
[isar-cip-core,RFC,5/8] initramfs-crypt-hook: add flag to make encryption optional

Message ID 20240319182026.1571362-6-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Series Rework disk encryption | expand

Commit Message

Gylstorff Quirin March 19, 2024, 6:18 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows the same image to be used on devices without a TPM or with a
disabled TPM.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.script     | 20 +++++++++++++++++-
 .../files/encrypt_partition.env.tmpl          |  1 +
 .../files/encrypt_partition.systemd.script    | 21 ++++++++++++++++++-
 .../initramfs-crypt-hook_0.1.bb               |  1 +
 4 files changed, 41 insertions(+), 2 deletions(-)

Comments

Jan Kiszka March 19, 2024, 6:36 p.m. UTC | #1
On 19.03.24 19:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to use same image on device without or with a disabled
> TPM.

"device with and without TPM"?

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/encrypt_partition.clevis.script     | 20 +++++++++++++++++-
>  .../files/encrypt_partition.env.tmpl          |  1 +
>  .../files/encrypt_partition.systemd.script    | 21 ++++++++++++++++++-
>  .../initramfs-crypt-hook_0.1.bb               |  1 +
>  4 files changed, 41 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index f271e85..6e2713f 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
>  create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
>  pcr_bank_hash_type="$HASH_TYPE"
>  tpm_key_algorithm="$KEY_ALGORITHM"
> +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
>  if [ -z "${create_file_system_cmd}" ]; then
>  	create_file_system_cmd="mke2fs -t ext4"
>  fi
> @@ -111,7 +112,24 @@ for candidate in /dev/tpm*; do
>  done
>  
>  if [ ! -e "$tpm_device" ]; then
> -	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
> +	if [ "$tpm_encryption_optional" = "true" ]; then
> +		echo "No tpm_device exists abort optional encryption"
> +		for partition_set in $partition_sets; do
> +			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
> +			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
> +			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
> +			partition=/dev/disk/by-partlabel/"$partition_label"
> +			case "${partition_format}" in
> +			"reencrypt")
> +				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
> +				;;
> +			*)
> +				echo "cannot mount partition '$partition' as it is marked for formatting."
> +			esac
> +		done
> +		exit 0
> +	fi
> +	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
>  fi
>  
>  # clevis needs /dev/fd create it in the initramfs
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> index 5d28dc5..bb93361 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
>  WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
>  HASH_TYPE="${CRYPT_HASH_TYPE}"
>  KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
> +ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> index ea267ac..2e6691a 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
> @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS"
>  create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
>  pcr_bank_hash_type="$HASH_TYPE"
>  tpm_key_algorithm="$KEY_ALGORITHM"
> +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
>  if [ -z "${create_file_system_cmd}" ]; then
>  	create_file_system_cmd="mke2fs -t ext4"
>  fi
> @@ -124,9 +125,27 @@ for candidate in /dev/tpm*; do
>  done
>  
>  if [ ! -e "$tpm_device" ]; then
> -	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
> +	if [ "$tpm_encryption_optional" = "true" ]; then
> +		echo "No tpm_device exists abort optional encryption"
> +		for partition_set in $partition_sets; do
> +			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
> +			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
> +			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
> +			partition=/dev/disk/by-partlabel/"$partition_label"
> +			case "${partition_format}" in
> +			"reencrypt")
> +				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
> +				;;
> +			*)
> +				echo "cannot mount partition '$partition' as it is marked for formatting."
> +			esac
> +		done
> +		exit 0
> +	fi
> +	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
>  fi
>  
> +

Extra newline.

>  for partition_set in $partition_sets; do
>  	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
>  	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> index 7f732cf..54c91fd 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
> @@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
>  # clevis needs tpm hash algorithm type
>  CRYPT_HASH_TYPE ??= "sha256"
>  CRYPT_KEY_ALGORITHM ??= "ecc"
> +CRYPT_ENCRYPTION_OPTIONAL ??= "false"
>  
>  TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>      CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \

Jan

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index f271e85..6e2713f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -47,6 +47,7 @@  partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
 pcr_bank_hash_type="$HASH_TYPE"
 tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -111,7 +112,24 @@  for candidate in /dev/tpm*; do
 done
 
 if [ ! -e "$tpm_device" ]; then
-	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		for partition_set in $partition_sets; do
+			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+			partition=/dev/disk/by-partlabel/"$partition_label"
+			case "${partition_format}" in
+			"reencrypt")
+				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+				;;
+			*)
+				echo "cannot mount partition '$partition' as it is marked for formatting."
+			esac
+		done
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
 fi
 
 # clevis needs /dev/fd create it in the initramfs
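Review bot: In the new optional-encryption branch the `"reencrypt"` arm calls `mount_partition` on the raw partition without checking whether it already holds a LUKS container, which is plausibly the state a device reaches once it has booted with a TPM present and is later booted with the TPM disabled; the mount then fails with an unrelated error instead of a clear message. A guard before the mount would make that case explicit, e.g. `if cryptsetup isLuks "$partition"; then panic "partition '$partition' is already encrypted but no TPM device is available"; fi` (assuming cryptsetup is available in the initramfs, which the encryption path presumably requires anyway). The flag is also only honoured when it equals the exact string `"true"`, so any other value falls through to the TPM `panic` with a misleading message; checking it once where `tpm_encryption_optional` is assigned and reporting an invalid value there would make misconfiguration visible. The same block is duplicated verbatim in encrypt_partition.systemd.script (hunk `@@ -124,9 +125,27 @@`), so both points apply there too; the enclosing `for candidate` loop starts outside this hunk.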
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index 5d28dc5..bb93361 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -4,3 +4,4 @@  SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
 WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
 HASH_TYPE="${CRYPT_HASH_TYPE}"
 KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
+ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index ea267ac..2e6691a 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -47,6 +47,7 @@  partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
 pcr_bank_hash_type="$HASH_TYPE"
 tpm_key_algorithm="$KEY_ALGORITHM"
+tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL"
 if [ -z "${create_file_system_cmd}" ]; then
 	create_file_system_cmd="mke2fs -t ext4"
 fi
@@ -124,9 +125,27 @@  for candidate in /dev/tpm*; do
 done
 
 if [ ! -e "$tpm_device" ]; then
-	panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!"
+	if [ "$tpm_encryption_optional" = "true" ]; then
+		echo "No tpm_device exists abort optional encryption"
+		for partition_set in $partition_sets; do
+			partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+			partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
+			partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
+			partition=/dev/disk/by-partlabel/"$partition_label"
+			case "${partition_format}" in
+			"reencrypt")
+				mount_partition "$partition" "$rootmnt""$partition_mountpoint"
+				;;
+			*)
+				echo "cannot mount partition '$partition' as it is marked for formatting."
+			esac
+		done
+		exit 0
+	fi
+	panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!"
 fi
 
+
 for partition_set in $partition_sets; do
 	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
 	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 7f732cf..54c91fd 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -50,6 +50,7 @@  INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
 # clevis needs tpm hash algorithm type
 CRYPT_HASH_TYPE ??= "sha256"
 CRYPT_KEY_ALGORITHM ??= "ecc"
+CRYPT_ENCRYPTION_OPTIONAL ??= "false"
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
     CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
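Review bot: `CRYPT_ENCRYPTION_OPTIONAL` gets a default here but does not appear to be added to `TEMPLATE_VARS`: the diffstat lists a single insertion for this file, and that is the `??=` line, while the list that starts on the following lines is shown unchanged. Unless the variable reaches the template some other way, the `${CRYPT_ENCRYPTION_OPTIONAL}` reference added to encrypt_partition.env.tmpl would not be substituted at build time, `ENCRYPTION_IS_OPTIONAL` would end up empty in the initramfs, and the new flag would never take effect. Adding `CRYPT_ENCRYPTION_OPTIONAL` to the `TEMPLATE_VARS` list, whose continuation runs past the end of this hunk, should resolve it.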