From patchwork Thu Mar 20 07:43:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14023490 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D66AC36002 for ; Thu, 20 Mar 2025 07:43:26 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2369.1742456600861965255 for ; Thu, 20 Mar 2025 00:43:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@denx.de header.s=mx-20241105 header.b=TbIn6Qf9; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id F17DE101E90E2; Thu, 20 Mar 2025 08:43:18 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1742456599; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=MSeL0XQp5SDliXMCLkr6D0ZYViPoiJgR5HA5ZuJHgRA=; b=TbIn6Qf9FEB+WQE6d72BqdXZyv9yruVedN3/RXaOuLqy2lunrcEPimYiccC/5cfSLCawRI mCdIfXj8qmSQxOF/Gp50PI6shnIR7ddcAAEoKrkaFfyLlY/tMcJ+z0wmTsFvE8FGuBl/Uc a9+E2pw97AqIhkq7Bl06+NfNCOsk9FbPNAahkxwpvw4TyunK6/1c6bktFyQUNt8XrRApp+ r/pU/xlCgXyvzM284fUR56Ig9L59oL2IOO5KcCSHbSEHCFlNmqMJVRjKKfJkjbNKVJs2b/ PR5AhNyk1cdnWObUvgmRIy/NFSLvXyn0E0Intf8JgyTDryTXencsE3qxn49CwQ== From: Claudius Heine Date: Thu, 20 Mar 2025 08:43:05 +0100 Subject: [PATCH v6 1/4] initramfs-crypt-hook: store initial encryption key in TPM2 MIME-Version: 1.0 Message-Id: <20250320-initramfs-crypt-hook-patches-2-v6-1-ef10c11cad94@denx.de> References: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> In-Reply-To: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> To: cip-dev@lists.cip-project.org Cc: Jan Kiszka , Quirin Gylstorff , Alexander , Claudius Heine X-Mailer: b4 0.14.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 20 Mar 2025 07:43:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18284 cryptsetup and systemd-cryptenroll do not currently support encrypting partitions directly with keys stored in the TPM. For that reason a temporary random password is used for the initial encryption, which will get removed once the TPM2 token is added to the partition. However this process does not allow continuing with the encryption process in case of power failure. For that reason store the initial encryption password in the TPM, protected via measured boot based on the TPM2-PCR:7 register, which is the default for `systemd-cryptenroll` and load it if it exists. Signed-off-by: Claudius Heine --- .../initramfs-crypt-hook/files/local-top-complete | 56 ++++++++++++++++++++-- .../initramfs-crypt-hook_0.7.bb | 12 ++--- 2 files changed, 59 insertions(+), 9 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index ae0dcef4cb62a135beb6d4229237144b6d4edf8b..e511e8ef2d0bd4f4c8fd2fca248312dee173d224 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -216,6 +216,54 @@ if [ ! -e "$tpm_device" ]; then panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi +export TPM2TOOLS_TCTI="device:${tpm_device}" +TPM2_HANDLE="0x81080001" +tpm2_key_get() { + key_file="$1" + TPM2_WORKDIR="/tmp/tpm2" + + if ! tpm2_getcap handles-persistent | grep -q "$TPM2_HANDLE"; then + mkdir -p "${TPM2_WORKDIR}" + # Open session: + tpm2_startauthsession -S "${TPM2_WORKDIR}/session.ctx" + tpm2_policypcr -Q -S "${TPM2_WORKDIR}/session.ctx" \ + -l "${HASH_TYPE}:7" \ + -L "${TPM2_WORKDIR}/pcr7.${HASH_TYPE}.policy" + tpm2_flushcontext "${TPM2_WORKDIR}/session.ctx" + + # Add new key to tpm: + tpm2_createprimary -Q -C o -c "${TPM2_WORKDIR}/prim.ctx" + echo "$(tr -dc 'A-Za-z0-9_' "$key_file" + tpm2_flushcontext "${TPM2_WORKDIR}/session.ctx" + rm -rf "${TPM2_WORKDIR}" +} + +tpm2_key_del() { + tpm2_evictcontrol -C o -c "$TPM2_HANDLE" +} + prepare_for_encryption for partition_set in $partition_sets; do @@ -259,16 +307,17 @@ for partition_set in $partition_sets; do watchdog_pid=$! fi - # create random password for initial encryption - # this will be dropped after reboot + # create random password, store it in the tpm2 encrypted and protected with + # PCR:7 registers to allow continuing reencryption in case of power-failure. tmp_key=/tmp/"$(basename "$part_device")-lukskey" - openssl rand -base64 32 > "$tmp_key" + tpm2_key_get "${tmp_key}" case "${partition_format}" in "reencrypt") log_begin_msg "Encryption of ${part_device}" reencrypt_existing_partition "$part_device" "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + tpm2_key_del open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" log_end_msg ;; @@ -277,6 +326,7 @@ for partition_set in $partition_sets; do /usr/sbin/cryptsetup luksFormat --batch-mode \ --type luks2 "$part_device" < "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + tpm2_key_del open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" eval "${create_file_system_cmd} ${decrypted_part}" log_end_msg diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb index 80a4755e4e0acfc96bb2d0f8e175e2787473e384..cde6582fe07981c78d646fe592e0c53ef46a2fb4 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb @@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc DEBIAN_DEPENDS .