@@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri
### CRYPT_PARTITIONS
The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt>`.
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt | format | noencrypt | format-if-empty>`.
- The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
- The `mountpoint` is used mount the decrypted partition in the root file system
- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
- `noencrypt` will not try to encrypt the partition if it isn't encrypted already, but will open it if it is. See the section [Encrypting the shared partition via an update](#### Encrypting the shared partition via an update) for more information
+- `format-if-empty` will create an empty LUKS partition and format it, like the `format` option, but only if the first 10 MiB are empty (contain only 0x00). This makes it possible to differentiate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone.
#### Encrypted root file system
@@ -78,6 +79,8 @@ The data partition in the fallback system will have the `noencrypt` flag set, wh
- Update fails at a later point and is not blessed; system reboots into the fallback system on slot A.
- Fallback system now needs to be able to use the shared data partition.
+In this case, where encryption is added via an update, the `format-if-empty` option is also useful. The system with encryption enabled has the `format-if-empty` option set for the partition(s) in the inactive update slot. This will cause both sets of partitions in both slots to be encrypted after the first boot on a fresh factory flashed system, but will not disturb existing data of any fallback system if booted after an update.
+
### CRYPT_CREATE_FILE_SYSTEM_CMD
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
@@ -316,6 +316,22 @@ for partition_set in $partition_sets; do
eval "${create_file_system_cmd} ${decrypted_part}"
log_end_msg
;;
+ "format-if-empty")
+ # Check if first 10MiB contain only zeros
+ if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero
+ then
+ log_begin_msg "Encryption of ${part_device}"
+ /usr/sbin/cryptsetup luksFormat --batch-mode \
+ --type luks2 "$part_device" < "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
+ open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
+ eval "${create_file_system_cmd} ${decrypted_part}"
+ log_end_msg
+ else
+ # If not empty, leave it alone.
+ continue
+ fi
+ ;;
*)
panic "Unknown value ${partition_format}. Cannot create a encrypted partition !"
;;
@@ -40,7 +40,7 @@ HOOK_ADD_MODULES = " \
HOOK_COPY_EXECS = " \
mke2fs grep awk expr seq sleep basename uuidparse mountpoint \
- e2fsck resize2fs cryptsetup \
+ e2fsck resize2fs cryptsetup cmp \
tpm2_pcrread tpm2_testparms tpm2_flushcontext \
/usr/lib/*/libgcc_s.so.1"
With the A/B update scheme, the goal is to have two (mostly) independent system slots, one that is active and one that is inactive. The active system slot writes updates to the inactive system slot and switches the active and inactive slot via a reboot. Late when booting the new system, it will decide if the current system is stable and then 'bless' it in the bootloader, or it will consider the update failed and the system reboots, without the updated system slot being blessed. In the last case, the system in the old slot will work as a fallback system, that reports the failed update back to the backend, and continue the service, as it has before the update was applied. It is important here that the update does not modify the fallback system in any avoidable way, because doing so might break the fallback and make the system not remotely recoverable. If encryption is added via an update, there are two cases to consider: 1. Update is applied to the inactive update slot via the normal update procedure. In this case the fallback system should not be modified. 2. A system that uses encryption is flashed via a factory flash. In this case there is no fallback system and all partitions of both update slots need to be encrypted. To differentiate between these cases, the content of each fallback partition can be looked at, if they contain data, we are in case (1) and these partitions should be left alone, if they contain only 0x00, they can be formatted, because we are in case (2). The `format-if-empty` option is implemented here, will look if the first 10 MiB of each partition marked with this option contains 0x00 or not and will either format it or leave it alone. Signed-off-by: Claudius Heine <ch@denx.de> --- doc/README.tpm2.encryption.md | 5 ++++- .../initramfs-crypt-hook/files/local-top-complete | 16 ++++++++++++++++ .../initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb | 2 +- 3 files changed, 21 insertions(+), 2 deletions(-)