Message ID | 3e0c558a5b9b0643012484839a1dbf671c4708fb.1688630668.git.jan.kiszka@siemens.com (mailing list archive) |
---|---|
State | Accepted |
Series | Service watchdog in initramfs-crypto-hook, harden watchdog settings | expand |
On 7/6/23 10:04, Jan Kiszka wrote: > From: Jan Kiszka <jan.kiszka@siemens.com> > > These operations can take longer than the watchdog timeout normally > needed for booting Linux up to systemd. Add a background loop to both > scripts then triggers the watchdog every 10 s, but only up to a > configurable limit. Also the watchdog device can be configured, though > the default /dev/watchdog should be fine in almost all cases. > > Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> > --- > .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++ > .../files/encrypt_partition.env.tmpl | 2 ++ > .../files/encrypt_partition.systemd.hook | 2 ++ > .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++ > .../initramfs-crypt-hook_0.1.bb | 7 ++++++- > 5 files changed, 44 insertions(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > index 9a1c37ba..c38c0e94 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then > create_file_system_cmd="mke2fs -t ext4" > fi > > +service_watchdog() { > + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do > + printf '\0' > + sleep 10 > + done > "$WATCHDOG_DEV" > +} > + > open_tpm2_partition() { > if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ > -d "$1"; then > @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do > continue > fi > > + # service watchdog in the background during lengthy re-encryption > + if [ -z "$watchdog_pid" ]; then > + service_watchdog & > + watchdog_pid=$! > + fi > + > # create random password for initial encryption > # this will be dropped after reboot > tmp_key=/tmp/"$partition_label-lukskey" 
> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do > # afterwards no new keys can be enrolled > cryptsetup -v luksKillSlot -q "$part_device" 0 > done > + > +if [ -n "$watchdog_pid" ]; then > + kill "$watchdog_pid" > +fi > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > index d04be56c..382fe45f 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > @@ -1,2 +1,4 @@ > PARTITIONS="${CRYPT_PARTITIONS}" > CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" > +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" > +WATCHDOG_DEV="${WATCHDOG_DEVICE}" > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > index fa37b57a..08ea631a 100755 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" > copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" > copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" > copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" > +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found" > +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" > copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" > copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" > copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script > index eefac4bd..cf513dfe 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script > @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then > create_file_system_cmd="mke2fs -t ext4" > fi > > +service_watchdog() { > + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do > + printf '\0' > + sleep 10 > + done > "$WATCHDOG_DEV" > +} > + > open_tpm2_partition() { > if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ > "$1" - tpm2-device="$tpm_device"; then > @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do > continue > fi > > + # pet watchdog in the background during lengthy re-encryption > + if [ -z "$watchdog_pid" ]; then > + service_watchdog & > + watchdog_pid=$! > + fi > + > # create random password for initial encryption > # this will be dropped after reboot > tmp_key=/tmp/"$partition_label-lukskey" > @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do > # afterwards no new keys can be enrolled > /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 > done > + > +if [ -n "$watchdog_pid" ]; then > + kill "$watchdog_pid" > +fi > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > index 997f469d..db65ea40 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" > # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem > # in a newly formatted LUKS Partition > CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" > +# Timeout for creating / re-encrypting partitions on first boot > +CRYPT_SETUP_TIMEOUT ??= "600" > +# Watchdog to service during the initial setup of the crypto partitions > +WATCHDOG_DEVICE ??= "/dev/watchdog" Should there be a prefix? > > -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" > +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ > + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE" This indentation looks wrong. Quirin > TEMPLATE_FILES = "encrypt_partition.env.tmpl" > > do_install[cleandirs] += " \
On 10.07.23 11:11, Gylstorff Quirin wrote: > > > On 7/6/23 10:04, Jan Kiszka wrote: >> From: Jan Kiszka <jan.kiszka@siemens.com> >> >> These operations can take longer than the watchdog timeout normally >> needed for booting Linux up to systemd. Add a background loop to both >> scripts then triggers the watchdog every 10 s, but only up to a >> configurable limit. Also the watchdog device can be configured, though >> the default /dev/watchdog should be fine in almost all cases. >> >> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> >> --- >> .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++ >> .../files/encrypt_partition.env.tmpl | 2 ++ >> .../files/encrypt_partition.systemd.hook | 2 ++ >> .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++ >> .../initramfs-crypt-hook_0.1.bb | 7 ++++++- >> 5 files changed, 44 insertions(+), 1 deletion(-) >> >> diff --git >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >> index 9a1c37ba..c38c0e94 100644 >> --- >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >> +++ >> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then >> create_file_system_cmd="mke2fs -t ext4" >> fi >> +service_watchdog() { >> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do >> + printf '\0' >> + sleep 10 >> + done > "$WATCHDOG_DEV" >> +} >> + >> open_tpm2_partition() { >> if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ >> -d "$1"; then 
>> @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do >> continue >> fi >> + # service watchdog in the background during lengthy re-encryption >> + if [ -z "$watchdog_pid" ]; then >> + service_watchdog & >> + watchdog_pid=$! >> + fi >> + >> # create random password for initial encryption >> # this will be dropped after reboot >> tmp_key=/tmp/"$partition_label-lukskey" >> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do >> # afterwards no new keys can be enrolled >> cryptsetup -v luksKillSlot -q "$part_device" 0 >> done >> + >> +if [ -n "$watchdog_pid" ]; then >> + kill "$watchdog_pid" >> +fi >> diff --git >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >> index d04be56c..382fe45f 100644 >> --- >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >> +++ >> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >> @@ -1,2 +1,4 @@ >> PARTITIONS="${CRYPT_PARTITIONS}" >> CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" >> +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" >> +WATCHDOG_DEV="${WATCHDOG_DEVICE}" >> diff --git >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook >> index fa37b57a..08ea631a 100755 >> --- >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook >> +++ >> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook 
>> @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error >> "/usr/sbin/mke2fs not found" >> copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" >> copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" >> copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" >> +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found" >> +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" >> copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" >> copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not >> found" >> copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup >> not found" >> diff --git >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script >> index eefac4bd..cf513dfe 100644 >> --- >> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script >> +++ >> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script >> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then >> create_file_system_cmd="mke2fs -t ext4" >> fi >> +service_watchdog() { >> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do >> + printf '\0' >> + sleep 10 >> + done > "$WATCHDOG_DEV" >> +} >> + >> open_tpm2_partition() { >> if ! /usr/lib/systemd/systemd-cryptsetup attach >> "$crypt_mount_name" \ >> "$1" - tpm2-device="$tpm_device"; then >> @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do >> continue >> fi >> + # pet watchdog in the background during lengthy re-encryption >> + if [ -z "$watchdog_pid" ]; then >> + service_watchdog & >> + watchdog_pid=$! >> + fi >> + >> # create random password for initial encryption >> # this will be dropped after reboot >> tmp_key=/tmp/"$partition_label-lukskey" 
>> @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do >> # afterwards no new keys can be enrolled >> /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 >> done >> + >> +if [ -n "$watchdog_pid" ]; then >> + kill "$watchdog_pid" >> +fi >> diff --git >> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> index 997f469d..db65ea40 100644 >> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt >> var:/var:reencrypt" >> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create >> the filesystem >> # in a newly formatted LUKS Partition >> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" >> +# Timeout for creating / re-encrypting partitions on first boot >> +CRYPT_SETUP_TIMEOUT ??= "600" >> +# Watchdog to service during the initial setup of the crypto partitions >> +WATCHDOG_DEVICE ??= "/dev/watchdog" > Should there a prefix? "CRYPT_WATCHDOG_DEVICE" sounded wrong to me - the watchdog is not crypt-related. Better suggestions? >> -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" >> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ >> + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE" > This indentation looks wrong. Hmm, 4 spaces - what would you have expected? Jan
On 7/10/23 12:14, Jan Kiszka wrote: > On 10.07.23 11:11, Gylstorff Quirin wrote: >> >> >> On 7/6/23 10:04, Jan Kiszka wrote: >>> From: Jan Kiszka <jan.kiszka@siemens.com> >>> >>> These operations can take longer than the watchdog timeout normally >>> needed for booting Linux up to systemd. Add a background loop to both >>> scripts then triggers the watchdog every 10 s, but only up to a >>> configurable limit. Also the watchdog device can be configured, though >>> the default /dev/watchdog should be fine in almost all cases. >>> >>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> >>> --- >>> .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++ >>> .../files/encrypt_partition.env.tmpl | 2 ++ >>> .../files/encrypt_partition.systemd.hook | 2 ++ >>> .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++ >>> .../initramfs-crypt-hook_0.1.bb | 7 ++++++- >>> 5 files changed, 44 insertions(+), 1 deletion(-) >>> >>> diff --git >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >>> index 9a1c37ba..c38c0e94 100644 >>> --- >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >>> +++ >>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then >>> create_file_system_cmd="mke2fs -t ext4" >>> fi >>> +service_watchdog() { >>> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do >>> + printf '\0' >>> + sleep 10 >>> + done > "$WATCHDOG_DEV" >>> +} >>> + >>> open_tpm2_partition() { >>> if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ >>> -d "$1"; then 
>>> @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do >>> continue >>> fi >>> + # service watchdog in the background during lengthy re-encryption >>> + if [ -z "$watchdog_pid" ]; then >>> + service_watchdog & >>> + watchdog_pid=$! >>> + fi >>> + >>> # create random password for initial encryption >>> # this will be dropped after reboot >>> tmp_key=/tmp/"$partition_label-lukskey" >>> @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do >>> # afterwards no new keys can be enrolled >>> cryptsetup -v luksKillSlot -q "$part_device" 0 >>> done >>> + >>> +if [ -n "$watchdog_pid" ]; then >>> + kill "$watchdog_pid" >>> +fi >>> diff --git >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >>> index d04be56c..382fe45f 100644 >>> --- >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >>> +++ >>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >>> @@ -1,2 +1,4 @@ >>> PARTITIONS="${CRYPT_PARTITIONS}" >>> CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" >>> +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" >>> +WATCHDOG_DEV="${WATCHDOG_DEVICE}" >>> diff --git >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook >>> index fa37b57a..08ea631a 100755 >>> --- >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook >>> +++ >>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook 
>>> @@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error >>> "/usr/sbin/mke2fs not found" >>> copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" >>> copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" >>> copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" >>> +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found" >>> +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" >>> copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" >>> copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not >>> found" >>> copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup >>> not found" >>> diff --git >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script >>> index eefac4bd..cf513dfe 100644 >>> --- >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script >>> +++ >>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script >>> @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then >>> create_file_system_cmd="mke2fs -t ext4" >>> fi >>> +service_watchdog() { >>> + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do >>> + printf '\0' >>> + sleep 10 >>> + done > "$WATCHDOG_DEV" >>> +} >>> + >>> open_tpm2_partition() { >>> if ! /usr/lib/systemd/systemd-cryptsetup attach >>> "$crypt_mount_name" \ >>> "$1" - tpm2-device="$tpm_device"; then >>> @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do >>> continue >>> fi >>> + # pet watchdog in the background during lengthy re-encryption >>> + if [ -z "$watchdog_pid" ]; then >>> + service_watchdog & >>> + watchdog_pid=$! >>> + fi >>> + >>> # create random password for initial encryption >>> # this will be dropped after reboot >>> tmp_key=/tmp/"$partition_label-lukskey" 
>>> @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do >>> # afterwards no new keys can be enrolled >>> /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 >>> done >>> + >>> +if [ -n "$watchdog_pid" ]; then >>> + kill "$watchdog_pid" >>> +fi >>> diff --git >>> a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >>> b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >>> index 997f469d..db65ea40 100644 >>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >>> @@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt >>> var:/var:reencrypt" >>> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create >>> the filesystem >>> # in a newly formatted LUKS Partition >>> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" >>> +# Timeout for creating / re-encrypting partitions on first boot >>> +CRYPT_SETUP_TIMEOUT ??= "600" >>> +# Watchdog to service during the initial setup of the crypto partitions >>> +WATCHDOG_DEVICE ??= "/dev/watchdog" >> Should there a prefix? > > "CRYPT_WATCHDOG_DEVICE" sounded wrong to me - the watchdog is not > crypt-related. Better suggestions? > INITRD_WATCHDOG_DEVICE as it only applies to the initrd. >>> -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" >>> +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ >>> + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE" >> This indentation looks wrong. > > Hmm, 4 spaces - what would you have expected? In git it looks fine. Something with my mail client settings. Quirin
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 9a1c37ba..c38c0e94 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
 create_file_system_cmd="mke2fs -t ext4"
 fi
 
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
 open_tpm2_partition() {
 if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
 -d "$1"; then
@@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
 continue
 fi
 
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
 # create random password for initial encryption
 # this will be dropped after reboot
 tmp_key=/tmp/"$partition_label-lukskey"
@@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
 # afterwards no new keys can be enrolled
 cryptsetup -v luksKillSlot -q "$part_device" 0
 done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index d04be56c..382fe45f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -1,2 +1,4 @@
 PARTITIONS="${CRYPT_PARTITIONS}"
 CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
+SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
+WATCHDOG_DEV="${WATCHDOG_DEVICE}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index fa37b57a..08ea631a 100755
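Review bot: The `done > "$WATCHDOG_DEV"` redirection in service_watchdog never checks that the path is a character device, so if the configured node is absent from the initramfs the shell just creates a regular file there and the loop writes NULs into it while the real watchdog goes unserviced; a guard before the loop, `[ -c "$WATCHDOG_DEV" ] || { printf '%s\n' "watchdog device $WATCHDOG_DEV not found" >&2; return 1; }`, makes that misconfiguration visible. The arithmetic `$(($SETUP_TIMEOUT / 10))` has a similar silent failure mode: an empty or non-numeric SETUP_TIMEOUT aborts the background subshell before the first iteration and, since the caller never waits on the job, nothing reports it, so `: "${SETUP_TIMEOUT:?SETUP_TIMEOUT must be set}"` as the function's first line would at least log it. When the loop runs out or the job is killed the device is closed without the magic close character, which on drivers that honour magic close leaves the watchdog armed — presumably the intended way to enforce the limit, but a comment stating that would help the next reader. The identical function is added to encrypt_partition.systemd.script in its @@ -45 hunk.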
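Review bot: `watchdog_pid` is tested with `[ -z "$watchdog_pid" ]` before anything in the script assigns it, so the check relies on the variable being unset on entry; under `set -u` (not visible here) that is an error, and any inherited value of the same name would skip starting the job entirely. Initialising it explicitly ahead of the partition loop, `watchdog_pid=`, removes both dependencies. The enclosing `for partition_set` loop starts and ends outside this hunk. encrypt_partition.systemd.script's @@ -111 hunk has the same pattern.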
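Review bot: `kill "$watchdog_pid"` is not guarded against the job having already ended: once SETUP_TIMEOUT has elapsed without a reset (for instance because no watchdog was actually armed) the loop exits on its own, `kill` then fails with "No such process", and if the script runs under `set -e` (not visible here) an otherwise successful run fails at its very last step. `kill "$watchdog_pid" 2>/dev/null || true`, with a comment noting that the job may have expired, would be safer. Killing the subshell also leaves its current `sleep 10` child running to completion, which is harmless but worth a short comment. The same teardown is added to encrypt_partition.systemd.script in its @@ -143 hunk.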
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
 copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
 copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
 copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
+copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
+copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
 copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
 copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
 copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index eefac4bd..cf513dfe 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
 create_file_system_cmd="mke2fs -t ext4"
 fi
 
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
 open_tpm2_partition() {
 if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
 "$1" - tpm2-device="$tpm_device"; then
@@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
 continue
 fi
 
+ # pet watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
 # create random password for initial encryption
 # this will be dropped after reboot
 tmp_key=/tmp/"$partition_label-lukskey"
@@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
 # afterwards no new keys can be enrolled
 /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
 done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 997f469d..db65ea40 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
 # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
 # in a newly formatted LUKS Partition
 CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
+# Timeout for creating / re-encrypting partitions on first boot
+CRYPT_SETUP_TIMEOUT ??= "600"
+# Watchdog to service during the initial setup of the crypto partitions
+WATCHDOG_DEVICE ??= "/dev/watchdog"
 
-TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
+TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
+ CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE"
 TEMPLATE_FILES = "encrypt_partition.env.tmpl"
 
 do_install[cleandirs] += " \
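Review bot: The comment on the new CRYPT_SETUP_TIMEOUT line gives neither the unit nor the consequence of exceeding it, and "Timeout" suggests the setup is aborted, whereas the scripts in this series only stop servicing the watchdog after that many seconds. Suggest `# Seconds for which the watchdog is serviced while partitions are created / re-encrypted on first boot; after that it is no longer fed`. The WATCHDOG_DEVICE comment could likewise state that the value must name a character device present in the initramfs, since the scripts redirect straight to that path.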