From patchwork Mon Jan 30 15:02:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13121298 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 993E1C54EAA for ; Mon, 30 Jan 2023 15:02:18 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.43313.1675090929408667946 for ; Mon, 30 Jan 2023 07:02:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=LcG88LAA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20230130150206efd74f737fcb10f244-bjdp3g@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20230130150206efd74f737fcb10f244 for ; Mon, 30 Jan 2023 16:02:06 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=W+7Q02x4ft4MkaZ3Qhp0t0ic1iEWJL4jTe3eSPktr0I=; b=LcG88LAAHoXtwv4NIXgsxUW82MdELZM2rtUQ1KD+FzzaKW6Y6FiS0qcqLWNt+bQifcY0NK T9jukRsMvpPbAS5cVHqjA7xjVDIsc2UmTV7RBdFdvnndzBnNi/3iGdoQHSJ92gxsioyqrvcb RpzOt8hVdIiRK8a1S46UjUwFocVno=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC 1/5] add tpm.cfg to the kernel Date: Mon, 30 Jan 2023 16:02:00 +0100 Message-Id: <20230130150204.697758-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> References: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Jan 2023 15:02:18 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10508 From: Quirin Gylstorff This can be dropped after the linux-cip configuration was updated. Signed-off-by: Quirin Gylstorff --- recipes-kernel/linux/files/tpm.cfg | 13 +++++++++++++ recipes-kernel/linux/linux-cip-common.inc | 2 ++ 2 files changed, 15 insertions(+) create mode 100644 recipes-kernel/linux/files/tpm.cfg diff --git a/recipes-kernel/linux/files/tpm.cfg b/recipes-kernel/linux/files/tpm.cfg new file mode 100644 index 0000000..22268ae --- /dev/null +++ b/recipes-kernel/linux/files/tpm.cfg @@ -0,0 +1,13 @@ +CONFIG_AS_SHA256_NI=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_LIB_SHA256=y +CONFIG_CRYPTO_XTS=y +CONFIG_SECURITYFS=y +CONFIG_TCG_TPM=m +CONFIG_TCG_TIS_CORE=m +CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_SPI=m +CONFIG_TCG_CRB=m diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 9b6cd3b..e4292a6 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc 
@@ -23,6 +23,8 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \ }" +SRC_URI += "file://tpm.cfg" + SRCREV_cip-kernel-config ?= "ce52837418aea714e780e0cbc8afb9515c12cc1b" S = "${WORKDIR}/linux-cip-${PV}" From patchwork Mon Jan 30 15:02:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13121301 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8545C636CB for ; Mon, 30 Jan 2023 15:02:18 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.43227.1675090929384531270 for ; Mon, 30 Jan 2023 07:02:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=OfcI8Hyy; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20230130150206d092424cfcfe6d9fd8-ihjwm4@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20230130150206d092424cfcfe6d9fd8 for ; Mon, 30 Jan 2023 16:02:06 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=SACE9uB+nADL7Lpx0HDplX+DQHCLJ+YCrvGKX8ioWg0=; b=OfcI8HyyvmI6pbGxVJt9D6qWDsWYmOK42aSpGUuc6rYKgWAgFIASDy022rJMlltwcGzhYY 62ClNhMCkgtAbwvJNlJQrnPX8yG7T5zcLLU9kQcQSL1PHQwd0OxMe9tkGSrxNMByUySEpFHq kVy1tALfIJ67z0DtSB/+z6Cy410FI=; 
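Review bot: the tpm.cfg fragment in [RFC 1/5] mixes x86-only symbols (`CONFIG_AS_SHA256_NI`, `CONFIG_CRYPTO_SHA256_SSSE3`) into a fragment that the second hunk appends for every architecture, so on arm64 builds merge_config.sh will warn that these values were requested but are not in the final .config; either split the fragment per architecture or keep only the architecture-neutral options here. The crypto selections (HMAC, SHA256, DRBG_HMAC, XTS, LIB_SHA256) are the right dependencies for LUKS2 with TPM2 enrollment. Note also that all TPM drivers are `=m`, so every consumer has to ship them in the initramfs; the hook in [RFC 5/5] copies tpm_tis and tpm_crb but not tpm_tis_spi, which this fragment enables, so SPI-attached TPMs would be built but unusable at local-top time.

Review bot: `SRC_URI += "file://tpm.cfg"` in linux-cip-common.inc is unconditional, so the TPM fragment is merged into every linux-cip build, including images that never select the TPM option introduced later in this series. Gate it on the same kas option (kas/opt/tpm.yml) so the kernel change follows the feature, or state in the commit message that enabling the TPM drivers by default is intended. The neighbouring cip-kernel-config line uses `SRC_URI_append`; mixing `+=` and `_append` in one file works but is inconsistent.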
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC 2/5] use bullseye backports for systemd-cryptenroll Date: Mon, 30 Jan 2023 16:02:01 +0100 Message-Id: <20230130150204.697758-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> References: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Jan 2023 15:02:18 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10511 From: Quirin Gylstorff Systemd >= 251 is required for systemd-cryptenroll. This version is part of backports. Signed-off-by: Quirin Gylstorff --- conf/distro/debian-bullseye-backports.list | 1 + .../preferences.bullseye-backports.tpm.conf | 3 +++ kas/opt/tpm.yml | 18 ++++++++++++++++++ 3 files changed, 22 insertions(+) create mode 100644 conf/distro/debian-bullseye-backports.list create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf create mode 100644 kas/opt/tpm.yml diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list new file mode 100644 index 0000000..3a55e4c --- /dev/null +++ b/conf/distro/debian-bullseye-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf new file mode 100644 index 0000000..0905fbf --- /dev/null +++ b/conf/distro/preferences.bullseye-backports.tpm.conf @@ -0,0 +1,3 @@ +Package: * +Pin: release n=bullseye-backports +Pin-Priority: 801 diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml new file mode 100644 index 0000000..03e8e47 --- /dev/null 
+++ b/kas/opt/tpm.yml 
@@ -0,0 +1,18 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 12 + +local_conf_header: + systemd-cryptenroll: | + DISTRO_APT_SOURCES_append_bullseye = " conf/distro/debian-bullseye-backports.list" + DISTRO_APT_PREFERENCES_append_bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" From patchwork Mon Jan 30 15:02:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13121299 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9941DC61DA4 for ; Mon, 30 Jan 2023 15:02:18 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.43226.1675090929210528076 for ; Mon, 30 Jan 2023 07:02:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=oz47+E09; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-2023013015020777cfa7159d3b645df2-du6tgd@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2023013015020777cfa7159d3b645df2 for ; Mon, 30 Jan 2023 16:02:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=ON/7djrmdLIMcy0vZwiLadMEN4Sl+GY7vlt+X7VBjS0=; b=oz47+E09eJ+YxsuOdvSdeFF40Z8gM7R2zrFgOxESNDfHIdGqGxFGSUX1yg0htArF2hZXKj RMdinJBkg/uexsI7SViEqsK8lbLYgCwERj3krKfomoB0KdAxFzRXeptqnUosm1Vz1EcT4lyC znkDLAWNpMGo07HDBV4Zu8VFrBYOE=; 
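Review bot: `Package: *` together with `Pin-Priority: 801` in preferences.bullseye-backports.tpm.conf makes bullseye-backports win over bullseye for every package that has a backport, not only systemd, so the image silently picks up backported kernels, libraries and tools and loses the stable-release guarantees the rest of the distro config relies on. Restrict the pin to what the feature needs, e.g. `Package: src:systemd` (or the list of systemd binary packages), so that only those are taken from backports.

Review bot: debian-bullseye-backports.list enables `contrib non-free` although only `main` is needed for systemd >= 251, and it hardcodes `ftp.us.debian.org` over plain http; apt still verifies the Release signature, so this is not a trust problem, but keep the components to `main` and use the same mirror as the regular bullseye source list so the backports source is limited to what this option actually requires.

Review bot: kas/opt/tpm.yml carries `Copyright (c) Siemens AG, 2022` on a file added in 2023; update the year. The header is otherwise fine for a kas option file, but since it is named after systemd-cryptenroll while the preferences file pulls in all of backports, the two should be brought in line with each other.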
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC 3/5] wic/x86-efibootguard: add partition to encrypted Date: Mon, 30 Jan 2023 16:02:02 +0100 Message-Id: <20230130150204.697758-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> References: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Jan 2023 15:02:18 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10513 From: Quirin Gylstorff This extra partition will store the encrypted file system Signed-off-by: Quirin Gylstorff --- wic/qemu-amd64-efibootguard-secureboot.wks.in | 1 + wic/x86-efibootguard.wks.in | 1 + 2 files changed, 2 insertions(+) diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index 5c41116..44f9c77 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in @@ -6,5 +6,6 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B} # home and var are extra partitions part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G +part /crypt --label crypt-data --align 1024 --fstype=ext4 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5" diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index b635a8b..bad6ff5 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in 
@@ -9,5 +9,6 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B} # home and var are extra partitions part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G +part /crypt --label crypt-data --align 1024 --fstype=ext4 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" From patchwork Mon Jan 30 15:02:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13121302 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE836C636D0 for ; Mon, 30 Jan 2023 15:02:18 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.43314.1675090929538566960 for ; Mon, 30 Jan 2023 07:02:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Ba0WOggW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-2023013015020712a7f443b018f25d92-nmhbhg@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2023013015020712a7f443b018f25d92 for ; Mon, 30 Jan 2023 16:02:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=REBGU6DgipeEGNtUL4tSo3GyD/S0Sdy6aRQdw2mL4z0=; b=Ba0WOggW5TAr3XpV2ez6oXAL85v3oOPG6ep0cEQAbmvWQktxcEy27ORqOYZa+ZopsNtUXg 
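Review bot: the added `part /crypt --label crypt-data --align 1024 --fstype=ext4 --size 2G` line (identical in both wks files of [RFC 3/5]) gives the raw LUKS container a mountpoint and a filesystem: wic formats an empty ext4 that [RFC 5/5] immediately overwrites with luksFormat, and the `/crypt` mountpoint neither matches that patch's `CRYPT_MOUNT_POINT` default of `/data` nor should exist at all, because the raw partition must only ever be opened through the dm-crypt mapping, never mounted directly. Prefer `part --source empty --label crypt-data --align 1024 --size 2G` in the style of the rootfs B slot above it, and check that no fstab entry is generated for the partition.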
/hA0JEISJv0BkrdoETz6qOXiYTTdSKyTiQZ253mj46fi+HYknjbZzmXvE15sNWbjC/Ky5GKV nT3A++7ewHPjf6Ey8ws9pbMV1Q77c=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC 4/5] start-qemu: If swtpm is available create a tpm2 device Date: Mon, 30 Jan 2023 16:02:03 +0100 Message-Id: <20230130150204.697758-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> References: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Jan 2023 15:02:18 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10510 From: Quirin Gylstorff This allows testing the tpm2 encryption with qemu. Signed-off-by: Quirin Gylstorff --- start-qemu.sh | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/start-qemu.sh b/start-qemu.sh index dd16aed..3ef2acc 100755 --- a/start-qemu.sh +++ b/start-qemu.sh 
@@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \ -m 1G \ -serial mon:stdio \ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ - ${QEMU_EXTRA_ARGS}" + " if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then case "${arch}" in x86|x86_64|amd64) + if [ -x /usr/bin/swtpm ]; then + swtpm_dir="/tmp/qemu-swtpm" + mkdir -p ${swtpm_dir} + rm ${swtpm_dir}/* + if swtpm socket -d --tpmstate dir=${swtpm_dir} \ + --ctrl type=unixio,path=${swtpm_dir}/sock \ + --tpm2; then + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0" + fi + fi if [ -n "${SECURE_BOOT}" ]; then ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd} ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd} @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ -drive if=pflash,format=raw,file=${ovmf_vars} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" else ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi ;; arm64|aarch64|arm|armhf) @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" ;; *) echo "Unsupported architecture: ${arch}" 
@@ -187,5 +200,5 @@ else -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ -initrd ${INITRD_FILE} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi From patchwork Mon Jan 30 15:02:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13121303 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8B91C636D3 for ; Mon, 30 Jan 2023 15:02:18 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.43315.1675090929824297304 for ; Mon, 30 Jan 2023 07:02:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=fMx/GR7V; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-202301301502078900137594c40547d6-zv4xuj@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202301301502078900137594c40547d6 for ; Mon, 30 Jan 2023 16:02:08 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=8Ft5WaySTWMLhAwveneM0xJmbQQkMzoLnTsO9N+8KS8=; b=fMx/GR7Vo7DDVQ2o2spzebSfbW/xAdfPXytFBWk6i7qRbAizbmfVPDdea05fL9dNt7OLE2 RECCvRohlr7/QAtZG3G7qZWicKY3b9rj+dF51vFjF79/qhVV1PNWpseZzxMHyj/jDzxcbfFz Fu02cLqKBHm5VNMrnyvRv2RAolbW4=; 
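Review bot: the swtpm block in the x86 case of [RFC 4/5] uses a fixed, world-shared `/tmp/qemu-swtpm` and then runs an unquoted `rm ${swtpm_dir}/*`: `mkdir -p` silently reuses a directory another local user created, and the `rm` fails with a visible error when the directory is empty. Use `mktemp -d` for the state directory, quote the expansion and pass `-f`. More importantly, wiping the TPM state on every start means a LUKS volume sealed in the previous run can no longer be unsealed (fresh seed, fresh SRK), so once [RFC 5/5] has wiped the fallback passphrase the guest will panic in local-top on its second boot; keep the state across runs, or make the wipe opt-in, so the TPM-bound volume survives a reboot of the test VM. The daemonized swtpm is also never terminated when qemu exits, and `[ -x /usr/bin/swtpm ]` could be `command -v swtpm` to avoid the hardcoded path.

Review bot: `${QEMU_EXTRA_ARGS}` is now spliced into every qemu invocation, including the direct-kernel `else` branch of the last hunk, but swtpm is only started inside the `SECURE_BOOT`/`SWUPDATE_BOOT` x86 case, so a plain `./start-qemu.sh` boot never gets a TPM even with swtpm installed. Either hoist the swtpm setup ahead of the `if` so all paths can use it, or state in the commit message that TPM emulation is tied to the secure-boot/swupdate image path.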
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC 5/5] Add initramfs hook to encrypt a partition Date: Mon, 30 Jan 2023 16:02:04 +0100 Message-Id: <20230130150204.697758-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> References: <20230130150204.697758-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Jan 2023 15:02:18 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10512 From: Quirin Gylstorff This creates a new luks encrypted ext4 partition with the key stored in the tpm2. The initial key is randomly generated and removed from the LUKS partition. Therefore a new key cannot be added by the user and if the LUKS header is corrupted the data is no longer readable. Signed-off-by: Quirin Gylstorff --- kas/opt/tpm.yml | 2 + .../files/create_crypt_partition.script | 96 +++++++++++++++++++ .../files/crypt-partition.env.tmpl | 1 + .../initramfs-crypt-hook/files/crypt.hook | 42 ++++++++ .../initramfs-crypt-hook_0.1.bb | 37 +++++++ 5 files changed, 178 insertions(+) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/create_crypt_partition.script create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/crypt-partition.env.tmpl create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/crypt.hook create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml index 03e8e47..a77a2be 100644 --- a/kas/opt/tpm.yml +++ b/kas/opt/tpm.yml 
@@ -16,3 +16,5 @@ local_conf_header: systemd-cryptenroll: | DISTRO_APT_SOURCES_append_bullseye = " conf/distro/debian-bullseye-backports.list" DISTRO_APT_PREFERENCES_append_bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" + image-option-tpm: | + INITRAMFS_INSTALL += " initramfs-crypt-hook" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/create_crypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/create_crypt_partition.script new file mode 100644 index 0000000..a30dc59 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/create_crypt_partition.script 
@@ -0,0 +1,96 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +. /usr/share/crypt/crypt-partition.env + +# fixed tpm device or do we need to find it +tpm_device=/dev/tpmrm0 +partition="$PARTITION" +partition_label=$(echo "$partition" | awk -F "/" '{print $NF}') +crypt_mount_name="encrypted_$partition_label" +decrypted_part=/dev/mapper/"$crypt_mount_name" + +if [ ! -e "$partition" ]; then + panic "$partition does not exist!" +fi + +modprobe tpm_tis +modprobe tpm_crb + +if [ ! -e "$tpm_device" ]; then + panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" +fi + +# check if partition is already encrypted with systemd-tpm2 +if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "systemd-tpm2"; then + if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ + "$partition" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$partition' !" 
+ fi + return +fi + +# create random password for initial encryption +# this will be dropped after reboot + +tmp_key=/tmp/"$partition_label-lukskey" +openssl rand -base64 32 > "$tmp_key" + +/usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$partition" < "$tmp_key" + +#check systemd version and export password if necessary +if [ -x /usr/bin/systemd-cryptenroll ]; then + systemd_version=$(systemd-cryptenroll --version | \ + awk -F " " 'NR==1{print $2 }') + #check systemd version and export password if necessary + if [ "$systemd_version" -ge "251" ]; then + PASSWORD=$(cat "$tmp_key" ) + export PASSWORD + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \ + --tpm2-pcrs=7 "$partition" + PASSWORD= + else + panic "Unknown systemd version: '$systemd_version'!" + fi +fi + +wait_for_udev 10 + +if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ + "$partition" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$partition' !" +fi + +mke2fs -t ext4 "${decrypted_part}" + +# delete initial key +/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/crypt-partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/crypt-partition.env.tmpl new file mode 100644 index 0000000..04c4123 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/crypt-partition.env.tmpl @@ -0,0 +1 @@ +PARTITION=${CRYPT_PARTITION} diff --git a/recipes-initramfs/initramfs-crypt-hook/files/crypt.hook b/recipes-initramfs/initramfs-crypt-hook/files/crypt.hook new file mode 100644 index 0000000..38fff49 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/crypt.hook 
@@ -0,0 +1,42 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2022 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/scripts/functions +. /usr/share/initramfs-tools/hook-functions + +manual_add_modules tpm +manual_add_modules tpm_tis_core +manual_add_modules tpm_tis +manual_add_modules tpm_crb +manual_add_modules dm_mod +manual_add_modules dm_crypt + +copy_exec /usr/bin/openssl +copy_exec /usr/sbin/mke2fs +copy_exec /usr/bin/grep +copy_exec /usr/bin/awk +copy_exec /usr/sbin/cryptsetup +copy_exec /usr/bin/systemd-cryptenroll +copy_exec /usr/lib/systemd/systemd-cryptsetup + +for _LIBRARY in /usr/lib/*/libtss2*; do + copy_exec "$_LIBRARY" +done + +copy_file library /usr/share/crypt/crypt-partition.env /usr/share/crypt/crypt-partition.env diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb new file mode 100644 index 0000000..024ff68 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
@@ -0,0 +1,37 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020-2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + + +inherit dpkg-raw + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \ + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" + +SRC_URI += "file://crypt.hook \ + file://create_crypt_partition.script \ + file://crypt-partition.env.tmpl" + +CRYPT_PARTITION ??= "/dev/disk/by-partlabel/crypt-data" +CRYPT_MOUNT_POINT ??= "/data" + +TEMPLATE_VARS = "CRYPT_PARTITION CRYPT_MOUNT_POINT" +TEMPLATE_FILES = "crypt-partition.env.tmpl" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/crypt \ + ${D}/usr/share/initramfs-tools/scripts/local-top" +do_install() { + install -m 0600 "${WORKDIR}/crypt-partition.env" "${D}/usr/share/crypt/crypt-partition.env" + install -m 0755 "${WORKDIR}/create_crypt_partition.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-top/crypt" + install -m 0755 "${WORKDIR}/crypt.hook" \ + "${D}/usr/share/initramfs-tools/hooks/crypt" +}
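Review bot: the `image-option-tpm` header in kas/opt/tpm.yml only adds the hook to `INITRAMFS_INSTALL`; nothing in the series ties the kernel fragment of [RFC 1/5] or the crypt partition of [RFC 3/5] to this option, so those change every build while the hook is opt-in. This option file is the natural place to select all three together.

Review bot: create_crypt_partition.script has a destructive path that needs a guard: any LUKS header without a `systemd-tpm2` token, and any non-LUKS content, falls through to `cryptsetup luksFormat`, so a damaged header, a partition enrolled by another tool, or a `grep` that fails for an unrelated reason leads to the partition being wiped at boot. Check `cryptsetup isLuks` first, format only a partition that is not LUKS at all, and `panic` on LUKS without the expected token. The ordering also matters: luksFormat runs before the `[ -x /usr/bin/systemd-cryptenroll ]` check, and a missing binary is silently skipped rather than fatal, so the script then reaches `systemd-cryptsetup attach` with a random passphrase that is never enrolled and already discarded; verify the systemd version and the TPM enrollment prerequisites before formatting, and `panic` if systemd-cryptenroll is absent. `mke2fs -t ext4 "${decrypted_part}"` is unchecked; on failure the next boot finds a valid token, attaches, and mounts garbage, so add `|| panic`. For key hygiene, set `umask 077` before `openssl rand ... > "$tmp_key"`, `rm -f "$tmp_key"` once enrolled, and use `--wipe-slot=password` rather than the hardcoded slot `0`. `--tpm2-pcrs=7` binds the volume only to the Secure Boot policy, so any kernel/initramfs signed under the same keys can unseal it, and once the passphrase slot is gone a firmware or Secure Boot key update that changes PCR 7 makes the data unrecoverable, which the commit message acknowledges; a comment stating the policy choice and, ideally, an optional `--recovery-key` would help operators. Smaller points: `return` at top level of an executed script is undefined in POSIX sh, use `exit 0`; the `/dev/disk/by-partlabel` link may not exist yet at local-top time, so move `wait_for_udev` before the existence check; `tpm_tis_spi` is never modprobed although the kernel fragment enables it; and `${partition##*/}` replaces the `awk` pipeline.

Review bot: crypt.hook omits `tpm_tis_spi` from `manual_add_modules` while [RFC 1/5] builds it as a module, so SPI TPMs will not be found in the initramfs. The explicit `libtss2*` copy is needed because systemd-cryptenroll loads tss2 via dlopen and `copy_exec`'s ldd walk does not see that, but the device TCTI that tctildr loads the same way (libtss2-tcti-device) is only caught if its package is installed, and the recipe's `DEBIAN_DEPENDS` does not list it; verify it ends up in the initramfs. Guard the loop with `[ -e "$_LIBRARY" ] || continue` so an empty glob does not hand the literal pattern to `copy_exec`, and update the `2020-2022` copyright on this new file.

Review bot: `CRYPT_MOUNT_POINT ??= "/data"` in initramfs-crypt-hook_0.1.bb is listed in `TEMPLATE_VARS` but crypt-partition.env.tmpl only carries `PARTITION`, and nothing in the series mounts the decrypted mapper device, so either add the mountpoint to the template and a mount step, or drop the variable until it is used. `libtss2-esys-3.0.2-0` pins bullseye's soname package name, which breaks the recipe on any other Debian release; depend on the virtual or unversioned name where possible. Style: `systemd(>= 251)` is conventionally written `systemd (>= 251)`, and the copyright header reads `2020-2022` on a file added in 2023.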