypt_partition.systemd.script | 20 +++++++++++-------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 4e76c44..0f82c1a 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -92,6 +92,16 @@ reencrypt_existing_partition() { fi } +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi +} + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi @@ -114,10 +124,7 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then open_tpm2_partition "$part_device" - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -150,10 +157,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" # delete initial key # afterwards no new keys can be enrolled diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index f97a461..6c6d22e 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -102,6 +102,16 @@ reencrypt_existing_partition() { fi } +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi +} + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi @@ -118,11 +128,8 @@ for partition_set in $partition_sets; do # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi open_tpm2_partition "$part_device" + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -155,10 +162,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" # delete initial key # afterwards no new keys can be enrolled From patchwork Fri Mar 22 10:05:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599889 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1EF4CD1280 for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.9307.1711101969159460432 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=IRvj+/wB; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202403221006074cf17f9c35fee44de0-acksbr@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202403221006074cf17f9c35fee44de0 for ; Fri, 22 Mar 2024 11:06:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=/9EchmLfU9nprs/USFX4/6R1U5g1uq/u9eGaTRDxEh0=; b=IRvj+/wBi7y8Na4wbct5lwfQqQAJLidSm05WV4AskY1KyazhiF2uuNCj8GwjBu3Q144NbT hvo2AqD0tB0nj10s75mlYY0nSBBCFKkI0VOvC6RJkIHqAzwhIr9pAToj3Xnxg5382dspCBvo AYyJSKLbOXeijHAETNGHRpAVjimeU=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 04/13] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements Date: Fri, 22 Mar 2024 11:05:14 +0100 Message-ID: <20240322100605.4129226-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15399 From: Quirin Gylstorff This also adds the Crypt hash and Crypt algorithm parameter and avoids errors on missmatches between Hardware and software. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.hook | 7 ++--- .../files/encrypt_partition.clevis.script | 28 +++++++++++++++---- .../files/encrypt_partition.env.tmpl | 3 +- .../files/encrypt_partition.systemd.hook | 4 ++- .../files/encrypt_partition.systemd.script | 15 ++++++++-- .../initramfs-crypt-hook_0.1.bb | 7 +++-- 6 files changed, 48 insertions(+), 16 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index d08594c..347551a 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -66,9 +66,10 @@ copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_creat copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" + copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" fi if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then - copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread" + copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" fi copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then @@ -86,9 +87,7 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " -if [ "$VERSION_CODENAME" = "buster" ]; then - copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " -fi +copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " if [ -x /usr/sbin/cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0f82c1a..8de8015 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -43,12 +43,10 @@ modprobe xts # this needs to be probed particularly for re-encryption modprobe loop -# fixed tpm device or do we need to find it -tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -hash_type="$HASH_TYPE" - +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -69,7 +67,7 @@ open_tpm2_partition() { enroll_tpm2_token() { if [ -x /usr/bin/clevis ]; then - clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2" + clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2" else panic "clevis not available cannot enroll tpm2 key!" fi @@ -102,6 +100,26 @@ mount_partition() { fi } +for candidate in /dev/tpm*; do + if [ -x /usr/bin/tpm2_pcrread ]; then + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then + continue + fi + elif [ -x /usr/bin/tpm2_pcrlist ]; then + export TPM2TOOLS_DEVICE_FILE="$candidate" + if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then + continue + fi + fi + # Debian buster does not have tpm_testparms + if [ -x /usr/bin/tpm2_testparms ]; then + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then + continue + fi + fi + tpm_device=$candidate +done + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index bcc57be..5d28dc5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}" CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" -HASH_TYPE="${CRYPT_HASH_TYPE}" \ No newline at end of file +HASH_TYPE="${CRYPT_HASH_TYPE}" +KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index c3b31d6..6e2a211 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright (C) Siemens AG, 2020-2023 +# Copyright (C) Siemens AG, 2020-2024 # # SPDX-License-Identifier: MIT @@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" +copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" if [ -x /usr/sbin/cryptsetup-reencrypt ]; then diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 6c6d22e..ea267ac 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -43,10 +43,10 @@ modprobe xts # this needs to be probed particularly for re-encryption modprobe loop -# fixed tpm device or do we need to find it -tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -71,6 +71,7 @@ enroll_tpm2_token() { systemd_version=$(systemd-cryptenroll --version | \ awk -F " " 'NR==1{print $2 }') # check systemd version and export password if necessary + # systemd version 251 does not suport hash_types if [ "$systemd_version" -ge "251" ]; then PASSWORD=$(cat "$2" ) export PASSWORD @@ -112,6 +113,16 @@ mount_partition() { fi } +for candidate in /dev/tpm*; do + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then + continue + fi + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then + continue + fi + tpm_device=$candidate +done + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 317ea12..7f732cf 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -11,7 +11,7 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ - libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs" + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" @@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600" INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" # clevis needs tpm hash algorithm type CRYPT_HASH_TYPE ??= "sha256" - +CRYPT_KEY_ALGORITHM ??= "ecc" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ - CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE" + CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ + CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ From patchwork Fri Mar 22 10:05:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599888 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D344ACD1281 for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.9306.1711101969112874513 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=ObW+R2ky; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-2024032210060718b142d306b8e7546e-xe0s2e@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 2024032210060718b142d306b8e7546e for ; Fri, 22 Mar 2024 11:06:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=MiUaZV9PYjaEbSBNv/R1ZRB6xdJrJYtGkBVB4cwwb9c=; b=ObW+R2kyx/h6l3hTBY3nCoIvMq97eHZJMHRyXt4G8iTD+H+H339CxHe05XTXc3eBcL4RDs Bmz4CQKb/C+ZJSkwHA7Pqlbko0Lu5eWlA0oRi5k882nY1r0cR5UzGRsfFtLeERfyFfVh5jpo M5pVWN0Bl17Hr17cU4i8RdvzKqU9I=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 05/13] initramfs-crypt-hook: add flag to make encryption optional Date: Fri, 22 Mar 2024 11:05:15 +0100 Message-ID: <20240322100605.4129226-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15403 From: Quirin Gylstorff This allows to use same image on devices with and without TPM. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 20 ++++++++++++++++++- .../files/encrypt_partition.env.tmpl | 1 + .../files/encrypt_partition.systemd.script | 20 ++++++++++++++++++- .../initramfs-crypt-hook_0.1.bb | 1 + 4 files changed, 40 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 8de8015..e0fcbf4 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" pcr_bank_hash_type="$HASH_TYPE" tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -121,7 +122,24 @@ for candidate in /dev/tpm*; do done if [ ! -e "$tpm_device" ]; then - panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + case "${partition_format}" in + "reencrypt") + mount_partition "$partition" "$rootmnt""$partition_mountpoint" + ;; + *) + echo "cannot mount partition '$partition' as it is marked for formatting." + esac + done + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi # clevis needs /dev/fd create it in the initramfs diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index 5d28dc5..bb93361 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" HASH_TYPE="${CRYPT_HASH_TYPE}" KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" +ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index ea267ac..48ce999 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" pcr_bank_hash_type="$HASH_TYPE" tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -124,7 +125,24 @@ for candidate in /dev/tpm*; do done if [ ! -e "$tpm_device" ]; then - panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + case "${partition_format}" in + "reencrypt") + mount_partition "$partition" "$rootmnt""$partition_mountpoint" + ;; + *) + echo "cannot mount partition '$partition' as it is marked for formatting." + esac + done + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi for partition_set in $partition_sets; do diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 7f732cf..54c91fd 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" # clevis needs tpm hash algorithm type CRYPT_HASH_TYPE ??= "sha256" CRYPT_KEY_ALGORITHM ??= "ecc" +CRYPT_ENCRYPTION_OPTIONAL ??= "false" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ From patchwork Fri Mar 22 10:05:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599896 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 329E6CD1287 for ; Fri, 22 Mar 2024 10:06:20 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.9596.1711101969632521602 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=RqoidbVe; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20240322100607dcbc138bf5c0e29ba6-dejlsa@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20240322100607dcbc138bf5c0e29ba6 for ; Fri, 22 Mar 2024 11:06:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=84SeeW0dOuA/Z5FRWvQNGIgk9yS0VOW6y0EvgysVAdo=; b=RqoidbVe7a5xEh8Ye5VCy1JrXwCdt2GkBg6/HFsfVgNmpMZ4mjFFtebDv9cqFHEE/069OX jPEWmZ6qOLlXfXAwtzOkYPY7D2hYXrFzJ/BWX661LZ3QZmiJWuSAdMpUhaompWPxv62GpZkg QsBfKPcpaqP++ko7qLxm4rVqtAaZY=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 06/13] initramfs-crypt-hook: add e2fsck to avoid resize error Date: Fri, 22 Mar 2024 11:05:16 +0100 Message-ID: <20240322100605.4129226-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:20 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15401 From: Quirin Gylstorff This avoids the following error during resizing a file system: `Please run ‘e2fsck -f /dev/’ first` Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.clevis.script | 1 + .../initramfs-crypt-hook/files/encrypt_partition.systemd.script | 1 + 2 files changed, 2 insertions(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index e0fcbf4..22caa46 