Message ID | 20241021185359.927395-2-alexander.heinisch@siemens.com (mailing list archive) |
---|---|
State | New |
Series | Fixing dependency of package expand-on-first-boot on cryptsetup and tss2 (tpm2) libraries when building with disk encryption enabled. |
On 10/21/24 8:53 PM, alexander.heinisch@siemens.com wrote:
> From: Alexander Heinisch <alexander.heinisch@siemens.com>
>
> To fix dependencies of packages (in this specific case expand-on-first-boot in upstream isar)
> we specified additional package dependencies used for disk encryption.
> When building with disk encryption enabled (kas/opt/encrypt-*.yml) the initramfs encrypts
> the specified disks if it detects unencrypted disks.
> In case of a fresh installation this happens during the first boot of the device.
> Unfortunately, expand-on-first-boot (kas/opt/expand-on-first-boot.yml) is executed
> after the initramfs has already encrypted the data partition (in case of *-efibootguard-*.wks.in /var).
>
> Checking whether the disk to expand is encrypted has already been handled by
> https://github.com/ilbers/isar/commit/c44c088cd224e44a401410c860bd625f28950ac3
> but dependencies are not automatically set for the package.
> Since expand-on-first-boot is hosted in isar and disk encryption features are enabled with the
> encrypt-partitions override in isar-cip-core, we extended the recipe in isar
> (see: https://github.com/ilbers/isar/commit/8b30a4f86cb3ea3369bff3884141872c3a7d9979) to
> enable downstream to set additional dependencies accordingly.
>
> While the dependency on cryptsetup is obvious, the other dependencies are not!
> Here is why:
>
> - bookworm (systemd as cryptbackend):
>
> From the cryptsetup 2.4.0 release notes:
> "
> Cryptsetup 2.4 adds the possibility to implement token handlers
> in external libraries (possibly provided by other projects).
> ...
> As of cryptsetup 2.4.0 release systemd project already merged upstream
> native cryptsetup token handler for its systemd-tpm2 LUKS2 token
> released originally in systemd-v248. The token can be created using
> systemd-cryptenroll utility and devices may be manipulated either by
> systemd-cryptsetup cli or by cryptsetup for actions listed above.
> "
> ("actions above" include `resize` - see https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/docs/v2.4.0-ReleaseNotes)
> Proof: https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/lib/luks2/luks2_token.c#L170
>
> For the disk encryption method we use, a token `systemd-tpm2` is added to the LUKS header.
> Thus, `cryptsetup resize` uses libcryptsetup-token-systemd-tpm2.so to handle this token,
> which comes with the package `systemd`.
>
> The following source gives the dependencies on libs: https://github.com/systemd/systemd/blob/a3f17a8f88f7332d0bef67a2d523c41f23f164b6/src/shared/tpm2-util.c#L114
> libtss2-esys.so.0 -> in package libtss2-esys-3.0.2-0
> libtss2-rc.so.0 -> in package libtss2-rc0
> libtss2-mu.so.0 -> in package libtss2-mu0
>
> - bullseye, buster (clevis as cryptbackend)
> Since we are using clevis as cryptbackend, the LUKS header resolves to "clevis" instead of "systemd-tpm2".
> Thus, cryptsetup resolves the library to be used to libcryptsetup-token-clevis.
>
> Unfortunately, I could not find such a library anywhere! - Therefore, expand-on-first-boot and similar
> still won't work for current disk encryption implementations for buster and bullseye.

There is no clevis library as clevis is more or less a bunch of shell scripts. If you want to use expand-on-first-boot with clevis, a solution would be to extract the passphrase, see [1], from the tpm2 partition and enter it via an environment variable.

[1]: https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/doc/README.tpm2.encryption.md?ref_type=heads#steps-to-convert-clevis-to-systemd

Quirin

> Signed-off-by: Alexander Heinisch <alexander.heinisch@siemens.com>
> ---
> conf/distro/cip-core-common.inc | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
> index 4bd4b84..7006713 100644
> --- a/conf/distro/cip-core-common.inc
> +++ b/conf/distro/cip-core-common.inc
> @@ -23,3 +23,16 @@ PREFERRED_VERSION_linux-cip-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip}" > > PREFERRED_VERSION_linux-cip-rt-native ?= "${PREFERRED_VERSION_linux-cip-rt}" > PREFERRED_VERSION_linux-cip-rt-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip-rt}" > + > +ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= "" > +ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions ?= "\ > + cryptsetup, \ > + libtss2-esys-3.0.2-0, \ > + libtss2-rc0, \ > + libtss2-mu0 \ > + " > + > +ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions:buster ?= "\ > + cryptsetup, \ > + libtss2-esys0 \ > + "
> > Unfortunately, I could not find such a library anywhere! - Therefore, expand-on-first-boot and similar
> > still won't work for current disk encryption implementations for buster and bullseye.
>
> There is no clevis library as clevis is more or less a bunch of shell scripts. If you want to use expand-on-first-boot with clevis, a solution would be to extract the passphrase, see [1], from the tpm2 partition and enter it via an environment variable.
>
> [1]:
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/doc/README.tpm2.encryption.md?ref_type=heads#steps-to-convert-clevis-to-systemd
>

That means a bigger effort on the `expand-on-first-boot` script than just setting the correct package dependencies!
Currently, we are using systemd-based cryptenroll in our project. So there is not too much motivation digging into clevis for that use case.
Still, I think fixing the issue for bookworm (systemd-tpm2) is better than not fixing it at all.

> > +ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""
> > +ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions ?= "\
> > + cryptsetup, \
> > + libtss2-esys-3.0.2-0, \
> > + libtss2-rc0, \
> > + libtss2-mu0 \
> > + "
> > +
> > +ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions:buster ?= "\
> > + cryptsetup, \
> > + libtss2-esys0 \
> > + "

If we fix it only for systemd-tpm2, it's questionable whether the additional dependencies for bullseye and buster should be added to `ADDITIONAL_DISK_ENCRYPTION_PACKAGES`.

BR
Alexander
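The token-handler lookup described in the patch mail above (cryptsetup reads the token type from the LUKS2 header, loads libcryptsetup-token-<type>.so for it, and the systemd-tpm2 handler in turn needs the tss2 ESYS, RC and MU libraries at run time) is something a first-boot script can verify before it calls `cryptsetup resize`, so a missing dependency shows up as a clear message rather than a failed resize. The script below is an added example, not code from this patch, from isar or from isar-cip-core. It assumes cryptsetup's plug-in directory is `/usr/lib/<triplet>/cryptsetup` (an assumption, not stated on this page) and runs against a constructed `cryptsetup luksDump` excerpt instead of a real device.

```shell
#!/bin/sh
# Added example (not part of the patch, isar or isar-cip-core): from a LUKS2
# header dump, list the cryptsetup token plug-ins a device relies on and
# check that each plug-in and its run-time libraries are installed.

# Print the token types listed under "Tokens:" in `cryptsetup luksDump`
# output. Takes a file argument or reads stdin.
luks_token_types() {
    awk '
        /^Tokens:/  { in_tokens = 1; next }      # enter the Tokens section
        /^[^ \t]/   { in_tokens = 0 }            # any other top-level header ends it
        in_tokens && $1 ~ /^[0-9]+:$/ { print $2 }   # "  0: systemd-tpm2" -> systemd-tpm2
    ' "$@"
}

# Shared libraries a token handler loads at run time. The systemd-tpm2 list
# follows the thread's reading of systemd's tpm2-util.c; other handlers are
# assumed to need nothing beyond the plug-in itself.
token_runtime_libs() {
    case $1 in
        systemd-tpm2) echo "libtss2-esys.so.0 libtss2-rc.so.0 libtss2-mu.so.0" ;;
        *)            echo "" ;;
    esac
}

# check_token_plugins DUMP_FILE PLUGIN_DIR LIB_DIR
# Returns 0 when every token in the dump has its plug-in in PLUGIN_DIR and
# its run-time libraries in LIB_DIR, 1 otherwise. PLUGIN_DIR is where
# cryptsetup looks for libcryptsetup-token-<type>.so (assumed path:
# /usr/lib/<triplet>/cryptsetup).
check_token_plugins() {
    dump=$1; plugin_dir=$2; lib_dir=$3
    missing=0
    for tok in $(luks_token_types "$dump"); do
        plugin="$plugin_dir/libcryptsetup-token-$tok.so"
        if [ -e "$plugin" ]; then
            echo "ok       token $tok: $plugin"
        else
            echo "MISSING  token $tok: $plugin (cryptsetup cannot use this token)"
            missing=1
        fi
        for lib in $(token_runtime_libs "$tok"); do
            if [ -e "$lib_dir/$lib" ]; then
                echo "ok       $tok needs $lib"
            else
                echo "MISSING  $tok needs $lib_dir/$lib"
                missing=1
            fi
        done
    done
    return $missing
}

# Constructed luksDump excerpt for a device enrolled with systemd-cryptenroll.
# Keyslots also use "N:" entries, so the parser must stay inside "Tokens:".
sample_dump=${TMPDIR:-/tmp}/luksdump.sample.$$
cat > "$sample_dump" <<'EOF'
LUKS header information
Version:        2
Epoch:          5
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        tpm2-bank:  sha256
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
EOF

# On a real Debian amd64 system the call would be (paths are assumptions):
#   cryptsetup luksDump /dev/sdaN > /tmp/dump
#   check_token_plugins /tmp/dump /usr/lib/x86_64-linux-gnu/cryptsetup /usr/lib/x86_64-linux-gnu
```

For a clevis-enrolled device the dump lists a `clevis` token and the check reports `libcryptsetup-token-clevis.so` as missing, which is exactly the situation the thread describes for buster and bullseye.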
diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc index 4bd4b84..7006713 100644 --- a/conf/distro/cip-core-common.inc +++ b/conf/distro/cip-core-common.inc @@ -23,3 +23,16 @@ PREFERRED_VERSION_linux-cip-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip}" PREFERRED_VERSION_linux-cip-rt-native ?= "${PREFERRED_VERSION_linux-cip-rt}" PREFERRED_VERSION_linux-cip-rt-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip-rt}" + +ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= "" +ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions ?= "\ + cryptsetup, \ + libtss2-esys-3.0.2-0, \ + libtss2-rc0, \ + libtss2-mu0 \ + " + +ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions:buster ?= "\ + cryptsetup, \ + libtss2-esys0 \ + "
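Review bot: the unsuffixed `ADDITIONAL_DISK_ENCRYPTION_PACKAGES:encrypt-partitions` list pins the versioned package name `libtss2-esys-3.0.2-0` and applies to every distro without a more specific override, so bullseye picks up the bookworm systemd-tpm2 dependency set even though the cover letter says bullseye (like buster) uses clevis, where no token library exists and these packages do not help; consider scoping that list with a `:bookworm` suffix (or adding a bullseye override alongside the buster one) so the library list matches the crypt backend actually in use, and add a short comment above `ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""` naming the isar recipe that consumes the variable, since nothing in this file says where it is read.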