From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 1/7] secure-boot-secrets: Use distro specific snakeoil certs and keys
Date: Tue, 2 May 2023 17:37:53 +0200
Message-Id: <20230502153759.1284906-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11381

This fixes the boot of Debian buster(10) with secure boot enabled.

Signed-off-by: Quirin Gylstorff

--- .../secure-boot-secrets/files/bookworm | 1 + .../files/{ => bullseye}/PkKek-1-snakeoil.key | 0 .../files/{ => bullseye}/PkKek-1-snakeoil.pem | 0 .../files/buster/PkKek-1-snakeoil.key | 28 +++++++++++++++++++ .../files/buster/PkKek-1-snakeoil.pem | 19 +++++++++++++ .../secure-boot-snakeoil_0.1.bb | 4 +-- 6 files changed, 50 insertions(+), 2 deletions(-) create mode 120000 recipes-devtools/secure-boot-secrets/files/bookworm rename recipes-devtools/secure-boot-secrets/files/{ => bullseye}/PkKek-1-snakeoil.key (100%) rename recipes-devtools/secure-boot-secrets/files/{ => bullseye}/PkKek-1-snakeoil.pem (100%) create mode 100644 recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.key create mode 100644 recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.pem diff --git a/recipes-devtools/secure-boot-secrets/files/bookworm b/recipes-devtools/secure-boot-secrets/files/bookworm new file mode 120000 index 0000000..2b77534 --- /dev/null +++ b/recipes-devtools/secure-boot-secrets/files/bookworm @@ -0,0 +1 @@ +bullseye/ \ No newline at end of file
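Review bot: The symlink target added for `files/bookworm` is `bullseye/` with a trailing slash, and the commit message only talks about buster. Drop the slash so the link names the directory itself, and say in the commit message that bookworm reuses the bullseye pair, since nothing else in the patch states that these two releases are meant to share a key and certificate.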
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/bullseye/PkKek-1-snakeoil.key similarity index 100% rename from recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key rename to recipes-devtools/secure-boot-secrets/files/bullseye/PkKek-1-snakeoil.key diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/bullseye/PkKek-1-snakeoil.pem similarity index 100% rename from recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem rename to recipes-devtools/secure-boot-secrets/files/bullseye/PkKek-1-snakeoil.pem diff --git a/recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.key new file mode 100644 index 0000000..b9e42c7 --- /dev/null +++ b/recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDNQOknAPMOkujb +K1VFKC39BZFiT9iNp7l9u6OK2rvddgu4Nn79Z/lTrOk5/J/Nf+XlHQoJX1dhQkXj +tASY0KehamDdxF1GvL7cUhi12c0rXnUBnYvvg4jiwxfVqRIT4x9kWB08Vyb6fS4m +BC69FgbJhpHo3XBuEn/aI45tr6xsrJxoqIvV9KOKnZyuIcD/TlxhKiZ1RP6tNRkA +sV0JC45T6BfxGqGZ9ujxUQTsykTeeu8ehxAAWmHJiAbyNp2OCDKYTuxARkasGo6v +AwMeK1umgY2U4jZV0WAvmNEoe4HrWIKSpOZJa5LiVs4QmaazqGFCdOe7/Irs7c0R +Z6AA8yu1AgMBAAECggEBAKUb9THx+pObrAM6TYKvOqdSBkxubIYvCPDSs1EseXlB +z1WlSOwx6ofcDVUfGbGmk9mFTaCSeGj9ddkg453GI0Ken0NmBZ60kFgNFmGazgd4 +GWluQbYvOjsnsxGlyqwCxSrkEsiKVwmjDy93p91lTZppTRBkqV9yNDTW62jiqzJT +CzWimHWyPlK7MjfOyV/X/GD8rugr0F/ikugzVJXCIuhnO62ouU1Imo+Agb3jJM5h +26CWerha8Nd6z6lvHM0g014gzL40JrxehqOkYp/6VF6qX37sTHyAw9J4RUQROC/L +L+XYAAQZMv3GBJhkn6FOBlKuBmJLw01mTKXuNyGf1EECgYEA6cShh7uPJHeqqHpm +ddt0DBgwFueH3pXPv1a6sDBt8P3PJ376p8X1QpoL30sZYc+cEXJcicoaq5NqrkJA +NltHg00sHqyfEfaDS2sr38e5qWoD41BsFdbNmfe2SaunXmSZ7d/QD810l+UaRNCR +doZcmeCFpcXRs0N1nc2C0w+Ya/ECgYEA4MYPCZ43lB1qeShUcaY/WFiWnJrNdoJR +p9S7xhPAqpXmG19utc+geTvN+y8YqOVg1ICaXpfYV7BG7VdD3mLQTIxdai98Rl4r +EBKrSGV6cyXkghaGeZHL2M9/FLxCZrfEpbzl82kacCJHCaiQiu9IVTsOabwoW68x +Evfz1FHaEAUCgYAmPrc2n6bhjnprKetNaOPpfqOPe72s2tGsOiI85Q93l+6mRY34 +mNhxVwaON5kleXPNHuqo2FnYrDuN2uTqf7CJeLy5IAC+TZhZZGU/LUvgval5LRUh +1Yy5nd9C2kR9mvPcCPvfOfvTRfYwP/csbvsDacozvtN6ApVhhdfbc/e54QKBgFZV +PGlhT8+gDMlEaErOo/326MJ14vzlyR9BYm4OIC5lLODOouNKQETQZ6lWyY31rF9y +ldhHUl0748I9hl/gbEk6kJa8bmtIuBmQUiGYeJPJth8RL8155mX8LL92H7r8Upem +GlyHvhPb1pUrHXl/trSl3j9WedndTGgQvKKMXclRAoGBAKCwevyJrlhnvbZQzjyV +zWPyy3028370nsTYnOBh2yVtPThcOCewp9THEy0FAVkMYqE1sdpAN51PdD5UPGFo +RkXd/5HQTSDkVGHhO7VohXM/H/nNQgtotoDRSMkxTymQTHad5LNesi3dCEqa1gTC +gyh89dCjF1p+mnLi0xITtkoA +-----END PRIVATE KEY----- diff --git a/recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.pem new file mode 100644 index 0000000..73936f7 --- /dev/null 
+++ b/recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUSbJC1oRCJUbGkwfWHscBeZrRHZcwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UECgwJU25ha2UgT2lsMB4XDTE5MTEwMTIyMDI1NVoXDTE5MTIw +MTIyMDI1NVowFDESMBAGA1UECgwJU25ha2UgT2lsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzUDpJwDzDpLo2ytVRSgt/QWRYk/Yjae5fbujitq73XYL +uDZ+/Wf5U6zpOfyfzX/l5R0KCV9XYUJF47QEmNCnoWpg3cRdRry+3FIYtdnNK151 +AZ2L74OI4sMX1akSE+MfZFgdPFcm+n0uJgQuvRYGyYaR6N1wbhJ/2iOOba+sbKyc +aKiL1fSjip2criHA/05cYSomdUT+rTUZALFdCQuOU+gX8Rqhmfbo8VEE7MpE3nrv +HocQAFphyYgG8jadjggymE7sQEZGrBqOrwMDHitbpoGNlOI2VdFgL5jRKHuB61iC +kqTmSWuS4lbOEJmms6hhQnTnu/yK7O3NEWegAPMrtQIDAQABo1MwUTAdBgNVHQ4E +FgQUFD7OXb2T6sOysRo3hj2f15SX8I8wHwYDVR0jBBgwFoAUFD7OXb2T6sOysRo3 +hj2f15SX8I8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANZRB +NFVUVZVehpj3QGbbSjp77m0V6JrEYn6u/XjLRFsUNw5Hh35UCR0HkKZ0cLgrVKb/ +8yL6LaYLOY6yDwEFWMtLXiF2S4noO8raEgW6A7DHawb2Y4ZNFRO4oBkyWbtd36Uu +UfSszs2av048wb5J/pNedRSx8I/FiCNWummzpkBHzx023TdLPd8fmkmG7ZBpStN0 +Y//EE4DKTfHxAwt5w7WdZF5EY/KHPopnR+WSrdutRIK6zT+/+vKihtHYZbrv+7Ap +K7xOM/zJ6E9vUROmuOhL3YL3MuLn5qHEvhM0eMxEAlCnSJlFkQE4/RXhDpZJYbR7 +x+PQllgoo4H6W30Dew== +-----END CERTIFICATE----- diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb index 24a5352..a446987 100644 --- a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb +++ b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb 
@@ -11,7 +11,7 @@ require secure-boot-secrets.inc -SB_KEY = "PkKek-1-snakeoil.key" -SB_CERT = "PkKek-1-snakeoil.pem" +SB_KEY = "${BASE_DISTRO_CODENAME}/PkKek-1-snakeoil.key" +SB_CERT = "${BASE_DISTRO_CODENAME}/PkKek-1-snakeoil.pem" DEBIAN_CONFLICTS = "secure-boot-key"
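Review bot: In `secure-boot-snakeoil_0.1.bb` (patch 1/7), `SB_KEY` and `SB_CERT` now depend on `${BASE_DISTRO_CODENAME}`, but the patch only provides `buster/`, `bullseye/` and the `bookworm` symlink, so any other codename resolves to a path that does not exist under `files/`. Add a fallback or list the supported codenames next to these two assignments. The commit message should also say what about the existing pair fails on buster, because `buster/PkKek-1-snakeoil.key` and `buster/PkKek-1-snakeoil.pem` are added without explanation.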
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 2/7] initramfs-crypt-hook: Add support for buster
Date: Tue, 2 May 2023 17:37:54 +0200
Message-Id: <20230502153759.1284906-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11384

This introduces the necessary changes for Debian buster(10) with inplace encryption.

Signed-off-by: Quirin Gylstorff

--- .../files/encrypt_partition.clevis.hook | 28 +++++++++++++++---- .../files/encrypt_partition.clevis.script | 3 +- .../initramfs-crypt-hook_0.1.bb | 5 ++-- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 5dbc5be..a034d5d 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook @@ -19,6 +19,9 @@ esac . /usr/share/initramfs-tools/hook-functions +if [ -f /etc/os-release ]; then + . /etc/os-release +fi hook_error() { echo "(ERROR): $2" >&2 exit 1
@@ -45,15 +48,26 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found" copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found" copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found" -copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" -copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" +if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-list ]; then + copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" +fi +if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-common-functions ]; then + copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" +fi copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary" copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal" copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create" copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" -copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then + copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +fi +if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then + copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +fi copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" -copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" +if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; 
then + copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" +fi copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash" copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta" copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose" @@ -66,8 +80,10 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " - -if [ -x cryptsetup-reencrypt ]; then +if [ "$VERSION_CODENAME" = "buster" ]; then + copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " +fi +if [ -x /usr/sbin/cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 37bb024..bcb5a04 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -8,6 +8,7 @@ # Quirin Gylstorff # # SPDX-License-Identifier: MIT + prereqs() { # Make sure that this script is run last in local-top @@ -67,7 +68,7 @@ reencrypt_existing_partition() { reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" resize2fs "$1" "${reduced_size_in_kb}" - if [ -x cryptsetup-reencrypt ]; then + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" 
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 1436b94..997f469 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
@@ -10,11 +10,12 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ - awk, openssl, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0, e2fsprogs" + awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" -DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}" +DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2"
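Review bot: `hook_error` in the context of the first hunk of `encrypt_partition.clevis.hook` (patch 2/7) echoes `"$2"`, while every call visible in this patch passes a single message argument, so the message text is never printed. Print `"$1"` instead, otherwise the new buster-specific failures in this file abort the hook with an empty `(ERROR):` line.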
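Review bot: In the second hunk of `encrypt_partition.clevis.hook` (patch 2/7), the new `tpm2_pcrlist` branch reports `Unable to copy /usr/bin/tpm2_pcrread` on failure, which names the wrong binary. The added `[ -x ... ]` tests also change behaviour outside buster: a missing `clevis-luks-list`, `clevis-luks-common-functions`, `tpm2_pcrread` or `tpm2_flushcontext` used to stop the hook through `hook_error` and is now skipped silently, so the initramfs is built without it. Keep the codename test and drop the `-x` test so the `|| hook_error` path stays reachable.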
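Review bot: The buster branch added ahead of the `cryptsetup-reencrypt` check in `encrypt_partition.clevis.hook` (patch 2/7) hands the unquoted glob `/usr/lib/*/libgcc_s.so.1` straight to `copy_exec`. If the glob matches more than one directory the extra paths become additional arguments, and if it matches nothing the literal pattern is passed on. Expand the glob first, test each match with `-e`, and call `copy_exec` once per file.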
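Review bot: In `initramfs-crypt-hook_0.1.bb` (patch 2/7), `DEBIAN_DEPENDS:append:buster` now pulls in `libgcc-7-dev`, a development package, while the hook in the same patch only copies `libgcc_s.so.1`. If the runtime library is all that is needed, depend on the package that ships it, or add a comment saying why the -dev package is required. A short comment on the new `| libtss2-esys0` alternatives would help as well, since the line does not say which release they are for.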
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 3/7] linux: Add missing kernel option for LUKS2 encrypted partitions on buster
Date: Tue, 2 May 2023 17:37:55 +0200
Message-Id: <20230502153759.1284906-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11387

cryptsetup uses the user api of `CONFIG_CRYPTO_USER_API_SKCIPHER` to generate the keys.

Signed-off-by: Quirin Gylstorff

--- recipes-kernel/linux/linux-cip-common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 2d878a1..a700d30 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -23,6 +23,6 @@ SRC_URI:append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \ }" -SRCREV_cip-kernel-config ?= "0188d9a54615767c00b77116146409edfa35497c" +SRCREV_cip-kernel-config ?= "d1efa37258380c7f4f39a8dee1bdb4d85f1c0199" S = "${WORKDIR}/linux-cip-${PV}"
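Review bot: The only change in `linux-cip-common.inc` (patch 3/7) is the `SRCREV_cip-kernel-config` bump to `d1efa37258380c7f4f39a8dee1bdb4d85f1c0199`, so the link to `CONFIG_CRYPTO_USER_API_SKCIPHER` claimed in the commit message cannot be checked from this hunk. Name the cip-kernel-config change that enables the option in the commit message, and mention whether the new revision brings in other config changes.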
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 4/7] initramfs-crypt-hook: Add libcryptsetup-token-systemd-tpm2.so
Date: Tue, 2 May 2023 17:37:56 +0200
Message-Id: <20230502153759.1284906-5-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11386

This fixes the boot of bookworm with encrypted partitions.
With systemd (251.5-2) the libcryptsetup library are used see
https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/changelog#L258

Signed-off-by: Quirin Gylstorff

--- .../initramfs-crypt-hook/files/encrypt_partition.systemd.hook | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index a535736..4f7263b 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -42,6 +42,7 @@ copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" +copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" if [ -x cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi
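Review bot: The added `copy_exec` for `libcryptsetup-token-systemd-tpm2.so` in `encrypt_partition.systemd.hook` (patch 4/7) is unconditional, while the commit message ties the library to systemd 251.5-2 and the recipe dependency shown in patch 2/7 accepts `systemd (>= 251)`. On a systemd that satisfies the dependency but does not ship the plugin, `hook_error` aborts the hook, so either guard the copy or tighten the version in the dependency. The path is also an unquoted `/usr/lib/*/...` glob, which should be expanded and checked before it reaches `copy_exec`.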
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 5/7] initramfs-crypt-hook/systemd: Address shellcheck findings
Date: Tue, 2 May 2023 17:37:57 +0200
Message-Id: <20230502153759.1284906-6-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11385

Mostly quoting errors but also a non working assignment and missing paths to executables.

Signed-off-by: Quirin Gylstorff

--- .../files/encrypt_partition.systemd.hook | 2 +- .../files/encrypt_partition.systemd.script | 28 +++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index 4f7263b..077f43a 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -43,7 +43,7 @@ copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenro copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" -if [ -x cryptsetup-reencrypt ]; then +if [ -x /usr/sbin/cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 468b308..927184c 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -41,7 +41,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" if [ -z "${create_file_system_cmd}" ]; then - create_file_system_cmd = "mke2fs -t ext4" + create_file_system_cmd="mke2fs -t ext4" fi open_tpm2_partition() { 
@@ -73,17 +73,17 @@ enroll_tpm2_token() { reencrypt_existing_partition() { part_device=$(readlink -f "$partition") - part_size_blocks=$(cat /sys/class/block/"$(awk -v dev=$part_device 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size) + part_size_blocks=$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size) # reduce the filesystem and partition by 32M to fit the LUKS header reduce_device_size=32768 - reduced_size=$(expr $part_size_blocks - 65536 ) - reduced_size_in_byte=$(expr $reduced_size \* 512) - reduced_size_in_kb=$(expr $reduced_size_in_byte / 1024)K + reduced_size=$(expr "$part_size_blocks" - 65536 ) + reduced_size_in_byte=$(expr "$reduced_size" \* 512) + reduced_size_in_kb=$(expr "$reduced_size_in_byte" / 1024)K resize2fs "$1" "${reduced_size_in_kb}" - if [ -x cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k $1 < $2 + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k $1 < $2 + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" fi } 
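Review bot: In `reencrypt_existing_partition`, the 32M reserved for the LUKS header is written twice, as `reduce_device_size=32768` (passed with a `k` suffix) and as the literal `65536` 512-byte blocks in the `reduced_size` calculation, and the two have to be kept in sync by hand. Derive the block count from `reduce_device_size` so that changing the header reserve cannot shrink the filesystem by a different amount than the device.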
@@ -93,10 +93,10 @@ if [ ! -e "$tpm_device" ]; then fi for partition_set in $partition_sets; do - partition_label=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[1]}') - partition_mountpoint=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[2]}') - partition_format=$(awk -v var=$partition_set 'BEGIN{split(var,a,":"); print a[3]}') - partition=/dev/disk/by-partlabel/$partition_label + partition_label=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}') + partition_mountpoint=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}') + partition_format=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}') + partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" @@ -104,7 +104,7 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then open_tpm2_partition "$partition" - if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ "${rootmnt}${partition_mountpoint}"; then panic "Can't mount encrypted partition '${decrypted_part}'!" fi 
@@ -134,7 +134,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t $(get_fstype "${decrypted_part}") "${decrypted_part}" \ + if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ "${rootmnt}${partition_mountpoint}"; then panic "Can't mount encrypted partition '${decrypted_part}'!" fi
From: Quirin Gylstorff
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v4 6/7] .gitlabci: Enable encryption for on buster
Date: Tue, 2 May 2023 17:37:58 +0200
Message-Id: <20230502153759.1284906-7-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11388

Ensures the build of the buster encryption.

Signed-off-by: Quirin Gylstorff

--- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 09b6338..bd400cf 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml
@@ -313,6 +313,7 @@ build:qemu-amd64-secure-boot-buster: use_rt: disable wic_targz: disable deploy: disable + encrypt: enable # riscv64 (sid-ports) build:qemu-riscv64: From patchwork Tue May 2 15:37:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13229071 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 477FFC7EE23 for ; Tue, 2 May 2023 15:38:08 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.1467.1683041884671857776 for ; Tue, 02 May 2023 08:38:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=VBIzIQr0; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20230502153802c5608b159e5128748e-k0ovkt@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20230502153802c5608b159e5128748e for ; Tue, 02 May 2023 17:38:03 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=olexPfnGvi5UUgfptqM5cvHR3x1AqKu+kaXmkYJB/gY=; b=VBIzIQr0sFsxiqM8BsC7gI3Ii6zF6F+eFKv0eo8zt0O5mZSmtJxU6z2ilq9P3Sz/sWtVBZ cvl8MZCf/J9EjSwwHr/11CNIMSQgwCFc4xlBrXb1jPGIGkqFaJi9I3j8OU8ILh3h5gHVsnDj QcfKcK0TnPjYrlRfkRHgJoACFDAjk=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v4 7/7] doc/README.tpm2.encryption: Correct kas option Date: Tue, 2 May 2023 17:37:59 +0200 Message-Id: <20230502153759.1284906-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com> References: <20230502153759.1284906-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 May 2023 15:38:08 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11383 From: Quirin Gylstorff The kas option was renamed from kas/opt/tpm2.yml to kas/opt/encrypt-partitions.yml. Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 0df7f39..cb3f640 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -27,7 +27,7 @@ An example for qemu-amd64 can be build with by selecting the option after callin or by adding using the following command line build: ``` -./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml +./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/encrypt-partitions.yml ``` ## initramfs-crypt-hook configuration
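Review bot: in the hunk at `@@ -134,7 +134,7 @@` (the `mount -t` call inside the `for partition_set` loop), a failed filesystem detection is still reported as a mount failure. With the new quoting, an empty result from `get_fstype` is passed to `mount` as an empty `-t ""` argument, and the script then panics with "Can't mount encrypted partition", which points at the wrong step. Consider storing the result of `get_fstype "${decrypted_part}"` in a variable first, panicking with a separate message when it is empty, and passing the quoted variable to `mount -t`.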
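Review bot: for the `.gitlab-ci.yml` hunk at `@@ -313,6 +313,7 @@`, the commit message does not say what the added `encrypt: enable` in `build:qemu-amd64-secure-boot-buster` actually verifies. "Ensures the build of the buster encryption" suggests a build-only check, so please state that explicitly, or say where the encrypted buster image gets boot-tested, since the series is about booting buster. The subject also carries a stray word ("Enable encryption for on buster").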
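Review bot: in the `doc/README.tpm2.encryption.md` hunk at `@@ -27,7 +27,7 @@`, the removed command line references `kas/opt/tpm.yml`, while the commit message says the option was renamed from `kas/opt/tpm2.yml`. One of the two names is wrong; please correct the commit message (or confirm the README had the wrong name as well) so the rename can be traced in the history. Since the hunk already touches this paragraph, the context line "can be build with by selecting the option" could be reworded in the same patch.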