From patchwork Mon Apr 22 14:09:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638557 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EEB0C4345F for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.19555.1713795084846421415 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=YDMPYDa5; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-202404221411211b81ebea9dd93916c8-zba8wf@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 202404221411211b81ebea9dd93916c8 for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=8YZbiSNipjBPgR3SWctZAv1TvugTkr/LyZIYtY1NtlY=; b=YDMPYDa5jyxy3c3qlffx87STDoiZzfCe+GfdAIUdg2SibuFlp4y4XfStkV+fJSqXazAfmH xHwMkXb5KXzroJKrtsaNkDOm/cjoIJl/+OiQK5e/eMA7Rv3sgvpDbXkD7dOiDMkOrV430aJJ QEne64bsejfCDoihjHAiLjd1YnPNM=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 1/7] wic/*: Add part-labels to system partition Date: Mon, 22 Apr 2024 16:09:06 +0200 Message-ID: <20240422141120.577573-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15722 From: Quirin Gylstorff This allows to use the part-label for encryptition or boot selection. Signed-off-by: Quirin Gylstorff --- wic/bbb-efibootguard.wks.in | 4 ++-- wic/hihope-rzg2m-efibootguard.wks.in | 4 ++-- wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++-- wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++-- wic/qemu-arm64-efibootguard.wks.in | 4 ++-- wic/qemu-riscv64-efibootguard.wks.in | 4 ++-- wic/x86-efibootguard.wks.in | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in index e9c04b9..b5772c2 100644 --- a/wic/bbb-efibootguard.wks.in +++ b/wic/bbb-efibootguard.wks.in @@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no- include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in index 9227a71..164e8a9 100644 --- a/wic/hihope-rzg2m-efibootguard.wks.in +++ b/wic/hihope-rzg2m-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index ef40d70..0f4d637 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in @@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in index 01f395d..00d627d 100644 --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in @@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in index 942c3e1..6f03420 100644 --- a/wic/qemu-arm64-efibootguard.wks.in +++ b/wic/qemu-arm64-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in index 6934977..1704ded 100644 --- a/wic/qemu-riscv64-efibootguard.wks.in +++ b/wic/qemu-riscv64-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index 6382ff7..4c0484f 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema # home and var are extra partitions From patchwork Mon Apr 22 14:09:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57E4AC07C79 for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.19557.1713795085105400350 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=kaHwZBYe; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20240422141121d58fabd9ac805e8f54-scslaa@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20240422141121d58fabd9ac805e8f54 for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=rxFhcFtQq85P1V5x+iLgs2RBNBYhcghQLzRi1G09nXA=; b=kaHwZBYen/mH8UzzpzT0TZeisJezejujm9SgTOhEiuBFCcBNtFJdNk3kkiMM9+y1Z/CGtM hMxlgHZ84upfzKTMhAIu1EhYNIe9fuP2L3tpHbX5c+KCqNgFl6WABa8PMZRFR1eE/P2nxFgr ntXXipKg0QZZM8PAA4Qd4ofjk7vGE=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 2/7] initramfs: allow empty mountpoint for crypt hooks Date: Mon, 22 Apr 2024 16:09:07 +0200 Message-ID: <20240422141120.577573-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15727 From: Quirin Gylstorff This allows to encrypt partition which have as seperate mount script like verity and abrootfs Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script index 3411e70..b72323f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script @@ -51,7 +51,9 @@ for partition_set in $partition_sets; do part_device=$(readlink -f "$partition") crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" - + if [ -z "$partition_mountpoint" ]; then + continue + fi if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" From patchwork Mon Apr 22 14:09:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638556 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40547C07E8E for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.19556.1713795084930940205 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=JlCuBOMN; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-20240422141122d769edc314a911ff97-icbbfz@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20240422141122d769edc314a911ff97 for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=uqit3BLEeDuEB4mr1mO8T+mdkR0/0w4koXdXGP2Gw3w=; b=JlCuBOMN5QvUag3oSCF8iHy2ALcX6G8XDJVhqqzXoZwo5Zaq8w0UMReQCHe2cM0+gQOis6 UQDzExdrco027U/O098+WJnMKLPMAB2fgXULK1O5rYvo1aKL//XQmxTi7T3Gd6tRJmsMw5ww CJD6zrrC7iDKvKWmb4KT4u4oWhfyU=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 3/7] initramfs-crypt: Only resize partition if ext* formatted Date: Mon, 22 Apr 2024 16:09:08 +0200 Message-ID: <20240422141120.577573-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15723 From: Quirin Gylstorff squashfs or empty partition cannot be resized with resize2fs. