[isar-cip-core,v3,8/9] README: Add rootfs encryption

Message ID	20240425115119.813384-9-Quirin.Gylstorff@siemens.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <quirin.gylstorff@siemens.com> ip: 185.136.64.226, mailfrom: fm-51332-20240425115122fa52e7d6b35215215a-pctno2@rts-flowmailer.siemens.com) From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com> To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com, felix.moessbauer@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 8/9] README: Add rootfs encryption Date: Thu, 25 Apr 2024 13:50:36 +0200 Message-ID: <20240425115119.813384-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240425115119.813384-1-Quirin.Gylstorff@siemens.com> References: <20240425115119.813384-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-51332:519-21489:flowmailer
Series	Add option to encrypt the rootfs \| expand [isar-cip-core,v3,0/9] Add option to encrypt the rootfs [isar-cip-core,v3,1/9] wic/: Add part-labels to system partition [isar-cip-core,v3,2/9] initramfs: allow empty mountpoint for crypt hooks [isar-cip-core,v3,3/9] initramfs-crypt: Only resize partition if ext formatted [isar-cip-core,v3,4/9] fix: use luks2 to identify encrypted partition [isar-cip-core,v3,5/9] Rename encrypt-partitions to encrypt-data [isar-cip-core,v3,6/9] Kconfig: Add option to encrypt the rootfs [isar-cip-core,v3,7/9] crypt-hook: Extend partition selection [isar-cip-core,v3,8/9] README: Add rootfs encryption [isar-cip-core,v3,9/9] README.swupdate: Add section about partition selection

Message ID

20240425115119.813384-9-Quirin.Gylstorff@siemens.com (mailing list archive)

State

Superseded

Headers

From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org,
	jan.kiszka@siemens.com,
	johnxw@amazon.com,
	felix.moessbauer@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 8/9] README: Add rootfs encryption
Date: Thu, 25 Apr 2024 13:50:36 +0200
Message-ID: <20240425115119.813384-9-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240425115119.813384-1-Quirin.Gylstorff@siemens.com>
References: <20240425115119.813384-1-Quirin.Gylstorff@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-51332:519-21489:flowmailer

Series

Add option to encrypt the rootfs | expand

Commit Message

Quirin Gylstorff April 25, 2024, 11:50 a.m. UTC

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.tpm2.encryption.md | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index c5ac6c4..fdfa8da 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -38,12 +38,22 @@  The initramfs-crypt-hook recipe has the following variables which can be overwri
 ### CRYPT_PARTITIONS
 
 The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>`.
-- The `partition-label` is used to identify the partition on the disk
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt or format>`.
+- The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
 - The `mountpoint` is used mount the decrypted partition in the root file system
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
 
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
+during boot.
+
 ### CRYPT_CREATE_FILE_SYSTEM_CMD
 
 The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
@@ -59,7 +69,7 @@  based encryption:
  - jq
 
 ## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
 ```bash
 export device=/dev/sda6
 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)

[isar-cip-core,v3,8/9] README: Add rootfs encryption

Commit Message

Patch