From patchwork Fri Apr 19 08:20:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635824 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0DDFC04FF6 for ; Fri, 19 Apr 2024 08:20:48 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.15327.1713514839915340116 for ; Fri, 19 Apr 2024 01:20:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=mI+zu2dm; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202404190820370ba5360bc6678d2630-f4yzfm@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202404190820370ba5360bc6678d2630 for ; Fri, 19 Apr 2024 10:20:37 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=mb/yTACG3WH8Z+uJ6dm7y91OF7tN3ZyzkHL7qqmkgIE=; b=mI+zu2dm8NE/lJNTnaxAxTLOyUENUrAw4I7f+CZUXZFbKjUCe2EiXEtDG7mAWy/QpaZd5m ZGzkR18nrDK3gM4udUC8PHaYovLEa+dtS3iXB/l+2QmT4OqjLmhE/NQvzFVAuL2udcS0YgRI r3X7PsmDa9oLtIoB8Li9alSsg7vT8=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition Date: Fri, 19 Apr 2024 10:20:11 +0200 Message-ID: <20240419082036.2389583-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:48 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15641 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- wic/bbb-efibootguard.wks.in | 4 ++-- wic/hihope-rzg2m-efibootguard.wks.in | 4 ++-- wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++-- wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++-- wic/qemu-arm64-efibootguard.wks.in | 4 ++-- wic/qemu-riscv64-efibootguard.wks.in | 4 ++-- wic/x86-efibootguard.wks.in | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in index e9c04b9..b5772c2 100644 --- a/wic/bbb-efibootguard.wks.in +++ b/wic/bbb-efibootguard.wks.in @@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no- include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in index 9227a71..164e8a9 100644 --- a/wic/hihope-rzg2m-efibootguard.wks.in +++ b/wic/hihope-rzg2m-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index ef40d70..0f4d637 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in @@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in index 01f395d..00d627d 100644 --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in @@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in index 942c3e1..6f03420 100644 --- a/wic/qemu-arm64-efibootguard.wks.in +++ b/wic/qemu-arm64-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in index 6934977..1704ded 100644 --- a/wic/qemu-riscv64-efibootguard.wks.in +++ b/wic/qemu-riscv64-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index 6382ff7..4c0484f 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema # home and var are extra partitions From patchwork Fri Apr 19 08:20:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635827 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0AC64C05052 for ; Fri, 19 Apr 2024 08:20:49 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.15328.1713514840054193210 for ; Fri, 19 Apr 2024 01:20:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=php0tWnd; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20240419082037c6cf3ab519e94dbce3-sgduld@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20240419082037c6cf3ab519e94dbce3 for ; Fri, 19 Apr 2024 10:20:37 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=rxFhcFtQq85P1V5x+iLgs2RBNBYhcghQLzRi1G09nXA=; b=php0tWndq54Nz+uEmaSNvzzCeBqQvZfQ0p8IJ+wtzH1XUs6BUCXprl+8P968EojVWNWHk0 9oX007D6O3msCM4L45K+VR1ZDqrJz3ZwSg7juJDr834S5NLroLiHast7BwOcU56DCLo+PYSD oS4Fo/fxHu/Uk6XznAoEt+xF9FiAU=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 2/7] initramfs: allow empty mountpoint for crypt hooks Date: Fri, 19 Apr 2024 10:20:12 +0200 Message-ID: <20240419082036.2389583-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15643 From: Quirin Gylstorff This allows to encrypt partition which have as seperate mount script like verity and abrootfs Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script index 3411e70..b72323f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script @@ -51,7 +51,9 @@ for partition_set in $partition_sets; do part_device=$(readlink -f "$partition") crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" - + if [ -z "$partition_mountpoint" ]; then + continue + fi if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" From patchwork Fri Apr 19 08:20:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635823 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0DA8C4345F for ; Fri, 19 Apr 2024 08:20:48 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.15347.1713514840272959741 for ; Fri, 19 Apr 2024 01:20:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=FHA71TD7; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-2024041908203722d05d6d5a7a2c3cf7-opum1j@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2024041908203722d05d6d5a7a2c3cf7 for ; Fri, 19 Apr 2024 10:20:37 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=gehmAT1K4Hln8xXUhy00AHYcmX5hWAsoXefSnk1iaLw=; b=FHA71TD7X0dM4khUzvpQaQzL7taxzWsKd/RcEdXzhUoXo4qAu7Zbkp25y/hP38H/OYg7lS fmQpaWM2fwzEJOg/tEKN6rRbeQupDLk0jxJB3uA5XV/xgPdbK0G6r94myQ1iwoR3rELLeXi4 QzhTeHmKKDAve1XrPX+P95W4FY3nM=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting Date: Fri, 19 Apr 2024 10:20:13 +0200 Message-ID: <20240419082036.2389583-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:48 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15642 From: Quirin Gylstorff This fixes an regression from cfef8103a0385c0d6c4631f23aabcdf65de4efba. As the format path was not update to the new function arguments. