Message ID | 20230309102821.307140-4-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Superseded |
Series | Encrypt Partition in initramfs | expand |
On 09.03.23 11:28, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows testing the partition encryption with qemu. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > start-qemu.sh | 27 ++++++++++++++++++++++----- > 1 file changed, 22 insertions(+), 5 deletions(-) > > diff --git a/start-qemu.sh b/start-qemu.sh > index fcfbc5b..b46b066 100755 > --- a/start-qemu.sh > +++ b/start-qemu.sh > @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then > elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then > SWUPDATE_BOOT="true" > fi > +if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then > + TPM2_ENCRYPTION="true" > +fi > > if [ -n "${QEMU_PATH}" ]; then > QEMU_PATH="${QEMU_PATH}/" > @@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ > -m 1G \ > -serial mon:stdio \ > -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ > - ${QEMU_EXTRA_ARGS}" > + " > + > +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then > + swtpm_dir="/tmp/qemu-swtpm" > + mkdir -p "${swtpm_dir}" > + rm "${swtpm_dir}"/* This kills the previous TPM state, preventing to power-cycle the VM. We rather need to persist it aside the disk image. I'm massaging the script in that direction. Unfortunately, the unix socket can't be pushed there as well - path string becomes too long... Jan > + if swtpm socket -d --tpmstate dir="${swtpm_dir}" \ > + --ctrl type=unixio,path="${swtpm_dir}"/sock \ > + --tpm2; then > + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ > + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ > + -tpmdev emulator,id=tpm0,chardev=chrtpm \ > + -device tpm-tis,tpmdev=tpm0" > + fi > +fi > > if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > case "${arch}" in 
> @@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ > -drive if=pflash,format=raw,file=${ovmf_vars} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > else > ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} > > ${QEMU_PATH}${QEMU} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > fi > ;; > arm64|aarch64|arm|armhf) > @@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > ${QEMU_PATH}${QEMU} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > -bios ${u_boot_bin} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > ;; > rv64|riscv64) > opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin} > @@ -199,5 +216,5 @@ else > -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ > -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ > -initrd ${INITRD_FILE} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > fi
On 3/13/23 08:08, Jan Kiszka wrote: > On 09.03.23 11:28, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This allows testing the partition encryption with qemu. >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> start-qemu.sh | 27 ++++++++++++++++++++++----- >> 1 file changed, 22 insertions(+), 5 deletions(-) >> >> diff --git a/start-qemu.sh b/start-qemu.sh >> index fcfbc5b..b46b066 100755 >> --- a/start-qemu.sh >> +++ b/start-qemu.sh >> @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then >> elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then >> SWUPDATE_BOOT="true" >> fi >> +if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then >> + TPM2_ENCRYPTION="true" >> +fi >> >> if [ -n "${QEMU_PATH}" ]; then >> QEMU_PATH="${QEMU_PATH}/" >> @@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ >> -m 1G \ >> -serial mon:stdio \ >> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ >> - ${QEMU_EXTRA_ARGS}" >> + " >> + >> +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then >> + swtpm_dir="/tmp/qemu-swtpm" >> + mkdir -p "${swtpm_dir}" >> + rm "${swtpm_dir}"/* > > This kills the previous TPM state, preventing to power-cycle the VM. We > rather need to persist it aside the disk image. I'm massaging the script > in that direction. > This was for debugging purposes as the TPM is no longer accessible after a number of keys entered. Quirin > Unfortunately, the unix socket can't be pushed there as well - path > string becomes too long... > > Jan > >> + if swtpm socket -d --tpmstate dir="${swtpm_dir}" \ >> + --ctrl type=unixio,path="${swtpm_dir}"/sock \ >> + --tpm2; then >> + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ >> + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ >> + -tpmdev emulator,id=tpm0,chardev=chrtpm \ >> + -device tpm-tis,tpmdev=tpm0" >> + fi >> +fi >> >> if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then >> case "${arch}" in 
>> @@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then >> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ >> -drive if=pflash,format=raw,file=${ovmf_vars} \ >> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> else >> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} >> >> ${QEMU_PATH}${QEMU} \ >> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ >> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> fi >> ;; >> arm64|aarch64|arm|armhf) >> @@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then >> ${QEMU_PATH}${QEMU} \ >> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ >> -bios ${u_boot_bin} \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> ;; >> rv64|riscv64) >> opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin} >> @@ -199,5 +216,5 @@ else >> -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ >> -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ >> -initrd ${INITRD_FILE} \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> fi >
On 13.03.23 09:13, Gylstorff Quirin wrote: > > > On 3/13/23 08:08, Jan Kiszka wrote: >> On 09.03.23 11:28, Quirin Gylstorff wrote: >>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>> >>> This allows testing the partition encryption with qemu. >>> >>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>> --- >>> start-qemu.sh | 27 ++++++++++++++++++++++----- >>> 1 file changed, 22 insertions(+), 5 deletions(-) >>> >>> diff --git a/start-qemu.sh b/start-qemu.sh >>> index fcfbc5b..b46b066 100755 >>> --- a/start-qemu.sh >>> +++ b/start-qemu.sh >>> @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" >>> .config.yaml; then >>> elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then >>> SWUPDATE_BOOT="true" >>> fi >>> +if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then >>> + TPM2_ENCRYPTION="true" >>> +fi >>> if [ -n "${QEMU_PATH}" ]; then >>> QEMU_PATH="${QEMU_PATH}/" >>> @@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ >>> -m 1G \ >>> -serial mon:stdio \ >>> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ >>> - ${QEMU_EXTRA_ARGS}" >>> + " >>> + >>> +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then >>> + swtpm_dir="/tmp/qemu-swtpm" >>> + mkdir -p "${swtpm_dir}" >>> + rm "${swtpm_dir}"/* >> >> This kills the previous TPM state, preventing to power-cycle the VM. We >> rather need to persist it aside the disk image. I'm massaging the script >> in that direction. >> > > This was for debugging purposes as the TPM is no longer accessible after > a number of keys entered. > At least it is possible to encrypt a new image using the TPM state of a previous run, just tested. In which cases exactly does this issue hurt? Jan
On 3/13/23 10:13, Jan Kiszka wrote: > On 13.03.23 09:13, Gylstorff Quirin wrote: >> >> >> On 3/13/23 08:08, Jan Kiszka wrote: >>> On 09.03.23 11:28, Quirin Gylstorff wrote: >>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>>> >>>> This allows testing the partition encryption with qemu. >>>> >>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>>> --- >>>> start-qemu.sh | 27 ++++++++++++++++++++++----- >>>> 1 file changed, 22 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/start-qemu.sh b/start-qemu.sh >>>> index fcfbc5b..b46b066 100755 >>>> --- a/start-qemu.sh >>>> +++ b/start-qemu.sh >>>> @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" >>>> .config.yaml; then >>>> elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then >>>> SWUPDATE_BOOT="true" >>>> fi >>>> +if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then >>>> + TPM2_ENCRYPTION="true" >>>> +fi >>>> if [ -n "${QEMU_PATH}" ]; then >>>> QEMU_PATH="${QEMU_PATH}/" >>>> @@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ >>>> -m 1G \ >>>> -serial mon:stdio \ >>>> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ >>>> - ${QEMU_EXTRA_ARGS}" >>>> + " >>>> + >>>> +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then >>>> + swtpm_dir="/tmp/qemu-swtpm" >>>> + mkdir -p "${swtpm_dir}" >>>> + rm "${swtpm_dir}"/* >>> >>> This kills the previous TPM state, preventing to power-cycle the VM. We >>> rather need to persist it aside the disk image. I'm massaging the script >>> in that direction. >>> >> >> This was for debugging purposes as the TPM is no longer accessible after >> a number of keys entered. >> > > At least it is possible to encrypt a new image using the TPM state of a > previous run, just tested. In which cases exactly does this issue hurt? After creating 8 keys/images, the 9th time you want to add a key for a new image the TPM will throw an error. Quirin > > Jan >
On 13.03.23 11:29, Gylstorff Quirin wrote: > > > On 3/13/23 10:13, Jan Kiszka wrote: >> On 13.03.23 09:13, Gylstorff Quirin wrote: >>> >>> >>> On 3/13/23 08:08, Jan Kiszka wrote: >>>> On 09.03.23 11:28, Quirin Gylstorff wrote: >>>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>>>> >>>>> This allows testing the partition encryption with qemu. >>>>> >>>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>>>> --- >>>>> start-qemu.sh | 27 ++++++++++++++++++++++----- >>>>> 1 file changed, 22 insertions(+), 5 deletions(-) >>>>> >>>>> diff --git a/start-qemu.sh b/start-qemu.sh >>>>> index fcfbc5b..b46b066 100755 >>>>> --- a/start-qemu.sh >>>>> +++ b/start-qemu.sh >>>>> @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" >>>>> .config.yaml; then >>>>> elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then >>>>> SWUPDATE_BOOT="true" >>>>> fi >>>>> +if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then >>>>> + TPM2_ENCRYPTION="true" >>>>> +fi >>>>> if [ -n "${QEMU_PATH}" ]; then >>>>> QEMU_PATH="${QEMU_PATH}/" 
>>>>> @@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ >>>>> -m 1G \ >>>>> -serial mon:stdio \ >>>>> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ >>>>> - ${QEMU_EXTRA_ARGS}" >>>>> + " >>>>> + >>>>> +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then >>>>> + swtpm_dir="/tmp/qemu-swtpm" >>>>> + mkdir -p "${swtpm_dir}" >>>>> + rm "${swtpm_dir}"/* >>>> >>>> This kills the previous TPM state, preventing to power-cycle the VM. We >>>> rather need to persist it aside the disk image. I'm massaging the >>>> script >>>> in that direction. >>>> >>> >>> This was for debugging purposes as the TPM is no longer accessible after >>> a number of keys entered. >>> >> >> At least it is possible to encrypt a new image using the TPM state of a >> previous run, just tested. In which cases exactly does this issue hurt? > > After creating 8 keys/Images the 9th time you want to add a key to a new > the TPM will throw a error. > So, every boot-strap of a new image will add one key, and that will start to fail after the 8th time. Then we should purge the newly created subfolder in deploydir when performing an image deployment. Jan
diff --git a/start-qemu.sh b/start-qemu.sh
index fcfbc5b..b46b066 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
 elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
 SWUPDATE_BOOT="true"
 fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
+ TPM2_ENCRYPTION="true"
+fi
 
 if [ -n "${QEMU_PATH}" ]; then
 QEMU_PATH="${QEMU_PATH}/"
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \
 -m 1G \
 -serial mon:stdio \
 -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
- ${QEMU_EXTRA_ARGS}"
+ "
+
+if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+ swtpm_dir="/tmp/qemu-swtpm"
+ mkdir -p "${swtpm_dir}"
+ rm "${swtpm_dir}"/*
+ if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
+ --ctrl type=unixio,path="${swtpm_dir}"/sock \
+ --tpm2; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0"
+ fi
+fi
 
 if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 case "${arch}" in
@@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
 -drive if=pflash,format=raw,file=${ovmf_vars} \
 -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 else
 ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
 
 ${QEMU_PATH}${QEMU} \
 -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 fi
 ;;
 arm64|aarch64|arm|armhf)
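Review bot: The `swtpm_dir="/tmp/qemu-swtpm"` line fixes the TPM state directory to a predictable, world-shared path, and the following `mkdir -p` succeeds silently when another local user created that directory first, so that user would own the directory holding the TPM state and the `sock` control socket and could swap in a socket served by a swtpm they control before QEMU connects. The `rm "${swtpm_dir}"/*` line also prints an error when the directory is empty and does not use `--`. Creating a per-user, mode-0700 directory under `$XDG_RUNTIME_DIR` (falling back to /tmp) and refusing to continue unless it is a real directory owned by the caller closes the pre-creation window, and such paths are short enough for a unix socket. As a secondary point, when swtpm is missing the `if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]` condition boots an encryption-enabled image without any TPM and without a message, which a warning on stderr would make obvious. The `QEMU_COMMON_OPTIONS` assignment this hunk closes begins before it, and the `if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]` block at its end continues past it.
```shell
if [ "$TPM2_ENCRYPTION" = "true" ]; then
	if ! command -v swtpm >/dev/null 2>&1; then
		echo "WARNING: IMAGE_DATA_ENCRYPTION is enabled but swtpm is not installed, booting without a TPM" >&2
	else
		# per-user, 0700 directory; refuse a pre-existing path we do not own
		swtpm_dir="${XDG_RUNTIME_DIR:-/tmp}/qemu-swtpm-$(id -u)"
		mkdir -m 0700 -p "${swtpm_dir}"
		if [ -L "${swtpm_dir}" ] || [ ! -d "${swtpm_dir}" ] || [ ! -O "${swtpm_dir}" ]; then
			echo "ERROR: ${swtpm_dir} is not a directory owned by $(id -un), refusing to use it" >&2
			exit 1
		fi
		rm -f -- "${swtpm_dir}"/*
		# … unchanged: swtpm socket start and QEMU_EXTRA_ARGS assembly …
	fi
fi
```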
@@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
 ${QEMU_PATH}${QEMU} \
 -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
 -bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 ;;
 rv64|riscv64)
 opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
@@ -199,5 +216,5 @@ else
 -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
 -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
 -initrd ${INITRD_FILE} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"
 fi
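Review bot: Now that `${QEMU_EXTRA_ARGS}` is no longer part of `QEMU_COMMON_OPTIONS`, every QEMU invocation has to append it explicitly, but the riscv branch opened by the `rv64|riscv64)` context line here is not touched by any hunk (the diffstat's 22 insertions are fully accounted for by the visible hunks), so if its invocation ends in `${QEMU_COMMON_OPTIONS} "$@"` like the others, a user-supplied `QEMU_EXTRA_ARGS` is silently dropped on riscv after this change and it needs the same `${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@"` edit. Separately, the arm invocation at `-bios ${u_boot_bin} \` now receives the `-device tpm-tis,tpmdev=tpm0` string that the earlier hunk builds unconditionally; as far as I know `tpm-tis` is the ISA-bus model for x86 PC machines while the arm `virt` machine needs the sysbus variant `tpm-tis-device`, so the device should be selected by `${arch}` where `QEMU_EXTRA_ARGS` is assembled, e.g. `case "${arch}" in arm*|aarch64) tpm_dev=tpm-tis-device ;; *) tpm_dev=tpm-tis ;; esac` followed by `-device ${tpm_dev},tpmdev=tpm0`. The `case "${arch}"` statement this hunk sits in opens and closes outside it.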