From patchwork Mon Mar 6 12:39:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161069 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E5A2C6FD1F for ; Mon, 6 Mar 2023 12:39:34 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.32094.1678106371206793770 for ; Mon, 06 Mar 2023 04:39:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=PYgXNwvN; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-202303061239286d53d670e2bc72aadc-yesjbe@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202303061239286d53d670e2bc72aadc for ; Mon, 06 Mar 2023 13:39:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=pgauSzp2ExzfRlGpb9EqcfTdKvzR9mXBjnAyESSMwOA=; b=PYgXNwvNQqlpiLkCimaxn9Kk2/3ZhE9wzPO9ErxdFWu7T3A72ljuq+vdE7qYd4UrWkVSym hmfLzoYbUccYy4k222zjA3nxDuYR0JeI4cOKzjaSix88qsCL/srG4050QwGHhiV2mFsrTg60 c5i9i9Df3OdYEyIXBDX526MeFG88s=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 1/7] use bullseye backports for systemd-cryptenroll Date: Mon, 6 Mar 2023 13:39:20 +0100 Message-Id: <20230306123926.243471-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Mar 2023 12:39:34 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10942 From: Quirin Gylstorff Systemd >= 251 is required for systemd-cryptenroll. This version is part of backports. Signed-off-by: Quirin Gylstorff --- conf/distro/debian-bullseye-backports.list | 1 + .../preferences.bullseye-backports.tpm.conf | 4 ++++ kas/opt/tpm.yml | 20 +++++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 conf/distro/debian-bullseye-backports.list create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf create mode 100644 kas/opt/tpm.yml diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list new file mode 100644 index 0000000..3a55e4c --- /dev/null +++ b/conf/distro/debian-bullseye-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf new file mode 100644 index 0000000..d61fa64 --- /dev/null +++ b/conf/distro/preferences.bullseye-backports.tpm.conf 
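Review bot: the new conf/distro/debian-bullseye-backports.list enables `contrib non-free` from bullseye-backports, although the preferences file that accompanies it only pins systemd and its libraries, all of which live in `main`; restricting the line to `deb http://ftp.us.debian.org/debian bullseye-backports main` keeps the set of packages a build can silently resolve from backports as small as the feature needs. Using the generic `deb.debian.org` mirror instead of a country-specific host would also match the project's other sources lists better.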
@@ -0,0 +1,4 @@ +Explanation: Use systemd and its dependencies from debian-backports to support systemd-cryptenroll +Package: libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libpam-systemd libudev* libsystemd* systemd systemd-* udev +Pin: release n=bullseye-backports +Pin-Priority: 801 diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml new file mode 100644 index 0000000..0e4dc95 --- /dev/null +++ b/kas/opt/tpm.yml 
@@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 12 + +local_conf_header: + systemd-cryptenroll: | + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" + DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" + image-option-tpm: | + INITRAMFS_INSTALL += " initramfs-crypt-hook" From patchwork Mon Mar 6 12:39:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161068 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3A25EC678D4 for ; Mon, 6 Mar 2023 12:39:34 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.32032.1678106370811666623 for ; Mon, 06 Mar 2023 04:39:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Fgp4lRiE; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20230306123928dbff5976aaa773ecba-ak_lxn@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20230306123928dbff5976aaa773ecba for ; Mon, 06 Mar 2023 13:39:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=3/sCv02pbuv2+shh/oJx1DFlUG8AMxv5s06i3mJ3DuM=; b=Fgp4lRiEdRA2N7dqDZAjnmzhr6Okio5U9j00WJkDvDguix2rhJV3YKINVhtsaWx7T/0oLi 
YhHYeEpXxnBlzrQpOLRmdwnIC1FlnvWZrMzt28Xk0p2YxXlETUFnRR+nsdKV2c0I+We6VPwz gdFef1TgCmXgoK1dJZ4cmd3kTL/vk=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 2/7] KConfig: add tpm option Date: Mon, 6 Mar 2023 13:39:21 +0100 Message-Id: <20230306123926.243471-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Mar 2023 12:39:34 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10937 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- Kconfig | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Kconfig b/Kconfig index 7d72094..7ce87d0 100644 --- a/Kconfig +++ b/Kconfig 
@@ -193,4 +193,15 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT +config IMAGE_TPM2_ENCRYPTION + bool "Encrypt partitions on first boot with TPM2 (Demo)" + depends on TARGET_QEMU_AMD64 + help + This enables TPM2 encryption for the partition given in the variable + CRYPT_PARTITIONS from recipes-initramfs/initramfs-crypt-hook. + +config KAS_INCLUDE_TPM2_ENCRYPTION + string + default "kas/opt/tpm.yml" if IMAGE_TPM2_ENCRYPTION + endif From patchwork Mon Mar 6 12:39:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161067 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4263DC61DA4 for ; Mon, 6 Mar 2023 12:39:34 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.32034.1678106371782870032 for ; Mon, 06 Mar 2023 04:39:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Qi19I/4f; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-202303061239298550996f740c2fb9a6-o0bzfg@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202303061239298550996f740c2fb9a6 for ; Mon, 06 Mar 2023 13:39:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=oLzINN7GsOd+8YvmWFFTLg7SKXlQMd2uGB4bVVgIOlA=; 
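Review bot: IMAGE_TPM2_ENCRYPTION depends only on TARGET_QEMU_AMD64, but the enrolment in patch 4 seals the key to PCR 7 alone (`--tpm2-pcrs=7`); PCR 7 reflects the Secure Boot policy and the certificate that verified the loaded images, not the images themselves, so without IMAGE_SECURE_BOOT it stays constant across any kernel or initramfs that is booted and the key unseals for all of them. Consider `depends on TARGET_QEMU_AMD64 && IMAGE_SECURE_BOOT` (the CI job in patch 6 already combines it with ebg-secure-boot-snakeoil), or at least state in the help text that the option is only meaningful together with secure boot.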
b=Qi19I/4fLJ3Ne50oGwrq6Y+xHs+NPkUxyFlOHD5qzdhBFskmEAzsuQbMkdLW/ZTy34WzgL eAP5wESttIjCjskrZEO+jslZpg6hxVx2TZLfZ7JkFTEP+nAe31Sor0eu4tp0B4w+9KWc4XUA yHBZZaXwpPMs165SMpEKv3pvUx4fQ=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 3/7] start-qemu.sh: Create a tpm2 device Date: Mon, 6 Mar 2023 13:39:22 +0100 Message-Id: <20230306123926.243471-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Mar 2023 12:39:34 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10938 From: Quirin Gylstorff This allows testing the tpm2 encryption with qemu. Signed-off-by: Quirin Gylstorff --- start-qemu.sh | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/start-qemu.sh b/start-qemu.sh index fcfbc5b..7436636 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -28,6 +28,9 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then SWUPDATE_BOOT="true" fi +if grep -s -q "IMAGE_TPM2_ENCRYPTION: true" .config.yaml; then + TPM2_ENCRYPTION="true" +fi if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" 
@@ -143,7 +146,21 @@ QEMU_COMMON_OPTIONS=" \ -m 1G \ -serial mon:stdio \ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ - ${QEMU_EXTRA_ARGS}" + " + +if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then + swtpm_dir="/tmp/qemu-swtpm" + mkdir -p "${swtpm_dir}" + rm "${swtpm_dir}"/* + if swtpm socket -d --tpmstate dir="${swtpm_dir}" \ + --ctrl type=unixio,path="${swtpm_dir}"/sock \ + --tpm2; then + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0" + fi +fi if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then case "${arch}" in @@ -158,14 +175,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ -drive if=pflash,format=raw,file=${ovmf_vars} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" else ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi ;; arm64|aarch64|arm|armhf) @@ -174,7 +191,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" ;; rv64|riscv64) opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin} 
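Review bot: in the swtpm block, `swtpm_dir="/tmp/qemu-swtpm"` is a fixed, predictable path in the shared /tmp, and `rm "${swtpm_dir}"/*` errors out on the first run because an unmatched glob is passed to rm literally; create the state directory with `swtpm_dir=$(mktemp -d)` instead, which also avoids reusing or clobbering another user's or another instance's TPM state, and note that the daemonised `swtpm socket -d` is never stopped when QEMU exits. Also, when IMAGE_TPM2_ENCRYPTION is set but /usr/bin/swtpm is absent, the script silently boots the guest without a TPM and the initramfs then panics on the missing /dev/tpmrm0; an explicit `echo "swtpm not found" >&2; exit 1` in that case would make the failure obvious.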
@@ -199,5 +216,5 @@ else -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ -initrd ${INITRD_FILE} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi From patchwork Mon Mar 6 12:39:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161066 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 50306C6FA99 for ; Mon, 6 Mar 2023 12:39:34 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.32033.1678106371312402264 for ; Mon, 06 Mar 2023 04:39:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=qUJXhdxN; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20230306123929f585e293309f284f8b-vhrjvf@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20230306123929f585e293309f284f8b for ; Mon, 06 Mar 2023 13:39:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=YHZjcXK9/DcROCzjWJDajyFnOvGJfEjBLF1op9aR9pM=; b=qUJXhdxNSh5KDrDcrYM7hiEr8neGGgJtn5tXqoN7WfLoPm1JK0I0iu3kB+97DFY6CfaMwg MZw4DI+sHrOYzI060wi8rjXxSzeuVkVZrmNqnjOEMXTfi/hd49k1ujWQK22oEVdXOkWWgE2m 5IcancAtJ8wN63GJmYWuW37oyfgdU=; 
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 4/7] Add initramfs hook to encrypt a partition
Date: Mon, 6 Mar 2023 13:39:23 +0100
Message-Id: <20230306123926.243471-5-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com>
References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10939

From: Quirin Gylstorff

This creates a new LUKS encrypted ext4 partition with the key stored in the TPM2. The initial key is randomly generated and removed from the LUKS partition. Therefore a new key cannot be added by the user, and if the LUKS header is corrupted the data is no longer readable.

Add extra-space to /var and /home as the partition sizes are reduced if they are encrypted.

Signed-off-by: Quirin Gylstorff
---
 .../files/encrypt_partition.env.tmpl | 2 +
 .../files/encrypt_partition.hook | 53 +++++++
 .../files/encrypt_partition.script | 145 ++++++++++++++++++
 .../initramfs-crypt-hook_0.1.bb | 40 +++++
 wic/x86-efibootguard.wks.in | 5 +-
 5 files changed, 243 insertions(+), 2 deletions(-)
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
 create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl new file mode 100644 index 0000000..d04be56 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -0,0 +1,2 @@ +PARTITIONS="${CRYPT_PARTITIONS}" +CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook new file mode 100644 index 0000000..2deee80 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook 
@@ -0,0 +1,53 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2022 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +hook_error() { + echo "(ERROR): $2" >&2 + exit 1 +} + +manual_add_modules tpm +manual_add_modules tpm_tis_core +manual_add_modules tpm_tis +manual_add_modules tpm_crb +manual_add_modules dm_mod +manual_add_modules dm_crypt + +copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" +copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" +copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" +copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" +copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" +copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" +copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" +copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" +copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" +copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" + +if [ -x cryptsetup-reencrypt ]; then + copy_exec /usr/sbin/cryptsetup-reencrypt +fi + +for _LIBRARY in /usr/lib/*/libtss2*; do + copy_exec "$_LIBRARY" +done + +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script new file mode 100644 index 0000000..468b308 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script 
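Review bot: `hook_error` prints `$2`, but every caller passes the message as its only argument, so a missing binary aborts with the bare text `(ERROR): `; it should print `$1`. The test `[ -x cryptsetup-reencrypt ]` checks a relative path and is false unless mkinitramfs happens to run in a directory containing that file; use `[ -x /usr/sbin/cryptsetup-reencrypt ]` or `command -v cryptsetup-reencrypt`, and fix the identical test in encrypt_partition.script, which relies on this copy having been made. Minor: the copyright line reads 2020-2022 while the script it accompanies says 2023.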
@@ -0,0 +1,145 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +# load necessary kernel modules: +modprobe tpm_tis +modprobe tpm_crb + +# fixed tpm device or do we need to find it +tpm_device=/dev/tpmrm0 +partition_sets="$PARTITIONS" +create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" + +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd = "mke2fs -t ext4" +fi + +open_tpm2_partition() { + if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ + "$1" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$1' !" + fi +} + +enroll_tpm2_token() { + #check systemd version and export password if necessary + if [ -x /usr/bin/systemd-cryptenroll ]; then + systemd_version=$(systemd-cryptenroll --version | \ + awk -F " " 'NR==1{print $2 }') + #check systemd version and export password if necessary + if [ "$systemd_version" -ge "251" ]; then + PASSWORD=$(cat "$2" ) + export PASSWORD + /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \ + --tpm2-pcrs=7 "$1" + PASSWORD= + else + panic "Unknown systemd version: '$systemd_version'!" + fi + else + panic "systemd-cryptenroll not available cannot enroll tpm2 key!" 
+ fi +} + +reencrypt_existing_partition() { + part_device=$(readlink -f "$partition") + part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size) + # reduce the filesystem and partition by 32M to fit the LUKS header + reduce_device_size=32768 + reduced_size=$(expr $part_size_blocks - 65536 ) + reduced_size_in_byte=$(expr $reduced_size \* 512) + reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K + resize2fs "$1" "${reduced_size_in_kb}" + if [ -x cryptsetup-reencrypt ]; then + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k $1 < $2 + else + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k $1 < $2 + fi + +} + +if [ ! -e "$tpm_device" ]; then + panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" +fi + +for partition_set in $partition_sets; do + partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}') + partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}') + partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}') + partition=/dev/disk/by-partlabel/$partition_label + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + + # check if partition is already encrypted with systemd-tpm2 + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "systemd-tpm2"; then + open_tpm2_partition "$partition" + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + "${rootmnt}${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${decrypted_part}'!" 
+ fi + continue + fi + + # create random password for initial encryption + # this will be dropped after reboot + tmp_key=/tmp/"$partition_label-lukskey" + openssl rand -base64 32 > "$tmp_key" + + case "${partition_format}" in + "reencrypt") + reencrypt_existing_partition "$partition" "$tmp_key" + enroll_tpm2_token "$partition" "$tmp_key" + open_tpm2_partition "$partition" + ;; + "format") + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$partition" < "$tmp_key" + enroll_tpm2_token "$partition" "$tmp_key" + open_tpm2_partition_tpm2_partition "$partition" + eval "${create_file_system_cmd} ${decrypted_part}" + ;; + *) + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" + ;; + esac + + if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + "${rootmnt}${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${decrypted_part}'!" + fi + + # delete initial key + # afterwards no new keys can be enrolled + /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 +done diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb new file mode 100644 index 0000000..30c89a2 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
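Review bot: the `format` branch calls `open_tpm2_partition_tpm2_partition "$partition"`, a function that does not exist, so a freshly formatted LUKS volume is never opened and the following `eval "${create_file_system_cmd} ${decrypted_part}"` runs against a missing /dev/mapper node; the call should be `open_tpm2_partition "$partition"` as in the `reencrypt` branch. Further points in the same script: `create_file_system_cmd = "mke2fs -t ext4"` has spaces around `=` and is executed as a command rather than an assignment, so the fallback never takes effect (write `create_file_system_cmd="mke2fs -t ext4"`); `[ -x cryptsetup-reencrypt ]` tests a relative path and therefore always takes the `cryptsetup reencrypt` branch; `reencrypt_existing_partition` reads the global `$partition` instead of its `$1` argument; `PASSWORD=` leaves an exported, empty variable behind where `unset PASSWORD` is meant; the temporary key in `/tmp/$partition_label-lukskey` is never removed after `--wipe-slot=0`, even though it only lives in the initramfs tmpfs; and the prereqs() comment says the script makes itself run last in local-top, while the recipe installs it into local-bottom.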
@@ -0,0 +1,40 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020-2022 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + + +inherit dpkg-raw + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, systemd(>= 251), \ + awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" + +SRC_URI += "file://encrypt_partition.hook \ + file://encrypt_partition.script \ + file://encrypt_partition.env.tmpl" + +# CRYPT_PARTITIONS elements are :: +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" +# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem +# in a newly formatted LUKS Partition +CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" + +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" +TEMPLATE_FILES = "encrypt_partition.env.tmpl" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/encrypt_partition \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" +do_install() { + install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" + install -m 0755 "${WORKDIR}/encrypt_partition.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition" + install -m 0755 "${WORKDIR}/encrypt_partition.hook" \ + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" +} diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index b635a8b..24b4387 100644 --- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in 
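Review bot: the recipe installs encrypt_partition.script into scripts/local-bottom, whereas the script's own prereqs() comment claims it runs last in local-top; align the comment with the install path. `DEBIAN_DEPENDS` also hard-codes the soname package `libtss2-esys-3.0.2-0`, which ties the recipe to one particular library build even though the hook just copies whatever `/usr/lib/*/libtss2*` is present; naming the package the hook actually calls (systemd-cryptenroll and systemd-cryptsetup from `systemd (>= 251)`) and letting its own dependencies pull in the libtss2 packages would survive a backports bump that changes the soname.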
@@ -7,7 +7,8 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1 part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" # home and var are extra partitions -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G + +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" From patchwork Mon Mar 6 12:39:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161073 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 789BCC6FD1D for ; Mon, 6 Mar 2023 12:39:34 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.32036.1678106372691492448 for ; Mon, 06 Mar 2023 04:39:33 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=qNnaSr+c; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20230306123929812435ba8fd57b57cc-b3pyqx@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20230306123929812435ba8fd57b57cc for ; Mon, 06 Mar 2023 13:39:30 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; 
i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=3dMvYUVMOid6+jVVUtJrj++qcM6+J+sP39Go8KpCH4c=; b=qNnaSr+c1sQk2hJ6t9vsmF4Nw8689LPiyHYgvJjyyc8bBUcOsJt6B0YCSsTWGoIMzxXtMi ulDCl4UcJfWe9Zj26Bxvgbgn53FZHfhEyJD6iTgz3P+iaQxCdakQ/JHVZzlX9JMuzi1RerFw jEihP6PkiOYaXkuu9HEgkJdnZ/uCk=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 5/7] overlay: add prerequisite 'encrypt_partition' Date: Mon, 6 Mar 2023 13:39:24 +0100 Message-Id: <20230306123926.243471-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Mar 2023 12:39:34 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10943 From: Quirin Gylstorff If /var shall be encrypted encrypt_partition needs to be executed before the overlay script. If the prerequisite is not available the overlay script will be executed. Signed-off-by: Quirin Gylstorff --- .../initramfs-overlay-hook/files/overlay.hook | 1 + .../initramfs-overlay-hook/files/overlay.script.tmpl | 12 +++++++----- .../initramfs-overlay-hook_0.1.bb | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook index 5bec258..8b00ecf 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook 
@@ -23,4 +23,5 @@ esac . /usr/share/initramfs-tools/hook-functions manual_add_modules overlay +copy_exec /usr/bin/mountpoint copy_exec /usr/bin/awk diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index 87ec72f..71d2599 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl @@ -9,7 +9,7 @@ # Quirin Gylstorff # -PREREQ="" +PREREQ="encrypt_partition" prereqs() { @@ -33,10 +33,12 @@ ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" root_mount_storage=${rootmnt}${ovl_storage_path} -if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \ - /dev/disk/by-label/${ovl_partition_label} \ - ${rootmnt}/${ovl_partition_label}; then - panic "Can't mount /${ovl_partition_label} partition - overlay will not work!" +if ! mountpoint -q "${rootmnt}/${ovl_partition_label}"; then + if ! mount -t $(get_fstype /dev/disk/by-label/${ovl_partition_label}) \ + /dev/disk/by-label/${ovl_partition_label} \ + ${rootmnt}/${ovl_partition_label}; then + panic "Can't mount /${ovl_partition_label} partition - overlay will not work!" + fi fi for ovl_lower_dir in ${ovl_lower_dirs}; do diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb index 78831ba..566bd15 100644 --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb +++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb 
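Review bot: with `PREREQ="encrypt_partition"` the overlay script now depends on encrypt_partition, but encrypt_partition.script's prereqs() (patch 4) lists every other script in the same directory as its own prerequisite so that it runs last; once both sit in local-bottom that is a dependency cycle, and initramfs-tools orders the scripts with tsort, which only warns about a loop and then emits an unspecified order. Drop the "run last" logic from encrypt_partition.script (a plain `PREREQ=""` suffices now that overlay declares the dependency explicitly). The `mountpoint -q` guard is the right fix for the already-mounted case, but it assumes the encrypt hook mounted the partition at `${rootmnt}/${ovl_partition_label}`, which only holds while the partition label and its mount point agree, as they do for the default `var:/var:reencrypt`.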
@@ -26,7 +26,7 @@ TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ INITRAMFS_OVERLAY_PATHS \ INITRAMFS_OVERLAY_STORAGE_PARTITION_LABEL" -DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils" +DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ From patchwork Mon Mar 6 12:39:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161072 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5AE2AC6FD1E for ; Mon, 6 Mar 2023 12:39:34 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.32035.1678106371974482548 for ; Mon, 06 Mar 2023 04:39:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=T0KHGO6M; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-202303061239309c4daeab8d93078102-wr5nds@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202303061239309c4daeab8d93078102 for ; Mon, 06 Mar 2023 13:39:30 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=SdZkjJGfjCoHvhflmvOfbp9Gx3Tiv49EDnta8EdGaWo=; b=T0KHGO6MMbpI+ZPNniW3twzWBQuzjHCWjwd7/KPFfO63uW7pSUj0QcPfedFfndNcZIx0UY dc2ZK11gSR5HaRxwM7Fj6g8ikO260KvyBqEEOcSEUeDD0okxjQRVTuHXtp4w2iTpC9tH1k51 HMiwkgQOmPI9qobD5WyJwgmaYvGHo=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 6/7] .gitlabci: Add ci build Date: Mon, 6 Mar 2023 13:39:25 +0100 Message-Id: <20230306123926.243471-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Mar 2023 12:39:34 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10940 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f51b64b..1ef13ea 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,7 @@ variables: release: bullseye extension: none use_rt: enable + tpm: disable wic_targz: enable targz: disable dtb: none @@ -55,6 +56,7 @@ default: - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi - if [ "${release}" = "sid-ports" ]; then base_yaml="${base_yaml}:kas/opt/sid-ports.yml"; fi + - if [ "${tpm}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/tpm.yml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi 
@@ -224,6 +226,17 @@ build:qemu-amd64-secure-boot: wic_targz: disable deploy: disable +build:qemu-amd64-secure-boot-tpm: + extends: + - .build_base + variables: + target: qemu-amd64 + extension: ebg-secure-boot-snakeoil + use_rt: disable + wic_targz: disable + deploy: disable + tpm: enable + build:qemu-amd64-swupdate: extends: - .build_base

From patchwork Mon Mar 6 12:39:26 2023 X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13161071
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, christian.storm@siemens.com, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 7/7] Add README for encrypted partitions Date: Mon, 6 Mar 2023 13:39:26 +0100 Message-Id: <20230306123926.243471-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> References: <20230306123926.243471-1-Quirin.Gylstorff@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10941

From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 55 +++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 doc/README.tpm2.encryption.md

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md new file mode 100644 index 0000000..58ebb8a --- /dev/null +++ b/doc/README.tpm2.encryption.md
@@ -0,0 +1,55 @@ +# Encrypted Partitions + +By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined partitions will be +encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the +passphrase on the device. + +## Requirements + +To enroll the keys Debian 12(bookworm) or Debian 11(bullseye) with backports is required. +The implementation in Debian 11 is for *demonstration purpose only* as we need backports for +systemd >= 248. [systemd version 248](https://github.com/systemd/systemd/blob/a41ac8ac407a1a58612059a45229f0d440f58e28/NEWS#L3391) adds the necessary systemd-cryptenroll functionality. + +Testing with qemu-amd64 requires the package `swtpm`. Under Debian/Ubuntu this can be installed + +``` shell +apt-get install swtpm +``` + +## TPM2 protected LUKS passphrase + +The recipe `initramfs-crypt-hook` uses `systemd-cryptenroll` to enroll a TPM2 protected LUKS passphrase. +The procedure for storing a key is described in [systemd/src/shared/tpm2-util.c](https://github.com/systemd/systemd/blob/0254e4d66af7aa893b31b2326335ded5dde48b51/src/shared/tpm2-util.c#L1395). + +## How to build an QEMU image with TPM encryption +An example for qemu-amd64 can be build with by selecting the option after calling: + +``` +./kas-container menu +``` +or by adding using the following command line build: + +``` +./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml +``` +## initramfs-crypt-hook configuration + +The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build: +- CRYPT_PARTITIONS +- CRYPT_CREATE_FILE_SYSTEM_CMD + +### CRYPT_PARTITIONS + +The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. +Each entry uses the schema `::`. 
+- The `partition-label` is used to identify the partition on the disk +- The `mountpoint` is used mount the decrypted partition in the root file system +- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount +- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` + +### CRYPT_CREATE_FILE_SYSTEM_CMD + +The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly +encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition. + +
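Review bot: the README says the TPM "secures the passphrase" but never states which TPM2 policy the enrolled passphrase is bound to (PCR selection) or what the recovery path is when that policy stops matching, for instance after a firmware or boot loader update; since no recovery passphrase is mentioned anywhere in the file, the "TPM2 protected LUKS passphrase" section should say whether one exists and how an operator regains access to the partition otherwise. The build example `./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml` also differs from the configuration CI exercises in 6/7 (`extension: ebg-secure-boot-snakeoil` with `tpm: enable`), so either add a CI job for the swupdate variant or align the documented command with the tested one. The entry schema line renders here as `::` with no field names between the separators; check that the placeholder names survive rendering. Wording nits in the same hunk: `Debian 12(bookworm)` and `Debian 11(bullseye)` need a space before the parenthesis; `demonstration purpose only` -> `demonstration purposes only`; `this can be installed` is cut short and should read `can be installed with:`; `How to build an QEMU image` -> `a QEMU image`; `can be build with by selecting` -> `can be built by selecting`; `or by adding using the following command line build` -> `or with the following command line`; `is used mount` -> `is used to mount`; `exiting content` -> `existing content`; `creates a empty` -> `creates an empty`; `The Default` -> `The default`.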