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 8763f69..8f6cbf6 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -147,7 +147,7 @@ for partition_set in $partition_sets; do "format") /usr/sbin/cryptsetup luksFormat --batch-mode \ --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" eval "${create_file_system_cmd} ${decrypted_part}" ;; From patchwork Fri Apr 19 08:20:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635830 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F7A2C071FD for ; Fri, 19 Apr 2024 08:20:49 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.15348.1713514840432269894 for ; Fri, 19 Apr 2024 01:20:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=IvFuvnWx; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-51332-20240419082038007e83438833e0aa47-ndsstl@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 20240419082038007e83438833e0aa47 for ; Fri, 19 Apr 2024 10:20:38 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=uqit3BLEeDuEB4mr1mO8T+mdkR0/0w4koXdXGP2Gw3w=; b=IvFuvnWxY3dfcxOMhhlGunnxv7rAiyI97gsgJHbT+UPMDaGYYXlhNBG06oEw0In3ZYo88G l8p4X1XV0NEMZTA9rAvuUAagLXwzOGSYDAk3aQgKn7w4blyGf1UnMBHzlg4ZxWGYQFwFXZdm 7aKKhLLfbE9rSE1bt96b6XojIbXfU=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 4/7] initramfs-crypt: Only resize partition if ext* formatted Date: Fri, 19 Apr 2024 10:20:14 +0200 Message-ID: <20240419082036.2389583-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15648 From: Quirin Gylstorff squashfs or empty partition cannot be resized with resize2fs. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.script | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 8f6cbf6..51c81f3 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -64,14 +64,26 @@ service_watchdog() { reencrypt_existing_partition() { part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header + partition_fstype=$(get_fstype "${1}") reduce_device_size=32768 reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi + case $partition_fstype in + ext*) + # reduce the filesystem and partition by 32M to fit the LUKS header + e2fsck -f "$1" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi + ;; + squashfs|"") + echo "skip disk resize as it not support or unnecessary for fstype: '$partition_fstype'" + ;; + *) + panic "cannot resize parition. unsupport fstype: $partition_fstype" + ;; + esac if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else From patchwork Fri Apr 19 08:20:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635828 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33E33C04FFF for ; Fri, 19 Apr 2024 08:20:49 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.15346.1713514840209752022 for ; Fri, 19 Apr 2024 01:20:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Zqy+U918; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20240419082038b3f3c750e6b0516f91-oqg4yc@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20240419082038b3f3c750e6b0516f91 for ; Fri, 19 Apr 2024 10:20:38 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=Xt0kRzMp/Bu6p7cgfPV7sdtGa5HLB+fsZZpCOgKmX5M=; b=Zqy+U918WEOWijd/5czGvL6cSpoyYJp7TWmUifK99jjB0pVKIVZ5RKB86emGMfv0d72UBZ Sc0QiJg9OoeAsLL+HtdstRHA+FSdoeqpBznTJA0wu+oDa2KgnzuKiwjmLWBFABT7hia0k8Ax s85UHUZfVxHzTj1avB9jFHz3/wdMg=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition Date: Fri, 19 Apr 2024 10:20:15 +0200 Message-ID: <20240419082036.2389583-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15647 From: Quirin Gylstorff This fixes an issue with encrypted rootfs during system reboot. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 51c81f3..685d882 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do fi if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "token"; then + | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" continue fi From patchwork Fri Apr 19 08:20:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635826 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0ACA1C41513 for ; Fri, 19 Apr 2024 08:20:49 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.15329.1713514840325071654 for ; Fri, 19 Apr 2024 01:20:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=A3qgsZzB; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-2024041908203866a0a2681b56b3bc9e-qsnngi@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2024041908203866a0a2681b56b3bc9e for ; Fri, 19 Apr 2024 10:20:38 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=5zqUFGjfP/UY6eD/GxL8mn5lg+GPrDsbD+doLNjTEIY=; b=A3qgsZzBvvhCInh7gyVIPLg0Cv2VMcCytzFqrU3yhT9qFxtUTTLpn7TxcHCSsIKWL2W4Vk SbagbvXT2xAV2y71kHAl8CHCtoZiMtnfzC82C/t5JFmhujbWkRn8piV9jtZZmPD0OkIk0mrY ZHEkCI3w/OAI0nZ8nZEMD4WKOs9jw=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs Date: Fri, 19 Apr 2024 10:20:16 +0200 Message-ID: <20240419082036.2389583-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15644 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- Kconfig | 20 ++++++++++++++++++-- kas/opt/encrypt-rootfs.yml | 22 ++++++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 kas/opt/encrypt-rootfs.yml diff --git a/Kconfig b/Kconfig index 7c19640..e657a22 100644 --- a/Kconfig +++ b/Kconfig @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT + +menuconfig DISK_ENCRYPTION + bool + prompt "disk encryption" + select IMAGE_SECURE_BOOT + config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions on first boot" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM - select IMAGE_SECURE_BOOT + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) help This enables LUKS encryption for the partitions /var and /home. +config IMAGE_FULL_ENCRYPTION + bool "Encrypt rootfs and data partitions" + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) + select IMAGE_DATA_ENCRYPTION + help + This enables LUKS encryption for all partitions. + config KAS_INCLUDE_DATA_ENCRYPTION string default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION +config KAS_INCLUDE_ROOTFS_ENCRYPTION + string + default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION + endif diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml new file mode 100644 index 0000000..f273b65 --- /dev/null +++ b/kas/opt/encrypt-rootfs.yml @@ -0,0 +1,22 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + includes: + - kas/opt/encrypt-partitions.yml +local_conf_header: + encrypted_root: | + # Do not set mount points for systema and systemb as they are mounted by the + # abrootfs/verity initramfs + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need + # to set all partitions + CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt" From patchwork Fri Apr 19 08:20:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13635829 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C779C071DB for ; Fri, 19 Apr 2024 08:20:49 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.15350.1713514840670917953 for ; Fri, 19 Apr 2024 01:20:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=G30d1tqh; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202404190820389efd0dc916df8a6be2-26h9h_@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202404190820389efd0dc916df8a6be2 for ; Fri, 19 Apr 2024 10:20:38 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=hZWFPVFrzPtYlO46DkdPXQh4aq5cOQir0S+6ZvWTGUA=; b=G30d1tqhc/3Fylu4rDJObNpgXwoa6IT1dIjLbSCt8YeJ9TAIAzr1+EzpR5I2c1oPsrcQlT WndKODWJIq/Po53lj2341JbrMfDky+z+ADvLNbiKgWpMShCdlAxrp911M7RXT28gA1ENUljh OdFaWf3Mluel9mBt3SNg5CaXubBKg=; From: Quirin Gylstorff To: johnxw@amazon.com, cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH 7/7] README: Add rootfs encryption Date: Fri, 19 Apr 2024 10:20:17 +0200 Message-ID: <20240419082036.2389583-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> References: <20240419082036.2389583-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Apr 2024 08:20:49 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15646 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 69a18dd..a0a78d2 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -44,6 +44,16 @@ Each entry uses the schema `:: - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +#### Encrypted root file system + +To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to: +``` +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt" +``` +The mountpoint is empty as the root partition is mounted by another initramfs service. +Both partitions are encrypted during first boot. The initramfs opens systema and systemb +during boot. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly @@ -59,7 +69,7 @@ based encryption: - jq ## steps to convert clevis to systemd -The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption: +The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption: ```bash export device=/dev/sda6 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)