= ", \ cryptsetup, \ awk, \ - openssl, \ e2fsprogs, \ tpm2-tools, \ coreutils, \ @@ -40,19 +39,20 @@ HOOK_ADD_MODULES = " \ ecb aes_generic xts" HOOK_COPY_EXECS = " \ - openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ - e2fsck resize2fs cryptsetup \ - tpm2_pcrread tpm2_testparms tpm2_flushcontext \ + mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ + e2fsck resize2fs cryptsetup head tr rm \ + tpm2_pcrread tpm2_testparms tpm2_flushcontext tpm2_startauthsession \ + tpm2_policypcr tpm2_createprimary tpm2_create tpm2_load tpm2_evictcontrol \ + tpm2_unseal tpm2_getcap \ /usr/lib/*/libgcc_s.so.1" HOOK_COPY_EXECS:append:clevis = " \ clevis clevis-decrypt clevis-encrypt-tpm2 clevis-decrypt-tpm2 \ clevis-luks-bind clevis-luks-unlock \ clevis-luks-list clevis-luks-common-functions \ - tpm2_createprimary tpm2_unseal tpm2_create tpm2_load tpm2_createpolicy \ bash luksmeta jose sed tail sort rm mktemp pwmake file" HOOK_COPY_EXECS:append:systemd = " \ - systemd-cryptenroll tpm2_pcrread tpm2_testparms \ + systemd-cryptenroll \ /usr/lib/systemd/systemd-cryptsetup \ /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so" From patchwork Thu Mar 20 07:43:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14023486 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 793D6C28B30 for ; Thu, 20 Mar 2025 07:43:26 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web10.2316.1742456602036458730 for ; Thu, 20 Mar 2025 00:43:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@denx.de header.s=mx-20241105 header.b=fhUsBJpc; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 3A894101E90E4; Thu, 20 Mar 2025 08:43:20 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1742456600; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=y114rpuR6znSx5RFZ5iCFDNfn5RWhAKP+ri87JSaczg=; b=fhUsBJpcpNjrbDS3tI8kBT2YKENq5uh/779XBGaoq9scrv6awY1P3PniYpZelHMkoda5kP iJ+gNy13kGGo/HPUF7LxLijn0D+sD+7c5ecFJt1yVAXrQ8iwm49K4WgLBVxDF0r4/w0Xbe Yj4YTySfRonU/qpMKHmgAa6C75bMBfcMT4axhpBi7hWFpWxP3305qoLbHdvqh18M7wHn9b VnXWadU8TXUNFGpH3ff9yuY+ymZlQw0pP/BXKYJMW3lus6bUXubHaFVfL4G+8ZgwozNwJ6 MeWsRn8FDT8KQHkZHMWS/3iPm3T0MSViAF9oUWSIwnga8JlWQseTBC8E0Ua2IQ== From: Claudius Heine Date: Thu, 20 Mar 2025 08:43:06 +0100 Subject: [PATCH v6 2/4] initramfs-crypt-hook: add re-encryption recovery MIME-Version: 1.0 Message-Id: <20250320-initramfs-crypt-hook-patches-2-v6-2-ef10c11cad94@denx.de> References: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> In-Reply-To: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> To: cip-dev@lists.cip-project.org Cc: Jan Kiszka , Quirin Gylstorff , Alexander , Claudius Heine X-Mailer: b4 0.14.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 20 Mar 2025 07:43:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18285 Integrate detection and recovery of power failures while a partition is being encrypted. There are possible scenarios: 1. Power-fail happens while the partition is reencrypted: - The LUKS header contains `online-reencrypt-v2` and needs to be repaired with `cryptsetup repair` before it can continue. - Also no resizing of the file system is necessary 2. Power-fail happens before the systemd-tpm2/clevis token can be installed - The LUKS header does not contain 'systemd-tpm2'/'clevis', thus it needs to be registered and the temporary encryption key needs to be removed The list of these scenarios is not complete, there might be other instances where a sudden power-fail could be fatal to the system, but these where the most obvious and risky ones. Signed-off-by: Claudius Heine --- .../initramfs-crypt-hook/files/local-top-complete | 26 +++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index e511e8ef2d0bd4f4c8fd2fca248312dee173d224..6df4cccee9c99653fa9869ca2e46ead549d6fc2d 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -73,6 +73,9 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + + CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k" + case $partition_fstype in ext*) # reduce the filesystem and partition by 32M to fit the LUKS header @@ -91,14 +94,25 @@ reencrypt_existing_partition() { squashfs|swap|erofs|"") [ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'" ;; + luks) + # Check if reencrypt was aborted + if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \ + | grep -q "online-reencrypt-v2"; then + /usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \ + panic "cryptsetup repair was not successful" + fi + + # already luks partition, don't resize + CRYPTSETUP_PARAMS="" + ;; *) panic "cannot resize partition, unsupported fstype: '$partition_fstype'" ;; esac if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" + /usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} "$1" < "$2" else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" + /usr/sbin/cryptsetup reencrypt --encrypt ${CRYPTSETUP_PARAMS} "$1" < "$2" fi } @@ -296,11 +310,17 @@ for partition_set in $partition_sets; do fi if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ - | grep -q "luks2"; then + | grep -q "systemd-tpm2\|clevis"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" continue fi + # If partition contains an aborted reencrypt luks header, switch to reencrypt mode: + if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \ + | grep -q "online-reencrypt-v2"; then + partition_format="reencrypt" + fi + # service watchdog in the background during lengthy re-encryption if [ -z "$watchdog_pid" ]; then service_watchdog & From patchwork Thu Mar 20 07:43:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14023487 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7BB5CC36001 for ; Thu, 20 Mar 2025 07:43:26 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2370.1742456603249312751 for ; Thu, 20 Mar 2025 00:43:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@denx.de header.s=mx-20241105 header.b=ba9+Wb8e; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 601FC101E91CA; Thu, 20 Mar 2025 08:43:21 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1742456601; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=pS54Bl/DWjS1hhUTL+Gr8Rk9RJbScOGvZFL0TXK2ZS0=; b=ba9+Wb8eXf3k6+KhTqsF3oUouopa9n/CltuqIvXC4uK3xA+6h2uWPhu7k2Ci0ruP5d15N+ dqfdym/RReOfkboeD7rafLqxSMxhjivDxZrEEbVVp2CXawpIlcX41A6irsRDYbX1h7iZ3I yMY64nkexd3lFF5Lp6L6JOe/mEBQzQqIYpWjjjWg7+ruFVnoKQIM0GGvU/WV33vlXYU0el rn0ipnNNrOxjwHMc+ym9Xq9TYKv/0pVlSpicphtrVGi91T8149hJJ5S3K/Py8OPAOP9rMY fYlY2Pr37eIhUkg+xxPQxhoxWP7nPtT5HG56WLiFnCgLqDorSM8QGZBd+WqTnw== From: Claudius Heine Date: Thu, 20 Mar 2025 08:43:07 +0100 Subject: [PATCH v6 3/4] initramfs-crypt-hook: implement 'noencrypt' option MIME-Version: 1.0 Message-Id: <20250320-initramfs-crypt-hook-patches-2-v6-3-ef10c11cad94@denx.de> References: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> In-Reply-To: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> To: cip-dev@lists.cip-project.org Cc: Jan Kiszka , Quirin Gylstorff , Alexander , Claudius Heine X-Mailer: b4 0.14.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 20 Mar 2025 07:43:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18286 In case encryption needs to be enabled via an update, while still allowing the update fall back to work. One update step where encryption is supported, but no reencryption is taking place if the device is not encrypted. For this the `noencrypt` hook is implemented, which requires some restructure/reordering of the `local-top-complete` script. Signed-off-by: Claudius Heine --- doc/README.tpm2.encryption.md | 22 +++++++++++++++++++- .../initramfs-crypt-hook/files/local-top-complete | 24 +++++++++++++++++----- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 3f7e89f34fa4638a42285989e61370d8970afcde..2256f95a039044313807ab75ce219fa3eb7408b6 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +- `noencrypt` will not try to encrypt the partition if it isn't encrypted already, but will open it if it is. See the section [Encrypting the shared partition via an update](#### Encrypting the shared partition via an update) for more information #### Encrypted root file system @@ -58,6 +59,25 @@ The mountpoint is empty as the root partition is mounted by a seperate initramf Both partitions are encrypted during first boot. The initramfs hook opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}` during boot. +#### Encrypting the shared partition via an update + +With the following requirements, special handling is necessary: + +- A/B update scheme is used. +- Both slots have a shared volume that needs to be encrypted as well. +- The system in the field is currently unencrypted, and