| Message ID | 20230421150545.4073324-3-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Fixes for secure boot and | expand |
On 21.04.23 17:05, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This introduces the necessary changes for Debian buster(10) with > inplace encryption. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > .../files/encrypt_partition.clevis.hook | 20 +++++++++++++++---- > .../files/encrypt_partition.clevis.script | 3 ++- > .../initramfs-crypt-hook_0.1.bb | 5 +++-- > 3 files changed, 21 insertions(+), 7 deletions(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook > index 5dbc5be..924ee7f 100755 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook > @@ -9,7 +9,7 @@ prereqs() > { > echo "$PREREQ" > } > - That newline should stay. > +set -x > case $1 in > prereqs) > prereqs > @@ -45,15 +45,26 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp > copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found" > copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found" > copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found" > +if [ -x /usr/bin/clevis-luks-list ]; then Trailing whitespaces - could you enable related visualization in your editor? > copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" Pleas indent the body. > -copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" > +fi > +if [ -x /usr/bin/clevis-luks-common-functions ]; then > + copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" > +fi > copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary" > copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal" > copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create" > copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" > -copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" > +if [ -x /usr/bin/tpm2_pcrread ]; then > + copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" > +fi > +if [ -x /usr/bin/tpm2_pcrlist ]; then > + copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread" > +fi > copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" > +if [ -x /usr/bin/tpm2_flushcontext ]; then > copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" Indention. > +fi > copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash" > copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta" > copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose" > @@ -66,8 +77,9 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" > copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" > copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" > copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " > +copy_exec /usr/lib/gcc/*/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/gcc/*/*/libgcc_s.so.1 " > > -if [ -x cryptsetup-reencrypt ]; then > +if [ -x /usr/sbin/cryptsetup-reencrypt ]; then > copy_exec /usr/sbin/cryptsetup-reencrypt > fi > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > index 37bb024..bcb5a04 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > @@ -8,6 +8,7 @@ > # Quirin Gylstorff <quirin.gylstorff@siemens.com> > # > # SPDX-License-Identifier: MIT > + > prereqs() > { > # Make sure that this script is run last in local-top > @@ -67,7 +68,7 @@ reencrypt_existing_partition() { > reduced_size_in_byte="$(expr "$reduced_size" \* 512)" > reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" > resize2fs "$1" "${reduced_size_in_kb}" > - if [ -x cryptsetup-reencrypt ]; then > + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then > /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" > else > /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > index 1436b94..997f469 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > @@ -10,11 +10,12 @@ > > inherit dpkg-raw > DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ > - awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" > + awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ > + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs" > > CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" > > -DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}" > +DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" > DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" > DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" > Jan
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 5dbc5be..924ee7f 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -9,7 +9,7 @@ prereqs() { echo "$PREREQ" } - +set -x case $1 in prereqs) prereqs @@ -45,15 +45,26 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found" copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found" copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found" +if [ -x /usr/bin/clevis-luks-list ]; then copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" -copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" +fi +if [ -x /usr/bin/clevis-luks-common-functions ]; then + copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" +fi copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary" copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal" copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create" copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" -copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +if [ -x /usr/bin/tpm2_pcrread ]; then + copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +fi +if [ -x /usr/bin/tpm2_pcrlist ]; then + copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +fi copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" +if [ -x /usr/bin/tpm2_flushcontext ]; then copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" +fi copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash" copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta" copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose" @@ -66,8 +77,9 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " +copy_exec /usr/lib/gcc/*/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/gcc/*/*/libgcc_s.so.1 " -if [ -x cryptsetup-reencrypt ]; then +if [ -x /usr/sbin/cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 37bb024..bcb5a04 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -8,6 +8,7 @@ # Quirin Gylstorff <quirin.gylstorff@siemens.com> # # SPDX-License-Identifier: MIT + prereqs() { # Make sure that this script is run last in local-top @@ -67,7 +68,7 @@ reencrypt_existing_partition() { reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" resize2fs "$1" "${reduced_size_in_kb}" - if [ -x cryptsetup-reencrypt ]; then + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 1436b94..997f469 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -10,11 +10,12 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ - awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" + awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" -DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}" +DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"