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -81,6 +81,7 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 48ce999..85b4fbc 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -94,6 +94,7 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi From patchwork Fri Mar 22 10:05:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599891 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D33EDCD11DD for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.9595.1711101969588025674 for ; Fri, 22 Mar 2024 03:06:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=atMU7d8M; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202403221006077a940111b8c3e63db6-el6wcd@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202403221006077a940111b8c3e63db6 for ; Fri, 22 Mar 2024 11:06:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=yf0ldTeMP5TGskP4IPyKSq2lrD5E2R1CHF8CJ2crfIY=; b=atMU7d8MTqAAgqFnFrt6koR3Tx3ACi1RdQMBsXCz0p3sC/CTrn+OZVZ2j29lSgw8JTlLEE qocdbcsQEJ4sdEJBg2jaNszxqoeqoUfIMKbyjvIEi0vmbhBw2jKe5JNaQQeomMEx66hdtSgi iyLo3erpHJeEOO8Z/Z5WZBre6l//g=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 07/13] initramfs-crypt-hook: split encryption and mounting Date: Fri, 22 Mar 2024 11:05:17 +0100 Message-ID: <20240322100605.4129226-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15400 From: Quirin Gylstorff The encryption now occurs before the rootfs is mounted. The file system is mounted after the rootfs. This removes the required order between overlay and disk encryption. Also it allows the encryption of the rootfs. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 27 -------- .../files/encrypt_partition.systemd.script | 27 -------- .../files/mount_crypt_partitions.script | 61 +++++++++++++++++++ .../initramfs-crypt-hook_0.1.bb | 6 +- .../files/overlay.script.tmpl | 2 +- 5 files changed, 67 insertions(+), 56 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 22caa46..6aec7b8 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -92,16 +92,6 @@ reencrypt_existing_partition() { fi } -mount_partition() { - partition_dev_path=$1 - partition_mountpoint=$2 - echo "mount device: '$partition' to '$partition_mountpoint'" - if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ - "${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${partition_dev_path}'!" - fi -} - for candidate in /dev/tpm*; do if [ -x /usr/bin/tpm2_pcrread ]; then if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then @@ -125,19 +115,6 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then echo "No tpm_device exists abort optional encryption" - for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - case "${partition_format}" in - "reencrypt") - mount_partition "$partition" "$rootmnt""$partition_mountpoint" - ;; - *) - echo "cannot mount partition '$partition' as it is marked for formatting." - esac - done exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -150,7 +127,6 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" @@ -161,7 +137,6 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then open_tpm2_partition "$part_device" - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -194,8 +169,6 @@ for partition_set in $partition_sets; do ;; esac - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" - # delete initial key # afterwards no new keys can be enrolled cryptsetup -v luksKillSlot -q "$part_device" 0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 85b4fbc..7f2a6e3 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -105,16 +105,6 @@ reencrypt_existing_partition() { fi } -mount_partition() { - partition_dev_path=$1 - partition_mountpoint=$2 - echo "mount device: '$partition' to '$partition_mountpoint'" - if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ - "${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${partition_dev_path}'!" - fi -} - for candidate in /dev/tpm*; do if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then continue @@ -128,19 +118,6 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then echo "No tpm_device exists abort optional encryption" - for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - case "${partition_format}" in - "reencrypt") - mount_partition "$partition" "$rootmnt""$partition_mountpoint" - ;; - *) - echo "cannot mount partition '$partition' as it is marked for formatting." - esac - done exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -148,7 +125,6 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" @@ -159,7 +135,6 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then open_tpm2_partition "$part_device" - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -192,8 +167,6 @@ for partition_set in $partition_sets; do ;; esac - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" - # delete initial key # afterwards no new keys can be enrolled /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script new file mode 100644 index 0000000..3411e70 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script @@ -0,0 +1,61 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition_dev_path' to '$partition_mountpoint'" + if ! mountpoint -q "${partition_mountpoint}"; then + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount partition '${partition_dev_path}'!" + fi + fi +} +partition_sets="$PARTITIONS" +for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + part_device=$(readlink -f "$partition") + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + + if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ + | grep -q "luks2"; then + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" + else + mount_partition "$part_device" "$rootmnt""$partition_mountpoint" + fi +done diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 54c91fd..4e60c10 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -35,6 +35,7 @@ CRYPT_BACKEND = "systemd" SRC_URI += "file://encrypt_partition.env.tmpl \ file://encrypt_partition.