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.script | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 8f6cbf6..51c81f3 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -64,14 +64,26 @@ service_watchdog() { reencrypt_existing_partition() { part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header + partition_fstype=$(get_fstype "${1}") reduce_device_size=32768 reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi + case $partition_fstype in + ext*) + # reduce the filesystem and partition by 32M to fit the LUKS header + e2fsck -f "$1" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi + ;; + squashfs|"") + echo "skip disk resize as it not support or unnecessary for fstype: '$partition_fstype'" + ;; + *) + panic "cannot resize parition. unsupport fstype: $partition_fstype" + ;; + esac if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else From patchwork Mon Apr 22 14:09:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638561 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 797A9C18E72 for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.19472.1713795084846138737 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=bBZfZ2XD; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-20240422141122ded3887665e9febd28-hj54bw@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20240422141122ded3887665e9febd28 for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=92laoSyA7ibBoNhzAQr2FvY4IP6MNIW/tOc+ONdCPmM=; b=bBZfZ2XDUocMojJwsu7WHM0KRlwigigjr7VjECzwkVipVLJtZRFo++HUq1cUCcrXjRl3T+ /R6KYv15da2PLUXbhj9SPPua/Jnr4LnUZCAqNtPHPUNKT73JZ18xcO+P7ZEvhHwd/wY9Tfwu Kcc1tW9HWyzlU6xN5gOl8nQ3aK1iI=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 4/7] fix: use luks2 to identify encrypted partition Date: Mon, 22 Apr 2024 16:09:09 +0200 Message-ID: <20240422141120.577573-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15724 From: Quirin Gylstorff This fixes an issue with encrypted rootfs during system reboot. With the token option it can happen that during reboot the no valid Luks partition is found and the boot up fails in the initrd. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 51c81f3..685d882 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do fi if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "token"; then + | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" continue fi From patchwork Mon Apr 22 14:09:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638562 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 881C0C1746D for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.19558.1713795085210414205 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=K5dwBCY3; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20240422141122be789fa53f90c6d5b9-jf9aiu@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20240422141122be789fa53f90c6d5b9 for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=wPdEsy+RHXV4s6BGhtUdmK9gYW1y2CD4292j3IfUK5o=; b=K5dwBCY3mogFTe7t6W9i9jvwHt0Ez+5ONxHYfW+z5wNcDALq3x29j1jpKMJzxQQSE6Hvdb ghycgkUcOUiY+HGjQoEJi5JP5H6e93vTkgaiZk2uKR7i4uOSKPBwUNM86DA9SuykK8sqz72+ C0/2KIfPKZNgQOWDZAG86TD61aONI=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 5/7] Rename encrypt-partitions to encrypt-data Date: Mon, 22 Apr 2024 16:09:10 +0200 Message-ID: <20240422141120.577573-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15729 From: Quirin Gylstorff This makes the purpose of this option more clear. Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 2 +- Kconfig | 2 +- doc/README.tpm2.encryption.md | 2 +- kas/opt/{encrypt-partitions.yml => encrypt-data.yml} | 0 kas/opt/security.yml | 2 +- 5 files changed, 4 insertions(+), 4 deletions(-) rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bd34c82..aab55be 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -64,7 +64,7 @@ default: - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi - if [ "${release}" = "bookworm" ]; then base_yaml="${base_yaml}:kas/opt/bookworm.yml"; fi - if [ "${release}" = "sid" ]; then base_yaml="${base_yaml}:kas/opt/sid.yml"; fi - - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi + - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-data.yml"; fi - if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} diff --git a/Kconfig b/Kconfig index 7c19640..9478a06 100644 --- a/Kconfig +++ b/Kconfig @@ -211,6 +211,6 @@ config IMAGE_DATA_ENCRYPTION config KAS_INCLUDE_DATA_ENCRYPTION string - default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION + default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION endif diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 69a18dd..c5ac6c4 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -27,7 +27,7 @@ An example for qemu-amd64 can be build with by selecting the option after callin or by adding using the following command line build: ``` -./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-partitions.yml +./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-data.yml ``` ## initramfs-crypt-hook configuration diff --git a/kas/opt/encrypt-partitions.yml b/kas/opt/encrypt-data.yml similarity index 100% rename from kas/opt/encrypt-partitions.yml rename to kas/opt/encrypt-data.yml diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 000c522..4aa40e0 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -11,7 +11,7 @@ header: version: 14 includes: - - kas/opt/encrypt-partitions.yml + - kas/opt/encrypt-data.yml - kas/opt/ebg-secure-boot-snakeoil.yml target: cip-core-image-security From patchwork Mon Apr 22 14:09:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638558 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 69CA3C10F1A for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.19471.1713795084838902854 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=adxQkQW5; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-20240422141122faea6c8c212e027cb8-_w1akl@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20240422141122faea6c8c212e027cb8 for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=gDTH8+GEbOVYfV2fg9XCatm8cbBYt/TM68CvvhhmEfU=; b=adxQkQW55aHu0RhJuGKu8AgpCBtIw9/c5EHWEDI/qvCyOy6V2DHjq5mjcpmqnc1YrirUPn B/sZufvyH0lThCrSp3eNiJbC6nWh6D+0ZxuHOHZdgjllqthUIUBV73uZx5ILIIK1nCL8cWTw KH0y6wfvw0OoAYYQNaqKmpFLAxqa4=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 6/7] Kconfig: Add option to encrypt the rootfs Date: Mon, 22 Apr 2024 16:09:11 +0200 Message-ID: <20240422141120.577573-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15726 From: Quirin Gylstorff This allows to setup a full encrypted system. Signed-off-by: Quirin Gylstorff --- Kconfig | 20 ++++++++++++++++++-- kas/opt/encrypt-all.yml | 22 ++++++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 kas/opt/encrypt-all.yml diff --git a/Kconfig b/Kconfig index 9478a06..42e6b67 100644 --- a/Kconfig +++ b/Kconfig @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT + +menuconfig DISK_ENCRYPTION + bool + prompt "disk encryption" + select IMAGE_SECURE_BOOT + config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions on first boot" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM - select IMAGE_SECURE_BOOT + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) help This enables LUKS encryption for the partitions /var and /home. +config IMAGE_FULL_ENCRYPTION + bool "Encrypt rootfs and data partitions" + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM) + select IMAGE_DATA_ENCRYPTION + help + This enables LUKS encryption for all partitions. + config KAS_INCLUDE_DATA_ENCRYPTION string default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION +config KAS_INCLUDE_FULL_ENCRYPTION + string + default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION + endif diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml new file mode 100644 index 0000000..edbc820 --- /dev/null +++ b/kas/opt/encrypt-all.yml @@ -0,0 +1,22 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + includes: + - kas/opt/encrypt-data.yml +local_conf_header: + encrypted_root: | + # Do not set mount points for systema and systemb as they are mounted by the + # abrootfs/verity initramfs + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need + # to set all partitions + CRYPT_PARTITIONS = " systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:reencrypt" From patchwork Mon Apr 22 14:09:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13638560 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E10DC41513 for ; Mon, 22 Apr 2024 14:11:33 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.19473.1713795085209530741 for ; Mon, 22 Apr 2024 07:11:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=PVZTBL9i; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-51332-20240422141122feda227b99091e7d9b-nwp_ay@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 20240422141122feda227b99091e7d9b for ; Mon, 22 Apr 2024 16:11:22 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=Edfkjx3ST7nMFCukgUt/n5i2SsOFSnznauwwKpHsFnw=; b=PVZTBL9ijVEiU0525dR35JNxz6s2rUwNjT9FalmAnsY98VNYbFYYWkq9kA+gZfj8YGuy/1 lFxRrE0dj8v62CP6VTwFDUVMJ2TkVYjLlTc3kKs6f9w0AwtgIWYJdIdCLzhBHFbnrDdt+Odj 6SaVtOxsIYdEjpVyv76AoVp5E/S64=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, johnxw@amazon.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH v2 7/7] README: Add rootfs encryption Date: Mon, 22 Apr 2024 16:09:12 +0200 Message-ID: <20240422141120.577573-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> References: <20240422141120.577573-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Apr 2024 14:11:33 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15728 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index c5ac6c4..a229d86 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -44,6 +44,16 @@ Each entry uses the schema `:: - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +#### Encrypted root file system + +To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to: +``` +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt" +``` +The mountpoint is empty as the root partition is mounted by another initramfs service. +Both partitions are encrypted during first boot. The initramfs opens systema and systemb +during boot. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly @@ -59,7 +69,7 @@ based encryption: - jq ## steps to convert clevis to systemd -The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption: +The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption: ```bash export device=/dev/sda6 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)