encryption should be added via an update. +- When the update fails, the fallback system needs to deal with an encrypted data partition. + +In this case, the fallback system needs to support an encrypted shared data partition but would not encrypt it on its own. For this, the `noencrypt` flag can be used. + +The data partition in the fallback system will have the `noencrypt` flag set, while the update system will set the flag to `reencrypt`. This will handle the following case: + +- Unencrypted system on slot A is running; the shared data partition has set the `noencrypt` flag and is not encrypted. +- Update for enabling encryption is applied to slot B, where the shared data partition has the `reencrypt` flag. +- System reboots to slot B, encrypting the shared data partition. +- Update fails at a later point and is not blessed; system reboots into the fallback system on slot A. +- Fallback system now needs to be able to use the shared data partition. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 6df4cccee9c99653fa9869ca2e46ead549d6fc2d..19df9ac9e22fde09dda8ea3ad76f7ff763d3cf1b 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -303,15 +303,18 @@ for partition_set in $partition_sets; do if [ ! -e "$part_device" ]; then panic "Could not find device mapped to '$partition' cannot be encrypted!" fi - decrypted_part=/dev/mapper/"$crypt_mount_name" - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi + # If partition is already encrypted, decrypt and continue with next partition: + decrypted_part=/dev/mapper/"$crypt_mount_name" if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "systemd-tpm2\|clevis"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + + # check if we are trying to mount root, set ROOT to decrypted partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + continue fi @@ -321,6 +324,17 @@ for partition_set in $partition_sets; do partition_format="reencrypt" fi + # If partition should not be encrypted, continue with next partition: + if [ "$partition_format" = "noencrypt" ] + then + continue + fi + + # check if we are trying to mount root, set ROOT to decrypted partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + # service watchdog in the background during lengthy re-encryption if [ -z "$watchdog_pid" ]; then service_watchdog & From patchwork Thu Mar 20 07:43:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14023489 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E04BC36005 for ; Thu, 20 Mar 2025 07:43:26 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2371.1742456604553540992 for ; Thu, 20 Mar 2025 00:43:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@denx.de header.s=mx-20241105 header.b=AuAm3QnY; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id A178E101E90E2; Thu, 20 Mar 2025 08:43:22 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1742456602; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=ZsHCm/sKFEJJaokhIsRmdK2mcNqa98D6gak3dd+kfso=; b=AuAm3QnYPmmmuDJANgkBo6POT4gD/rqOLZV+Ln5h0mXlkPRabMd86Iydc0VMV1rnDUncFK OySG1RfYLkt9wD5A15VPiZFOpAD+QSoV6F6JJh2vD+4QDkRscSyKiWlCeAQkCXJhu+qVWi fiVQwmBpwLQuGp0vwjaQfh98SMQDoAoIvct+YciZLdredIeef1GOh0TAlIPS5AOnj5mWmR m+5qUb5thDnNTrENtSreD9hB7F9lBksbonvd6gJhZQHJEFJyWyq6ysie62wRZQ4Io3Haff jErd1iNTOl1vCfd2Vnhy3GDa7mp0/zVigDEQRcRiITcOurNt6GNAQvp/gZzYbg== From: Claudius Heine Date: Thu, 20 Mar 2025 08:43:08 +0100 Subject: [PATCH v6 4/4] initramfs-crypt-hook: add 'format-if-empty' feature MIME-Version: 1.0 Message-Id: <20250320-initramfs-crypt-hook-patches-2-v6-4-ef10c11cad94@denx.de> References: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> In-Reply-To: <20250320-initramfs-crypt-hook-patches-2-v6-0-ef10c11cad94@denx.de> To: cip-dev@lists.cip-project.org Cc: Jan Kiszka , Quirin Gylstorff , Alexander , Claudius Heine X-Mailer: b4 0.14.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 20 Mar 2025 07:43:26 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18287 With the A/B update scheme, the goal is to have two (mostly) independent system slots, one that is active and one that is inactive. The active system slot writes updates to the inactive system slot and switches the active and inactive slot via a reboot. Late when booting the new system, it will decide if the current system is stable and then 'bless' it in the bootloader, or it will consider the update failed and the system reboots, without the updated system slot being blessed. In the last case, the system in the old slot will work as a fallback system, that reports the failed update back to the backend, and continue the service, as it has before the update was applied. It is important here that the update does not modify the fallback system in any avoidable way, because doing so might break the fallback and make the system not remotely recoverable. If encryption is added via an update, there are two cases to consider: 1. Update is applied to the inactive update slot via the normal update procedure. In this case the fallback system should not be modified. 