${CRYPT_BACKEND}.script \ + file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ file://pwquality.conf" @@ -60,12 +61,15 @@ TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ ${D}/usr/share/encrypt_partition \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ ${D}/usr/share/initramfs-tools/scripts/local-bottom" do_install() { install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition" + "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition" + install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index a321490..2563dfd 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl @@ -9,7 +9,7 @@ # Quirin Gylstorff # -PREREQ="encrypt_partition" +PREREQ="" prereqs() { From patchwork Fri Mar 22 10:05:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599897 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A27DCD1286 for ; Fri, 22 Mar 2024 10:06:20 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.9308.1711101969836433271 for ; Fri, 22 Mar 2024 03:06:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Z/3xQ0Wf; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20240322100607a43a2efebc1feade8a-wbsfsn@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20240322100607a43a2efebc1feade8a for ; Fri, 22 Mar 2024 11:06:08 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=1pG3HVF1ldqHb3ddz9MFXg3NhQQK3GwHO+U2X0XIUXM=; b=Z/3xQ0Wf8Pzn5ybk1FNZKadN7by61tnD+M4trghByzGDOCWzAoCUvT2U5IwOc0VKOZ+Tx2 QAs/cRnjztSqL8br39BE79oXglTeySImbsdSSiGK4DWJNxghY7QUnHMIcb8ThFQiqwHrhNJs b1/tFypGCLzo6PrOiy7giYZUzKz4Y=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 08/13] initramfs-crypt-hook: Add check if root is part of the mountpoints Date: Fri, 22 Mar 2024 11:05:18 +0100 Message-ID: <20240322100605.4129226-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:20 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15404 From: Quirin Gylstorff If root will be encrypted the ROOT mountpoint will be set to '/dev/mapper/encrypted_'. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 6 ++++++ .../files/encrypt_partition.systemd.script | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 6aec7b8..fdbd9b5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -127,12 +127,17 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" # clevis does not work with links in /dev/disk* part_device=$(readlink -f "$partition") + # check if we are trying to mount root + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then @@ -169,6 +174,7 @@ for partition_set in $partition_sets; do ;; esac + # delete initial key # afterwards no new keys can be enrolled cryptsetup -v luksKillSlot -q "$part_device" 0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 7f2a6e3..e0c84ce 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -125,12 +125,17 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" part_device=$(readlink -f "$partition") + # check if we are trying to mount root + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then From patchwork Fri Mar 22 10:05:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599890 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3583CD11DF for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.9303.1711101968633346777 for ; Fri, 22 Mar 2024 03:06:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=qf/ip9NL; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-202403221006086a79f0615b739c5462-ymgw9d@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 202403221006086a79f0615b739c5462 for ; Fri, 22 Mar 2024 11:06:08 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=lP8vPta3VBv1pv1h9gXXM2wjvwupA4CkmTLpNinx7gg=; b=qf/ip9NLb7iyfZc7i5SftjrRgPUZvXFK9T79/3dDuYlyiOnyEIVbLezw7OfwCamx3Xnhtv 2qz1m9c5J7S6eJJKl69+USILOLfOQcs53DzoHOvCp38OMb++Hckc9c9NLej3WdvLknVY+1dv C+3+U9IwcgLkIklDja7eLMe3j4J3A=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 09/13] initramfs-crypt-hook: split hook in multiple files Date: Fri, 22 Mar 2024 11:05:19 +0100 Message-ID: <20240322100605.4129226-10-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15405 From: Quirin Gylstorff Split the clevis hook in Distro specific files to increase the readability. Signed-off-by: Quirin Gylstorff --- ...pt_partition.clevis.bullseye_or_later.hook | 34 +++++++++++++++++++ .../encrypt_partition.clevis.buster.hook | 30 ++++++++++++++++ .../files/encrypt_partition.clevis.hook | 16 --------- .../initramfs-crypt-hook_0.1.bb | 18 +++++++++- 4 files changed, 81 insertions(+), 17 deletions(-) create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook new file mode 100755 index 0000000..b244d45 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook @@ -0,0 +1,34 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2023 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +if [ -f /etc/os-release ]; then + . /etc/os-release +fi +hook_error() { + echo "(ERROR): $1" >&2 + exit 1 +} + +copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" +copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" +copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" +copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook new file mode 100755 index 0000000..fd39c34 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook @@ -0,0 +1,30 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2023 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +if [ -f /etc/os-release ]; then + . /etc/os-release +fi +hook_error() { + echo "(ERROR): $1" >&2 + exit 1 +} +copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" + diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 347551a..1921aba 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -54,27 +54,11 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found" copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found" copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found" -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-list ]; then - copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" -fi -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-common-functions ]; then - copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" -fi copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary" copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal" copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create" copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then - copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" - copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" -fi -if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then - copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" -fi copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then - copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" -fi copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash" copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta" copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 4e60c10..dc46ff8 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -29,6 +29,16 @@ def encryption_dependency(d): else: bb.error("unkown cryptbackend defined") +def add_additional_clevis_hooks(d): + base_distro_code_name = d.getVar('BASE_DISTRO_CODENAME') or "" + crypt_backend = d.getVar('CRYPT_BACKEND') or "" + if crypt_backend != 'clevis': + return "" + if base_distro_code_name == "buster": + return f"encrypt_partition.{crypt_backend}.buster.hook" + else: + return f"encrypt_partition.{crypt_backend}.bullseye_or_later.hook" + CRYPT_BACKEND:buster = "clevis" CRYPT_BACKEND:bullseye = "clevis" CRYPT_BACKEND = "systemd" @@ -38,7 +48,8 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ file://pwquality.conf" - +ADDITIONAL_CLEVIS_HOOK = "${@add_additional_clevis_hooks(d)}" +SRC_URI += "${@ 'file://' + d.getVar('ADDITIONAL_CLEVIS_HOOK') if d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''}" # CRYPT_PARTITIONS elements are :: CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem @@ -72,5 +83,10 @@ do_install() { "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" + if [ -f "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" ]; then + install -m 0755 "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" \ + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition.${BASE_DISTRO_CODENAME}" + fi + install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" } From patchwork Fri Mar 22 10:05:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599892 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5412C6FD1F for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.9309.1711101970844202523 for ; Fri, 22 Mar 2024 03:06:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=cxR1QVv/; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20240322100608891bc966230ee87127-wqjgsj@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20240322100608891bc966230ee87127 for ; Fri, 22 Mar 2024 11:06:08 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=EsWalcVDNXtkahH9g39M4UbiYdjj0ZKm+HmxLzsxBKk=; b=cxR1QVv/RX3WCRtNzc7CBNER3UTetZx7yYAXltYmtsw4M8zjw6sDCpL9XUx5+2LioA2rcK OGGIeg0U0XABK0AIexujcJk7KZKePPOAmoDJa6gU2ySXMyLuxAEKYjvHH7c7pkaJJlh0p+/W lg3oaKF6Fdw48HfpKGoOZcmVVJpzg=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 10/13] initramfs-crypt-hook: Consolidate clevis and systemd scripts Date: Fri, 22 Mar 2024 11:05:20 +0100 Message-ID: <20240322100605.4129226-11-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15408 From: Quirin Gylstorff This reduce the maintaince as the common code is only maintained once. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.hook | 1 + .../files/encrypt_partition.clevis.script | 177 ++---------------- .../files/encrypt_partition.script | 164 ++++++++++++++++ .../files/encrypt_partition.systemd.hook | 1 + .../files/encrypt_partition.systemd.script | 163 ++-------------- .../initramfs-crypt-hook_0.1.bb | 5 +- 6 files changed, 208 insertions(+), 303 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 1921aba..0bb8ce6 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -81,4 +81,5 @@ for _LIBRARY in /usr/lib/*/libtss2*; do done copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env +copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 copy_file pwmake-config /usr/share/encrypt_partition/pwquality.conf /etc/security/pwquality.conf diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index fdbd9b5..ddb3eab 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -9,177 +9,38 @@ # # SPDX-License-Identifier: MIT -prereqs() -{ - # Make sure that this script is run last in local-top - local req - for req in "${0%/*}"/*; do - script="${req##*/}" - if [ "$script" != "${0##*/}" ]; then - printf '%s\n' "$script" - fi - done -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /scripts/functions - -# get configuration variables -. /usr/share/encrypt_partition/encrypt_partition.env - -# load necessary kernel modules: -modprobe tpm_tis -modprobe tpm_crb - -modprobe ecb -modprobe aes_generic -modprobe xts - -# this needs to be probed particularly for re-encryption -modprobe loop - -partition_sets="$PARTITIONS" -create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -pcr_bank_hash_type="$HASH_TYPE" -tpm_key_algorithm="$KEY_ALGORITHM" -tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" -if [ -z "${create_file_system_cmd}" ]; then - create_file_system_cmd="mke2fs -t ext4" -fi - -service_watchdog() { - for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do - printf '\0' - sleep 10 - done > "$WATCHDOG_DEV" -} open_tpm2_partition() { + partition_device="$1" + crypt_mount_name="$2" + #tpm_device="$3" if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ - -d "$1"; then - panic "Can't decrypt '$1' !" + -d "$partition_device"; then + panic "Can't decrypt '$partition_device' !" fi } enroll_tpm2_token() { + partition_device="$1" + passphrase="$2" + #tpm_device="$3" + tpm_key_algorithm="$4" + pcr_bank_hash_type="$5" if [ -x /usr/bin/clevis ]; then - clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2" + clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" else panic "clevis not available cannot enroll