From patchwork Fri Feb 24 16:28:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151506 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F2D9C7EE33 for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.22281.1677256116410212789 for ; Fri, 24 Feb 2023 08:28:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=d+sLHWQS; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-202302241628333e7eaef06ff0cb3e80-scrxm7@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202302241628333e7eaef06ff0cb3e80 for ; Fri, 24 Feb 2023 17:28:34 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=hhqRL1NRwMqNVDJNshsuOiHUEuW40R+hltrGCBnd0OE=; b=d+sLHWQSS+tqyAffmwGWpGRrgXUzz4uyA0QdJe5UoJYfoZC0OOjMI9dQ7NSIyHk2pJpyRR T51rhCTOvTZjBFYKYpYI8su3oKxW0Xk5Odja/5sVijN+zQTKPXjVG3+mcYWYJzpwNUnHff2Z grNLUTuqJV/o+nuPowE9XE8rRYAkw=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 1/8] linux-cip: update kernel configuration for tpm2 support Date: Fri, 24 Feb 2023 17:28:25 +0100 Message-Id: <20230224162832.327030-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10815 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- recipes-kernel/linux/linux-cip-common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 7148a98..6dda973 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc 
@@ -23,6 +23,6 @@ SRC_URI:append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \ }" -SRCREV_cip-kernel-config ?= "ce52837418aea714e780e0cbc8afb9515c12cc1b" +SRCREV_cip-kernel-config ?= "351538952cfa7c6336e83bf66ca4f3bbdc06f89b" S = "${WORKDIR}/linux-cip-${PV}" From patchwork Fri Feb 24 16:28:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151500 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E4AFC7EE32 for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.22280.1677256116372769025 for ; Fri, 24 Feb 2023 08:28:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=LgN6srp9; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20230224162834825f8350ba4dd96717-yqiaul@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20230224162834825f8350ba4dd96717 for ; Fri, 24 Feb 2023 17:28:34 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=Hq5QHqfjIuUGtAvXYXluhVOZ/6chTyU3w61TJ2Sn6HI=; b=LgN6srp9T7TqAiKrV7Q7n+jyJ4W8x7JAbMpzwbKCgaSdSyymPkKnNCJLvn9qZE3U1c0sgY O85tk4Jf0Q+QCYs51Sdl/rolj2xNUY9RMpd7MHCEN8vBJhrXMucw2n+3HU3QK/6D0Ee0Di+E AEimE+KEjGxp/LDwJRUJe81PGsRF8=; 
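Review bot: the SRCREV bump in this hunk has no commit body, so a reviewer cannot tell which kernel options the new cip-kernel-config revision turns on. The initramfs hook in 5/8 relies on `manual_add_modules tpm_tis`, `tpm_crb` and `dm_crypt`, so the message should list the options that changed (TPM core plus the TIS and CRB drivers, dm-crypt, and the cipher and hash support LUKS2 needs) and whether they are built in or modular; that lets the hook's expectations be checked against the configuration instead of against a hash.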
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 2/8] use bullseye backports for systemd-cryptenroll Date: Fri, 24 Feb 2023 17:28:26 +0100 Message-Id: <20230224162832.327030-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10816 From: Quirin Gylstorff Systemd >= 251 is required for systemd-cryptenroll. This version is part of backports. Signed-off-by: Quirin Gylstorff --- conf/distro/debian-bullseye-backports.list | 1 + .../preferences.bullseye-backports.tpm.conf | 40 +++++++++++++++++++ kas/opt/tpm.yml | 20 ++++++++++ 3 files changed, 61 insertions(+) create mode 100644 conf/distro/debian-bullseye-backports.list create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf create mode 100644 kas/opt/tpm.yml diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list new file mode 100644 index 0000000..3a55e4c --- /dev/null +++ b/conf/distro/debian-bullseye-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf new file mode 100644 index 0000000..918745f --- /dev/null +++ b/conf/distro/preferences.bullseye-backports.tpm.conf 
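Review bot: the new sources entry hard-codes a regional mirror over plain HTTP and enables `contrib non-free`, although only `main` is required to get systemd from backports. Prefer `deb https://deb.debian.org/debian bullseye-backports main`, or reuse the mirror the existing bullseye list already points at, so the mirror choice matches the rest of the image and the component set is not widened for a single package.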
@@ -0,0 +1,40 @@ +Package: libnss-myhostname +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-mymachines +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-resolve +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libpam-systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libudev* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libsystemd* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: systemd-* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: udev +Pin: release n=bullseye-backports +Pin-Priority: 801 + diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml new file mode 100644 index 0000000..0e4dc95 --- /dev/null +++ b/kas/opt/tpm.yml 
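Review bot: these pins move the whole systemd family (`systemd`, `udev`, `libsystemd*`, `libudev*`, the four NSS modules and `libpam-systemd`) to backports for the entire image, not only for the initramfs that needs `systemd-cryptenroll`; say so in a comment at the top of the file, and name the file after what it pins (systemd) rather than after the feature (tpm). `Pin-Priority: 801` is the right choice to prefer backports without allowing downgrades, which is worth one line of comment as well. The hunk also ends with a stray empty `+` line.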
@@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 12 + +local_conf_header: + systemd-cryptenroll: | + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" + DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" + image-option-tpm: | + INITRAMFS_INSTALL += " initramfs-crypt-hook" From patchwork Fri Feb 24 16:28:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151498 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D64BC7EE23 for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.22282.1677256116517469882 for ; Fri, 24 Feb 2023 08:28:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=SiDy8K2x; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20230224162834352c86ddd391037ece-heltbz@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20230224162834352c86ddd391037ece for ; Fri, 24 Feb 2023 17:28:34 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=eltllsOFwPoUHY2nn/Y6HC4Vt+r7Q0cWSnoUmgVqJ80=; b=SiDy8K2xj8nCLQ36hrG0xzhtFE8VkxhC9SXhlcxug9+2Zfxojc43BHXBR69VbfqohriQ5O 
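Review bot: the `systemd-cryptenroll` fragment appends the backports source and pin for `bullseye` only and does not say what happens on other releases; add a comment that bookworm already ships systemd 252 and therefore needs no override, or guard the `INITRAMFS_INSTALL` line the same way so the two halves of the option stay consistent. The copyright year (2022) also disagrees with the 2023 header of the script added in 5/8, and `image-option-tpm` applies to any target while the Kconfig entry in 3/8 restricts the option to qemu-amd64; keep that restriction in one place.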
7+uT6+VzY7f1ePngxgRlT5tKIh76HlbswnG3ZGPUoeQZmtgWI3DnByG/M5LLTymU+ZnfM3in j2vUdnnPfan2xalBjNt3KNm6QpH/0=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 3/8] KConfig: add tpm option Date: Fri, 24 Feb 2023 17:28:27 +0100 Message-Id: <20230224162832.327030-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10817 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- Kconfig | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Kconfig b/Kconfig index cd24ce2..b8fa16a 100644 --- a/Kconfig +++ b/Kconfig 
@@ -189,4 +189,12 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT +config IMAGE_TPM2_ENCRYPTION + bool "Encrypt partitions on first boot with TPM2" + depends on TARGET_QEMU_AMD64 + +config KAS_INCLUDE_TPM2_ENCRYPTION + string + default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION + endif From patchwork Fri Feb 24 16:28:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151503 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C4A5C7EE2E for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.22283.1677256117994463321 for ; Fri, 24 Feb 2023 08:28:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=inPP3FyK; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-202302241628355e5d31bd3016bf9d91-gtcuvg@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202302241628355e5d31bd3016bf9d91 for ; Fri, 24 Feb 2023 17:28:35 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=ymyEsNn12C7PdtQ0I6+QF4YJZdrY77TkelbzuByNVM8=; b=inPP3FyKQg0g6Fjk5dmRP7OUnyQi38pLl9xl4V9w30YLd+7nlri1ncV5dnfF8yUFpm9nLr 7PsAHHxHRQvAhbCd2XJSaSTDTNbsGrj/FYwOovgdohZsjy+tM42BrYWCEf/T4RXYV3sirsyP qBzBrBHhJscubzoRU1ayo2W3lV0z4=; 
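Review bot: `IMAGE_TPM2_ENCRYPTION` has no `help` text and no dependency on `IMAGE_SECURE_BOOT`, yet the hook in 5/8 seals the LUKS key with `--tpm2-pcrs=7` only. PCR 7 records the Secure Boot policy and the certificates used to verify the boot chain; with Secure Boot disabled, any kernel and initramfs booted on the same machine in the same firmware state still unseals the key, so the protection degrades to "disk bound to this TPM" and an attacker with the device can read the data by booting their own initramfs. Either add `depends on IMAGE_SECURE_BOOT` (or `select` it), or state in the help text that the option is only meaningful together with secure boot. `depends on TARGET_QEMU_AMD64` reads like a test restriction rather than a platform limit and should carry a comment explaining why.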
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 4/8] start-qemu.sh: Create a tpm2 device Date: Fri, 24 Feb 2023 17:28:28 +0100 Message-Id: <20230224162832.327030-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10820 From: Quirin Gylstorff This allows testing the tpm2 encryption with qemu. Signed-off-by: Quirin Gylstorff --- start-qemu.sh | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/start-qemu.sh b/start-qemu.sh index dd16aed..c06d21e 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then SWUPDATE_BOOT="true" fi +if grep -s -q "IMAGE_TPM2_ENCRYPTION: true" .config.yaml; then + TPM2_ENCRYPTION="true" +fi if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" 
@@ -139,7 +142,21 @@ QEMU_COMMON_OPTIONS=" \ -m 1G \ -serial mon:stdio \ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ - ${QEMU_EXTRA_ARGS}" + " + +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then + swtpm_dir="/tmp/qemu-swtpm" + mkdir -p "${swtpm_dir}" + rm "${swtpm_dir}"/* + if swtpm socket -d --tpmstate dir="${swtpm_dir}" \ + --ctrl type=unixio,path="${swtpm_dir}"/sock \ + --tpm2; then + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0" + fi +fi if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then case "${arch}" in @@ -154,14 +171,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ -drive if=pflash,format=raw,file=${ovmf_vars} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" else ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi ;; arm64|aarch64|arm|armhf) @@ -170,7 +187,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" ;; *) echo "Unsupported architecture: ${arch}" 
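Review bot: the swtpm state lives in the fixed path `/tmp/qemu-swtpm` and is wiped with `rm "${swtpm_dir}"/*` on every start. On a shared host the predictable directory in world-writable /tmp can be pre-created by another user, and wiping the state resets the TPM's storage seed, so a disk encrypted in a previous run can no longer be unsealed; the "already encrypted" branch of the hook in 5/8 is therefore never exercised from this script. Use `mktemp -d` (or a per-image directory under build/) with `rm -rf`, keep the state between runs unless the user asks for a reset, and either pass `--terminate` to `swtpm socket` or add a `trap` that stops it when QEMU exits, since the daemonized swtpm otherwise stays behind. The `rm` without `-f` also prints an error when the directory is empty.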
@@ -187,5 +204,5 @@ else -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ -initrd ${INITRD_FILE} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi From patchwork Fri Feb 24 16:28:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151502 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C5A5C7EE31 for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.22334.1677256117483137933 for ; Fri, 24 Feb 2023 08:28:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=AorBVpJC; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20230224162835d0d9b9e18f1d7d39e6-_acf_6@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20230224162835d0d9b9e18f1d7d39e6 for ; Fri, 24 Feb 2023 17:28:35 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=WnQMyPC35c1N+mdP/kK7H+BjkZhalBoY3RnslvFN/qY=; b=AorBVpJC4RKiRhqZg0IADPMDRxoEfaXBPoOHRBG1l+UuBvRYNqOrvjLaT1iYkTZ/x6NHrY th7ycA4RJwj6VfYyT9Iukvxi1W5uo2WhC0mDburQy/kDzKh7SQ7NvgTPYMSngNPjKwOmQh0V 3oknwaGSOTZ7v2mUvYdHwrhY8Si28=; 
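Review bot: `-device tpm-tis` is the ISA/LPC front end and is only valid for the x86 machine types, but the same `${QEMU_EXTRA_ARGS}` is now appended in the arm64/armhf branch and in this generic `-kernel` branch, where QEMU's virt machine needs `tpm-tis-device` instead; the VM will fail to start as soon as the qemu-amd64 restriction in Kconfig is lifted. Pick the device name per architecture next to the existing `case "${arch}"`, or leave the TPM arguments out of the non-x86 branches.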
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 5/8] Add initramfs hook to encrypt a partition Date: Fri, 24 Feb 2023 17:28:29 +0100 Message-Id: <20230224162832.327030-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10818 From: Quirin Gylstorff This creates a new LUKS encrypted ext4 partition with the key stored in the TPM2. The initial key is randomly generated and removed from the LUKS partition. Therefore, a new key cannot be added by the user, and if the LUKS header is corrupted the data is no longer readable. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.env.tmpl | 2 + .../files/encrypt_partition.hook | 53 +++++++ .../files/encrypt_partition.script | 145 ++++++++++++++++++ .../initramfs-crypt-hook_0.1.bb | 40 +++++ wic/x86-efibootguard.wks.in | 5 +- 5 files changed, 243 insertions(+), 2 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl new file mode 100644 index 0000000..d04be56 --- /dev/null
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -0,0 +1,2 @@ +PARTITIONS="${CRYPT_PARTITIONS}" +CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook new file mode 100644 index 0000000..2deee80 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook @@ -0,0 +1,53 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2022 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +hook_error() { + echo "(ERROR): $2" >&2 + exit 1 +} + +manual_add_modules tpm +manual_add_modules tpm_tis_core +manual_add_modules tpm_tis +manual_add_modules tpm_crb +manual_add_modules dm_mod +manual_add_modules dm_crypt + +copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" +copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" +copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" +copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" +copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" +copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" +copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" +copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" +copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" +copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" + +if [ -x cryptsetup-reencrypt ]; then + copy_exec /usr/sbin/cryptsetup-reencrypt +fi + +for _LIBRARY in /usr/lib/*/libtss2*; do + copy_exec "$_LIBRARY" +done + +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env 
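Review bot: `hook_error` prints `$2`, but every caller passes a single argument, so the text after "(ERROR):" is always empty; use `$1`. `if [ -x cryptsetup-reencrypt ]` tests a relative path in the current working directory rather than a binary in PATH, so `cryptsetup-reencrypt` (which cryptsetup 2.3 on bullseye still ships as a separate binary) is never copied into the initramfs; use `[ -x /usr/sbin/cryptsetup-reencrypt ]` or `command -v cryptsetup-reencrypt`. The same check is repeated in the script with the same effect, so the reencrypt path silently falls back to `cryptsetup reencrypt`, which bullseye's cryptsetup does not support for `--encrypt` in the same way.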
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script new file mode 100644 index 0000000..a53e517 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script 
@@ -0,0 +1,145 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +# load necessary kernel modules: +modprobe tpm_tis +modprobe tpm_crb + +# fixed tpm device or do we need to find it +tpm_device=/dev/tpmrm0 +partition_sets="$PARTITIONS" +create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" + +if [ -z "${create_file_system_cmd}" ];then + create_file_system_cmd = "mke2fs -t ext4" +fi + +open_tpm2_partition() { + if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ + "$1" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$1' !" + fi +} + +enroll_tpm2_token() { + #check systemd version and export password if necessary + if [ -x /usr/bin/systemd-cryptenroll ]; then + systemd_version=$(systemd-cryptenroll --version | \ + awk -F " " 'NR==1{print $2 }') + #check systemd version and export password if necessary + if [ "$systemd_version" -ge "251" ]; then + PASSWORD=$(cat "$2" ) + export PASSWORD + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \ + --tpm2-pcrs=7 "$1" + PASSWORD= + else + panic "Unknown systemd version: '$systemd_version'!" + fi + else + panic "systemd-cryptenroll not available cannot enroll tpm2 key!" 
+ fi +} + +reencrypt_existing_partition() { + part_device=$(readlink -f "$partition") + part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size) + # reduce the filesystem and partition by 32M to fit the LUKS header + reduce_device_size=32768 + reduced_size=$(expr $part_size_blocks - 65536 ) + reduced_size_in_byte=$(expr $reduced_size \* 512) + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K + resize2fs "$1" "${reduced_size_in_kb}" + if [ -x cryptsetup-reencrypt ]; then + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k $1 < $2 + else + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k $1 < $2 + fi + +} + +if [ ! -e "$tpm_device" ]; then + panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" +fi + +for partition_set in $partition_sets; do + partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}') + partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}') + partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}') + partition=/dev/disk/by-partlabel/$partition_label + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + + # check if partition is already encrypted with systemd-tpm2 + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "systemd-tpm2"; then + open_tpm2_partition "$partition" + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + "${rootmnt}${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${decrypted_part}'!" 
+ fi + continue + fi + + # create random password for initial encryption + # this will be dropped after reboot + tmp_key=/tmp/"$partition_label-lukskey" + openssl rand -base64 32 > "$tmp_key" + + case "${partition_format}" in + "reencrypt") + reencrypt_existing_partition "$partition" "$tmp_key" + enroll_tpm2_token "$partition" "$tmp_key" + open_tpm2_partition "$partition" + ;; + "format") + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$partition" < "$tmp_key" + enroll_tpm2_token "$partition" "$tmp_key" + open_tpm2_partition_tpm2_partition "$partition" + eval "${create_file_system_cmd} ${decrypted_part}" + ;; + *) + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" + ;; + esac + + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + "${rootmnt}${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${decrypted_part}'!" + fi + + # delete initial key + # afterwards no new keys can be enrolled + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 +done diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb new file mode 100644 index 0000000..30c89a2 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
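Review bot: two lines make the `format` path unusable. `create_file_system_cmd = "mke2fs -t ext4"` has spaces around `=`, so the shell tries to run a command called `create_file_system_cmd` and the variable stays empty, and the `format` branch calls `open_tpm2_partition_tpm2_partition`, which does not exist, so the filesystem is never created on the mapped device. Fix the assignment to `create_file_system_cmd="mke2fs -t ext4"` and the call to `open_tpm2_partition "$partition"`. In `reencrypt_existing_partition`, run `e2fsck -f` on the device before `resize2fs` shrinks it (the hook already copies e2fsck for that purpose), pass `--batch-mode` to the `cryptsetup reencrypt --encrypt` call as `luksFormat` does so no interactive confirmation is attempted while stdin carries the key, use `$1` instead of the global `$partition` when computing `part_device`, and replace `[ -x cryptsetup-reencrypt ]` with an absolute path or `command -v` as noted for the hook. The comment "run last in local-top" should say local-bottom, which is where the recipe installs this script, and the final `--wipe-slot=0` assumes the initial passphrase always landed in slot 0; that holds for both `luksFormat` and a fresh `reencrypt --encrypt`, but deserves a comment since wiping the wrong slot would leave the random key enrolled.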
@@ -0,0 +1,40 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020-2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + + +inherit dpkg-raw + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \ + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" + +SRC_URI += "file://encrypt_partition.hook \ + file://encrypt_partition.script \ + file://encrypt_partition.env.tmpl" + +# CRYPT_PARTITIONS elements are :: +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" +# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem +# in a newly formatted LUKS Partition +CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" + +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" +TEMPLATE_FILES = "encrypt_partition.env.tmpl" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/encrypt_partition \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" +do_install() { + install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" + install -m 0755 "${WORKDIR}/encrypt_partition.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition" + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \ + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" +} diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index b635a8b..24b4387 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in 
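Review bot: the comment `# CRYPT_PARTITIONS elements are ::` has lost its field names; spell them out as `<label>:<mountpoint>:<format>` with `format` being `reencrypt` or `format`, matching the three `awk` splits in the script, and say that `label` is a GPT partition label because the script resolves `/dev/disk/by-partlabel/`. The copyright range 2020-2022 disagrees with the 2023 header of the script this recipe installs, and the recipe should document that `reencrypt` only works when the partition has free space for the 32 MiB LUKS2 header reservation made in `encrypt_partition.script`, which is what the `--extra-space=100M` change in the wks file provides.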
@@ -7,7 +7,8 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1 part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" # home and var are extra partitions -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G + +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" From patchwork Fri Feb 24 16:28:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151504 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F60DC7EE30 for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.22335.1677256117721168577 for ; Fri, 24 Feb 2023 08:28:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=LOLlWKx6; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-2023022416283594341068cc56250848-aidl6r@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 2023022416283594341068cc56250848 for ; Fri, 24 Feb 2023 17:28:36 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; 
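Review bot: `--extra-space=100M` is what makes the in-place reencryption possible (the script shrinks the filesystem by 32 MiB to make room for the LUKS2 header), but nothing in the file says so, and the headroom is applied unconditionally, also for images built without `IMAGE_TPM2_ENCRYPTION`. Add a comment tying the 100M to the 32 MiB reservation in `encrypt_partition.script`, ideally through one variable so the two numbers cannot drift apart. The added empty line between the `# home and var are extra partitions` comment and the two `part` lines is stray.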
i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=HyFnQelvr7Es0a9yqm5fjkjXr9znD++K0Qw1zVvNBHE=; b=LOLlWKx6PKT/p0i5OsoznvbyqH2sxbnPEmFynGThOZ6DXOzjJpkSR2CIKOIsJgFH2Jmtjo vBPO+DC3Sdh/ilQ9z35c8MBkOIz559rGLccVu726oz04ZwZAIerW92Pg5slMsvsiJMHCvPH8 3e7T1TYygA/ok9Od6MLkec6Zq3tWQ=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 6/8] overlay: add prerequisite 'encrypt_partition' Date: Fri, 24 Feb 2023 17:28:30 +0100 Message-Id: <20230224162832.327030-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10819 From: Quirin Gylstorff If /var shall be encrypted encrypt_partition needs to be executed before the overlay script. If the prerequisite is not available the overlay script will be executed. Signed-off-by: Quirin Gylstorff --- .../initramfs-overlay-hook/files/overlay.hook | 1 + .../initramfs-overlay-hook/files/overlay.script.tmpl | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook index 5bec258..bc6a682 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook @@ -23,4 +23,5 @@ esac . /usr/share/initramfs-tools/hook-functions manual_add_modules overlay +copy_exec /usr/bin/grep copy_exec /usr/bin/awk 
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index 87ec72f..9739197 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl @@ -9,7 +9,7 @@ # Quirin Gylstorff # -PREREQ="" +PREREQ="encrypt_partition" prereqs() { 
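Review bot: `PREREQ="encrypt_partition"` together with the `prereqs()` of encrypt_partition.script, which lists every other script in its own directory as a prerequisite so that it runs last, forms a dependency cycle between the two scripts as soon as overlay lives in the same local-bottom directory (which it must for this PREREQ to have any effect). The ordering wanted here, encrypt first and overlay second, is already expressed by this line, so drop the dynamic prereqs in encrypt_partition.script or exclude `overlay` from it.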
@@ -33,10 +33,12 @@ ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" root_mount_storage=${rootmnt}${ovl_storage_path} -if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \ - /dev/disk/by-label/${ovl_partition_label} \ - ${rootmnt}/${ovl_partition_label}; then - panic "Can't mount /${ovl_partition_label} partition - overlay will not work!" +if ! grep -q "${rootmnt}/${ovl_partition_label}" /proc/mounts ; then + if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \ + /dev/disk/by-label/${ovl_partition_label} \ + ${rootmnt}/${ovl_partition_label}; then + panic "Can't mount /${ovl_partition_label} partition - overlay will not work!" + fi fi for ovl_lower_dir in ${ovl_lower_dirs}; do From patchwork Fri Feb 24 16:28:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151505 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 529C5C7EE37 for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.22336.1677256118156618563 for ; Fri, 24 Feb 2023 08:28:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=O5BiLda5; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20230224162836a3d32fda3931dfd41c-fpvxhr@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20230224162836a3d32fda3931dfd41c for ; Fri, 24 Feb 2023 17:28:36 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
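Review bot: the new guard `if ! grep -q "${rootmnt}/${ovl_partition_label}" /proc/mounts` is an unanchored substring match, so any mount whose path merely contains that string (a mountpoint below `${rootmnt}/${ovl_partition_label}/`, or another mountpoint that has the label as a prefix) satisfies it and the partition is then silently never mounted, after which the `for ovl_lower_dir` loop works on an empty directory. Compare the mountpoint field exactly instead, e.g. `awk -v mp="${rootmnt}/${ovl_partition_label}" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts`, which also removes the need for the grep added to the hook. In the already-mounted branch the script also does not check what is mounted there; a one-line comment stating that the `encrypt_partition` prerequisite is expected to have mounted the decrypted mapping at this path would make that assumption explicit for the next reader.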
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=T/hhPSQAcdMqab9E1iWpL9Ze51OROa7Wq9z/klpU7Gw=; b=O5BiLda5I/YEJ0bRKE0qLBc6xmZI+QUC4J5/Xm7sWiIDxJ2MMq2YwPqWe40zPVyARAAg11 G5fLBdwAV0Lf5u7SMPygQN9pqF9s8ati6aIB+XvtVG9GgzEZ/fvc1XaBvFgpD/mW6hUaukCJ 1kZCgyDi3xDR5aKaRXBKlyzRzDKZg=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 7/8] .gitlabci: Add ci build Date: Fri, 24 Feb 2023 17:28:31 +0100 Message-Id: <20230224162832.327030-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10821 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 777840b..1506252 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,6 +5,7 @@ variables: release: bullseye extension: none use_rt: enable + tpm: disable wic_targz: enable targz: disable dtb: none 
@@ -37,6 +38,7 @@ default: - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz-img.yml"; fi - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi + - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi 
@@ -206,6 +208,17 @@ build:qemu-amd64-secure-boot: wic_targz: disable deploy: disable +build:qemu-amd64-secure-boot-tpm: + extends: + - .build_base + variables: + target: qemu-amd64 + extension: ebg-secure-boot-snakeoil + use_rt: disable + wic_targz: disable + deploy: disable + tpm: enable + build:qemu-amd64-swupdate: extends: - .build_base From patchwork Fri Feb 24 16:28:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13151499 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E4FBC7EE2F for ; Fri, 24 Feb 2023 16:28:41 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.22337.1677256118508473076 for ; Fri, 24 Feb 2023 08:28:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=aNm3AWC1; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-2023022416283694cfb22c2d9bbddb0a-qfi5ak@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2023022416283694cfb22c2d9bbddb0a for ; Fri, 24 Feb 2023 17:28:36 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=KBxPo186S6Ar5dBudrj+kGIoXqcT7IgZBIb8xMSHh9Q=; b=aNm3AWC10g36eyuvUSTTedVPMFqvVB/sZxXKtERFlCjKFt6dQwJJh1HX9GxWnVM0MzCpSS S7wmcZKoRzXSrzNrZPdHRcbNPK2dMb3+IpyyKW0MKpPWHbrnfvpXLWjVjywGj9M3XKh+xF0K PZshqgbec373NtPmEgfwT6MDCBdOs=; 
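Review bot: `build:qemu-amd64-secure-boot-tpm` differs from the existing `build:qemu-amd64-secure-boot` job only by `tpm: enable`, and like the other jobs it stops at `kas build`, so nothing boots the resulting image; the first-boot encryption and the `encrypt_partition` before overlay ordering introduced in patch 6/8 therefore remain untested by CI. If the pipeline has a QEMU boot or test stage, extend it for this target. Also, the README in patch 8/8 shows `kas/opt/ebg-swu.yml:kas/opt/tpm.yml` as the example build while this job uses extension `ebg-secure-boot-snakeoil`; either align the two or document that both combinations are supported.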
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v3 8/8] Add README for encrypted partitions Date: Fri, 24 Feb 2023 17:28:32 +0100 Message-Id: <20230224162832.327030-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> References: <20230224162832.327030-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 24 Feb 2023 16:28:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10822 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 doc/README.tpm2.encryption.md diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md new file mode 100644 index 0000000..4b2f18b --- /dev/null +++ b/doc/README.tpm2.encryption.md 
@@ -0,0 +1,39 @@ +# Encrypted Partitions +By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined partitions will be +encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the +passphrase on the device. + +An example for qemu-amd64 can be build with by selecting the option after calling: + +``` +./kas-container menu +``` +or by adding using the following command line build: + +``` +./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml +``` + +# initramfs-crypt-hook configuration + +The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build: +- CRYPT_PARTITIONS +- CRYPT_CREATE_FILE_SYSTEM_CMD + +## CRYPT_PARTITIONS + +The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount. Each entry uses the schema `::`. +- The `partition-label` is used to identify the partition on the disk +- The `mountpoint` is used mount the decrypted partition in the root file system +- `reencrypt` uses `cryptsetup reencrypt` to reencrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount +- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` + +## CRYPT_CREATE_FILE_SYSTEM_CMD + +The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly +encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition. + +# TPM2 protected LUKS passphrase + +The recipe `initramfs-crypt-hook` uses `systemd-cryptenroll` to enroll a TPM2 protected LUKS passphrase. +The procedure for storing a key is described in https://github.com/systemd/systemd/blob/0254e4d66af7aa893b31b2326335ded5dde48b51/src/shared/tpm2-util.c#L1395.
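Review bot: in the `CRYPT_PARTITIONS` section the schema line renders as a bare `::`; spell out the three fields the bullets describe, e.g. `partition-label:mountpoint:reencrypt|format`, otherwise the entry format cannot be read from the README at all. Wording fixes in the same hunk: "can be build with by selecting" -> "can be built by selecting", "or by adding using the following command line build" -> "or with the following command line", "which partition shall be encrypted where to mount" -> "which partitions are encrypted and where they are mounted", "is used mount" -> "is used to mount", "exiting content" -> "existing content", "a empty" -> "an empty", "The Default" -> "The default". Two documentation gaps worth closing: the "TPM2 protected LUKS passphrase" section does not say which PCRs the enrolled passphrase is bound to (the `systemd-cryptenroll --tpm2-pcrs` selection), which is what decides whether a firmware or bootloader update leaves the partition unlockable at the next boot; and since `systemd-cryptenroll` requires a LUKS2 header, say LUKS2 rather than LUKS so readers know what `reencrypt` and `format` produce.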