2. A system that uses encryption is flashed via a factory flash. In this case there is no fallback system and all partitions of both update slots need to be encrypted. To differentiate between these cases, the content of each fallback partition can be looked at, if they contain data, we are in case (1) and these partitions should be left alone, if they contain only 0x00, they can be formatted, because we are in case (2). The `format-if-empty` option is implemented here, will look if the first 10 MiB of each partition marked with this option contains 0x00 or not and will either format it or leave it alone. Signed-off-by: Claudius Heine --- doc/README.tpm2.encryption.md | 5 ++++- .../initramfs-crypt-hook/files/local-top-complete | 21 +++++++++++++++++++++ .../initramfs-crypt-hook_0.7.bb | 2 +- 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 2256f95a039044313807ab75ce219fa3eb7408b6..3c29381209c5bec8aa0b031d941d23b7bf0cfd95 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` - `noencrypt` will not try to encrypt the partition if it isn't encrypted already, but will open it if it is. See the section [Encrypting the shared partition via an update](#### Encrypting the shared partition via an update) for more information +- `format-if-empty` will create an empty LUKS partition and format it, like the `format` option, but only if the first 10 MiB are empty (contain only 0x00). This makes it possible to differentiate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone. #### Encrypted root file system @@ -78,6 +79,8 @@ The data partition in the fallback system will have the `noencrypt` flag set, wh - Update fails at a later point and is not blessed; system reboots into the fallback system on slot A. - Fallback system now needs to be able to use the shared data partition. +In this case, where encryption is added via an update, the `format-if-empty` option is also useful. The system with encryption enabled has the `format-if-empty` option set for the partition(s) in the inactive update slot. This will cause both sets of partitions in both slots to be encrypted after the first boot on a fresh factory flashed system, but will not disturb existing data of any fallback system if booted after an update. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 19df9ac9e22fde09dda8ea3ad76f7ff763d3cf1b..58a6cbcbb5b0880cb93d08a4b64b8b0635927702 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -365,6 +365,27 @@ for partition_set in $partition_sets; do eval "${create_file_system_cmd} ${decrypted_part}" log_end_msg ;; + "format-if-empty") + # Check if first 10MiB contain only zeros, or if it contains a luks + # header, but no TPM2 token + if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero || \ + ( [ "$(get_fstype "${part_device}")" = "luks" ] && \ + ! ( /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" | + grep -q "systemd-tpm2\|clevis" ) ) + then + log_begin_msg "Encryption of ${part_device}" + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$part_device" < "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + tpm2_key_del + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + eval "${create_file_system_cmd} ${decrypted_part}" + log_end_msg + else + # If not empty, leave it alone. + continue + fi + ;; *) panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" ;; diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb index cde6582fe07981c78d646fe592e0c53ef46a2fb4..a6a33eb4496124e059f673d90261c628834ae68f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb @@ -40,7 +40,7 @@ HOOK_ADD_MODULES = " \ HOOK_COPY_EXECS = " \ mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ - e2fsck resize2fs cryptsetup head tr rm \ + e2fsck resize2fs cryptsetup head tr rm cmp \ tpm2_pcrread tpm2_testparms tpm2_flushcontext tpm2_startauthsession \ tpm2_policypcr tpm2_createprimary tpm2_create tpm2_load tpm2_evictcontrol \ tpm2_unseal tpm2_getcap \