tpm2 key!" fi } -reencrypt_existing_partition() { - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" - # reduce the filesystem and partition by 32M to fit the LUKS header - reduce_device_size=32768 - reduced_size="$(expr "$part_size_blocks" - 65536 )" - reduced_size_in_byte="$(expr "$reduced_size" \* 512)" - reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi - if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" - else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" +prepare_for_encryption() { + # clevis needs /dev/fd create it in the initramfs + if [ ! -e /dev/fd ]; then + ln -s /proc/self/fd /dev/fd fi } -for candidate in /dev/tpm*; do - if [ -x /usr/bin/tpm2_pcrread ]; then - if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then - continue - fi - elif [ -x /usr/bin/tpm2_pcrlist ]; then - export TPM2TOOLS_DEVICE_FILE="$candidate" - if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then - continue - fi - fi - # Debian buster does not have tpm_testparms - if [ -x /usr/bin/tpm2_testparms ]; then - if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then - continue - fi - fi - tpm_device=$candidate -done - -if [ ! -e "$tpm_device" ]; then - if [ "$tpm_encryption_optional" = "true" ]; then - echo "No tpm_device exists abort optional encryption" - exit 0 - fi - panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" -fi - -# clevis needs /dev/fd create it in the initramfs -if [ ! -e /dev/fd ]; then - ln -s /proc/self/fd /dev/fd -fi - -for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - crypt_mount_name="encrypted_$partition_label" - decrypted_part=/dev/mapper/"$crypt_mount_name" - # clevis does not work with links in /dev/disk* - part_device=$(readlink -f "$partition") - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi - - if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "clevis"; then - open_tpm2_partition "$part_device" - continue - fi - - # service watchdog in the background during lengthy re-encryption - if [ -z "$watchdog_pid" ]; then - service_watchdog & - watchdog_pid=$! - fi - - # create random password for initial encryption - # this will be dropped after reboot - tmp_key=/tmp/"$partition_label-lukskey" - openssl rand -base64 32 > "$tmp_key" - - case "${partition_format}" in - "reencrypt") - reencrypt_existing_partition "$part_device" "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - ;; - "format") - /usr/sbin/cryptsetup luksFormat --batch-mode \ - --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - eval "${create_file_system_cmd} ${decrypted_part}" - ;; - *) - panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" - ;; - esac - - - # delete initial key - # afterwards no new keys can be enrolled - cryptsetup -v luksKillSlot -q "$part_device" 0 -done - -if [ -n "$watchdog_pid" ]; then - kill "$watchdog_pid" -fi +finalize_tpm2_encryption() { + partition_device="$1" + cryptsetup -v luksKillSlot -q "$partition_device" 0 +} diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script new file mode 100644 index 0000000..8763f69 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -0,0 +1,164 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023-2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +# get the implementation +. /usr/share/encrypt_partition/encrypt_partition_tpm2 +# load necessary kernel modules: +modprobe tpm_tis +modprobe tpm_crb + +modprobe ecb +modprobe aes_generic +modprobe xts + +# this needs to be probed particularly for re-encryption +modprobe loop + +partition_sets="$PARTITIONS" +create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd="mke2fs -t ext4" +fi + +service_watchdog() { + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do + printf '\0' + sleep 10 + done > "$WATCHDOG_DEV" +} + +reencrypt_existing_partition() { + part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" + # reduce the filesystem and partition by 32M to fit the LUKS header + reduce_device_size=32768 + reduced_size="$(expr "$part_size_blocks" - 65536 )" + reduced_size_in_byte="$(expr "$reduced_size" \* 512)" + reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" + else + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" + fi +} +for candidate in /dev/tpm*; do + if [ -x /usr/bin/tpm2_pcrread ]; then + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then + continue + fi + elif [ -x /usr/bin/tpm2_pcrlist ]; then + export TPM2TOOLS_DEVICE_FILE="$candidate" + if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then + continue + fi + fi + # Debian buster does not have tpm_testparms + if [ -x /usr/bin/tpm2_testparms ]; then + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then + continue + fi + fi + tpm_device=$candidate +done + +if [ ! -e "$tpm_device" ]; then + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" +fi + +prepare_for_encryption + +for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + part_device=$(readlink -f "$partition") + # check if we are trying to mount root + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "token"; then + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + continue + fi + + # service watchdog in the background during lengthy re-encryption + if [ -z "$watchdog_pid" ]; then + service_watchdog & + watchdog_pid=$! + fi + + # create random password for initial encryption + # this will be dropped after reboot + tmp_key=/tmp/"$partition_label-lukskey" + openssl rand -base64 32 > "$tmp_key" + + case "${partition_format}" in + "reencrypt") + reencrypt_existing_partition "$part_device" "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + ;; + "format") + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$partition" < "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + eval "${create_file_system_cmd} ${decrypted_part}" + ;; + *) + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" + ;; + esac + + finalize_tpm2_encryption +done + +if [ -n "$watchdog_pid" ]; then + kill "$watchdog_pid" +fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index 