From patchwork Mon May 6 14:17:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655535 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3E5DDC25B76 for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.21762.1715005117605735743 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=UL7HjULJ; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-2024050614183489a2daf4a1c71054d5-9yyqbs@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 2024050614183489a2daf4a1c71054d5 for ; Mon, 06 May 2024 16:18:35 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=8YZbiSNipjBPgR3SWctZAv1TvugTkr/LyZIYtY1NtlY=; b=UL7HjULJewi/5duMZApIFdVvpzJNFm4XwpEHufMweQfye98D/Bc29Cdvra392fd8mszBIR nEyC2sGXsmojzHdNTNrqpI34oNWNMBr60YjSXp5RFliHQQSarbEcFwKLXSWdSmSGqty3eA+O SgIBL6h9ekmlz7d+gsoCV4rCsHRRc=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 01/11] wic/*: Add part-labels to system partition Date: Mon, 6 May 2024 16:17:22 +0200 Message-ID: <20240506141833.3622989-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15834 From: Quirin Gylstorff This allows using the part-label for encryption or boot selection. Signed-off-by: Quirin Gylstorff --- wic/bbb-efibootguard.wks.in | 4 ++-- wic/hihope-rzg2m-efibootguard.wks.in | 4 ++-- wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++-- wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++-- wic/qemu-arm64-efibootguard.wks.in | 4 ++-- wic/qemu-riscv64-efibootguard.wks.in | 4 ++-- wic/x86-efibootguard.wks.in | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in index e9c04b9..b5772c2 100644 --- a/wic/bbb-efibootguard.wks.in +++ b/wic/bbb-efibootguard.wks.in
@@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no- include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in index 9227a71..164e8a9 100644 --- a/wic/hihope-rzg2m-efibootguard.wks.in +++ b/wic/hihope-rzg2m-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions 
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index ef40d70..0f4d637 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in @@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in index 01f395d..00d627d 100644 --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in 
@@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in index 942c3e1..6f03420 100644 --- a/wic/qemu-arm64-efibootguard.wks.in +++ b/wic/qemu-arm64-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 
diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in index 6934977..1704ded 100644 --- a/wic/qemu-riscv64-efibootguard.wks.in +++ b/wic/qemu-riscv64-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb # home and var are extra partitions part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index 6382ff7..4c0484f 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in 
@@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema # home and var are extra partitions From patchwork Mon May 6 14:17:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655540 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C4C3C25B7B for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.21518.1715005117987240303 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=AdFOjqHl; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-202405061418355aca18504bb03e9292-iteddp@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202405061418355aca18504bb03e9292 for ; Mon, 06 May 2024 16:18:35 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
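Review bot: in the wic/x86-efibootguard.wks.in hunk of 01/11 both added `part` lines end in `--part-name systema`; the second one, the `--source empty` partition carrying `${ABROOTFS_PART_UUID_B}`, should read `--part-name systemb` as it does in the six other .wks.in files of this patch. The commit message says the label is meant for encryption and boot selection, so two partitions with the same name on x86 would make that selection ambiguous. Suggested line: `+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb`.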
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=3ZQDRvSZd7HchHLcccGLaaWbNMZOKMNJPS76k/d+4tI=; b=AdFOjqHlJxMGwbhvGLMktYycW1L7HLzJFHenT34Hb5SY4ip5fQmgoY4h6OHZZ9UsaJlMne fyqKdu/yx4Ytcl/YFuXJYqpxTl1Iei/NcM2B7T+OEyEh3uRrckenRKJqoQx9CKd0rGPlYzIv 5ddBvS2StyZBR5V9Ph+qogCR1OKrs=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 02/11] initramfs: allow empty mountpoint for crypt hooks Date: Mon, 6 May 2024 16:17:23 +0200 Message-ID: <20240506141833.3622989-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15830 From: Quirin Gylstorff This allows encrypting partitions that have a separate mount script, like verity and abrootfs. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script index 3411e70..b72323f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -51,7 +51,9 @@ for partition_set in $partition_sets; do part_device=$(readlink -f "$partition") crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" - + if [ -z "$partition_mountpoint" ]; then + continue + fi if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" From patchwork Mon May 6 14:17:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655531 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5B5BC3DA40 for ; Mon, 6 May 2024 14:18:44 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.21516.1715005117706973248 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=NsxN/GkT; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-2024050614183576e48ee383d512bfb1-rvyfek@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2024050614183576e48ee383d512bfb1 for ; Mon, 06 May 2024 16:18:35 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=UnRcyYY5K11QyDU06ng9fO8NOh+1zJBFth1koXkuLMA=; b=NsxN/GkTJSquobNlOHkLILlChm5MjC1D4ntLF8uK/L8/m6Kla53k8uauYQdzsSJNcDZENP mIRpCGcVs7dIigsvXjsFrvMwuMMqenSQslA+0v3wf0XaR4GfHvxHU1a9BRnQwioYQG7wF/sm n5U+CG5jB1AQ2+meqxwo+8bqI+dd8=; 
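Review bot: the new `if [ -z "$partition_mountpoint" ]; then continue; fi` in the mount_crypt_partitions.script hunk drops the partition silently, which makes a boot that later ends without a mounted filesystem hard to diagnose from the initrd log; print a line before the `continue` (for example `echo "skip mount of $partition_label: mounted by its own initramfs script"`) and add a comment saying that an empty mount point marks the verity/abrootfs partitions named in the commit message, which this script deliberately leaves to their own mount scripts. The test could also sit above the `readlink -f` and `crypt_mount_name=` lines, so nothing is derived for a partition that is then skipped.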
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 03/11] initramfs-crypt: Only resize partition if ext* formatted Date: Mon, 6 May 2024 16:17:24 +0200 Message-ID: <20240506141833.3622989-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:44 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15829 From: Quirin Gylstorff A squashfs or empty partition cannot be resized with resize2fs. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.script | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 8f6cbf6..2e6abf9 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -64,14 +64,26 @@ service_watchdog() { reencrypt_existing_partition() { part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header + partition_fstype=$(get_fstype "${1}") reduce_device_size=32768 reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi + case $partition_fstype in + ext*) + # reduce the filesystem and partition by 32M to fit the LUKS header + e2fsck -f "$1" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi + ;; + squashfs|"") + echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'" + ;; + *) + panic "cannot resize parition. 
unsupport fstype: $partition_fstype" + ;; + esac if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else From patchwork Mon May 6 14:17:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655536 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 473FAC25B78 for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.21515.1715005117673833519 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=l5Vt2o1i; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20240506141835f0229696b19efc2603-nskgao@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20240506141835f0229696b19efc2603 for ; Mon, 06 May 2024 16:18:35 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=IPPDMivXsGMLuh/iWR8m2aU1+wo2X5/VuI470sb9hBo=; b=l5Vt2o1iukitI4LOGbKoelwDeNTdZ9tLzIANOWnvfsvoev/6jpckSfKu2NBgQwjvU7X9+3 LQTXB+hbFFJlTKyFQyCa+zvyJrCl2namojlg3xhD8KtMVBmrAYHfnNsI4iCZ2SE8selgKO0H u/JEJ5hfwfeFnQFCvrq5s+bQRUvvM=; 
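Review bot: the `squashfs|"")` branch of the new `case` in reencrypt_existing_partition() skips the resize but the following `cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k` still shortens the usable area by 32M, so a squashfs image that is less than 32M smaller than its partition would lose its tail without any error; compare the image size with `reduced_size_in_byte` before that branch falls through and `panic` if it does not fit, and consider treating `""` separately from `squashfs`, since an empty fstype is also what a failed detection returns and the "unnecessary" message would hide that. Smaller points in the same hunk: the comment `# reduce the filesystem and partition by 32M to fit the LUKS header` now appears twice (once before `partition_fstype=` and again inside `ext*)`), `e2fsck -f "$1"` still ignores its exit status (a status of 4 or higher means errors were left uncorrected and should stop the reencryption rather than let `resize2fs` run), and the `*)` message has two typos, "parition" and "unsupport" ("cannot resize partition. unsupported fstype: ...").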
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 04/11] fix: use luks2 to identify encrypted partition Date: Mon, 6 May 2024 16:17:25 +0200 Message-ID: <20240506141833.3622989-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15833 From: Quirin Gylstorff This fixes an issue with encrypted rootfs during system reboot. With the token option it can happen that during reboot no valid LUKS partition is found and the boot-up fails in the initrd. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 2e6abf9..7cb7f34 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -134,7 +134,7 @@ for partition_set in $partition_sets; do fi if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "token"; then + | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" continue fi From patchwork Mon May 6 14:17:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655534 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F2C6C25B75 for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web11.21517.1715005117711168043 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=XUZufFpb; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-2024050614183553118465a0176ab0d4-apf_az@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 2024050614183553118465a0176ab0d4 for ; Mon, 06 May 2024 16:18:35 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=wPdEsy+RHXV4s6BGhtUdmK9gYW1y2CD4292j3IfUK5o=; b=XUZufFpba6B0k0qehAZPgzwWA3sUAbOTMG/8zdauYtiyIgmGNWMqAxofX1esxGOtT4a6zV KfJ9OcRd/oXsycbT682VCX8ukuq+WGatbqxYsUBqCxXH+/EY1cIqGvAu4VsQfCY85hGHHpLp SNZctHnPVfnMoXecFUr7En1h/6JbY=; 
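Review bot: `| grep -q "luks2"` on `cryptsetup luksDump` output is a text match on a human-readable dump (it fires on the `luks2` keyslot type lines, but would equally fire on a label containing that string); `cryptsetup isLuks --type luks2 "$partition"` asks the same question through the exit status and is the documented interface, and the identical grep in mount_crypt_partitions.script (02/11) should then change the same way so both scripts agree on what counts as encrypted. The commit message should also record what luksDump showed when the `token` match failed at reboot, because after this change a LUKS2 partition without a usable token is no longer filtered here and will fail inside `open_tpm2_partition` instead.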
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 05/11] Rename encrypt-partitions to encrypt-data Date: Mon, 6 May 2024 16:17:26 +0200 Message-ID: <20240506141833.3622989-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15835 From: Quirin Gylstorff This makes the purpose of this option more clear. Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 2 +- Kconfig | 2 +- doc/README.tpm2.encryption.md | 2 +- kas/opt/{encrypt-partitions.yml => encrypt-data.yml} | 0 kas/opt/security.yml | 2 +- 5 files changed, 4 insertions(+), 4 deletions(-) rename kas/opt/{encrypt-partitions.yml => encrypt-data.yml} (100%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bd34c82..aab55be 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -64,7 +64,7 @@ default: - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi - if [ "${release}" = "bookworm" ]; then base_yaml="${base_yaml}:kas/opt/bookworm.yml"; fi - if [ "${release}" = "sid" ]; then base_yaml="${base_yaml}:kas/opt/sid.yml"; fi - - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi + - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-data.yml"; fi - if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} 
diff --git a/Kconfig b/Kconfig index 7c19640..9478a06 100644 --- a/Kconfig +++ b/Kconfig @@ -211,6 +211,6 @@ config IMAGE_DATA_ENCRYPTION config KAS_INCLUDE_DATA_ENCRYPTION string - default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION + default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION endif diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 69a18dd..c5ac6c4 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -27,7 +27,7 @@ An example for qemu-amd64 can be build with by selecting the option after callin or by adding using the following command line build: ``` -./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-partitions.yml +./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-data.yml ``` ## initramfs-crypt-hook configuration diff --git a/kas/opt/encrypt-partitions.yml b/kas/opt/encrypt-data.yml similarity index 100% rename from kas/opt/encrypt-partitions.yml rename to kas/opt/encrypt-data.yml diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 000c522..4aa40e0 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml 
@@ -11,7 +11,7 @@ header: version: 14 includes: - - kas/opt/encrypt-partitions.yml + - kas/opt/encrypt-data.yml - kas/opt/ebg-secure-boot-snakeoil.yml target: cip-core-image-security From patchwork Mon May 6 14:17:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655539 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C3E3C25B79 for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.21763.1715005117832761127 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=nf6ioPZI; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-202405061418366366fae671effd22ed-pb8w0l@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202405061418366366fae671effd22ed for ; Mon, 06 May 2024 16:18:36 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=ZvAzp5y8U9Ed9hS3bWdMCTksPqG7pH/6Huv2kTDEWMg=; b=nf6ioPZIOfJEYPXIkOVZG4nSFYkHo9qFB6QyJ35SjUHgBcwnPVCPYqNjVVFHkxmJWKDSwk /Dwmqoq5MX6uTTxoBgqRw50W8DDfd2ARzLaWzbX4ebSt4fRCndgSoPAJ3ESibxZUzI3bAi4z SD+2MxRz9FcrF/caC/iab/LtBxjhM=; 
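Review bot: 05/11 renames kas/opt/encrypt-partitions.yml to kas/opt/encrypt-data.yml without leaving a compatibility include, so any downstream kas command line or include list still naming `kas/opt/encrypt-partitions.yml` (the form shown in the README hunk's old `./kas-container build ...:kas/opt/encrypt-partitions.yml` line) breaks at the next update; either keep a one-line encrypt-partitions.yml that includes encrypt-data.yml for one release or state the breaking rename explicitly in the commit message.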
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 06/11] Kconfig: Add option to encrypt the rootfs Date: Mon, 6 May 2024 16:17:27 +0200 Message-ID: <20240506141833.3622989-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15831 From: Quirin Gylstorff This allows setting up a system with all non-boot partitions encrypted. Signed-off-by: Quirin Gylstorff --- Kconfig | 14 +++++++++++++- kas/opt/encrypt-all.yml | 23 +++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 kas/opt/encrypt-all.yml diff --git a/Kconfig b/Kconfig index 9478a06..dd41a2d 100644 --- a/Kconfig +++ b/Kconfig
@@ -205,12 +205,24 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions on first boot" depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM - select IMAGE_SECURE_BOOT help This enables LUKS encryption for the partitions /var and /home. +config IMAGE_FULL_ENCRYPTION + bool "Encrypt rootfs and data partitions" + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + select IMAGE_DATA_ENCRYPTION + help + This enables LUKS encryption for all non-boot partitions on first boot. + If the partitions contain secrets the first boot must occur in a secure + location. + config KAS_INCLUDE_DATA_ENCRYPTION string default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION +config KAS_INCLUDE_FULL_ENCRYPTION + string + default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION + endif diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml new file mode 100644 index 0000000..b6d4041 --- /dev/null +++ b/kas/opt/encrypt-all.yml 
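Review bot: the Kconfig hunk drops `-	select IMAGE_SECURE_BOOT` from IMAGE_DATA_ENCRYPTION, a behaviour change the subject ("Add option to encrypt the rootfs") and message do not mention; the LUKS key sealed to the TPM is only as trustworthy as the measured boot chain that unseals it, so decoupling data encryption from secure boot should be a separate commit with its rationale, or the select should stay. The new IMAGE_FULL_ENCRYPTION symbol inherits the QEMU-only `depends on` line although 01/11 adds the part labels to the bbb, hihope and x86 layouts too; if that restriction is deliberate, a word in the help text would save the next reader the question. The help text itself (`If the partitions contain secrets the first boot must occur in a secure location.`) is a useful addition.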
@@ -0,0 +1,23 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + includes: + - kas/opt/encrypt-data.yml +local_conf_header: + encrypted_root: | + # Do not set mount points for systema and systemb as they are mounted by the + # abrootfs/verity initramfs + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need + # to set all partitions + CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \ + home:/home:reencrypt var:/var:reencrypt" From patchwork Mon May 6 14:17:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655538 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5455AC25B77 for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.21764.1715005118034398596 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=HFgf7q15; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20240506141836ea1e8e62879232d0e1-rvycei@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20240506141836ea1e8e62879232d0e1 for ; Mon, 06 May 2024 16:18:36 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; 
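Review bot: in the new kas/opt/encrypt-all.yml the `CRYPT_PARTITIONS` entries `${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt` rely on the empty mount-point handling from 02/11 and on UUID selection from 07/11, so this file must not be merged ahead of those two; say so in the message or reorder the series. The comment block has a typo (`intramfs-crypt-hook` should be `initramfs-crypt-hook`) and the sentence "As we use a weak default assignment ... we need to set all partitions" would be clearer as "CRYPT_PARTITIONS is set with a weak default in the initramfs-crypt-hook recipe, so this assignment replaces the whole list and must repeat home and var".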
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 07/11] crypt-hook: Extend partition selection Date: Mon, 6 May 2024 16:17:28 +0200 Message-ID: <20240506141833.3622989-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15832 From: Quirin Gylstorff This adds the possibility to select the partition to be encrypted by UUID or absolute path. If used with a UUID, the UUID is used as the name of the device mapper. With this change the swupdate-handler-roundrobin selects the /dev/mapper/ device for the update instead of the underlying partition. This allows updating an encrypted partition without triggering a reencryption. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.hook | 2 ++ .../files/encrypt_partition.script | 27 ++++++++++++++----- .../files/encrypt_partition.systemd.hook | 2 ++ .../files/mount_crypt_partitions.script | 20 +++++++++++--- .../initramfs-crypt-hook_0.2.bb | 3 ++- 5 files changed, 43 insertions(+), 11 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 0bb8ce6..0644eab 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -72,6 +72,8 @@ copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " +copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse" + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 7cb7f34..857b73f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script 
@@ -121,19 +121,34 @@ fi prepare_for_encryption for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - crypt_mount_name="encrypted_$partition_label" + case "$partition" in + /*) + part_device=$(readlink -f "$partition") + crypt_mount_name="$( basename "$partition")" + ;; + *) + if uuidparse "$partition" -n -o TYPE | grep -q invalid; then + part_device=$(readlink -f /dev/disk/by-partlabel/"$partition") + crypt_mount_name="encrypted_${partition}" + else + part_device=$(readlink -f /dev/disk/by-partuuid/"$partition") + crypt_mount_name="${partition}" + fi + ;; + esac + if [ ! -e "$part_device" ]; then + panic "Could not find device mapped to '$partition' cannot be encrypted!" + fi decrypted_part=/dev/mapper/"$crypt_mount_name" - part_device=$(readlink -f "$partition") # check if we are trying to mount root if [ "$partition_mountpoint" = "/" ]; then echo "ROOT=$decrypted_part" >/conf/param.conf fi - if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" continue @@ -147,7 +162,7 @@ for partition_set in $partition_sets; do # create random password for initial encryption # this will be dropped after reboot - tmp_key=/tmp/"$partition_label-lukskey" + tmp_key=/tmp/"$(basename "$part_device")-lukskey" openssl rand -base64 32 > "$tmp_key" case "${partition_format}" in 
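Review bot: the case block changes the meaning of `$partition` from a device path to the raw identifier taken from `CRYPT_PARTITIONS`, but only the `luksDump` call in this hunk is switched to `$part_device`; every other cryptsetup invocation in this script that still reads `"$partition"` will now receive a bare label or UUID instead of a path and must be switched as well. Two smaller points: a partition label that happens to parse as a valid UUID is silently treated as a PARTUUID, since `uuidparse "$partition" -n -o TYPE | grep -q invalid` is the only discriminator, which is acceptable if the README documents that rule; and the panic text is hard to read, suggest `panic "Could not find device for '$partition', cannot encrypt it!"`. Also drop the stray space in `$( basename "$partition")`.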
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index 941f0b1..19e0fe4 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -51,6 +51,8 @@ copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenro copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" +copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" +copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse" copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" if [ -x /usr/sbin/cryptsetup-reencrypt ]; then diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script index b72323f..f35685e 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script 
@@ -45,11 +45,23 @@ mount_partition() { } partition_sets="$PARTITIONS" for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - part_device=$(readlink -f "$partition") - crypt_mount_name="encrypted_$partition_label" + case "$partition" in + /*) + part_device=$(readlink -f "$partition") + crypt_mount_name="$( basename "$partition")" + ;; + *) + if uuidparse "$partition" -n -o TYPE | grep -q invalid; then + part_device=$(readlink -f /dev/disk/by-partlabel/"$partition") + crypt_mount_name="encrypted_${partition}" + else + part_device=$(readlink -f /dev/disk/by-partuuid/"$partition") + crypt_mount_name="${partition}" + fi + ;; + esac decrypted_part=/dev/mapper/"$crypt_mount_name" if [ -z "$partition_mountpoint" ]; then continue diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb index 1d5a4a7..72de5b6 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb 
@@ -11,7 +11,8 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ - libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools" + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ + e2fsprogs, tpm2-tools, coreutils, uuid-runtime" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" From patchwork Mon May 6 14:17:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655532 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B34DC25B74 for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.21765.1715005118483388271 for ; Mon, 06 May 2024 07:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=ey9UEBo1; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-2024050614183603f1fbb7247ca7f19d-3jn4zz@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 2024050614183603f1fbb7247ca7f19d for ; Mon, 06 May 2024 16:18:36 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=HaR5ayjJIxMZ2Zc2sfcoprY862lCjNHWWpjG2Z8w+5k=; b=ey9UEBo1E18sn9XNf7jDnGZdM/H21pI1BgiiwLwVnrRufwLQzOffM30lIltCO4oMPu4+Nk zpEL9Ae5FAh0IBG28If2CR+EntNnvjW5zCVWHOpn4mdPPnqxdD3DSXWp9YK9UPTZWwZvZsUG M7K0iq5DFje/0sp4H0AHvKh3EXI1I=; 
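Review bot: the clevis hook copies only `uuidparse`, whereas the systemd hook in the same patch also copies `/usr/bin/basename`; both `encrypt_partition.script` (`crypt_mount_name="$( basename "$partition")"`, `tmp_key=/tmp/"$(basename "$part_device")-lukskey"`) and `mount_crypt_partitions.script` now call `basename`, so the clevis initramfs needs the same `copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"` line unless a busybox applet is guaranteed to be present in that initramfs.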
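Review bot: the identifier-resolution case block in `mount_crypt_partitions.script` is a verbatim copy of the one in `encrypt_partition.script`; move it into a shared function (the two scripts already duplicate the awk field splitting) so that a later change to the label/UUID/path rules cannot drift between encryption and mounting. Unlike the encrypt script, this copy has no `[ ! -e "$part_device" ]` check, so an identifier that does not resolve only surfaces later as a failed mount of `/dev/mapper/<name>`; mirror the check and emit a clear message naming the unresolved entry.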
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 08/11] README: Add rootfs encryption Date: Mon, 6 May 2024 16:17:29 +0200 Message-ID: <20240506141833.3622989-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15837 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index c5ac6c4..7dc97c0 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -4,6 +4,10 @@ By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the passphrase on the device. +> :exclamation:**IMPORTANT** +> All selected partitions are encrypted on first boot. In order to avoid the leakage of secrets +> the disk encryption must occur in a secure environment. + ## Requirements Testing with qemu-amd64 requires the package `swtpm`. Under Debian/Ubuntu this can be installed 
@@ -38,12 +42,22 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. -- The `partition-label` is used to identify the partition on the disk +Each entry uses the schema `::`. +- The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +#### Encrypted root file system + +To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to: +``` +CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt" +``` +The mountpoint is empty as the root partition is mounted by a seperate initramfs hook. +Both partitions are encrypted during first boot. The initramfs hook opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}` +during boot. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly 
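Review bot: `partition-idenitifer` is misspelled (`partition-identifier`), and `/dev/sda` is a whole-disk node rather than a partition device; use something like `/dev/sda3` as the example so nobody points `CRYPT_PARTITIONS` at the disk that also holds the boot partitions. In the new "Encrypted root file system" subsection, `seperate` should be `separate`, and a sentence pointing back to the IMPORTANT box above would make clear that the first-boot reencryption of both A/B root partitions must also happen in a secure environment.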
@@ -59,7 +73,7 @@ based encryption: - jq ## steps to convert clevis to systemd -The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption: +The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption: ```bash export device=/dev/sda6 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1) From patchwork Mon May 6 14:17:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655530 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D307AC10F16 for ; Mon, 6 May 2024 14:18:44 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.21769.1715005119304099102 for ; Mon, 06 May 2024 07:18:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=AwC/UgaG; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20240506141836e40efdc7622a20c43d-3hkmjc@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20240506141836e40efdc7622a20c43d for ; Mon, 06 May 2024 16:18:36 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=Mv6BrqES+TFIt6Y3qs76aegn7DxdkxAZNwB3G2DQFDg=; b=AwC/UgaG2ZnS4AtMxo8RKMnC1PK8tkJdaC2Ehp+Fr7w6eiMqRWRyPcwDQSoGliFjysSrau 
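Review bot: the corrected line still reads `with a existing clevis based encryption`; since the typo is being touched anyway, make it `with an existing clevis-based encryption`.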
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 09/11] README.swupdate: Add section about partition selection Date: Mon, 6 May 2024 16:17:30 +0200 Message-ID: <20240506141833.3622989-10-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:44 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15840 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.swupdate.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md index b7e13f7..0c4473b 100644 --- a/doc/README.swupdate.md +++ b/doc/README.swupdate.md
@@ -7,6 +7,22 @@ Start with cloning the isar-cip-core repository: ``` host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git ``` + +## Update Partition selector(swupdate-handler-roundrobin) + +SWUpdate uses the handler [swupdate-handler-roundrobin](https://gitlab.com/cip-project/cip-sw-updates/swupdate-handler-roundrobin) to select the partition to update. +The handler uses the information from sw-description file to select the boot partition. +In the cip-core provided images the boot partitions are labeled `BOOT0` +and `BOOT1`, see [ebg-sysparts.inc](../wic/ebg-sysparts.inc). + +The [sw-description](recipes-core/images/swu/sw-description.tmpl) contains the mapping from boot +partition to root file system partition, e.g.: +``` +device = "C:BOOT0:linux.efi->${ABROOTFS_PART_UUID_A},C:BOOT1:linux.efi->${ABROOTFS_PART_UUID_B}"; +``` +The variables `ABROOTFS_PART_UUID_A` and `ABROOTFS_PART_UUID_B` contain partition uuids. The handler searches +for the matching device and SWUpdate writes the image to the selected device. 
+ ## SWUpdate Efibootguard update :warning: **If the efibootguard binary is corrupted the system can no longer boot** From patchwork Mon May 6 14:17:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655533 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0AEA3C25B5F for ; Mon, 6 May 2024 14:18:45 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.21519.1715005118938730790 for ; Mon, 06 May 2024 07:18:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=oox6vEZT; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-20240506141836b348947f6bb149e8db-xpeojc@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20240506141836b348947f6bb149e8db for ; Mon, 06 May 2024 16:18:37 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=CsDk/I44tpNEBC69t9t6muDeP5tGvNsrQcP7JzgVh+8=; b=oox6vEZT/TcSEpavRezvvCQ1A4xzf+m8gMgh2+5xU0FaUryEZrMGzSI0C4Of2y+QgH72PN cnuSSFvaiC0nmL/GllMwxwx4fuzMk4fluyhb90dRTHkMLwMq6AvrRk1OfW1vm1uOVY+IiqIO /Q0uMIjlrYQLf7Tvn/t2JJbS6EJZY=; 
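Review bot: the link `[sw-description](recipes-core/images/swu/sw-description.tmpl)` is relative to `doc/`, so it should be `../recipes-core/images/swu/sw-description.tmpl`, matching the `../wic/ebg-sysparts.inc` link two lines above. Also add the missing space in the heading (`## Update Partition selector (swupdate-handler-roundrobin)`) and write `partition UUIDs` rather than `uuids`; a sentence noting that with encryption enabled the handler picks the `/dev/mapper/` device for that UUID instead of the underlying partition (the behaviour patch 07/11 of this series introduces) would tie this section to the encryption README.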
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 10/11] fix: Remove spurious '-' Date: Mon, 6 May 2024 16:17:31 +0200 Message-ID: <20240506141833.3622989-11-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:45 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15838 From: Quirin Gylstorff This remove the `-` introduced with cfef8103(initramfs-crypt-hook: Consolidate clevis and systemd scripts) to fix the following error: ``` /scripts/local-top/encrypt_partition: 55: /scripts/local-top/encrypt_partition: -: not found ``` Also set the missing parameter $part_device. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +- .../initramfs-crypt-hook/files/encrypt_partition.systemd.script | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 857b73f..d9a85e5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -183,7 +183,7 @@ for partition_set in $partition_sets; do ;; esac - finalize_tpm2_encryption + finalize_tpm2_encryption "$part_device" done if [ -n "$watchdog_pid" ]; then 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 611f9cf..1b7c83b 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -52,6 +52,6 @@ prepare_for_encryption() { finalize_tpm2_encryption() { partition_device="$1" -- /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device" + /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device" } From patchwork Mon May 6 14:17:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13655529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4051C25B4F for ; Mon, 6 May 2024 14:18:44 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.21767.1715005119064229741 for ; Mon, 06 May 2024 07:18:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=MUHHjhXo; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-20240506141837bfb813215830beb692-i5rah3@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20240506141837bfb813215830beb692 for ; Mon, 06 May 2024 16:18:37 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=pdU+I4P0CBYAPeYH3Hwr7y0zwB3m1lNg7jkmtNe6rmw=; b=MUHHjhXorMJjofDueZlWuKYNJq4pWLsjzOmccR9yv89AV46Nq2JJPTPgObO7jQZWMGPw22 mWZ/jqB3gTCWlhgVIiZfR6O9C7b6RsbykAoxUKxzzQ1z+u1TSEF5NyoOyfH3YXHb2RhmUUoZ 5VdEtMolXzZzlFwXB/c+GDyBjTfsA=; 
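Review bot: with the spurious `-` removed, `/usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"` still runs without error handling; if wiping slot 0 fails, the temporary key generated into `/tmp` stays enrolled in the LUKS header and the script reports success. Append `|| panic "Unable to wipe temporary key slot on $partition_device"` (`panic` is what `encrypt_partition.script` already uses for fatal errors) so the failure aborts the first boot instead of passing silently.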
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 11/11] initramfs-crypt-hook: cleanup logging Date: Mon, 6 May 2024 16:17:32 +0200 Message-ID: <20240506141833.3622989-12-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> References: <20240506141833.3622989-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 May 2024 14:18:44 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15839 From: Quirin Gylstorff Reduce the clutter during boot. Print messages only if debug is set in the commandline. Use the provided logging functionality. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 8 ++++++-- .../files/mount_crypt_partitions.script | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index d9a85e5..d48db94 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -78,7 +78,7 @@ reencrypt_existing_partition() { fi ;; squashfs|"") - echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'" + [ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'" ;; *) panic "cannot resize parition. unsupport fstype: $partition_fstype" 
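Review bot: the `[ "$debug" = "y" ] && echo ...` guard is repeated here and in `mount_crypt_partitions.script`; since the commit message says to use the provided logging functionality, a small shared helper (something like `log_debug_msg() { [ "$debug" = "y" ] && echo "$@"; }`, a suggested name, not an existing function) would keep the two scripts consistent and make the remaining bare `echo` calls easy to find. The context lines next to this change also carry `parition` and `unsupport fstype` in the panic text; worth fixing while touching the block.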
@@ -112,7 +112,7 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then - echo "No tpm_device exists abort optional encryption" + log_warning_msg "No tpm_device exists abort optional encryption" exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -167,16 +167,20 @@ for partition_set in $partition_sets; do case "${partition_format}" in "reencrypt") + log_begin_msg "Encryption of ${part_device}" reencrypt_existing_partition "$part_device" "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + log_end_msg ;; "format") + log_begin_msg "Encryption of ${part_device}" /usr/sbin/cryptsetup luksFormat --batch-mode \ --type luks2 "$partition" < "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" eval "${create_file_system_cmd} ${decrypted_part}" + log_end_msg ;; *) panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script index f35685e..f47219b 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script 
@@ -35,7 +35,7 @@ esac mount_partition() { partition_dev_path=$1 partition_mountpoint=$2 - echo "mount device: '$partition_dev_path' to '$partition_mountpoint'" + [ "$debug" = "y" ] && echo "mount device: '$partition_dev_path' to '$partition_mountpoint'" if ! mountpoint -q "${partition_mountpoint}"; then if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ "${partition_mountpoint}"; then
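Review bot: in the `format` branch the context line `--type luks2 "$partition" < "$tmp_key"` still passes `"$partition"`, which since patch 07/11 of this series holds the bare label or UUID from `CRYPT_PARTITIONS` rather than a device path, so `cryptsetup luksFormat` will fail for any `format` entry not given as an absolute path; change it to `"$part_device"` like the neighbouring `enroll_tpm2_token` and `open_tpm2_partition` calls. Also, `log_end_msg` is called with no exit status in both branches, so a failed step would still print the end marker; pass the status of the preceding command or confirm every step in the branch aborts via `panic` on error.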