@@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri
### CRYPT_PARTITIONS
The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt | format-if-empty>`.
- The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
- The `mountpoint` is used mount the decrypted partition in the root file system
- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
- `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. This makes it possible for an system to support encrypted partitions, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. For example, with a shared data partition, the fallback system would have the `noencrypt` option, while the encrypted system would have the `reencrypt` option set for it. Now the fallback system can still open the data partition if the update to the encrypted system failed.
+- `format-if-empty` will create a empty LUKS partition and formats it, like the `format` option, but only if the first 10MiB are empty (contain only 0x00). This makes it possible to differentiate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone.
#### Encrypted root file system
@@ -269,6 +269,22 @@ for partition_set in $partition_sets; do
eval "${create_file_system_cmd} ${decrypted_part}"
log_end_msg
;;
+ "format-if-empty")
+ # Check if first 10MiB contain only zeros
+ if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero
+ then
+ log_begin_msg "Encryption of ${part_device}"
+ /usr/sbin/cryptsetup luksFormat --batch-mode \
+ --type luks2 "$part_device" < "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
+ open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+ eval "${create_file_system_cmd} ${decrypted_part}"
+ log_end_msg
+ else
+ # If not empty, leave it alone.
+ continue
+ fi
+ ;;
*)
panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
;;
@@ -41,7 +41,7 @@ HOOK_ADD_MODULES = " \
HOOK_COPY_EXECS = " \
openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
- e2fsck resize2fs cryptsetup \
+ e2fsck resize2fs cryptsetup cmp \
tpm2_pcrread tpm2_testparms tpm2_flushcontext \
/usr/lib/*/libgcc_s.so.1"
When encryption is enabled from one update to the next there is a difference between flashing a fresh factory image to a empty storage device, which contains an empty fallback partition set and updating it, where the fallback partition contains the actual fallback partitions. In the update case, the update case, the fallback system should be left alone and unencrypted. When doing a factory flash, the fallback partitions can be encrypted. The best marker on in which case the system is booted is, if the partition is empty or not. The 'format-if-empty' option will format the partition with a luks format in case the first 10MiB are empty. Signed-off-by: Claudius Heine <ch@denx.de> --- doc/README.tpm2.encryption.md | 3 ++- .../files/local-top-complete | 16 ++++++++++++++++ .../initramfs-crypt-hook_0.6.bb | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-)