[isar-cip-core,v5,0/6] Encrypt Partition in initramfs

Message ID 20230309085321.17167-1-Quirin.Gylstorff@siemens.com (mailing list archive)

Message

Quirin Gylstorff March 9, 2023, 8:53 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during
boot. 

Adapt start-qemu to support tpm2.

The implementation uses systemd-cryptenroll to add the TPM protected
passphrase to the LUKS header. systemd-cryptenroll was added with systemd version > 248.

The following table shows the support of systemd-cryptenroll in Debian
releases.

| Debian version | systemd-cryptenroll supported |
| Buster(10)     | No                            |
| Bullseye(11)   | With backports                |
| Bookworm(12)   | Yes                           |

I am currently testing an adaptation for Debian 11 (Bullseye) with
clevis instead of systemd-cryptenroll. If clevis works I will send an
additional patch.

Changes v2:
 - rewrite for multiple partitions
 - add reencrypt for populated partitions
 - encrypt /var and /home

Changes v3:
 - remove additional partition crypt_data
 - add Readme
 - fix KConfig
 - only systemd is from backports
 - start-qemu now checks .config.yaml for TPM2 support
 - correct whitespaces

Changes v4:
 - whitespaces
 - README add requirements for systemd 248
 - Kconfig add help information
 - adapt commit message of patch 4 (add information about extra-space)

Changes v5:
 - rebase on origin/next
 - rename kas/opt/tpm.yml to kas/opt/encrypt-partitions.yml
 - Kconfig change help text and option name from IMAGE_TPM_ENCRYPTION to IMAGE_DATA_ENCRYPTION

Quirin Gylstorff (6):
  KConfig: add option to encrypt data partitions
  start-qemu.sh: Create a tpm2 device
  Add initramfs hook to encrypt a partition
  overlay: add prerequisite 'encrypt_partition'
  .gitlabci: Add ci build
  Add README for encrypted partitions

 .gitlab-ci.yml                                |  13 ++
 Kconfig                                       |  10 ++
 doc/README.tpm2.encryption.md                 |  55 +++++++
 kas/opt/encrypt-partitions.yml                |   3 +-
 .../cip-core-initramfs/cip-core-initramfs.bb  |   2 +
 .../files/encrypt_partition.env.tmpl          |   2 +
 .../files/encrypt_partition.hook              |  53 +++++++
 .../files/encrypt_partition.script            | 145 ++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb               |  40 +++++
 .../initramfs-overlay-hook/files/overlay.hook |   1 +
 .../files/overlay.script.tmpl                 |  12 +-
 .../initramfs-overlay-hook_0.1.bb             |   2 +-
 start-qemu.sh                                 |  27 +++-
 wic/x86-efibootguard.wks.in                   |   5 +-
 14 files changed, 356 insertions(+), 14 deletions(-)
 create mode 100644 doc/README.tpm2.encryption.md
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
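
The enrollment flow the cover letter describes, written out as an added example (not code from the isar-cip-core series): it gates on the systemd 248 requirement from the table above, binds a LUKS2 key slot to the TPM2 with systemd-cryptenroll, and verifies the token in the header. The device path, the PCR choice and the crypttab name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core patches. Device, PCR list and
# volume name below are assumptions; the tool flags are real systemd flags.

# systemd-cryptenroll is only available from systemd 248 on (see the Debian
# table in the cover letter). $1 is the first line of `systemctl --version`,
# e.g. "systemd 252 (252.5-2)"; returns 0 when enrollment is possible.
cryptenroll_supported() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] && [ "$ver" -ge 248 ]
}

# $1 is the text of `cryptsetup luksDump <dev>`; returns 0 when a systemd-tpm2
# token is present in the LUKS2 header, i.e. enrollment actually took effect.
has_tpm2_token() {
    printf '%s\n' "$1" | grep -q 'systemd-tpm2'
}

# Enroll the TPM2 into an existing LUKS2 device ($1) bound to the PCRs in $2
# (default 7, the Secure Boot policy register: a changed boot policy then
# refuses the auto-unlock and the passphrase slot remains as fallback).
enroll_tpm2() {
    dev=$1
    pcrs=${2:-7}
    if ! cryptenroll_supported "$(systemctl --version | head -n1)"; then
        echo "systemd-cryptenroll needs systemd >= 248 (use backports on Bullseye)" >&2
        return 1
    fi
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev" || return 1
    # Do not trust the exit code alone: confirm the token landed in the header.
    has_tpm2_token "$(cryptsetup luksDump "$dev")"
}

# Matching /etc/crypttab line so the initramfs unlocks via the TPM2 at boot
# (assumed names; "none" keeps the passphrase prompt as fallback):
#   var_crypt  /dev/disk/by-partlabel/var  none  tpm2-device=auto,luks

# Usage (needs root, a LUKS2 device and a TPM2):  sh enroll.sh enroll /dev/sda3 7
if [ "${1:-}" = "enroll" ]; then
    enroll_tpm2 "$2" "$3"
fi
```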

Comments

Jan Kiszka March 13, 2023, 9:37 a.m. UTC | #1
On 09.03.23 09:53, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during
> boot. 
> 
> Adapt start-qemu to support tpm2.
> 
> The implementation uses systemd-cryptenroll to add the TPM protected
> passphrase to the LUKS header. systemd-cryptenroll was added with systemd version > 248.
> 
> The following table shows the support of systemd-cryptenroll in Debian
> releases.
> 
> | Debian version | systemd-cryptenroll supported |
> | Buster(10)     | No                            |
> | Bullseye(11)   | With backports                |
> | Bookworm(12)   | Yes                           |
> 
> I am currently testing an adaptation for Debian 11 (Bullseye) with
> clevis instead of systemd-cryptenroll. If clevis works I will send an
> additional patch.
> 
> Changes v2:
>  - rewrite for multiple partitions
>  - add reencrypt for populated partitions
>  - encrypt /var and /home
> 
> Changes v3:
>  - remove additional partition crypt_data
>  - add Readme
>  - fix KConfig
>  - only systemd is from backports
>  - start-qemu now checks .config.yaml for TPM2 support
>  - correct whitespaces
> 
> Changes v4:
>  - whitespaces
>  - README add requirements for systemd 248
>  - Kconfig add help information
>  - adapt commit message of patch 4 (add information about extra-space)
> 
> Changes v5:
>  - rebase on origin/next
>  - rename kas/opt/tpm.yml to kas/opt/encrypt-partitions.yml
>  - Kconfig change help text and option name from IMAGE_TPM_ENCRYPTION to IMAGE_DATA_ENCRYPTION
> 
> Quirin Gylstorff (6):
>   KConfig: add option to encrypt data partitions
>   start-qemu.sh: Create a tpm2 device
>   Add initramfs hook to encrypt a partition
>   overlay: add prerequisite 'encrypt_partition'
>   .gitlabci: Add ci build
>   Add README for encrypted partitions
> 
>  .gitlab-ci.yml                                |  13 ++
>  Kconfig                                       |  10 ++
>  doc/README.tpm2.encryption.md                 |  55 +++++++
>  kas/opt/encrypt-partitions.yml                |   3 +-
>  .../cip-core-initramfs/cip-core-initramfs.bb  |   2 +
>  .../files/encrypt_partition.env.tmpl          |   2 +
>  .../files/encrypt_partition.hook              |  53 +++++++
>  .../files/encrypt_partition.script            | 145 ++++++++++++++++++
>  .../initramfs-crypt-hook_0.1.bb               |  40 +++++
>  .../initramfs-overlay-hook/files/overlay.hook |   1 +
>  .../files/overlay.script.tmpl                 |  12 +-
>  .../initramfs-overlay-hook_0.1.bb             |   2 +-
>  start-qemu.sh                                 |  27 +++-
>  wic/x86-efibootguard.wks.in                   |   5 +-
>  14 files changed, 356 insertions(+), 14 deletions(-)
>  create mode 100644 doc/README.tpm2.encryption.md
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> 

Thanks, merged to next with some massaging.

I'm still open to resolve the backports issue with an alternative before
the release if there is a working solution.

Jan