From patchwork Tue Mar 19 18:18:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13597000 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 950A5CD1280 for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.23523.1710872431192895745 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=b59YtGxe; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202403191820280c997bfd04c70957fa-piczlr@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202403191820280c997bfd04c70957fa for ; Tue, 19 Mar 2024 19:20:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=SihjlxuH8eCo+mput6tIaKyWQBDGiv1ic/gp94GvunU=; b=b59YtGxegW26YHRfarzyyJcimgVDc8TPvnK2rR9+VOf3NWWj/ZOp6Xxh4M4VSgPmANaIhA es+m5fgrPY5NgZZ2GZOMa1dke8V1fI4uyJKGB2xXB/pmzJ7VERidD6GcV4x7GzfUg8wMb3wP FXsujSO6kTM9WjILYHUDxX4x8pMK4=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 1/8] initramfs-crypt-hook: Allow switching between clevis and systemd Date: Tue, 19 Mar 2024 19:18:25 +0100 Message-ID: <20240319182026.1571362-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15366 From: Quirin Gylstorff This allows devices which started on Debian 11 to continue using clevis for encryption and decryption. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook_0.1.bb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index b275c0f..317ea12 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020-2023 +# Copyright (c) Siemens AG, 2020-2024 # # Authors: # Quirin Gylstorff
@@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" + +def encryption_dependency(d): + crypt_backend = d.getVar('CRYPT_BACKEND') + if crypt_backend == 'clevis': + clevis_depends= d.getVar('CLEVIS_DEPEND') + return f"{clevis_depends}, clevis-tpm2" + elif crypt_backend == 'systemd': + return ", systemd (>= 251)" + else: + bb.error("unkown cryptbackend defined") CRYPT_BACKEND:buster = "clevis" CRYPT_BACKEND:bullseye = "clevis" From patchwork Tue Mar 19 18:18:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13596996 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D87CCD11DC for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.23427.1710872431318583120 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=GkOQHTQm; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-2024031918202884a5c9eb33a828bb7b-dz45hz@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 2024031918202884a5c9eb33a828bb7b for ; Tue, 19 Mar 2024 19:20:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
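Review bot: in the `encryption_dependency()` hunk of patch 1/8, the `else` branch calls `bb.error(...)` but then falls through and returns `None`, so `${@encryption_dependency(d)}` expands `DEBIAN_DEPENDS:append` to the literal string `None` and the parse continues with a broken dependency list; use `bb.fatal("unknown CRYPT_BACKEND '%s'" % crypt_backend)` (which also fixes the `unkown` typo and shows the offending value, including the `None` you get when `CRYPT_BACKEND` is unset) or `return ""` after the error. Two smaller points on the same hunk: the removed line offered `systemd (>= 251) | clevis-tpm2` as alternatives while the clevis branch now requires `clevis-tpm2` unconditionally, which the commit message should mention; and on bullseye `DEBIAN_DEPENDS:append:bullseye` already appends `${CLEVIS_DEPEND}`, so the clevis branch appends the same list a second time (harmless in Debian, but `return ", clevis-tpm2"` would avoid the duplicate). Style: `clevis_depends= d.getVar(...)` wants a space before the `=`.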
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=yqlNpChmOvPHuitayu5PdAQTVGO9xrsKLIRb+IZoWSo=; b=GkOQHTQmvzu6hHUmpA6vG+Yddht/aNRTk6qyeIIyg8wgCF2J01zWLDBgjUP+itoDo/i5V6 EhDlJfg3Cri4jB167HtBZkz+69+FxijRxxmc3gfIUeSzfNjV+Ews0S6/X9v6Cb6blqaErc3B Sw6/ry0TuHzerVsyJZce/81PUnEGk=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 2/8] initramfs-crypt-hook: Align systemd encryption and clevis encryption Date: Tue, 19 Mar 2024 19:18:26 +0100 Message-ID: <20240319182026.1571362-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15369 From: Quirin Gylstorff The following changes were copied from systemd to clevis: - check return of resize command The following changes were copied from clevis to systemd: - check if create_filesystem command is empty - use part_device(/dev/*) instead of disk label(/dev/disk/by-partlabel/*) Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 6 ++++-- .../files/encrypt_partition.systemd.script | 21 +++++++++++-------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0318966..4e76c44 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -82,7 +82,9 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - resize2fs "$1" "${reduced_size_in_kb}" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index eeeb55a..f97a461 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -47,6 +47,9 @@ modprobe loop tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd="mke2fs -t ext4" +fi service_watchdog() { for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do @@ -83,8 +86,7 @@ enroll_tpm2_token() { } reencrypt_existing_partition() { - part_device="$(readlink -f "$partition")" - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" + part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header reduce_device_size=32768 reduced_size="$(expr "$part_size_blocks" - 65536 )" 
@@ -111,15 +113,16 @@ for partition_set in $partition_sets; do partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" + part_device=$(readlink -f "$partition") # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then - open_tpm2_partition "$partition" if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ "${rootmnt}${partition_mountpoint}"; then panic "Can't mount encrypted partition '${decrypted_part}'!" fi + open_tpm2_partition "$part_device" continue fi 
@@ -136,15 +139,15 @@ for partition_set in $partition_sets; do case "${partition_format}" in "reencrypt") - reencrypt_existing_partition "$partition" "$tmp_key" - enroll_tpm2_token "$partition" "$tmp_key" - open_tpm2_partition "$partition" + reencrypt_existing_partition "$part_device" "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" ;; "format") /usr/sbin/cryptsetup luksFormat --batch-mode \ --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$partition" "$tmp_key" - open_tpm2_partition "$partition" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" eval "${create_file_system_cmd} ${decrypted_part}" ;; *) From patchwork Tue Mar 19 18:18:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13597002 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A0D57CD1281 for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.23428.1710872431643697743 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=RWacj8F7; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20240319182028b14c679819200105b4-so9yvp@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20240319182028b14c679819200105b4 for ; Tue, 19 Mar 2024 19:20:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
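Review bot: the `@@ -111,15 +113,16 @@` hunk of encrypt_partition.systemd.script in patch 2/8 moves `open_tpm2_partition "$part_device"` below the `mount -t ... "${decrypted_part}"` call, so an already-enrolled partition is mounted from `/dev/mapper/encrypted_<label>` before that mapping has been created; the mount fails and the script panics on every boot after the first one. Patch 3/8 restores the open-then-mount order in its `@@ -118,11 +128,8 @@` hunk, which leaves the series with a boot-breaking intermediate state; fold that ordering fix back into this patch so each step is bisectable.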
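Review bot: in the `@@ -136,15 +139,15 @@` hunk of the systemd script, `cryptsetup luksFormat` (and the `luksDump` check in the preceding hunk) still operate on `$partition`, the `/dev/disk/by-partlabel/` symlink, while `reencrypt_existing_partition`, `enroll_tpm2_token` and `open_tpm2_partition` now get `$part_device`; the commit message says the script switched to the resolved device, so either pass `$part_device` to every cryptsetup call or explain in the message why the symlink is kept for luksFormat. Related: `reencrypt_existing_partition` now derives the sysfs name from its argument with `split(dev,a,"/"); print a[3]`, which only works for a resolved `/dev/<name>` path, so the function silently depends on the caller having run `readlink -f`; a one-line comment above the function, or a check that `$1` is not a symlink, would record that contract.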
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=NaFR/n2lebjMguG9ktD6vHxvUptZL4wpnpzgeNTZUXs=; b=RWacj8F7FcL1epiHD2oiZaM4Wti5M3SHcZwRG9OAMRVRkKzsgu+WY31HwJMwQtKxmZucgT j2jM0145njQ9vv0z8zT5SOXowulysVradulkZrXtlxzRZZ2vpzgWYLrQF5dcMqQ7P7366GI9 6EkGlGy4SX+MbdcKfuAEIH0CQoijs=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 3/8] initramfs-crypt-hook: move the mounting of encrypted disks in a separate function Date: Tue, 19 Mar 2024 19:18:27 +0100 Message-ID: <20240319182026.1571362-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15372 From: Quirin Gylstorff This increases the maintainability and avoids missing checks. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 20 +++++++++++-------- .../files/encrypt_partition.systemd.script | 20 +++++++++++-------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 4e76c44..0f82c1a 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -92,6 +92,16 @@ reencrypt_existing_partition() { fi } +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi +} + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi @@ -114,10 +124,7 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then open_tpm2_partition "$part_device" - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -150,10 +157,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" # delete initial key # afterwards no new keys can be enrolled diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index f97a461..6c6d22e 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -102,6 +102,16 @@ reencrypt_existing_partition() { fi } +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi +} + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi @@ -118,11 +128,8 @@ for partition_set in $partition_sets; do # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi open_tpm2_partition "$part_device" + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi 
@@ -155,10 +162,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" # delete initial key # afterwards no new keys can be enrolled From patchwork Tue Mar 19 18:18:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13596998 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91133CD11DD for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.23525.1710872431363291022 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=AsLGiuYW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-20240319182028fd8da54ff643e20415-m44nip@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20240319182028fd8da54ff643e20415 for ; Tue, 19 Mar 2024 19:20:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=Ev0ndv8YVXjys/eTN2FLn7Y0I46jT9PAbXu8Ryc7Vfw=; b=AsLGiuYWZLebY9BJS0qWA7OLRIFZVxvj05+e86XuhGnC8D1+0c88FjVyStjd0BriqBY2+L IYwKync6td87qyzHJjUDtNZw0MECAHv/RAQslY3ykdlD4xcHjaKRt5DLUvquNcFOZvzAn7DC UyS2Csy0FYKURCa+404Wu1ytL0D60=; 
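Review bot: in the `mount_partition()` hunks of patch 3/8 (identical text in encrypt_partition.clevis.script and encrypt_partition.systemd.script), the `echo` prints `$partition`, the loop's by-partlabel path, instead of the function's own `$partition_dev_path`, so the log names the wrong device whenever the caller passes `$decrypted_part`; use `'$partition_dev_path'` there. The function also assigns `partition_mountpoint=$2` without `local`, which overwrites the loop variable of the same name with the `${rootmnt}`-prefixed path for the rest of that iteration (the loop recomputes it from `$partition_set` at the top of the next iteration, so nothing breaks today, but anyone later reading `$partition_mountpoint` after the mount gets the wrong value); renaming the parameter, e.g. `mount_target=$2`, removes the trap. Nit: the call sites concatenate `"${rootmnt}""$partition_mountpoint"`; the `"${rootmnt}${partition_mountpoint}"` form of the removed lines reads better.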
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 4/8] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements Date: Tue, 19 Mar 2024 19:18:28 +0100 Message-ID: <20240319182026.1571362-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15370 From: Quirin Gylstorff This also adds the Crypt hash and Crypt algorithm parameter and avoids errors due to mismatches between hardware and software. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 18 +++++++++++++----- .../files/encrypt_partition.env.tmpl | 3 ++- .../files/encrypt_partition.systemd.hook | 4 +++- .../files/encrypt_partition.systemd.script | 15 +++++++++++++-- .../initramfs-crypt-hook_0.1.bb | 7 ++++--- 5 files changed, 35 insertions(+), 12 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0f82c1a..f271e85 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -43,12 +43,10 @@ modprobe xts # this needs to be probed particularly for re-encryption modprobe loop -# fixed tpm device or do we need to find it -tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -hash_type="$HASH_TYPE" - +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -69,7 +67,7 @@ open_tpm2_partition() { enroll_tpm2_token() { if [ -x /usr/bin/clevis ]; then - clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2" + clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2" else panic "clevis not available cannot enroll tpm2 key!" fi @@ -102,6 +100,16 @@ mount_partition() { fi } +for candidate in /dev/tpm*; do + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then + continue + fi + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then + continue + fi + tpm_device=$candidate +done + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index bcc57be..5d28dc5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}" CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" -HASH_TYPE="${CRYPT_HASH_TYPE}" \ No newline at end of file +HASH_TYPE="${CRYPT_HASH_TYPE}" +KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index c3b31d6..6e2a211 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright (C) Siemens AG, 2020-2023 +# Copyright (C) Siemens AG, 2020-2024 # # SPDX-License-Identifier: MIT @@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" +copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" if [ -x /usr/sbin/cryptsetup-reencrypt ]; then diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 6c6d22e..ea267ac 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -43,10 +43,10 @@ modprobe xts # this needs to be probed particularly for re-encryption modprobe loop -# fixed tpm device or do we need to find it -tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -71,6 +71,7 @@ enroll_tpm2_token() { systemd_version=$(systemd-cryptenroll --version | \ awk -F " " 'NR==1{print $2 }') # check systemd version and export password if necessary + # systemd version 251 does not suport hash_types if [ "$systemd_version" -ge "251" ]; then PASSWORD=$(cat "$2" ) export PASSWORD @@ -112,6 +113,16 @@ mount_partition() { fi } +for candidate in /dev/tpm*; do + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then + continue + fi + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then + continue + fi + tpm_device=$candidate +done + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 317ea12..7f732cf 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -11,7 +11,7 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ - libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs" + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" 
@@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600" INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" # clevis needs tpm hash algorithm type CRYPT_HASH_TYPE ??= "sha256" - +CRYPT_KEY_ALGORITHM ??= "ecc" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ - CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE" + CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ + CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ From patchwork Tue Mar 19 18:18:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13597001 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC728CD1282 for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.23522.1710872430978093614 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=WF66on8N; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202403191820283b51c720193d058422-8_6t9b@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202403191820283b51c720193d058422 for ; Tue, 19 Mar 2024 19:20:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=CoFg0wMqCED5ykVJaT9eFlYsHOsY3vB94cMP8HmO+JA=; b=WF66on8Nc4YVS5JAX4mvNwsC+/g8AlpZMtXu57FZVfA52kXz2uBT4VqBP7bnO+glFnqW+9 
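Review bot: the `for candidate in /dev/tpm*` hunks of patch 4/8 (identical in the clevis and systemd scripts) keep iterating after a device has passed both probes, so the last matching node wins, and `tpm_device` is never initialised before the loop; since `/dev/tpm*` matches both the raw `/dev/tpm0` and the resource-managed `/dev/tpmrm0` that the removed `tpm_device=/dev/tpmrm0` line used to select, the choice now depends on glob order rather than on a stated preference. Set `tpm_device=""` before the loop, `break` on the first hit, and iterate `/dev/tpmrm* /dev/tpm*` so the resource manager is preferred. The `2>/dev/null` on both probes also hides why a candidate was rejected, including a missing `tpm2_pcrread`/`tpm2_testparms` binary: per the diffstat this patch adds the `copy_exec` lines for both tools only to encrypt_partition.systemd.hook, while the clevis script calls them too, so unless the clevis hook already ships them the clevis initramfs rejects every TPM and panics with a misleading message. Nit: the new comment `# systemd version 251 does not suport hash_types` has a typo (`support`) and sits above a check that exports `PASSWORD`, so it should say what the version check actually gates.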
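Review bot: the `TEMPLATE_VARS` hunk of initramfs-crypt-hook_0.1.bb in patch 4/8 adds `CRYPT_ENCRYPTION_OPTIONAL`, but that variable only receives its `??= "false"` default in patch 5/8, so at this point of the series the template is rendered with an unset variable; move the `TEMPLATE_VARS` addition into 5/8 together with the default and the `ENCRYPTION_IS_OPTIONAL` line of encrypt_partition.env.tmpl. The same hunk deletes the blank line between `CRYPT_HASH_TYPE` and `TEMPLATE_VARS` for no reason, and `CRYPT_KEY_ALGORITHM ??= "ecc"` deserves a comment like the one above `CRYPT_HASH_TYPE`, saying that it is the TPM key type handed to `clevis luks bind` and `tpm2_testparms`.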
raOVFzIHKrZ+XW0MbHWuIvTGye4eDYY8LOcLpPNk335Lo2dPdKgsEx9U9EtMZXpq8KWCtZKk 4kSQ+Nj831VSCgVIJEf2qw/rnU0Ps=; From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 5/8] initramfs-crypt-hook: add flag to make encryption optional Date: Tue, 19 Mar 2024 19:18:29 +0100 Message-ID: <20240319182026.1571362-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15373 From: Quirin Gylstorff This allows using the same image on devices without a TPM or with a disabled TPM. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 20 +++++++++++++++++- .../files/encrypt_partition.env.tmpl | 1 + .../files/encrypt_partition.systemd.script | 21 ++++++++++++++++++- .../initramfs-crypt-hook_0.1.bb | 1 + 4 files changed, 41 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index f271e85..6e2713f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" pcr_bank_hash_type="$HASH_TYPE" tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi
@@ -111,7 +112,24 @@ for candidate in /dev/tpm*; do done if [ ! -e "$tpm_device" ]; then - panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + case "${partition_format}" in + "reencrypt") + mount_partition "$partition" "$rootmnt""$partition_mountpoint" + ;; + *) + echo "cannot mount partition '$partition' as it is marked for formatting." + esac + done + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi # clevis needs /dev/fd create it in the initramfs diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index 5d28dc5..bb93361 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" HASH_TYPE="${CRYPT_HASH_TYPE}" KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" +ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index ea267ac..2e6691a 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" pcr_bank_hash_type="$HASH_TYPE" tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -124,9 +125,27 @@ for candidate in /dev/tpm*; do done if [ ! -e "$tpm_device" ]; then - panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + case "${partition_format}" in + "reencrypt") + mount_partition "$partition" "$rootmnt""$partition_mountpoint" + ;; + *) + echo "cannot mount partition '$partition' as it is marked for formatting." + esac + done + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi + for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 7f732cf..54c91fd 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
@@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" # clevis needs tpm hash algorithm type CRYPT_HASH_TYPE ??= "sha256" CRYPT_KEY_ALGORITHM ??= "ecc" +CRYPT_ENCRYPTION_OPTIONAL ??= "false" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ From patchwork Tue Mar 19 18:18:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13596999 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71C46CD11BF for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.23524.1710872431292357602 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=nT64cg2P; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-202403191820299c7c2bf8bf1c3c2c75-_trxn2@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202403191820299c7c2bf8bf1c3c2c75 for ; Tue, 19 Mar 2024 19:20:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=05BhD/qINPIeOPskabF8QakDCUtkBq5OSKpeAoOiVNE=; b=nT64cg2PYl4K+EiPfo2SaMaQJPU+NABb1FRAkZCBh6b5MPu8GX0u09BtFNvmYy4waGqano auut0dYELR5E00Q1qiBJhCuP4fERQMUmXJY8I+vv/n4lmCWjl39mAOx8Zh8czxd18nSg017A r3cb0+FVWV+jPSc5PW5PtiFYAg9yU=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 6/8] initramfs-crypt-hook: add e2fsck to avoid resize error Date: Tue, 19 Mar 2024 19:18:30 +0100 Message-ID: <20240319182026.1571362-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15368 From: Quirin Gylstorff This avoids the following error during resizing a file system: Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.clevis.script | 1 + .../initramfs-crypt-hook/files/encrypt_partition.systemd.script | 1 + 2 files changed, 2 insertions(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 6e2713f..0bb6720 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -81,6 +81,7 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 2e6691a..9809c87 100644 
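Review bot: `e2fsck -f "$1"` in reencrypt_existing_partition (the same line is added to both the clevis and the systemd script) discards the exit status and runs without `-p` or `-y`, so on a filesystem that actually has errors it either refuses interactive repair because there is no usable terminal or blocks the boot waiting for console input, and the following `resize2fs` then fails exactly as before. Suggest `e2fsck -f -p "$1"` and checking the result, accepting exit statuses 0 and 1 (no errors / errors corrected) and panicking on anything higher, e.g. `e2fsck -f -p "$1"; rc=$?` followed by `[ "$rc" -le 1 ] || panic "filesystem $1 is inconsistent, reencryption aborted!"`. The commit message also promises "the following error during resizing a file system:" but no error text follows; please paste the resize2fs message so the motivation is on record.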
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -94,6 +94,7 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi From patchwork Tue Mar 19 18:18:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13596997 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 903D4CD11DE for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.23526.1710872431419546138 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=IVndewqu; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-202403191820297a4c54bd1a8e9f5af7-icqmyc@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 202403191820297a4c54bd1a8e9f5af7 for ; Tue, 19 Mar 2024 19:20:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=ZTixechiK4iqAZkd7QmSm13S3iNgXrasVmkta0xNHxI=; b=IVndewquSBEro5PWxtAdiAiBcpETU8+lWCT5LzvQcGTAVyk+29DLH9+fv147RSscMqOMPu e7tjMyDEVw/Yyzk1wGTZ78yfUq0SL1+DQfuMlxB1Gog4hvDAjfpFichQyePIHipfD2K9M8DT GkUDwipHeQEqpgi67f3xoB2qyL9l0=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH 7/8] initramfs-crypt-hook: split encryption and mounting Date: Tue, 19 Mar 2024 19:18:31 +0100 Message-ID: <20240319182026.1571362-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15371 From: Quirin Gylstorff The encryption now occurs before the rootfs is mounted. The file system is mounted after the rootfs. This removes the required order between overlay and disk encryption. Also it allows the encryption of the rootfs. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 27 -------- .../files/encrypt_partition.systemd.script | 27 -------- .../files/mount_crypt_partitions.script | 61 +++++++++++++++++++ .../initramfs-crypt-hook_0.1.bb | 6 +- .../files/overlay.script.tmpl | 2 +- 5 files changed, 67 insertions(+), 56 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0bb6720..eec3cf1 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
@@ -92,16 +92,6 @@ reencrypt_existing_partition() { fi } -mount_partition() { - partition_dev_path=$1 - partition_mountpoint=$2 - echo "mount device: '$partition' to '$partition_mountpoint'" - if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ - "${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${partition_dev_path}'!" - fi -} - for candidate in /dev/tpm*; do if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then continue @@ -115,19 +105,6 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then echo "No tpm_device exists abort optional encryption" - for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - case "${partition_format}" in - "reencrypt") - mount_partition "$partition" "$rootmnt""$partition_mountpoint" - ;; - *) - echo "cannot mount partition '$partition' as it is marked for formatting." - esac - done exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -140,7 +117,6 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" 
@@ -151,7 +127,6 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then open_tpm2_partition "$part_device" - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -184,8 +159,6 @@ for partition_set in $partition_sets; do ;; esac - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" - # delete initial key # afterwards no new keys can be enrolled cryptsetup -v luksKillSlot -q "$part_device" 0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 9809c87..c7822f2 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -105,16 +105,6 @@ reencrypt_existing_partition() { fi } -mount_partition() { - partition_dev_path=$1 - partition_mountpoint=$2 - echo "mount device: '$partition' to '$partition_mountpoint'" - if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ - "${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${partition_dev_path}'!" - fi -} - for candidate in /dev/tpm*; do if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then continue 
@@ -128,19 +118,6 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then echo "No tpm_device exists abort optional encryption" - for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - case "${partition_format}" in - "reencrypt") - mount_partition "$partition" "$rootmnt""$partition_mountpoint" - ;; - *) - echo "cannot mount partition '$partition' as it is marked for formatting." - esac - done exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -149,7 +126,6 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" @@ -160,7 +136,6 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then open_tpm2_partition "$part_device" - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -193,8 +168,6 @@ for partition_set in $partition_sets; do ;; esac - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" - # delete initial key # afterwards no new keys can be enrolled /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 
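Review bot: dropping the mount loop from the `tpm_encryption_optional` branch (both encrypt scripts) changes what happens to entries in the `*)` formatting case when no TPM is present: they used to be skipped with a message, now the script just `exit 0`s and the new local-bottom mount_crypt_partitions.script iterates over every entry of `$PARTITIONS` without looking at the format field, so an unformatted partition reaches mount_partition, `get_fstype` finds no filesystem, and the mount fails with a panic where the boot previously continued. Either format such partitions in the no-TPM branch or carry the format field into the mount script so it skips them, and say which in the commit message.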
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script new file mode 100644 index 0000000..1d3eb6c --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script @@ -0,0 +1,61 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mountpoint -q "${partition_mountpoint}"; then + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi + fi +} +partition_sets="$PARTITIONS" +for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + part_device=$(readlink -f "$partition") + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "systemd-tpm2"; then + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" + else + mount_partition "$part_device" "$rootmnt""$partition_mountpoint" + fi +done 
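Review bot: mount_crypt_partitions.script chooses between the mapper device and the raw partition with `luksDump | grep -q "systemd-tpm2"`, but the recipe also supports `CRYPT_BACKEND = "clevis"`, whose encrypt script greps the same dump for "clevis"; with that backend an encrypted partition never matches, the `else` branch mounts the LUKS container `$part_device` as a filesystem, and the boot panics. Test the outcome rather than the backend token, e.g. `if [ -e "$decrypted_part" ]; then mount_partition "$decrypted_part" ...`, since the mapper node only exists once the local-top script has unlocked the volume. Two smaller points: the prereqs() comment says "run last in local-top" while the recipe installs this file into scripts/local-bottom, and the echo inside mount_partition prints `$partition` (the loop's by-partlabel symlink) instead of its own `$partition_dev_path`, so for decrypted volumes the log names the wrong device.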
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 54c91fd..4e60c10 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -35,6 +35,7 @@ CRYPT_BACKEND = "systemd" SRC_URI += "file://encrypt_partition.env.tmpl \ file://encrypt_partition.${CRYPT_BACKEND}.script \ + file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ file://pwquality.conf" @@ -60,12 +61,15 @@ TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ ${D}/usr/share/encrypt_partition \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ ${D}/usr/share/initramfs-tools/scripts/local-bottom" do_install() { install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition" + "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition" + install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index a321490..2563dfd 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl 
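Review bot: the recipe installs the new script as `mount_decrypted_partition` while the source file is `mount_crypt_partitions.script`; pick one name. More importantly, that script calls `mountpoint -q`, yet the diffstat shows no change to `encrypt_partition.${CRYPT_BACKEND}.hook`: unless the hook (or initramfs-tools itself) already copies `mountpoint` into the initramfs, the check fails with "command not found" on every boot and the mount is attempted regardless, which silently disables the double-mount guard. Please confirm the binary is present, adding a `copy_exec` for it in the hook if not.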
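Review bot: clearing `PREREQ` in overlay.script.tmpl is required now that encrypt_partition lives in local-top, but it also leaves the overlay script with no ordering against the new mount script, and mount_crypt_partitions.script's prereqs() deliberately schedules itself after every other local-bottom script, so the overlay now runs before /home and /var are mounted under $rootmnt. If the overlay covers paths on those partitions the later mounts land on top of it; if that order is intended, say so in the commit message, otherwise give the overlay script `PREREQ="mount_decrypted_partition"` and drop the run-last construction.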
@@ -9,7 +9,7 @@ # Quirin Gylstorff # -PREREQ="encrypt_partition" +PREREQ="" prereqs() { From patchwork Tue Mar 19 18:18:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13597003 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2643CD11DF for ; Tue, 19 Mar 2024 18:20:41 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.23429.1710872431756278895 for ; Tue, 19 Mar 2024 11:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=Z58nE/dw; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-2024031918202922be0774f1a14ef5b6-hdu1ur@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2024031918202922be0774f1a14ef5b6 for ; Tue, 19 Mar 2024 19:20:29 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=GAeKVjVSXCIG30rWMZpQSRyWEj0Fct1L3P4UF4E3vrk=; b=Z58nE/dwtRkybmsma0sUBLVEmLhG0pMKOhwNea3qrEwb+vITXZbu2kNHezfHrkDNZH2C9B rnZQLSAmEKF0XeSUNw3j+S+2uFJTTdebQWj9LUJXDkQbmwyJJJNdlRcj12f+SwWAFlyLDCKP OpDqpd1jeOhMnqVjSp2BcRlnxENSY=; 
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][RFC 8/8] Add example to encrypt the rootfs Date: Tue, 19 Mar 2024 19:18:32 +0100 Message-ID: <20240319182026.1571362-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> References: <20240319182026.1571362-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Mar 2024 18:20:41 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15367 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- This is a rough example to show that rootfs encryption is possible. kas/opt/encrypt_rootfs.yml | 24 ++++++++++++++++++++++++ wic/x86_64-encryption.wks.in | 18 ++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 kas/opt/encrypt_rootfs.yml create mode 100644 wic/x86_64-encryption.wks.in diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml new file mode 100644 index 0000000..4001c75 --- /dev/null +++ b/kas/opt/encrypt_rootfs.yml @@ -0,0 +1,24 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + +local_conf_header: + encrypted_root: | + WKS_FILE = "x86_64-encryption.wks.in" + CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt" + IMAGE_FSTYPES = "wic" + IMAGER_INSTALL:wic += "systemd-boot" + CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc" + INITRAMFS_RECIPE ?= "cip-core-initramfs" + INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" + do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" 
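Review bot: the kas fragment marks the root partition `platform:/:reencrypt`, and reencrypt_existing_partition shrinks the filesystem by 65536 sectors before reencryption, but the matching `part /` line in x86_64-encryption.wks.in only sets `--mkfs-extraopts "-T default"` with no `--extra-space`, so whether the shrink succeeds depends on wic's default slack; an explicit `--extra-space` or a comment stating the requirement would keep the example from breaking on a fuller rootfs. The file also says nothing about the TPM requirement: with `CRYPT_ENCRYPTION_OPTIONAL` at its default "false", a machine without a TPM panics in local-top, which for an example users will copy deserves a header comment.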
diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in new file mode 100644 index 0000000..c143500 --- /dev/null +++ b/wic/x86_64-encryption.wks.in @@ -0,0 +1,18 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# SPDX-License-Identifier: MIT +# + +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0 + +# Not nice use the source param label to supress the root commandline +part / --source rootfs --fstype ext4 --sourceparams "label=BOOT" --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb +# home and var are extra partitions +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002 + +# This works as we know how that the luks device will be named encrypted_
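Review bot: `part /` and `part /home` carry the same `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, so two filesystems on the disk share a UUID and anything resolving by UUID (fstab, blkid, generators) becomes ambiguous; give /home its own value as /var already has. The `"label=BOOT"` source param on the root line is a workaround whose comment only says it suppresses the root command line, not why that is needed for an encrypted rootfs or what the initramfs mounts instead; spell the mechanism out there (and fix "supress") so the next reader does not remove it as a typo.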