Message ID | 20230224162832.327030-3-Quirin.Gylstorff@siemens.com (mailing list archive)
---|---
State | Changes Requested
Series | Encrypt Partition in initramfs
On 24.02.23 17:28, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > Systemd >= 251 is required for systemd-cryptenroll. This version > is part of backports. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > conf/distro/debian-bullseye-backports.list | 1 + > .../preferences.bullseye-backports.tpm.conf | 40 +++++++++++++++++++ > kas/opt/tpm.yml | 20 ++++++++++ > 3 files changed, 61 insertions(+) > create mode 100644 conf/distro/debian-bullseye-backports.list > create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf > create mode 100644 kas/opt/tpm.yml > > diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list > new file mode 100644 > index 0000000..3a55e4c > --- /dev/null > +++ b/conf/distro/debian-bullseye-backports.list > @@ -0,0 +1 @@ > +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free > diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf > new file mode 100644 > index 0000000..918745f > --- /dev/null > +++ b/conf/distro/preferences.bullseye-backports.tpm.conf 
> @@ -0,0 +1,40 @@ > +Package: libnss-myhostname You can add multiple packages whitespace-separated to this line. Will make the file more readable. > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: libnss-mymachines > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: libnss-resolve > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: libnss-systemd > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: libpam-systemd > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: libudev* > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: libsystemd* > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: systemd > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: systemd-* > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > +Package: udev > +Pin: release n=bullseye-backports > +Pin-Priority: 801 > + > diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml > new file mode 100644 > index 0000000..0e4dc95 > --- /dev/null > +++ b/kas/opt/tpm.yml 
> @@ -0,0 +1,20 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2022 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > + > +header: > + version: 12 > + > +local_conf_header: > + systemd-cryptenroll: | > + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" > + DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" > + image-option-tpm: | > + INITRAMFS_INSTALL += " initramfs-crypt-hook"
Two-sided sword: On the one hand, we don't need to compile our own systemd. On the other, the question is if the choice of backports for such a central and potentially security-critical package would be a good idea for a production deployment. I don't think so. At some place, we should leave a comment that this is for demonstration only, not for production. Only bookworm will change that. Or some alternative to systemd-cryptenroll.
Jan
diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list new file mode 100644 index 0000000..3a55e4c --- /dev/null +++ b/conf/distro/debian-bullseye-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf new file mode 100644 index 0000000..918745f --- /dev/null +++ b/conf/distro/preferences.bullseye-backports.tpm.conf @@ -0,0 +1,40 @@ +Package: libnss-myhostname +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-mymachines +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-resolve +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libpam-systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libudev* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libsystemd* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: systemd-* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: udev +Pin: release n=bullseye-backports +Pin-Priority: 801 + diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml new file mode 100644 index 0000000..0e4dc95 --- /dev/null +++ b/kas/opt/tpm.yml @@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 12 + +local_conf_header: + systemd-cryptenroll: | + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" + DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" + image-option-tpm: | + INITRAMFS_INSTALL += " initramfs-crypt-hook"
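Review bot: in the debian-bullseye-backports.list hunk, the sources line enables `contrib` and `non-free` from bullseye-backports although the series only needs systemd, which lives in `main`; restricting the line to `deb http://ftp.us.debian.org/debian bullseye-backports main` keeps the enabled component set to what the pin file actually uses. Hardcoding the US mirror `ftp.us.debian.org` also ties every build to one regional mirror, while `deb.debian.org` resolves to the geo-distributed CDN.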
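Review bot: in the preferences.bullseye-backports.tpm.conf hunk, all ten stanzas carry the identical `Pin: release n=bullseye-backports` and `Pin-Priority: 801`, so they collapse into one stanza with the package names space-separated on the `Package:` line, as Jan also suggests. The glob patterns `libudev*`, `libsystemd*` and `systemd-*` match any package whose name starts with that prefix, not only binaries built from the systemd source; apt's source-package pin form, `Package: src:systemd`, selects exactly the binaries built from systemd and avoids pulling an unrelated `systemd-*`-named package from backports. Priority 801 stays below 1000, so an already installed newer version is never downgraded, which is the intended behaviour here.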
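Review bot: in the kas/opt/tpm.yml hunk, the `systemd-cryptenroll` local_conf_header block carries no comment that it moves the whole systemd stack of a bullseye image to backports, which Jan asks to be marked as demonstration-only rather than for production use; a comment above the two `:append:bullseye` lines stating that, and that the appends are bullseye-only overrides so they do nothing on other distros, would document the intent in the file itself. The copyright header also reads 2022 while the series is dated February 2023.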