Message ID | 20240322100605.4129226-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
Series | Rework disk encryption |
On 22.03.24 11:05, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> This patchset is a cleanup of the initramfs-crypt-hook:
> - Aligns the systemd and clevis implementation
> - consolidate script in a main, clevis and systemd part
> - split clevis hook for readability
> - Adds some checks for TPM parameter
> - Remove the dependency in the overlay
> - Adds an example to encrypt the rootfs
> - Add readme to switch from clevis based encryption to systemd
>
>
> Changes v2:
> - fix typos in commit messages
> - some fixes for Debian buster
> - split clevis hook for readability
> - consolidate script in a main, clevis and systemd part
> - Add readme to switch from clevis based encryption to systemd
> - Increase version of the hook
> - The disk encryption now sets the root mount if necessary
>
>
> Quirin Gylstorff (13):
>   initramfs-crypt-hook: Allow switching between clevis and systemd
>   initramfs-crypt-hook: Align systemd encryption and clevis encryption
>   initramfs-crypt-hook: move the mounting of encrypted disks in a
>     seperate function
>   initramfs-crypt-hook: Check if the TPM device fulfills the given
>     requirements
>   initramfs-crypt-hook: add flag to make encryption optional
>   initramfs-crypt-hook: add e2fsck to avoid resize error
>   initramfs-crypt-hook: split encryption and mounting
>   initramfs-crypt-hook: Add check if root is part of the mountpoints
>   initramfs-crypt-hook: split hook in multiple files
>   initramfs-crypt-hook: Consolidate clevis and systemd scripts
>   initramfs-crypt-hook: Increase version
>   README.tpm2.encryption: Add section to switch from clevis to systemd
>   Add example to encrypt the rootfs
>
>  doc/README.tpm2.encryption.md | 20 +++
>  kas/opt/encrypt_rootfs.yml | 24 +++
>  ...pt_partition.clevis.bullseye_or_later.hook | 34 ++++
>  .../encrypt_partition.clevis.buster.hook | 30 ++++
>  .../files/encrypt_partition.clevis.hook | 20 +--
>  .../files/encrypt_partition.clevis.script | 157 +++--------------
>  .../files/encrypt_partition.env.tmpl | 4 +-
>  .../files/encrypt_partition.script | 164 ++++++++++++++++++
>  .../files/encrypt_partition.systemd.hook | 5 +-
>  .../files/encrypt_partition.systemd.script | 152 +++-------------
>  .../files/mount_crypt_partitions.script | 61 +++++++
>  ...ook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 49 +++++-
>  .../files/overlay.script.tmpl | 2 +-
>  wic/x86_64-encryption.wks.in | 16 ++
>  14 files changed, 442 insertions(+), 296 deletions(-)
>  create mode 100644 kas/opt/encrypt_rootfs.yml
>  create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
>  create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
>  create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
>  rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (54%)
>  create mode 100644 wic/x86_64-encryption.wks.in
>

I heard no further comments (but also no "works for me"), so I applied this now.

Jan

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patchset is a cleanup of the initramfs-crypt-hook:
- Aligns the systemd and clevis implementation
- consolidate script in a main, clevis and systemd part
- split clevis hook for readability
- Adds some checks for TPM parameter
- Remove the dependency in the overlay
- Adds an example to encrypt the rootfs
- Add readme to switch from clevis based encryption to systemd

Changes v2:
- fix typos in commit messages
- some fixes for Debian buster
- split clevis hook for readability
- consolidate script in a main, clevis and systemd part
- Add readme to switch from clevis based encryption to systemd
- Increase version of the hook
- The disk encryption now sets the root mount if necessary

Quirin Gylstorff (13):
  initramfs-crypt-hook: Allow switching between clevis and systemd
  initramfs-crypt-hook: Align systemd encryption and clevis encryption
  initramfs-crypt-hook: move the mounting of encrypted disks in a
    seperate function
  initramfs-crypt-hook: Check if the TPM device fulfills the given
    requirements
  initramfs-crypt-hook: add flag to make encryption optional
  initramfs-crypt-hook: add e2fsck to avoid resize error
  initramfs-crypt-hook: split encryption and mounting
  initramfs-crypt-hook: Add check if root is part of the mountpoints
  initramfs-crypt-hook: split hook in multiple files
  initramfs-crypt-hook: Consolidate clevis and systemd scripts
  initramfs-crypt-hook: Increase version
  README.tpm2.encryption: Add section to switch from clevis to systemd
  Add example to encrypt the rootfs

 doc/README.tpm2.encryption.md | 20 +++
 kas/opt/encrypt_rootfs.yml | 24 +++
 ...pt_partition.clevis.bullseye_or_later.hook | 34 ++++
 .../encrypt_partition.clevis.buster.hook | 30 ++++
 .../files/encrypt_partition.clevis.hook | 20 +--
 .../files/encrypt_partition.clevis.script | 157 +++--------------
 .../files/encrypt_partition.env.tmpl | 4 +-
 .../files/encrypt_partition.script | 164 ++++++++++++++++++
 .../files/encrypt_partition.systemd.hook | 5 +-
 .../files/encrypt_partition.systemd.script | 152 +++-------------
 .../files/mount_crypt_partitions.script | 61 +++++++
 ...ook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 49 +++++-
 .../files/overlay.script.tmpl | 2 +-
 wic/x86_64-encryption.wks.in | 16 ++
 14 files changed, 442 insertions(+), 296 deletions(-)
 create mode 100644 kas/opt/encrypt_rootfs.yml
 create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
 create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
 rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (54%)
 create mode 100644 wic/x86_64-encryption.wks.in