6e2a211..941f0b1 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -61,4 +61,5 @@ for _LIBRARY in /usr/lib/*/libtss2* /usr/lib/*/libgcc_s.so.1; do copy_exec "$_LIBRARY" done +copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index e0c84ce..611f9cf 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -9,64 +9,23 @@ # # SPDX-License-Identifier: MIT -prereqs() -{ - # Make sure that this script is run last in local-top - local req - for req in "${0%/*}"/*; do - script="${req##*/}" - if [ "$script" != "${0##*/}" ]; then - printf '%s\n' "$script" - fi - done -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /scripts/functions - -# get configuration variables -. /usr/share/encrypt_partition/encrypt_partition.env - -# load necessary kernel modules: -modprobe tpm_tis -modprobe tpm_crb - -modprobe ecb -modprobe aes_generic -modprobe xts - -# this needs to be probed particularly for re-encryption -modprobe loop - -partition_sets="$PARTITIONS" -create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -pcr_bank_hash_type="$HASH_TYPE" -tpm_key_algorithm="$KEY_ALGORITHM" -tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" -if [ -z "${create_file_system_cmd}" ]; then - create_file_system_cmd="mke2fs -t ext4" -fi - -service_watchdog() { - for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do - printf '\0' - sleep 10 - done > "$WATCHDOG_DEV" -} - open_tpm2_partition() { + partition_device="$1" + crypt_mount_name="$2" + tpm_device="$3" if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ - "$1" - tpm2-device="$tpm_device"; then - panic "Can't decrypt '$1' !" + "$partition_device" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$partition_device' !" fi } enroll_tpm2_token() { + partition_device="$1" + passphrase="$2" + tpm_device="$3" + #tpm_key_algorithm="$4" + #pcr_bank_hash_type="$5" + # check systemd version and export password if necessary if [ -x /usr/bin/systemd-cryptenroll ]; then systemd_version=$(systemd-cryptenroll --version | \ @@ -74,10 +33,10 @@ enroll_tpm2_token() { # check systemd version and export password if necessary # systemd version 251 does not suport hash_types if [ "$systemd_version" -ge "251" ]; then - PASSWORD=$(cat "$2" ) + PASSWORD=$(cat "$passphrase" ) export PASSWORD /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \ - --tpm2-pcrs=7 "$1" + --tpm2-pcrs=7 "$partition_device" PASSWORD= else panic "Unknown systemd version: '$systemd_version'!" @@ -87,96 +46,12 @@ enroll_tpm2_token() { fi } -reencrypt_existing_partition() { - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" - # reduce the filesystem and partition by 32M to fit the LUKS header - reduce_device_size=32768 - reduced_size="$(expr "$part_size_blocks" - 65536 )" - reduced_size_in_byte="$(expr "$reduced_size" \* 512)" - reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi - if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" - else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" - fi +prepare_for_encryption() { + true } -for candidate in /dev/tpm*; do - if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then - continue - fi - if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then - continue - fi - tpm_device=$candidate -done - -if [ ! -e "$tpm_device" ]; then - if [ "$tpm_encryption_optional" = "true" ]; then - echo "No tpm_device exists abort optional encryption" - exit 0 - fi - panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" -fi - -for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - crypt_mount_name="encrypted_$partition_label" - decrypted_part=/dev/mapper/"$crypt_mount_name" - part_device=$(readlink -f "$partition") - - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi - # check if partition is already encrypted with systemd-tpm2 - if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "systemd-tpm2"; then - open_tpm2_partition "$part_device" - continue - fi - - # service watchdog in the background during lengthy re-encryption - if [ -z "$watchdog_pid" ]; then - service_watchdog & - watchdog_pid=$! - fi - - # create random password for initial encryption - # this will be dropped after reboot - tmp_key=/tmp/"$partition_label-lukskey" - openssl rand -base64 32 > "$tmp_key" - - case "${partition_format}" in - "reencrypt") - reencrypt_existing_partition "$part_device" "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - ;; - "format") - /usr/sbin/cryptsetup luksFormat --batch-mode \ - --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - eval "${create_file_system_cmd} ${decrypted_part}" - ;; - *) - panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" - ;; - esac - - # delete initial key - # afterwards no new keys can be enrolled - /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 -done +finalize_tpm2_encryption() { + partition_device="$1" +- /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device" +} -if [ -n "$watchdog_pid" ]; then - kill "$watchdog_pid" -fi diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index dc46ff8..1d5a4a7 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -44,6 +44,7 @@ CRYPT_BACKEND:bullseye = "clevis" CRYPT_BACKEND = "systemd" SRC_URI += "file://encrypt_partition.env.tmpl \ + file://encrypt_partition.script \ file://encrypt_partition.