From patchwork Thu Feb 27 14:30:21 2025
X-Patchwork-Submitter: Claudius Heine
X-Patchwork-Id: 13994697
From: Claudius Heine
To: cip-dev@lists.cip-project.org, Jan Kiszka, Quirin Gylstorff
Cc: Claudius Heine
Subject: [PATCH v2 3/4] initramfs-crypt-hook: add 'format-if-empty' feature
Date: Thu, 27 Feb 2025 15:30:21 +0100
Message-ID: <20250227143022.323950-4-ch@denx.de>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250227143022.323950-1-ch@denx.de>
References: <20250227143022.323950-1-ch@denx.de>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17944

When encryption is enabled from one update to the next, there is a difference between flashing a fresh factory image to an empty storage device, which contains an empty fallback partition set, and updating it, where the fallback partition contains the actual fallback partitions.

In the update case, the fallback system should be left alone and unencrypted. When doing a factory flash, the fallback partitions can be encrypted.

The best marker for which case the system is booted in is whether the partition is empty or not.

The 'format-if-empty' option will format the partition with a LUKS format in case the first 10MiB are empty.

Signed-off-by: Claudius Heine
---
 doc/README.tpm2.encryption.md | 3 ++-
 .../files/local-top-complete | 16 ++++++++++++++++
 .../initramfs-crypt-hook_0.6.bb | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index a503095..01b6033 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` - `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. This makes it possible for an system to support encrypted partitions, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. For example, with a shared data partition, the fallback system would have the `noencrypt` option, while the encrypted system would have the `reencrypt` option set for it. Now the fallback system can still open the data partition if the update to the encrypted system failed. +- `format-if-empty` will create a empty LUKS partition and formats it, like the `format` option, but only if the first 10MiB are empty (contain only 0x00). This makes it possible to differentiate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone. #### Encrypted root file system 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 67722fc..4b6451a 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -269,6 +269,22 @@ for partition_set in $partition_sets; do eval "${create_file_system_cmd} ${decrypted_part}" log_end_msg ;; + "format-if-empty") + # Check if first 10MiB contain only zeros + if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero + then + log_begin_msg "Encryption of ${part_device}" + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$part_device" < "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + eval "${create_file_system_cmd} ${decrypted_part}" + log_end_msg + else + # If not empty, leave it alone. + continue + fi + ;; *) panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" ;; diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb index df335c9..c9a7f89 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb @@ -41,7 +41,7 @@ HOOK_ADD_MODULES = " \ HOOK_COPY_EXECS = " \ openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ - e2fsck resize2fs cryptsetup \ + e2fsck resize2fs cryptsetup cmp \ tpm2_pcrread tpm2_testparms tpm2_flushcontext \ /usr/lib/*/libgcc_s.so.1"
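Review bot: in the README hunk, the `-`/`+` pair that rewrites the schema line reads identically as quoted here (`::` on both sides), so a reader cannot tell which placeholder changed; please check that the rendered schema actually names `format-if-empty` among the accepted values, otherwise the new bullet is the only place the value is documented. In that bullet, "will create a empty LUKS partition and formats it" should read "will create an empty LUKS partition and format it", and it is worth spelling out the consequence of the 10MiB window: a partition whose first 10MiB are zero but which holds data further in is still treated as empty and gets formatted, so that data is lost.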
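Review bot: in the `local-top-complete` hunk, the `else` branch silently `continue`s whenever `cmp` returns non-zero, which conflates "partition is not empty" (exit 1) with "cmp could not read the device" (exit 2) and, because `/dev/zero` never reaches EOF, also with "partition is shorter than 10MiB" (reported as EOF, exit 1); in every one of those cases the partition is left unencrypted and nothing appears in the boot log. Suggest capturing cmp's exit status before branching, reporting a status of 2 as an error instead of treating it as a non-empty fallback, and logging the skip, e.g. `log_warning_msg "${part_device} not empty, leaving it unencrypted"`, so the decision is visible when someone later audits why a partition was not encrypted. Also note that `cmp -n` is GNU diffutils syntax; BusyBox's `cmp` only accepts `-l`/`-s`, so the binary copied into the initramfs must be the diffutils one.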
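Review bot: in the `.bb` hunk, adding `cmp` to `HOOK_COPY_EXECS` is the right place, but it copies whatever `cmp` the target rootfs provides; since the hook depends on the GNU `-n` option, the recipe should also make sure the diffutils package is a dependency of the image (not visible in this hunk), otherwise the copy may fail or pick up a BusyBox applet that does not understand `-n`.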