Message ID | 20240319182026.1571362-2-Quirin.Gylstorff@siemens.com (mailing list archive)
---|---
State | Superseded
Series | Rework disk encryption
On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This allows devices which started on Debian 11 to continue using
> clevis for encryption and decryption.
>

Would an upgrade to systemd tooling be possible as well? Create a new key with systemd in the TPM and add that to dm-crypt container?

This is just out of the concern if we may have to maintain that clevis path forever.

Jan

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > .../initramfs-crypt-hook_0.1.bb | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > index b275c0f..317ea12 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > @@ -1,7 +1,7 @@ > # > # CIP Core, generic profile > # > -# Copyright (c) Siemens AG, 2020-2023 > +# Copyright (c) Siemens AG, 2020-2024 > # > # Authors: > # Quirin Gylstorff <quirin.gylstorff@siemens.com> > @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" > > DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" > DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" > -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" > +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" > + > +def encryption_dependency(d): > + crypt_backend = d.getVar('CRYPT_BACKEND') > + if crypt_backend == 'clevis': > + clevis_depends= d.getVar('CLEVIS_DEPEND') > + return f"{clevis_depends}, clevis-tpm2" > + elif crypt_backend == 'systemd': > + return ", systemd (>= 251)" > + else: > + bb.error("unkown cryptbackend defined") > > CRYPT_BACKEND:buster = "clevis" > CRYPT_BACKEND:bullseye = "clevis"
On 3/19/24 7:33 PM, Jan Kiszka wrote:
> On 19.03.24 19:18, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This allows devices which started on Debian 11 to continue using
>> clevis for encryption and decryption.
>>
>
> Would an upgrade to systemd tooling be possible as well? Create a new
> key with systemd in the TPM and add that to dm-crypt container?

I need to try this. We need a passphrase to add additional keys. So we would need to store the passphrase for the encryption somewhere on the system. A possible solution would be to encrypt the passphrase with the TPM chip and store it somewhere on the system.

Quirin

>
> This is just out of the concern if we may have to maintain that clevis
> path forever.
>
> Jan
>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> .../initramfs-crypt-hook_0.1.bb | 14 ++++++++++++-- >> 1 file changed, 12 insertions(+), 2 deletions(-) >> >> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> index b275c0f..317ea12 100644 >> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb >> @@ -1,7 +1,7 @@ >> # >> # CIP Core, generic profile >> # >> -# Copyright (c) Siemens AG, 2020-2023 >> +# Copyright (c) Siemens AG, 2020-2024 >> # >> # Authors: >> # Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" >> >> DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" >> DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" >> -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" >> +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" >> + >> +def encryption_dependency(d): >> + crypt_backend = d.getVar('CRYPT_BACKEND') >> + if crypt_backend == 'clevis': >> + clevis_depends= d.getVar('CLEVIS_DEPEND') >> + return f"{clevis_depends}, clevis-tpm2" >> + elif crypt_backend == 'systemd': >> + return ", systemd (>= 251)" >> + else: >> + bb.error("unkown cryptbackend defined") >> >> CRYPT_BACKEND:buster = "clevis" >> CRYPT_BACKEND:bullseye = "clevis" >
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index b275c0f..317ea12 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020-2023 +# Copyright (c) Siemens AG, 2020-2024 # # Authors: # Quirin Gylstorff <quirin.gylstorff@siemens.com> @@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" + +def encryption_dependency(d): + crypt_backend = d.getVar('CRYPT_BACKEND') + if crypt_backend == 'clevis': + clevis_depends= d.getVar('CLEVIS_DEPEND') + return f"{clevis_depends}, clevis-tpm2" + elif crypt_backend == 'systemd': + return ", systemd (>= 251)" + else: + bb.error("unkown cryptbackend defined") CRYPT_BACKEND:buster = "clevis" CRYPT_BACKEND:bullseye = "clevis"
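Review bot: in the `@@ -17,7 +17,17 @@` hunk, the `else:` branch of `encryption_dependency()` calls `bb.error(...)` but returns nothing, so an unexpected `CRYPT_BACKEND` value yields `None` into `DEBIAN_DEPENDS:append` and parsing continues instead of stopping; use `bb.fatal("unknown CRYPT_BACKEND defined")` there (which also fixes the "unkown" typo) so a misconfigured backend aborts the build. Also, `DEBIAN_DEPENDS:append:buster` and `DEBIAN_DEPENDS:append:bullseye` still add `${CLEVIS_DEPEND}`, so for those releases the `clevis` branch lists clevis-luks, jose, bash, luksmeta, file and libpwquality-tools a second time; returning only `", clevis-tpm2"` from that branch avoids the duplicated Depends entries. Minor style: `clevis_depends= d.getVar(...)` needs a space before `=`.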