
[isar-cip-core,RFC,1/8] initramfs-crypt-hook: Allow switching between clevis and systemd

Message ID 20240319182026.1571362-2-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Series: Rework disk encryption

Commit Message

Gylstorff Quirin March 19, 2024, 6:18 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows devices which started on Debian 11 to continue using
clevis for encryption and decryption.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Comments

Jan Kiszka March 19, 2024, 6:33 p.m. UTC | #1
On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows devices which started on Debian 11 to continue using
> clevis for encryption and decryption.
> 

Would an upgrade to systemd tooling be possible as well? Create a new
key with systemd in the TPM and add that to the dm-crypt container?

This is just out of concern that we may have to maintain that clevis
path forever.

Jan

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> index b275c0f..317ea12 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -1,7 +1,7 @@
>  #
>  # CIP Core, generic profile
>  #
> -# Copyright (c) Siemens AG, 2020-2023
> +# Copyright (c) Siemens AG, 2020-2024
>  #
>  # Authors:
>  #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
>  
>  DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
>  DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
> -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
> +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
> +
> +def encryption_dependency(d):
> +    crypt_backend = d.getVar('CRYPT_BACKEND')
> +    if crypt_backend == 'clevis':
> +        clevis_depends= d.getVar('CLEVIS_DEPEND')
> +        return f"{clevis_depends}, clevis-tpm2"
> +    elif crypt_backend == 'systemd':
> +        return ", systemd (>= 251)"
> +    else:
> +        bb.error("unkown cryptbackend defined")
>  
>  CRYPT_BACKEND:buster = "clevis"
>  CRYPT_BACKEND:bullseye = "clevis"
Gylstorff Quirin March 20, 2024, 11:27 a.m. UTC | #2
On 3/19/24 7:33 PM, Jan Kiszka wrote:
> On 19.03.24 19:18, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This allows devices which started on Debian 11 to continue using
>> clevis for encryption and decryption.
>>
> 
> Would an upgrade to systemd tooling be possible as well? Create a new
> key with systemd in the TPM and add that to the dm-crypt container?

I need to try this. We need a passphrase to add additional keys. So we
would need to store the passphrase for the encryption somewhere on the
system. A possible solution would be to encrypt the passphrase with
the TPM chip and store it somewhere on the system.

Quirin
> 
> This is just out of concern that we may have to maintain that clevis
> path forever.
> 
> Jan
> 
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../initramfs-crypt-hook_0.1.bb                    | 14 ++++++++++++--
>>   1 file changed, 12 insertions(+), 2 deletions(-)
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> index b275c0f..317ea12 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
>> @@ -1,7 +1,7 @@
>>   #
>>   # CIP Core, generic profile
>>   #
>> -# Copyright (c) Siemens AG, 2020-2023
>> +# Copyright (c) Siemens AG, 2020-2024
>>   #
>>   # Authors:
>>   #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
>>   
>>   DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
>>   DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
>> -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
>> +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
>> +
>> +def encryption_dependency(d):
>> +    crypt_backend = d.getVar('CRYPT_BACKEND')
>> +    if crypt_backend == 'clevis':
>> +        clevis_depends= d.getVar('CLEVIS_DEPEND')
>> +        return f"{clevis_depends}, clevis-tpm2"
>> +    elif crypt_backend == 'systemd':
>> +        return ", systemd (>= 251)"
>> +    else:
>> +        bb.error("unkown cryptbackend defined")
>>   
>>   CRYPT_BACKEND:buster = "clevis"
>>   CRYPT_BACKEND:bullseye = "clevis"
>

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index b275c0f..317ea12 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -1,7 +1,7 @@ 
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2020-2023
+# Copyright (c) Siemens AG, 2020-2024
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -17,7 +17,17 @@  CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"
 
 DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev"
 DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"
-DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
+DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"
+
+def encryption_dependency(d):
+    crypt_backend = d.getVar('CRYPT_BACKEND')
+    if crypt_backend == 'clevis':
+        clevis_depends= d.getVar('CLEVIS_DEPEND')
+        return f"{clevis_depends}, clevis-tpm2"
+    elif crypt_backend == 'systemd':
+        return ", systemd (>= 251)"
+    else:
+        bb.error("unkown cryptbackend defined")
 
 CRYPT_BACKEND:buster = "clevis"
 CRYPT_BACKEND:bullseye = "clevis"
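Review bot: the `else` branch of `encryption_dependency()` calls `bb.error()` but then falls off the end of the function and returns `None`, so the inline expansion `DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}"` appends the literal text `None` to the package dependencies instead of stopping the build; use `bb.fatal()` (or return `""` after the error) and include the offending value in the message, e.g. `bb.fatal(f"unknown CRYPT_BACKEND '{crypt_backend}'")`, which also fixes the "unkown" typo. That branch is also reached whenever `CRYPT_BACKEND` is unset, because `d.getVar('CRYPT_BACKEND')` then returns `None`; the hunk only shows the `buster` and `bullseye` overrides, so unless the recipe sets a default elsewhere, newer targets will hit it. Minor: with the clevis backend on bullseye, `DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}"` already pulls in the clevis packages, so `f"{clevis_depends}, clevis-tpm2"` lists them a second time, and `clevis_depends= d.getVar('CLEVIS_DEPEND')` is missing the space before `=`.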