${CRYPT_BACKEND}.script \ file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ @@ -77,8 +78,10 @@ do_install[cleandirs] += " \ do_install() { install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" - install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ + install -m 0755 "${WORKDIR}/encrypt_partition.script" \ "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition" + install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ + "${D}/usr/share/encrypt_partition/encrypt_partition_tpm2" install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \ "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ From patchwork Fri Mar 22 10:05:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599895 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 170D0CD1282 for ; Fri, 22 Mar 2024 10:06:20 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.9597.1711101970934025681 for ; Fri, 22 Mar 2024 03:06:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=dUjlIWPB; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-20240322100608c6078c07275c216993-mgqaeu@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20240322100608c6078c07275c216993 for ; Fri, 22 Mar 2024 11:06:09 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=gyOHq8aO6lkSZ5WPPxkF9fxmpmxTcYVIVUHlHQ1sdJ4=; b=dUjlIWPBusHNHnKizJuY7HAXsLJj/dRkWJv83uZfbHf+8R4zxjCEnLxQpiUry88cf8IZGP B13knD6OhfIIl6EEMvasyWBaXEUJodoCNxSdiEmJVcV3OtIS2f12/5oo5+y7yLwUVjjzQgeG BnxOKxxPjy1EaVU5nB/WdXKUaw6xs=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 11/13] initramfs-crypt-hook: Increase version Date: Fri, 22 Mar 2024 11:05:21 +0100 Message-ID: <20240322100605.4129226-12-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:20 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15407 From: Quirin Gylstorff This package had significate changes Signed-off-by: Quirin Gylstorff --- .../{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (100%) diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb similarity index 100% rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb From patchwork Fri Mar 22 10:05:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599886 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BDC68C54E71 for ; Fri, 22 Mar 2024 10:06:19 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.9305.1711101968829621960 for ; Fri, 22 Mar 2024 03:06:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=j8E8i9gu; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-2024032210060988466ad6147c5770fe-otue2v@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 2024032210060988466ad6147c5770fe for ; Fri, 22 Mar 2024 11:06:09 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=vKG0QWWeocWNrOMY/O6gIN+Kmj6q0BWXuIYB8sqm+Xg=; b=j8E8i9gub1B5lBy+sFxO6fL7O17pDvjot2CVeaEuOWi3gq+JPVvHgAms93klCBslhhCv4h esKDyZM6/wQWkJccNLaKv1CKwM3hBTie9r0AYpgds7ARU0XHh6YpQpemf8IMWPOxvFeE/J9l 7ukeFZ131tpm4ZdLrLDeEwjByW9pY=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 12/13] README.tpm2.encryption: Add section to switch from clevis to systemd Date: Fri, 22 Mar 2024 11:05:22 +0100 Message-ID: <20240322100605.4129226-13-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:19 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15406 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index cb3f640..69a18dd 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -48,3 +48,23 @@ Each entry uses the schema `:: The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition. + +# Convert clevis based encryption to systemd-cryptenroll +## Prerequisites +The following packages are necessary to convert a clevis based encryption to a systemd-cryptenroll +based encryption: + - clevis-luks + - clevis-tpm2 + - cryptsetup + - jq + +## steps to convert clevis to systemd +The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption: +```bash +export device=/dev/sda6 +export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1) +if [ -n "$keyslot" ]; then + export PASSWORD=$(clevis luks pass -d "$device" -s"$keyslot") + systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device" +fi +``` From patchwork Fri Mar 22 10:05:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13599894 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 059CECD1284 for ; Fri, 22 Mar 2024 10:06:20 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.9310.1711101971422728829 for ; Fri, 22 Mar 2024 03:06:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=V6k419Sz; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20240322100609ebe0563931a080c132-s7ckcx@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20240322100609ebe0563931a080c132 for ; Fri, 22 Mar 2024 11:06:09 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=1qH2aCzusd6k2U6wQxIR2ADd9BsHTh9kRmvb4yFFTBI=; b=V6k419SzfPrHskBZLy/0iE0dziriyw2iEShG5KQQMqC3tMqXNVCUPg++1N9A6wgQCxQosN 6krGLGBIPdTRfxThlOcYZ5pWEV+vqImOp3TuFDTcNZXRLxZwA8IyPulWSF3tjWLqnIp7nuxF 7HgZCaNZ/aUMNE/tJ2OC9H8hr23wI=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v2 13/13] Add example to encrypt the rootfs Date: Fri, 22 Mar 2024 11:05:23 +0100 Message-ID: <20240322100605.4129226-14-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> References: <20240322100605.4129226-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 22 Mar 2024 10:06:20 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15409 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- kas/opt/encrypt_rootfs.yml | 24 ++++++++++++++++++++++++ wic/x86_64-encryption.wks.in | 16 ++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 kas/opt/encrypt_rootfs.yml create mode 100644 wic/x86_64-encryption.wks.in diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml new file mode 100644 index 0000000..4001c75 --- /dev/null +++ b/kas/opt/encrypt_rootfs.yml @@ -0,0 +1,24 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + +local_conf_header: + encrypted_root: | + WKS_FILE = "x86_64-encryption.wks.in" + CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt" + IMAGE_FSTYPES = "wic" + IMAGER_INSTALL:wic += "systemd-boot" + CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc" + INITRAMFS_RECIPE ?= "cip-core-initramfs" + INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" + do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in new file mode 100644 index 0000000..800b56d --- /dev/null +++ b/wic/x86_64-encryption.wks.in @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# SPDX-License-Identifier: MIT +# + +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0 + +part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb +# home and var are extra partitions +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002 + +bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"