From patchwork Tue Apr 9 13:05:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622487 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66E5BCD12A3 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.135726.1712668002651468818 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=N+NudgR2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-202404091306399c0703a9d0c6735d18-phi29s@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202404091306399c0703a9d0c6735d18 for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=SihjlxuH8eCo+mput6tIaKyWQBDGiv1ic/gp94GvunU=; b=N+NudgR2sF1CgEQRnIdMiLqv8XVBn7jwn0If2W7zqfISohm0C6QhR22UejCTdRICcOTTc8 LNr7t/TApr2GY1F85hfVo4yf5i6SmxVofouDjcv3qwHcCS37hnlCA8jU2mUKTHxO2ExuZfRy 61I5+1+JNt2USyt0IzHgjd7dpoyA0=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 01/15] initramfs-crypt-hook: Allow switching between clevis and systemd Date: Tue, 9 Apr 2024 15:05:18 +0200 Message-ID: <20240409130638.559398-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15518 From: Quirin Gylstorff This allows device which started on Debian 11 to continue using clevis for encryption and decryption. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook_0.1.bb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index b275c0f..317ea12 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020-2023 +# Copyright (c) Siemens AG, 2020-2024 # # Authors: # Quirin Gylstorff 
@@ -17,7 +17,17 @@ CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" -DEBIAN_DEPENDS:append = ", systemd (>= 251) | clevis-tpm2" +DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" + +def encryption_dependency(d): + crypt_backend = d.getVar('CRYPT_BACKEND') + if crypt_backend == 'clevis': + clevis_depends= d.getVar('CLEVIS_DEPEND') + return f"{clevis_depends}, clevis-tpm2" + elif crypt_backend == 'systemd': + return ", systemd (>= 251)" + else: + bb.error("unkown cryptbackend defined") CRYPT_BACKEND:buster = "clevis" CRYPT_BACKEND:bullseye = "clevis" From patchwork Tue Apr 9 13:05:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622494 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91C48CD12A8 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.136240.1712668002829672516 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=loT178MT; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-202404091306398372c8c81d589ad06d-qfsexu@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202404091306398372c8c81d589ad06d for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
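Review bot: the `else` branch of `encryption_dependency()` calls `bb.error()` but returns nothing, so for an unknown `CRYPT_BACKEND` the `${@encryption_dependency(d)}` expansion in `DEBIAN_DEPENDS:append` still happens and yields the literal string `None` in the Depends field; use `bb.fatal("unknown crypt backend defined")` (which also fixes the `unkown` typo) so the parse stops at the misconfiguration. Second point in the same hunk: for buster and bullseye the `DEBIAN_DEPENDS:append:buster` / `:bullseye` lines already contribute `${CLEVIS_DEPEND}`, and the `clevis` branch returns it a second time, so those targets list the clevis packages twice; returning just `", clevis-tpm2"` in that branch (or dropping the codename-specific appends) avoids the duplication. Style: `clevis_depends= d.getVar(...)` wants a space before the `=`.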
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=yqlNpChmOvPHuitayu5PdAQTVGO9xrsKLIRb+IZoWSo=; b=loT178MT/yBcMBCOKB01nKlcHIKELdHpCePyiGMEqgHSwfNOCdjVBBk5zs1Mf+8KrCAGQl s2knkptpUsBPLW0OP7jc9IolyTemklF0rrIiVEiuEMGuFk3pbRw/olr3tj8+tr2cLm4dOxUx ni4rkCFX4TzxCfUqCHZuQPIqHUq20=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 02/15] initramfs-crypt-hook: Align systemd encryption and clevis encryption Date: Tue, 9 Apr 2024 15:05:19 +0200 Message-ID: <20240409130638.559398-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15514 From: Quirin Gylstorff The following changes were copied from systemd to clevis: - check return of resize command The following changes were copied form clevis to systemd: - check if create_filesystem command is empty - use part_device(/dev/*) instead of disk label(/dev/disk/by-partlabel/*) Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 6 ++++-- .../files/encrypt_partition.systemd.script | 21 +++++++++++-------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0318966..4e76c44 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
@@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -82,7 +82,9 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - resize2fs "$1" "${reduced_size_in_kb}" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" + fi if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index eeeb55a..f97a461 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2023 +# Copyright (c) Siemens AG, 2023-2024 # # Authors: # Quirin Gylstorff @@ -47,6 +47,9 @@ modprobe loop tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd="mke2fs -t ext4" +fi service_watchdog() { for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do @@ -83,8 +86,7 @@ enroll_tpm2_token() { } reencrypt_existing_partition() { - part_device="$(readlink -f "$partition")" - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" + part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header reduce_device_size=32768 reduced_size="$(expr "$part_size_blocks" - 65536 )" 
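Review bot: `reencrypt_existing_partition()` in the systemd script no longer resolves its argument with `readlink -f`, and the `awk` split `print a[3]` only produces a valid `/sys/class/block/<name>` entry when `$1` is already a plain `/dev/<name>` path; a caller that still passes the `/dev/disk/by-partlabel/...` symlink would read `/sys/class/block/disk/size` and continue with an empty `part_size_blocks`. Since the function now relies on every caller resolving the device first, keeping a `part_device="$(readlink -f "$1")"` at the top of the function is a cheap guard. The new `resize2fs` failure check with `panic` on the clevis side is the right call; the same check should be confirmed present in the systemd variant, which this hunk does not show.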
@@ -111,15 +113,16 @@ for partition_set in $partition_sets; do partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" + part_device=$(readlink -f "$partition") # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then - open_tpm2_partition "$partition" if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ "${rootmnt}${partition_mountpoint}"; then panic "Can't mount encrypted partition '${decrypted_part}'!" fi + open_tpm2_partition "$part_device" continue fi 
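Review bot: in the `systemd-tpm2` branch `open_tpm2_partition "$part_device"` is moved below the `mount` of `${decrypted_part}`, but `/dev/mapper/encrypted_<label>` only exists once the LUKS device has been opened, so with this patch an already-encrypted partition hits `panic "Can't mount encrypted partition ..."` on every boot. Keep the open call before the mount; changing its argument to `$part_device` is fine on its own. Since 03/15 moves the call back up again, that part should be squashed into this commit so every step of the series boots.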
@@ -136,15 +139,15 @@ for partition_set in $partition_sets; do case "${partition_format}" in "reencrypt") - reencrypt_existing_partition "$partition" "$tmp_key" - enroll_tpm2_token "$partition" "$tmp_key" - open_tpm2_partition "$partition" + reencrypt_existing_partition "$part_device" "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" ;; "format") /usr/sbin/cryptsetup luksFormat --batch-mode \ --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$partition" "$tmp_key" - open_tpm2_partition "$partition" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" eval "${create_file_system_cmd} ${decrypted_part}" ;; *) From patchwork Tue Apr 9 13:05:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622491 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F05FCD12A4 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.135724.1712668002601964028 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=D77eIRET; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20240409130639412e549b238820a40c-77fsbl@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20240409130639412e549b238820a40c for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
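Review bot: in the `"format"` branch `cryptsetup luksFormat --batch-mode --type luks2 "$partition"` still targets the by-partlabel symlink while the neighbouring `enroll_tpm2_token` / `open_tpm2_partition` calls were switched to `$part_device` (and `luksDump` in the earlier hunk still uses `$partition` too); since the commit message says the intent is to use the resolved device, pass `$part_device` to `luksFormat` and `luksDump` as well so all cryptsetup operations address the same node.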
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=NaFR/n2lebjMguG9ktD6vHxvUptZL4wpnpzgeNTZUXs=; b=D77eIRETEa+tJFhPLkTLY/pY5j0iM59i40fA7Y1AGoSt6llVYo/vj5O3/QPA0FbFUVGtEM 4Ng7aiSMLyFvwFt+u+NneqHY78+xvHaNOc9ArGJ/Uz7/e7kMA+W4+M9S3x0d1kk6VZl8IE9g f5wp89pZPOR/E6Xx99CJtuCgHzbp0=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 03/15] initramfs-crypt-hook: move the mounting of encrypted disks in a seperate function Date: Tue, 9 Apr 2024 15:05:20 +0200 Message-ID: <20240409130638.559398-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15519 From: Quirin Gylstorff This increase the maintainability and avoids missing checks. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 20 +++++++++++-------- .../files/encrypt_partition.systemd.script | 20 +++++++++++-------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 4e76c44..0f82c1a 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
@@ -92,6 +92,16 @@ reencrypt_existing_partition() { fi } +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi +} + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi @@ -114,10 +124,7 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then open_tpm2_partition "$part_device" - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -150,10 +157,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" # delete initial key # afterwards no new keys can be enrolled diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index f97a461..6c6d22e 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
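Review bot: `mount_partition()` (added identically to both scripts) logs `echo "mount device: '$partition' to '$partition_mountpoint'"` using the global `$partition` instead of its own `$partition_dev_path`, so the message names the by-partlabel path rather than the mapper device actually being mounted. It also assigns `partition_mountpoint=$2`, which is the loop variable at every call site, so after `mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"` the caller's `partition_mountpoint` is silently rewritten to the `${rootmnt}`-prefixed value; give the parameters distinct names, or declare them `local` (supported by dash and busybox sh), to avoid that.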
@@ -102,6 +102,16 @@ reencrypt_existing_partition() { fi } +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition' to '$partition_mountpoint'" + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount encrypted partition '${partition_dev_path}'!" + fi +} + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi @@ -118,11 +128,8 @@ for partition_set in $partition_sets; do # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi open_tpm2_partition "$part_device" + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi 
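Review bot: the reordering in the `systemd-tpm2` branch (`open_tpm2_partition "$part_device"` now before `mount_partition`) repairs the open-after-mount ordering that 02/15 introduced; fold that part into 02/15 so the series contains no commit at which already-encrypted systemd devices fail to boot, and leave this patch as the pure refactoring its subject describes.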
@@ -155,10 +162,7 @@ for partition_set in $partition_sets; do ;; esac - if ! mount -t "$(get_fstype "${decrypted_part}")" "${decrypted_part}" \ - "${rootmnt}${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${decrypted_part}'!" - fi + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" # delete initial key # afterwards no new keys can be enrolled From patchwork Tue Apr 9 13:05:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622486 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F5DCCD129E for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.135725.1712668002644562274 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=VoMs20zA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20240409130640237458237183c91c5a-q6hhqz@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20240409130640237458237183c91c5a for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=/9EchmLfU9nprs/USFX4/6R1U5g1uq/u9eGaTRDxEh0=; b=VoMs20zAC8ksUoakFQ6oGZr3N2pX6hVFUuxmB819MGb7u6KClXkuYNs4mZ8ppSSYTKFWzf NYiNKstRhGWl2RivMEL+5UbjxCgOM/loRogmaQ2dW/cKA41AEzR6edlP9hVLmZqX6TC8jKzJ SkvLJ6OgAq8PW4aaz4W5dDMVr96TE=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 04/15] initramfs-crypt-hook: Check if the TPM device fulfills the given requirements Date: Tue, 9 Apr 2024 15:05:21 +0200 Message-ID: <20240409130638.559398-5-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15516 From: Quirin Gylstorff This also adds the Crypt hash and Crypt algorithm parameter and avoids errors on missmatches between Hardware and software. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.hook | 7 ++--- .../files/encrypt_partition.clevis.script | 28 +++++++++++++++---- .../files/encrypt_partition.env.tmpl | 3 +- .../files/encrypt_partition.systemd.hook | 4 ++- .../files/encrypt_partition.systemd.script | 15 ++++++++-- .../initramfs-crypt-hook_0.1.bb | 7 +++-- 6 files changed, 48 insertions(+), 16 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index d08594c..347551a 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook 
@@ -66,9 +66,10 @@ copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_creat copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" + copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" fi if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then - copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrread" + copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" fi copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then @@ -86,9 +87,7 @@ copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " -if [ "$VERSION_CODENAME" = "buster" ]; then - copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " -fi +copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " if [ -x /usr/sbin/cryptsetup-reencrypt ]; then copy_exec /usr/sbin/cryptsetup-reencrypt fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 0f82c1a..8de8015 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
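Review bot: the clevis hook copies `tpm2_testparms` with `|| hook_error`, guarded only by the `-x /usr/bin/tpm2_pcrread` condition of the enclosing `if`, while the clevis script in this same patch treats the tool as optional (`if [ -x /usr/bin/tpm2_testparms ]`); decide which it is and either guard the `copy_exec` with `[ -x /usr/bin/tpm2_testparms ]` too or drop the fallback in the script. The now unconditional `copy_exec /usr/lib/*/libgcc_s.so.1` is unrelated to the subject and deserves a sentence in the commit message.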
@@ -43,12 +43,10 @@ modprobe xts # this needs to be probed particularly for re-encryption modprobe loop -# fixed tpm device or do we need to find it -tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -hash_type="$HASH_TYPE" - +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -69,7 +67,7 @@ open_tpm2_partition() { enroll_tpm2_token() { if [ -x /usr/bin/clevis ]; then - clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2" + clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2" else panic "clevis not available cannot enroll tpm2 key!" fi @@ -102,6 +100,26 @@ mount_partition() { fi } +for candidate in /dev/tpm*; do + if [ -x /usr/bin/tpm2_pcrread ]; then + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then + continue + fi + elif [ -x /usr/bin/tpm2_pcrlist ]; then + export TPM2TOOLS_DEVICE_FILE="$candidate" + if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then + continue + fi + fi + # Debian buster does not have tpm_testparms + if [ -x /usr/bin/tpm2_testparms ]; then + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then + continue + fi + fi + tpm_device=$candidate +done + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index bcc57be..5d28dc5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl 
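Review bot: the `for candidate in /dev/tpm*` loop never `break`s, so `tpm_device` ends up as the last candidate that passes, and whether that is `/dev/tpmrm0` (the kernel resource manager, shareable with other TPM users) or `/dev/tpm0` (raw, exclusive access) depends purely on glob order; prefer `/dev/tpmrm*` explicitly and `break` on the first match. When no candidate passes, `tpm_device` stays empty and the unchanged `panic "tpm device '$tpm_device' does not exists ..."` prints a blank name (05/15 rewords it; do that here). The `tpm2_pcrread` / `tpm2_testparms` probes in this file are not silenced with `2>/dev/null` as they are in the systemd script, so each rejected candidate spills errors onto the console. Typo in the comment: `tpm_testparms` should be `tpm2_testparms`.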
@@ -2,4 +2,5 @@ PARTITIONS="${CRYPT_PARTITIONS}" CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" -HASH_TYPE="${CRYPT_HASH_TYPE}" \ No newline at end of file +HASH_TYPE="${CRYPT_HASH_TYPE}" +KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index c3b31d6..6e2a211 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright (C) Siemens AG, 2020-2023 +# Copyright (C) Siemens AG, 2020-2024 # # SPDX-License-Identifier: MIT @@ -49,6 +49,8 @@ copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" +copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" if [ -x /usr/sbin/cryptsetup-reencrypt ]; then diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 6c6d22e..ea267ac 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -43,10 +43,10 @@ modprobe xts # this needs to be probed particularly for re-encryption modprobe loop -# fixed tpm device or do we need to find it -tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -71,6 +71,7 @@ enroll_tpm2_token() { systemd_version=$(systemd-cryptenroll --version | \ awk -F " " 'NR==1{print $2 }') # check systemd version and export password if necessary + # systemd version 251 does not suport hash_types if [ "$systemd_version" -ge "251" ]; then PASSWORD=$(cat "$2" ) export PASSWORD @@ -112,6 +113,16 @@ mount_partition() { fi } +for candidate in /dev/tpm*; do + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then + continue + fi + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then + continue + fi + tpm_device=$candidate +done + if [ ! -e "$tpm_device" ]; then panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 317ea12..7f732cf 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -11,7 +11,7 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ - libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs" + libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" 
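Review bot: in the systemd script `tpm_key_algorithm` is consumed only by the `tpm2_testparms` probe; unlike the clevis variant, which passes `"key":"$tpm_key_algorithm"` to `clevis luks bind`, nothing here hands the algorithm to `systemd-cryptenroll`, so the probe validates a parameter that `systemd-cryptenroll` chooses on its own and a TPM can pass the check yet still fail at enrollment. Either state in the commit message that `CRYPT_KEY_ALGORITHM` must match what the installed systemd uses, or limit the check to the clevis backend. The loop has the same missing `break` as the clevis one. The new comment `# systemd version 251 does not suport hash_types` (typo: `support`) does not describe the code under it, which exports `PASSWORD` depending on the version; say what the version check actually gates.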
@@ -49,10 +49,11 @@ CRYPT_SETUP_TIMEOUT ??= "600" INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" # clevis needs tpm hash algorithm type CRYPT_HASH_TYPE ??= "sha256" - +CRYPT_KEY_ALGORITHM ??= "ecc" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ - CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE" + CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ + CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ From patchwork Tue Apr 9 13:05:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622483 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14AA9CD129A for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.136239.1712668002603336526 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=moMwlEOh; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-51332-20240409130640f6d5cd7f5ead3a83b2-svq3jt@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20240409130640f6d5cd7f5ead3a83b2 for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=MiUaZV9PYjaEbSBNv/R1ZRB6xdJrJYtGkBVB4cwwb9c=; b=moMwlEOhDoXg/qo3DR2k3KZyhGK6GIfwOHhIlhZT/X7cG4+CIkHa+99dU2dhV8cVJk+BDa 
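Review bot: `CRYPT_ENCRYPTION_OPTIONAL` is appended to `TEMPLATE_VARS` in this patch but is only defined (`CRYPT_ENCRYPTION_OPTIONAL ??= "false"`) and consumed by the env template in 05/15, so at this commit the template plumbing references an unset variable; move that token to 05/15 so each commit is self-contained. Minor: the blank line removed between `CRYPT_HASH_TYPE` and `TEMPLATE_VARS` separated the settings from the template plumbing and is worth keeping.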
qqBTIsRHJb1vpXaKBMnyAUCiQ0Y6bAmSqwsCi1ylGjK2YIta++kxj0R6P31Bvm4gMX16Y/Py 8eUdY/omX5Gpd9KoKhT1RTglDc5CI=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 05/15] initramfs-crypt-hook: add flag to make encryption optional Date: Tue, 9 Apr 2024 15:05:22 +0200 Message-ID: <20240409130638.559398-6-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15522 From: Quirin Gylstorff This allows to use same image on devices with and without TPM. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 20 ++++++++++++++++++- .../files/encrypt_partition.env.tmpl | 1 + .../files/encrypt_partition.systemd.script | 20 ++++++++++++++++++- .../initramfs-crypt-hook_0.1.bb | 1 + 4 files changed, 40 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 8de8015..e0fcbf4 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" pcr_bank_hash_type="$HASH_TYPE" tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi 
@@ -121,7 +122,24 @@ for candidate in /dev/tpm*; do done if [ ! -e "$tpm_device" ]; then - panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + case "${partition_format}" in + "reencrypt") + mount_partition "$partition" "$rootmnt""$partition_mountpoint" + ;; + *) + echo "cannot mount partition '$partition' as it is marked for formatting." + esac + done + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi # clevis needs /dev/fd create it in the initramfs diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index 5d28dc5..bb93361 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -4,3 +4,4 @@ SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" HASH_TYPE="${CRYPT_HASH_TYPE}" KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" +ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index ea267ac..48ce999 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -47,6 +47,7 @@ partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" pcr_bank_hash_type="$HASH_TYPE" tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -124,7 +125,24 @@ for candidate in /dev/tpm*; do done if [ ! -e "$tpm_device" ]; then - panic "tpm device '$tpm_device' does not exists - cannot create a encrypted device!" + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + case "${partition_format}" in + "reencrypt") + mount_partition "$partition" "$rootmnt""$partition_mountpoint" + ;; + *) + echo "cannot mount partition '$partition' as it is marked for formatting." + esac + done + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" fi for partition_set in $partition_sets; do diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 7f732cf..54c91fd 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb 
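Review bot: in the @@ -121,7 +122,24 @@ hunk of encrypt_partition.clevis.script, and in its verbatim copy @@ -124,7 +125,24 @@ in encrypt_partition.systemd.script, the `tpm_encryption_optional` branch turns a missing TPM into a silent downgrade: partitions marked `reencrypt` are mounted in plaintext and the script exits 0, so boot continues with nothing recording that encryption was skipped. Please log this prominently and leave a marker the running system can check (a file under /run, for instance), so that a device that is supposed to be encrypted does not look healthy after its TPM has failed or been removed. Smaller points in the same block: `[ ! -e "$tpm_device" ]` is also true when a TPM exists but does not support `$pcr_bank_hash_type`, as the new panic message itself says, so the echo "No tpm_device exists abort optional encryption" is misleading in that case; the `*)` branch for partitions marked `format` only echoes and then falls through to `exit 0`, leaving that mount point empty without a panic; and since the 17-line block is identical in both scripts, please factor it into a shared function instead of maintaining two copies.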
@@ -50,6 +50,7 @@ INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" # clevis needs tpm hash algorithm type CRYPT_HASH_TYPE ??= "sha256" CRYPT_KEY_ALGORITHM ??= "ecc" +CRYPT_ENCRYPTION_OPTIONAL ??= "false" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ From patchwork Tue Apr 9 13:05:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622493 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 800BCCD12A6 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.135723.1712668002569467528 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=QQNYBTyN; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-202404091306408e863898d6339c58f5-b3ep_v@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202404091306408e863898d6339c58f5 for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=84SeeW0dOuA/Z5FRWvQNGIgk9yS0VOW6y0EvgysVAdo=; b=QQNYBTyNkSAJ5g9g2f3JncfSYDJXFUzLLtThEeHoOZQdodbErzjkh33asqefgdVTiFYZlx EIWIM2lLNH3+SMOXtf/KzoCLZ2RdMIjyOlX61KScmMA/LEi11LdmD7yDs+g8ajo3mOBhDa27 6VHfnEyGVz6G8erxO/eBkWUryfnN8=; 
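Review bot: `CRYPT_ENCRYPTION_OPTIONAL` is not added to `TEMPLATE_VARS` in the initramfs-crypt-hook_0.1.bb hunk of patch 05/15 above (@@ -50,6 +50,7 @@); the diffstat reports a single insertion in that file, which is the new `CRYPT_ENCRYPTION_OPTIONAL ??= "false"` default. Isar's template class substitutes only the variables listed in `TEMPLATE_VARS`, so `ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"` in encrypt_partition.env.tmpl is written out unexpanded and, when the env file is sourced in the initramfs, expands to an empty shell variable, so the `= "true"` test in both scripts can never succeed. Please extend `TEMPLATE_VARS` with `CRYPT_ENCRYPTION_OPTIONAL` in this patch.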
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 06/15] initramfs-crypt-hook: add e2fsck to avoid resize error Date: Tue, 9 Apr 2024 15:05:23 +0200 Message-ID: <20240409130638.559398-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15521 From: Quirin Gylstorff This avoids the following error during resizing a file system: `Please run ‘e2fsck -f /dev/’ first` Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.clevis.script | 1 + .../initramfs-crypt-hook/files/encrypt_partition.systemd.script | 1 + 2 files changed, 2 insertions(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index e0fcbf4..22caa46 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -81,6 +81,7 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi 
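Review bot: the exit status of the new `e2fsck -f "$1"` in reencrypt_existing_partition() is ignored and no automatic-repair option is given, so on a filesystem with errors e2fsck waits for interactive answers it cannot get in the initramfs, and a filesystem it could not repair still proceeds to `resize2fs` and to the re-encryption. Suggest preen mode with a status check, for example `e2fsck -f -p "$1"; rc=$?` followed by `if [ "$rc" -ge 4 ]; then panic "filesystem $1 has uncorrected errors, cannot reencrypt!"; fi`, since e2fsck returns 0 or 1 for a clean or corrected filesystem, 2 when a reboot is required and 4 and above for uncorrected or operational errors. The same applies to the identical hunk in encrypt_partition.systemd.script in this patch.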
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 48ce999..85b4fbc 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -94,6 +94,7 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi From patchwork Tue Apr 9 13:05:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622490 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F774CD129F for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.136242.1712668002894217269 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=GknPmGkx; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20240409130640750e04405a5a893a49-ni6omc@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20240409130640750e04405a5a893a49 for ; Tue, 09 Apr 2024 15:06:40 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=yf0ldTeMP5TGskP4IPyKSq2lrD5E2R1CHF8CJ2crfIY=; b=GknPmGkxI2TBouNjnH5LTEMDQ1PsFoB3wZJhe5FTlTBL+UUVfyBzb2et9piFIVaGQJnTo/ hV9DQhwicjnsdmqBkNgF08w7oXt9Nq0E2hpN8kg5lD3gH1FIyLkoXCxcDmHAD97cTdSCxIL/ JG0JnWBnTOG4PBaGtSfY7gzQz6hJo=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 07/15] initramfs-crypt-hook: split encryption and mounting Date: Tue, 9 Apr 2024 15:05:24 +0200 Message-ID: <20240409130638.559398-8-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15517 From: Quirin Gylstorff The encryption now occurs before the rootfs is mounted. The file system is mounted after the rootfs. This removes the required order between overlay and disk encryption. Also it allows the encryption of the rootfs. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 27 -------- .../files/encrypt_partition.systemd.script | 27 -------- .../files/mount_crypt_partitions.script | 61 +++++++++++++++++++ .../initramfs-crypt-hook_0.1.bb | 6 +- .../files/overlay.script.tmpl | 2 +- 5 files changed, 67 insertions(+), 56 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 22caa46..6aec7b8 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
@@ -92,16 +92,6 @@ reencrypt_existing_partition() { fi } -mount_partition() { - partition_dev_path=$1 - partition_mountpoint=$2 - echo "mount device: '$partition' to '$partition_mountpoint'" - if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ - "${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${partition_dev_path}'!" - fi -} - for candidate in /dev/tpm*; do if [ -x /usr/bin/tpm2_pcrread ]; then if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then @@ -125,19 +115,6 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then echo "No tpm_device exists abort optional encryption" - for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - case "${partition_format}" in - "reencrypt") - mount_partition "$partition" "$rootmnt""$partition_mountpoint" - ;; - *) - echo "cannot mount partition '$partition' as it is marked for formatting." - esac - done exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -150,7 +127,6 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" 
@@ -161,7 +137,6 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then open_tpm2_partition "$part_device" - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -194,8 +169,6 @@ for partition_set in $partition_sets; do ;; esac - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" - # delete initial key # afterwards no new keys can be enrolled cryptsetup -v luksKillSlot -q "$part_device" 0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 85b4fbc..7f2a6e3 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -105,16 +105,6 @@ reencrypt_existing_partition() { fi } -mount_partition() { - partition_dev_path=$1 - partition_mountpoint=$2 - echo "mount device: '$partition' to '$partition_mountpoint'" - if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ - "${partition_mountpoint}"; then - panic "Can't mount encrypted partition '${partition_dev_path}'!" - fi -} - for candidate in /dev/tpm*; do if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then continue 
@@ -128,19 +118,6 @@ done if [ ! -e "$tpm_device" ]; then if [ "$tpm_encryption_optional" = "true" ]; then echo "No tpm_device exists abort optional encryption" - for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - case "${partition_format}" in - "reencrypt") - mount_partition "$partition" "$rootmnt""$partition_mountpoint" - ;; - *) - echo "cannot mount partition '$partition' as it is marked for formatting." - esac - done exit 0 fi panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" @@ -148,7 +125,6 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" @@ -159,7 +135,6 @@ for partition_set in $partition_sets; do if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then open_tpm2_partition "$part_device" - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" continue fi @@ -192,8 +167,6 @@ for partition_set in $partition_sets; do ;; esac - mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" - # delete initial key # afterwards no new keys can be enrolled /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script new file mode 100644 index 0000000..3411e70 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script @@ -0,0 +1,61 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +mount_partition() { + partition_dev_path=$1 + partition_mountpoint=$2 + echo "mount device: '$partition_dev_path' to '$partition_mountpoint'" + if ! mountpoint -q "${partition_mountpoint}"; then + if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ + "${partition_mountpoint}"; then + panic "Can't mount partition '${partition_dev_path}'!" + fi + fi +} +partition_sets="$PARTITIONS" +for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + part_device=$(readlink -f "$partition") + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + + if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ + | grep -q "luks2"; then + mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint" + else + mount_partition "$part_device" "$rootmnt""$partition_mountpoint" + fi +done 
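Review bot: the comment in prereqs() of mount_crypt_partitions.script says the script must run last in local-top, but the recipe hunk in this patch installs it into scripts/local-bottom; please fix the comment, and note that listing every sibling script as a prerequisite also silently reorders whatever else is added to local-bottom later. In the main loop, `mount_partition "$decrypted_part" ...` is called whenever luksDump shows a `luks2` keyslot without checking that the mapping was actually opened; when encrypt_partition exited early (the optional-encryption path now exits 0 before opening anything), `get_fstype` and `mount` fail on a non-existent /dev/mapper node and the panic names the wrong cause. A guard such as `[ -b "$decrypted_part" ] || panic "encrypted partition '$partition' was not opened!"` before the mount gives a usable error. Minor: `script` is assigned inside prereqs() without `local`, unlike `req`.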
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 54c91fd..4e60c10 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -35,6 +35,7 @@ CRYPT_BACKEND = "systemd" SRC_URI += "file://encrypt_partition.env.tmpl \ file://encrypt_partition.${CRYPT_BACKEND}.script \ + file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ file://pwquality.conf" @@ -60,12 +61,15 @@ TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ ${D}/usr/share/encrypt_partition \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ ${D}/usr/share/initramfs-tools/scripts/local-bottom" do_install() { install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-bottom/encrypt_partition" + "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition" + install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index a321490..2563dfd 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl 
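Review bot: the do_install hunk installs mount_crypt_partitions.script under the name local-bottom/mount_decrypted_partition while encrypt_partition keeps its source name; since the installed basename is what prereqs() in the mount script and the PREREQ lists of other scripts refer to, please use one name for the file in SRC_URI and in the target directory so the ordering can be debugged without a mental mapping between the two.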
@@ -9,7 +9,7 @@ # Quirin Gylstorff # -PREREQ="encrypt_partition" +PREREQ="" prereqs() { From patchwork Tue Apr 9 13:05:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622492 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D039CD12A2 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.136241.1712668002836662354 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=ULoOU1G0; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20240409130640932e873c4c624c97ce-urlkoq@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20240409130640932e873c4c624c97ce for ; Tue, 09 Apr 2024 15:06:41 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=1pG3HVF1ldqHb3ddz9MFXg3NhQQK3GwHO+U2X0XIUXM=; b=ULoOU1G04JbqoaAN97i9oGde2660tL35smtkUAli7MGqZhuNoL55igN2iu6eWNaJ5Lk/Ia DD6MKb+iG6YZ0TV5srjg7OTEgkV6StlCynWb+RKSd0XP73Fc8EYCcUxzFD/NRB+Ff6GaWgEc GIEhtxHxBfDoVIJC8DW7MK3VIScsg=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 08/15] initramfs-crypt-hook: Add check if root is part of the mountpoints Date: Tue, 9 Apr 2024 15:05:25 +0200 Message-ID: <20240409130638.559398-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15513 From: Quirin Gylstorff If root will be encrypted the ROOT mountpoint will be set to '/dev/mapper/encrypted_'. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.script | 6 ++++++ .../files/encrypt_partition.systemd.script | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 6aec7b8..fdbd9b5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
@@ -127,12 +127,17 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" # clevis does not work with links in /dev/disk* part_device=$(readlink -f "$partition") + # check if we are trying to mount root + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "clevis"; then @@ -169,6 +174,7 @@ for partition_set in $partition_sets; do ;; esac + # delete initial key # afterwards no new keys can be enrolled cryptsetup -v luksKillSlot -q "$part_device" 0 diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 7f2a6e3..e0c84ce 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
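Review bot: in the @@ -127,12 +127,17 @@ hunk, `echo "ROOT=$decrypted_part" >/conf/param.conf` truncates the file, so any variable an earlier local-top script wrote there is lost; append with `>>` instead, since initramfs-tools sources the whole file after each script. The second hunk (@@ -169,6 +174,7 @@) only re-adds the blank line before `# delete initial key` that patch 07/15 removed; drop it here and keep the line in 07/15 so the series does not churn. The `>>` point applies to the identical hunk in encrypt_partition.systemd.script as well.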
@@ -125,12 +125,17 @@ fi for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" part_device=$(readlink -f "$partition") + # check if we are trying to mount root + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi # check if partition is already encrypted with systemd-tpm2 if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ | grep -q "systemd-tpm2"; then From patchwork Tue Apr 9 13:05:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622485 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DAB68CD1296 for ; Tue, 9 Apr 2024 13:06:50 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.135727.1712668003131510768 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=VzVQbokA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-20240409130641f3b2cbc3b68bfcfffb-monxyl@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20240409130641f3b2cbc3b68bfcfffb for ; Tue, 09 Apr 2024 15:06:41 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; 
c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=lP8vPta3VBv1pv1h9gXXM2wjvwupA4CkmTLpNinx7gg=; b=VzVQbokAHqG5sXfSCxUMQElLOhskQpBC+BD9KqEPqQIDcjfsO7KNOemiDaG3YPV53ugVrB PQu9oWASL22N+z1BiAK3/JtdSACPsH60P4UU1bSzh0JRuqVikzDRtx34O6bDIQdkhIU5gCzL 0i7oInroC06CV46+wxkGPX3pzyYKI=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 09/15] initramfs-crypt-hook: split hook in multiple files Date: Tue, 9 Apr 2024 15:05:26 +0200 Message-ID: <20240409130638.559398-10-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:50 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15515 From: Quirin Gylstorff Split the clevis hook into distro-specific files to increase readability. Signed-off-by: Quirin Gylstorff --- ...pt_partition.clevis.bullseye_or_later.hook | 34 +++++++++++++++++++ .../encrypt_partition.clevis.buster.hook | 30 ++++++++++++++++ .../files/encrypt_partition.clevis.hook | 16 --------- .../initramfs-crypt-hook_0.1.bb | 18 +++++++++- 4 files changed, 81 insertions(+), 17 deletions(-) create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook new file mode 100755 index 0000000..b244d45 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook @@ -0,0 +1,34 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2023 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +if [ -f /etc/os-release ]; then + . /etc/os-release +fi +hook_error() { + echo "(ERROR): $1" >&2 + exit 1 +} + +copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" +copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" +copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" +copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" +copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook new file mode 100755 index 0000000..fd39c34 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook @@ -0,0 +1,30 @@ +#!/bin/sh +# Copyright (C) Siemens AG, 2020-2023 +# +# SPDX-License-Identifier: MIT + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +if [ -f /etc/os-release ]; then + . /etc/os-release +fi +hook_error() { + echo "(ERROR): $1" >&2 + exit 1 +} +copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" + 
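Review bot: both new hooks drop the `[ -x /usr/bin/... ]` guards that the conditionals removed from encrypt_partition.clevis.hook in this patch had, so `copy_exec /usr/bin/clevis-luks-list` and the other copy_exec lines now abort the initramfs build when the binary is absent instead of skipping it; if that is intended because the tools are mandatory on bullseye and later, please say so in the commit message, otherwise restore the guard. Two style points: the new files are created in 2024 but carry `Copyright (C) Siemens AG, 2020-2023`, and both hooks source /etc/os-release without using any of its variables, so that block can go, together with the duplicated hook_error() definition if the main hook's helper can be shared.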
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 347551a..1921aba 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook 
@@ -54,27 +54,11 @@ copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tp copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found" copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found" copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found" -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-list ]; then - copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" -fi -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/clevis-luks-common-functions ]; then - copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" -fi copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary" copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal" copy_exec /usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create" copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_pcrread ]; then - copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" - copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" -fi -if [ "$VERSION_CODENAME" = "buster" ] && [ -x /usr/bin/tpm2_pcrlist ]; then - copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" -fi copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" -if [ "$VERSION_CODENAME" != "buster" ] && [ -x /usr/bin/tpm2_flushcontext ]; then - copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" -fi copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash" copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta" copy_exec /usr/bin/jose || hook_error 
"Unable to copy /usr/bin/jose" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index 4e60c10..dc46ff8 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -29,6 +29,16 @@ def encryption_dependency(d): else: bb.error("unkown cryptbackend defined") +def add_additional_clevis_hooks(d): + base_distro_code_name = d.getVar('BASE_DISTRO_CODENAME') or "" + crypt_backend = d.getVar('CRYPT_BACKEND') or "" + if crypt_backend != 'clevis': + return "" + if base_distro_code_name == "buster": + return f"encrypt_partition.{crypt_backend}.buster.hook" + else: + return f"encrypt_partition.{crypt_backend}.bullseye_or_later.hook" + CRYPT_BACKEND:buster = "clevis" CRYPT_BACKEND:bullseye = "clevis" CRYPT_BACKEND = "systemd" @@ -38,7 +48,8 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ file://pwquality.conf" - +ADDITIONAL_CLEVIS_HOOK = "${@add_additional_clevis_hooks(d)}" +SRC_URI += "${@ 'file://' + d.getVar('ADDITIONAL_CLEVIS_HOOK') if d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''}" # CRYPT_PARTITIONS elements are :: CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem 
@@ -72,5 +83,10 @@ do_install() { "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" + if [ -f "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" ]; then + install -m 0755 "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" \ + "${D}/usr/share/initramfs-tools/hooks/encrypt_partition.${BASE_DISTRO_CODENAME}" + fi + install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" } From patchwork Tue Apr 9 13:05:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622495 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8DD1CCD12A5 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.136243.1712668003213767565 for ; Tue, 09 Apr 2024 06:06:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=NPi3SYX5; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-20240409130641bd326caf66aefb4a6c-5ikety@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20240409130641bd326caf66aefb4a6c for ; Tue, 09 Apr 2024 15:06:41 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=EsWalcVDNXtkahH9g39M4UbiYdjj0ZKm+HmxLzsxBKk=; 
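Review bot: the hunk that removes the VERSION_CODENAME-conditional `copy_exec` lines (clevis-luks-list, clevis-luks-common-functions, tpm2_pcrread, tpm2_testparms, tpm2_pcrlist, tpm2_flushcontext) takes those binaries out of the initramfs, and nothing in this patch shows them being copied by the new per-codename hooks, which are only referenced by name. The clevis script's TPM candidate loop is `if [ -x /usr/bin/tpm2_pcrread ]; then ... elif [ -x /usr/bin/tpm2_pcrlist ]; then ... fi`, so when neither tool is present a candidate is accepted without any PCR-bank or key-algorithm check; please confirm encrypt_partition.clevis.buster.hook and encrypt_partition.clevis.bullseye_or_later.hook copy these tools, or the detection degrades silently.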
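Review bot: in the add_additional_clevis_hooks hunk the two hook files it returns, encrypt_partition.clevis.buster.hook and encrypt_partition.clevis.bullseye_or_later.hook, are appended to SRC_URI but are not part of this patch (the diffstat lists only the recipe), so the fetch fails unless they land earlier in the series; please include them or reorder. Minor: the f-string `f"encrypt_partition.{crypt_backend}.buster.hook"` is only reached when crypt_backend == 'clevis', so writing clevis literally would be clearer, and the SRC_URI expression is missing a space before `else` in `d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''`.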
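Review bot: the do_install hunk installs the extra hook as `hooks/encrypt_partition.${BASE_DISTRO_CODENAME}`, a second initramfs-tools hook next to `hooks/encrypt_partition`; if one of them needs binaries or libraries copied by the other, express that with a prereqs() entry in the hook rather than relying on the hook run order, and add a one-line comment at the install site saying what the per-codename hook contributes, since the recipe otherwise gives no hint why two hooks exist.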
b=NPi3SYX5XOrtX321qQiPlNRq5RrQvvsUiiys5uh8wxF8GXshYt+GBahcj0Wd0d+pmCQj2j s58iz4sb31O+Ue2St8YMudUvIBXvlkCrP0b5wwzqca6MxfRIFql/RsynVkvz3W5mVykKzeTv eVJE4aAiPPj3mGfTqZdiUvx1ISyvQ=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 10/15] initramfs-crypt-hook: Consolidate clevis and systemd scripts Date: Tue, 9 Apr 2024 15:05:27 +0200 Message-ID: <20240409130638.559398-11-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15520 From: Quirin Gylstorff This reduce the maintaince as the common code is only maintained once. Signed-off-by: Quirin Gylstorff --- .../files/encrypt_partition.clevis.hook | 1 + .../files/encrypt_partition.clevis.script | 177 ++---------------- .../files/encrypt_partition.script | 164 ++++++++++++++++ .../files/encrypt_partition.systemd.hook | 1 + .../files/encrypt_partition.systemd.script | 163 ++-------------- .../initramfs-crypt-hook_0.1.bb | 5 +- 6 files changed, 208 insertions(+), 303 deletions(-) create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook index 1921aba..0bb8ce6 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook 
@@ -81,4 +81,5 @@ for _LIBRARY in /usr/lib/*/libtss2*; do done copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env +copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 copy_file pwmake-config /usr/share/encrypt_partition/pwquality.conf /etc/security/pwquality.conf diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index fdbd9b5..ddb3eab 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
@@ -9,177 +9,38 @@ # # SPDX-License-Identifier: MIT -prereqs() -{ - # Make sure that this script is run last in local-top - local req - for req in "${0%/*}"/*; do - script="${req##*/}" - if [ "$script" != "${0##*/}" ]; then - printf '%s\n' "$script" - fi - done -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /scripts/functions - -# get configuration variables -. /usr/share/encrypt_partition/encrypt_partition.env - -# load necessary kernel modules: -modprobe tpm_tis -modprobe tpm_crb - -modprobe ecb -modprobe aes_generic -modprobe xts - -# this needs to be probed particularly for re-encryption -modprobe loop - -partition_sets="$PARTITIONS" -create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -pcr_bank_hash_type="$HASH_TYPE" -tpm_key_algorithm="$KEY_ALGORITHM" -tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" -if [ -z "${create_file_system_cmd}" ]; then - create_file_system_cmd="mke2fs -t ext4" -fi - -service_watchdog() { - for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do - printf '\0' - sleep 10 - done > "$WATCHDOG_DEV" -} open_tpm2_partition() { + partition_device="$1" + crypt_mount_name="$2" + #tpm_device="$3" if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ - -d "$1"; then - panic "Can't decrypt '$1' !" + -d "$partition_device"; then + panic "Can't decrypt '$partition_device' !" fi } enroll_tpm2_token() { + partition_device="$1" + passphrase="$2" + #tpm_device="$3" + tpm_key_algorithm="$4" + pcr_bank_hash_type="$5" if [ -x /usr/bin/clevis ]; then - clevis luks bind -d "$1" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$2" + clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" else panic "clevis not available cannot enroll tpm2 key!" 
fi } -reencrypt_existing_partition() { - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" - # reduce the filesystem and partition by 32M to fit the LUKS header - reduce_device_size=32768 - reduced_size="$(expr "$part_size_blocks" - 65536 )" - reduced_size_in_byte="$(expr "$reduced_size" \* 512)" - reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi - if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" - else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" +prepare_for_encryption() { + # clevis needs /dev/fd create it in the initramfs + if [ ! -e /dev/fd ]; then + ln -s /proc/self/fd /dev/fd fi } -for candidate in /dev/tpm*; do - if [ -x /usr/bin/tpm2_pcrread ]; then - if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then - continue - fi - elif [ -x /usr/bin/tpm2_pcrlist ]; then - export TPM2TOOLS_DEVICE_FILE="$candidate" - if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then - continue - fi - fi - # Debian buster does not have tpm_testparms - if [ -x /usr/bin/tpm2_testparms ]; then - if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then - continue - fi - fi - tpm_device=$candidate -done - -if [ ! -e "$tpm_device" ]; then - if [ "$tpm_encryption_optional" = "true" ]; then - echo "No tpm_device exists abort optional encryption" - exit 0 - fi - panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" -fi - -# clevis needs /dev/fd create it in the initramfs -if [ ! 
-e /dev/fd ]; then - ln -s /proc/self/fd /dev/fd -fi - -for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - crypt_mount_name="encrypted_$partition_label" - decrypted_part=/dev/mapper/"$crypt_mount_name" - # clevis does not work with links in /dev/disk* - part_device=$(readlink -f "$partition") - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi - - if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "clevis"; then - open_tpm2_partition "$part_device" - continue - fi - - # service watchdog in the background during lengthy re-encryption - if [ -z "$watchdog_pid" ]; then - service_watchdog & - watchdog_pid=$! - fi - - # create random password for initial encryption - # this will be dropped after reboot - tmp_key=/tmp/"$partition_label-lukskey" - openssl rand -base64 32 > "$tmp_key" - - case "${partition_format}" in - "reencrypt") - reencrypt_existing_partition "$part_device" "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - ;; - "format") - /usr/sbin/cryptsetup luksFormat --batch-mode \ - --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - eval "${create_file_system_cmd} ${decrypted_part}" - ;; - *) - panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" 
- ;; - esac - - - # delete initial key - # afterwards no new keys can be enrolled - cryptsetup -v luksKillSlot -q "$part_device" 0 -done - -if [ -n "$watchdog_pid" ]; then - kill "$watchdog_pid" -fi +finalize_tpm2_encryption() { + partition_device="$1" + cryptsetup -v luksKillSlot -q "$partition_device" 0 +} diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script new file mode 100644 index 0000000..8763f69 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script 
@@ -0,0 +1,164 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023-2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + +# get the implementation +. /usr/share/encrypt_partition/encrypt_partition_tpm2 +# load necessary kernel modules: +modprobe tpm_tis +modprobe tpm_crb + +modprobe ecb +modprobe aes_generic +modprobe xts + +# this needs to be probed particularly for re-encryption +modprobe loop + +partition_sets="$PARTITIONS" +create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" +pcr_bank_hash_type="$HASH_TYPE" +tpm_key_algorithm="$KEY_ALGORITHM" +tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" +if [ -z "${create_file_system_cmd}" ]; then + create_file_system_cmd="mke2fs -t ext4" +fi + +service_watchdog() { + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do + printf '\0' + sleep 10 + done > "$WATCHDOG_DEV" +} + +reencrypt_existing_partition() { + part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" + # reduce the filesystem and partition by 32M to fit the LUKS header + reduce_device_size=32768 + reduced_size="$(expr "$part_size_blocks" - 65536 )" + reduced_size_in_byte="$(expr "$reduced_size" \* 512)" + reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + e2fsck -f "$1" + if ! resize2fs "$1" "${reduced_size_in_kb}"; then + panic "reencryption of filesystem $1 cannot continue!" 
+ fi + if [ -x /usr/sbin/cryptsetup-reencrypt ]; then + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" + else + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" + fi +} +for candidate in /dev/tpm*; do + if [ -x /usr/bin/tpm2_pcrread ]; then + if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then + continue + fi + elif [ -x /usr/bin/tpm2_pcrlist ]; then + export TPM2TOOLS_DEVICE_FILE="$candidate" + if ! tpm2_pcrlist -L "$pcr_bank_hash_type":7 > /dev/null; then + continue + fi + fi + # Debian buster does not have tpm_testparms + if [ -x /usr/bin/tpm2_testparms ]; then + if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet; then + continue + fi + fi + tpm_device=$candidate +done + +if [ ! -e "$tpm_device" ]; then + if [ "$tpm_encryption_optional" = "true" ]; then + echo "No tpm_device exists abort optional encryption" + exit 0 + fi + panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" 
+fi + +prepare_for_encryption + +for partition_set in $partition_sets; do + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition=/dev/disk/by-partlabel/"$partition_label" + crypt_mount_name="encrypted_$partition_label" + decrypted_part=/dev/mapper/"$crypt_mount_name" + part_device=$(readlink -f "$partition") + # check if we are trying to mount root + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + + if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ + | grep -q "token"; then + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + continue + fi + + # service watchdog in the background during lengthy re-encryption + if [ -z "$watchdog_pid" ]; then + service_watchdog & + watchdog_pid=$! + fi + + # create random password for initial encryption + # this will be dropped after reboot + tmp_key=/tmp/"$partition_label-lukskey" + openssl rand -base64 32 > "$tmp_key" + + case "${partition_format}" in + "reencrypt") + reencrypt_existing_partition "$part_device" "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + ;; + "format") + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$partition" < "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + eval "${create_file_system_cmd} ${decrypted_part}" + ;; + *) + panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" + ;; + esac + + finalize_tpm2_encryption +done + +if [ -n "$watchdog_pid" ]; then + kill "$watchdog_pid" +fi 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index 6e2a211..941f0b1 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -61,4 +61,5 @@ for _LIBRARY in /usr/lib/*/libtss2* /usr/lib/*/libgcc_s.so.1; do copy_exec "$_LIBRARY" done +copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index e0c84ce..611f9cf 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script 
@@ -9,64 +9,23 @@ # # SPDX-License-Identifier: MIT -prereqs() -{ - # Make sure that this script is run last in local-top - local req - for req in "${0%/*}"/*; do - script="${req##*/}" - if [ "$script" != "${0##*/}" ]; then - printf '%s\n' "$script" - fi - done -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /scripts/functions - -# get configuration variables -. /usr/share/encrypt_partition/encrypt_partition.env - -# load necessary kernel modules: -modprobe tpm_tis -modprobe tpm_crb - -modprobe ecb -modprobe aes_generic -modprobe xts - -# this needs to be probed particularly for re-encryption -modprobe loop - -partition_sets="$PARTITIONS" -create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -pcr_bank_hash_type="$HASH_TYPE" -tpm_key_algorithm="$KEY_ALGORITHM" -tpm_encryption_optional="$ENCRYPTION_IS_OPTIONAL" -if [ -z "${create_file_system_cmd}" ]; then - create_file_system_cmd="mke2fs -t ext4" -fi - -service_watchdog() { - for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do - printf '\0' - sleep 10 - done > "$WATCHDOG_DEV" -} - open_tpm2_partition() { + partition_device="$1" + crypt_mount_name="$2" + tpm_device="$3" if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ - "$1" - tpm2-device="$tpm_device"; then - panic "Can't decrypt '$1' !" + "$partition_device" - tpm2-device="$tpm_device"; then + panic "Can't decrypt '$partition_device' !" fi } enroll_tpm2_token() { + partition_device="$1" + passphrase="$2" + tpm_device="$3" + #tpm_key_algorithm="$4" + #pcr_bank_hash_type="$5" + # check systemd version and export password if necessary if [ -x /usr/bin/systemd-cryptenroll ]; then systemd_version=$(systemd-cryptenroll --version | \ 
@@ -74,10 +33,10 @@ enroll_tpm2_token() { # check systemd version and export password if necessary # systemd version 251 does not suport hash_types if [ "$systemd_version" -ge "251" ]; then - PASSWORD=$(cat "$2" ) + PASSWORD=$(cat "$passphrase" ) export PASSWORD /usr/bin/systemd-cryptenroll --tpm2-device="$tpm_device" \ - --tpm2-pcrs=7 "$1" + --tpm2-pcrs=7 "$partition_device" PASSWORD= else panic "Unknown systemd version: '$systemd_version'!" 
@@ -87,96 +46,12 @@ enroll_tpm2_token() { fi } -reencrypt_existing_partition() { - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" - # reduce the filesystem and partition by 32M to fit the LUKS header - reduce_device_size=32768 - reduced_size="$(expr "$part_size_blocks" - 65536 )" - reduced_size_in_byte="$(expr "$reduced_size" \* 512)" - reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" - e2fsck -f "$1" - if ! resize2fs "$1" "${reduced_size_in_kb}"; then - panic "reencryption of filesystem $1 cannot continue!" - fi - if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" - else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" - fi +prepare_for_encryption() { + true } -for candidate in /dev/tpm*; do - if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet 2>/dev/null; then - continue - fi - if ! tpm2_testparms -T device:"$candidate" "$tpm_key_algorithm" --quiet 2>/dev/null; then - continue - fi - tpm_device=$candidate -done - -if [ ! -e "$tpm_device" ]; then - if [ "$tpm_encryption_optional" = "true" ]; then - echo "No tpm_device exists abort optional encryption" - exit 0 - fi - panic "No tpm device exists or supports pcr_hash '$pcr_bank_hash_type' or '$tpm_key_algorithm' - cannot create a encrypted device!" 
-fi - -for partition_set in $partition_sets; do - partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" - partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" - partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/"$partition_label" - crypt_mount_name="encrypted_$partition_label" - decrypted_part=/dev/mapper/"$crypt_mount_name" - part_device=$(readlink -f "$partition") - - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi - # check if partition is already encrypted with systemd-tpm2 - if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \ - | grep -q "systemd-tpm2"; then - open_tpm2_partition "$part_device" - continue - fi - - # service watchdog in the background during lengthy re-encryption - if [ -z "$watchdog_pid" ]; then - service_watchdog & - watchdog_pid=$! - fi - - # create random password for initial encryption - # this will be dropped after reboot - tmp_key=/tmp/"$partition_label-lukskey" - openssl rand -base64 32 > "$tmp_key" - - case "${partition_format}" in - "reencrypt") - reencrypt_existing_partition "$part_device" "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - ;; - "format") - /usr/sbin/cryptsetup luksFormat --batch-mode \ - --type luks2 "$partition" < "$tmp_key" - enroll_tpm2_token "$part_device" "$tmp_key" - open_tpm2_partition "$part_device" - eval "${create_file_system_cmd} ${decrypted_part}" - ;; - *) - panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" 
- ;; - esac - - # delete initial key - # afterwards no new keys can be enrolled - /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 -done +finalize_tpm2_encryption() { + partition_device="$1" +- /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device" +} -if [ -n "$watchdog_pid" ]; then - kill "$watchdog_pid" -fi diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb index dc46ff8..1d5a4a7 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb @@ -44,6 +44,7 @@ CRYPT_BACKEND:bullseye = "clevis" CRYPT_BACKEND = "systemd" SRC_URI += "file://encrypt_partition.env.tmpl \ + file://encrypt_partition.script \ file://encrypt_partition.${CRYPT_BACKEND}.script \ file://mount_crypt_partitions.script \ file://encrypt_partition.${CRYPT_BACKEND}.hook \ 
@@ -77,8 +78,10 @@ do_install[cleandirs] += " \ do_install() { install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" - install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ + install -m 0755 "${WORKDIR}/encrypt_partition.script" \ "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition" + install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ + "${D}/usr/share/encrypt_partition/encrypt_partition_tpm2" install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \ "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ From patchwork Tue Apr 9 13:05:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622482 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EEFE1CD129C for ; Tue, 9 Apr 2024 13:06:50 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.135728.1712668003619983950 for ; Tue, 09 Apr 2024 06:06:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=KzdmoGAr; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-202404091306412426775a395b2cd044-2poob8@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202404091306412426775a395b2cd044 for ; Tue, 09 Apr 2024 15:06:41 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
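Review bot: in the encrypt_partition.clevis.script hunk the functions assign `partition_device="$1"`, `tpm_key_algorithm="$4"` and `pcr_bank_hash_type="$5"` as shell globals that shadow the variables of the common script, so any caller that passes fewer positional arguments clears the values read from encrypt_partition.env; either mark these `local` or document that all five arguments are mandatory. The commented `#tpm_device="$3"` lines deserve a real comment stating the argument is intentionally unused by the clevis backend, now that the interface is shared by two implementations. This hunk also drops the `grep -q "clevis"` already-encrypted check in favour of the common script's `grep -q "token"`; please confirm that lowercase string actually appears in `cryptsetup luksDump --batch-mode` output for a clevis and a systemd-tpm2 token (the section header is "Tokens:" and entries are listed by type name), otherwise an already encrypted partition is fed into the reencrypt path on the next boot.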
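Review bot: in the new encrypt_partition.script the "format" branch calls `enroll_tpm2_token "$part_device" "$tmp_key"` with two arguments while the "reencrypt" branch passes five; with the clevis backend the bind JSON is then built with `"key":""` and `"pcr_bank":""`, and with the systemd backend `tpm_device="$3"` becomes empty so both the enroll and the following `open_tpm2_partition ... "$tpm_device"` run against `--tpm2-device=""`. Pass the same five arguments in both branches. Likewise `finalize_tpm2_encryption` at the end of the loop is called without an argument although both backend implementations read `partition_device="$1"`, so the luksKillSlot / --wipe-slot=0 call targets an empty device and the temporary slot 0 key is never removed; call it as `finalize_tpm2_encryption "$part_device"` and restore the removed "delete initial key, afterwards no new keys can be enrolled" comment, since that property is the point of the step.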
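Review bot: in the encrypt_partition.systemd.script tail hunk the added body of finalize_tpm2_encryption reads `- /usr/bin/systemd-cryptenroll --wipe-slot=0 "$partition_device"` (the line is prefixed `+-`), so at runtime the shell tries to execute a command named `-` and slot 0 is never wiped; drop the stray `-`. The same hunk removes the systemd script's TPM candidate loop, which called tpm2_pcrread and tpm2_testparms unconditionally, in favour of the common loop that skips both checks when the tools are absent from the initramfs; if the systemd hook does not copy them, the backend loses the PCR-bank and key-algorithm validation it had before, so either copy the tools in encrypt_partition.systemd.hook or make the common loop fail when neither tool is present.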
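Review bot: in the recipe hunk encrypt_partition.${CRYPT_BACKEND}.script is now installed as /usr/share/encrypt_partition/encrypt_partition_tpm2 and only sourced by the common script, and both hooks copy it with `copy_file library`; installing it with `-m 0644` like encrypt_partition.env would match that use and avoid shipping an executable that is not meant to be run on its own. A short comment next to the install line naming it as the backend implementation sourced by local-top/encrypt_partition would help the next reader.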
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=gyOHq8aO6lkSZ5WPPxkF9fxmpmxTcYVIVUHlHQ1sdJ4=; b=KzdmoGArZVDmTEkhBw2St6vJhDWOzr3Lw3tJe+ffJC7Z7bYtSx4mE4TNRuc/ODgLc0L9PV J6nsL+EgRTlYNfhj/kTuRBkuB242OXbfCRA4UqGzSx3o+wb1cDnBl/RyhoRHSxKkF3u00wI1 +P4HVlaufqjjst7/tQDfKKtsc/gks=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 11/15] initramfs-crypt-hook: Increase version Date: Tue, 9 Apr 2024 15:05:28 +0200 Message-ID: <20240409130638.559398-12-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:50 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15523 From: Quirin Gylstorff This package had significate changes Signed-off-by: Quirin Gylstorff --- .../{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (100%) 
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb similarity index 100% rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb From patchwork Tue Apr 9 13:05:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622484 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23367CD129D for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.136244.1712668003644038392 for ; Tue, 09 Apr 2024 06:06:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=TtoScH+j; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-51332-2024040913064152f7654f62af90c75a-ibwoek@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2024040913064152f7654f62af90c75a for ; Tue, 09 Apr 2024 15:06:41 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=vKG0QWWeocWNrOMY/O6gIN+Kmj6q0BWXuIYB8sqm+Xg=; b=TtoScH+jtTRi+uu5UxUN+8aYNx5zm1EMreH7Idzm/u0XPYVMyV4L0NOBo6bkNiBV7zbe7n wVVweJWsbr79Ez2niOs+WpmkJ3zHSE7N08m5XInpuxF33DRvZpdKxr3lYDvSTawIi+F9wlO3 uAOJclo4f0+bq/1EQCKKl7Bzi4fbk=; 
From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 12/15] README.tpm2.encryption: Add section to switch from clevis to systemd Date: Tue, 9 Apr 2024 15:05:29 +0200 Message-ID: <20240409130638.559398-13-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15524 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.tpm2.encryption.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index cb3f640..69a18dd 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md 
@@ -48,3 +48,23 @@ Each entry uses the schema `:: The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition. + +# Convert clevis based encryption to systemd-cryptenroll +## Prerequisites +The following packages are necessary to convert a clevis based encryption to a systemd-cryptenroll +based encryption: + - clevis-luks + - clevis-tpm2 + - cryptsetup + - jq + +## steps to convert clevis to systemd +The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption: +```bash +export device=/dev/sda6 +export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1) +if [ -n "$keyslot" ]; then + export PASSWORD=$(clevis luks pass -d "$device" -s"$keyslot") + systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device" +fi +``` From patchwork Tue Apr 9 13:05:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622488 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37725CD12A0 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web11.136246.1712668004002445160 for ; Tue, 09 Apr 2024 06:06:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=U2iQhwio; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-51332-2024040913064129eb205e007bbe35ee-ljz5p3@rts-flowmailer.siemens.com) Received: by 
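Review bot: the conversion snippet in README.tpm2.encryption.md has several problems a reader copying it will hit. `$tpm_device` is never set, so `--tpm2-device=""` is passed; define it or state that the reader must set it. `jq -c ... | .keyslots | first` prints the keyslot as a JSON string with its quotes, so `-s"$keyslot"` hands clevis `"1"` including the quote characters; use `jq -r`. `.tokens.[]` is newer jq syntax, `.tokens[]` is the portable form. `sudo` is used for luksDump but not for `clevis luks pass` and `systemd-cryptenroll`, which need the same privilege, and `export PASSWORD=...` leaves the passphrase in the environment of the interactive shell after the snippet finishes; unset it afterwards as the recipe's own enroll_tpm2_token does with `PASSWORD=`. The text should also say what to do with the clevis token and keyslot once the systemd-tpm2 token is enrolled, and that CRYPT_BACKEND must be switched to systemd for the next boot. Typos in the added text: "a existinng" should be "an existing", and the heading "steps to convert clevis to systemd" should be capitalised like the other headings.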
mta-65-228.siemens.flowmailer.net with ESMTPSA id 2024040913064129eb205e007bbe35ee for ; Tue, 09 Apr 2024 15:06:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=mQOtiWxET8I9g/YPFf7X1Ze077cmG0qlkWB9eFHbhtE=; b=U2iQhwio0pfXHdSc7cixN7POjLqaV4ukkpxRTLibmXF1p+SrX3kADtFA7+RquZNPZCYcbr B6IN8TkCbGQoVEZYhdUXINTI09ZoFRcEZ5X9ueCOzpgmjkiCyUQsRAV4MrFpvZPw1Jb6W3WR XpvuyMUwZLIM3yvfbitGhf5Nierx8=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 13/15] Add example to encrypt the rootfs Date: Tue, 9 Apr 2024 15:05:30 +0200 Message-ID: <20240409130638.559398-14-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15525 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- kas/opt/encrypt_rootfs.yml | 25 +++++++++++++++++++++++++ wic/x86_64-encryption.wks.in | 16 ++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 kas/opt/encrypt_rootfs.yml create mode 100644 wic/x86_64-encryption.wks.in diff --git a/kas/opt/encrypt_rootfs.yml b/kas/opt/encrypt_rootfs.yml new file mode 100644 index 0000000..9e284b4 --- /dev/null +++ b/kas/opt/encrypt_rootfs.yml 
@@ -0,0 +1,25 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + +local_conf_header: + encrypted_root: | + WKS_FILE = "x86_64-encryption.wks.in" + CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt" + IMAGE_FSTYPES = "wic" + IMAGER_INSTALL:wic += "systemd-boot" + CIP_IMAGE_OPTIONS:append:qemu-amd64 = " recipes-core/images/deploy-ovmf.inc" + INITRAMFS_RECIPE ?= "cip-core-initramfs" + INITRAMFS_INSTALL:append = " initramfs-crypt-hook" + INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" + do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" diff --git a/wic/x86_64-encryption.wks.in b/wic/x86_64-encryption.wks.in new file mode 100644 index 0000000..800b56d --- /dev/null +++ b/wic/x86_64-encryption.wks.in 
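Review bot: the commit message has no body, yet this file switches on in-place re-encryption of `/`, `/home` and `/var` (`CRYPT_PARTITIONS = "platform:/:reencrypt home:/home:reencrypt var:/var:reencrypt"`), which deserves a sentence on what is encrypted, how the initramfs hook unlocks it, and that the example is x86_64/qemu-amd64 only given `WKS_FILE = "x86_64-encryption.wks.in"` and the `CIP_IMAGE_OPTIONS:append:qemu-amd64` line; the generic file name `encrypt_rootfs.yml` does not convey that restriction.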
@@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# SPDX-License-Identifier: MIT +# + +part /boot --source bootimg-efi-isar --sourceparams "loader=systemd-boot,initrd=${INITRD_IMAGE}" --label efi --part-type EF00 --align 1024 --fsuuid 0x4321dcba --uuid cf142945-6fa1-4945-b0f2-b8d6226298c0 + +part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid f225331b-2d9c-45a2-bcfe-4a6e86287dfb +# home and var are extra partitions +part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 +part /var --fstype=ext4 --label var --align 1024 --fixed-size 2G --fsuuid 96be3374-4258-11ee-be56-0242ac120002 + +bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200" From patchwork Tue Apr 9 13:05:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622481 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5BE5CD1284 for ; Tue, 9 Apr 2024 13:06:50 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.136247.1712668004111352957 for ; Tue, 09 Apr 2024 06:06:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=gnRPMPpU; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20240409130642c879588d59a498f30e-4y8b0q@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20240409130642c879588d59a498f30e for ; 
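Review bot: `part /` and `part /home` both carry `--fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002`, so two filesystems on the same disk end up with one UUID and any mount, fstab or kernel-command-line reference by filesystem UUID becomes ambiguous (re-encrypting the partitions does not change the filesystem UUID inside the LUKS container). Give `/home` its own value as `/var` already has (`96be3374-4258-11ee-be56-0242ac120002`). Minor: `--fstype ext4` on `/` and `--fstype=ext4` on `/home` and `/var` could use one spelling.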
Tue, 09 Apr 2024 15:06:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=WabpgPSBOaIxOcdMBd0mE4a/lwIxyQCmvKEILAwxOHA=; b=gnRPMPpUW7i3erEfvjHr45Bv+NmaudlVOJJqpU8sX7acletmXF2s0tw2m6xhOA0RNUYHff 148vyRrXO/oxLGMjRV9NSwIMaXo2xvM3tOMx0L9DM6XqzYIN4mTkT+xUDIPDnXg72BPyQt3t InIrqC3c6MZKK5au+qOJ9XplmdhHA=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 14/15] Kconfig: Add option to encrypt the rootfs Date: Tue, 9 Apr 2024 15:05:31 +0200 Message-ID: <20240409130638.559398-15-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:50 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15526 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- Kconfig | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Kconfig b/Kconfig index 7c19640..8e96865 100644 --- a/Kconfig +++ b/Kconfig 
@@ -212,5 +212,19 @@ config IMAGE_DATA_ENCRYPTION config KAS_INCLUDE_DATA_ENCRYPTION string default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION +endif + +if IMAGE_FLASH && !IMAGE_DATA_ENCRYPTION && !IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE + +config IMAGE_ROOTFS_ENCRYPTION + bool "Encrypt rootfs and data partitions" + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || !IMAGE_SWUPDATE || !IMAGE_SECURE_BOOT + help + This enables LUKS encryption for all partition. This is currently incompatible + with efibootguard, secure boot and SWUpdate. + +config KAS_INCLUDE_ROOTFS_ENCRYPTION + string + default "kas/opt/encrypt_rootfs.yml" if IMAGE_ROOTFS_ENCRYPTION endif From patchwork Tue Apr 9 13:05:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13622489 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 584A5CD12A1 for ; Tue, 9 Apr 2024 13:06:51 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.135729.1712668004309119386 for ; Tue, 09 Apr 2024 06:06:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=kd1lPH6r; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20240409130642b74e1f0c3bb2d33644-jqekmf@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20240409130642b74e1f0c3bb2d33644 for ; Tue, 09 Apr 2024 15:06:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; 
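Review bot: the `depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || !IMAGE_SWUPDATE || !IMAGE_SECURE_BOOT` line of `IMAGE_ROOTFS_ENCRYPTION` sits inside an `if` block that already requires `!IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE`, so the last two OR terms are always true and the whole expression is always true; the option is therefore offered on every target, not only the QEMU ones. If the target restriction is intended, drop the two negated terms (the enclosing `if` already enforces them). Note also that `kas/opt/encrypt_rootfs.yml`, selected by `KAS_INCLUDE_ROOTFS_ENCRYPTION`, sets an x86_64-only wks file, so `TARGET_QEMU_ARM64` and `TARGET_QEMU_ARM` would pull in a configuration that does not fit them. Help text: "for all partition" should read "for all partitions".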
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=6rtzSXTdif3zEhZlD9ZuguyGAo5QEudm/It/z1iPNKk=; b=kd1lPH6rwJ8W+ei4i/K0niL7nAKEHfphA+z0vdqU8of+sKDyKJA4dZP6G+sD2TUHA85rtb /6w1cho9kqdyiwibg2Mc3FLcTfAsBOdJMN34+g6shTVJ0RmKQiBj01+d9m8HmetrAox1F83H XEkF80zk5OcDVYP/A1AENE9NcDWdU=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com Subject: [cip-dev][isar-cip-core][PATCH v3 15/15] start-qemu.sh: Support encrypted rootfs Date: Tue, 9 Apr 2024 15:05:32 +0200 Message-ID: <20240409130638.559398-16-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> References: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Apr 2024 13:06:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/15527 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- start-qemu.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/start-qemu.sh b/start-qemu.sh index 9ec0f1c..83d1274 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -21,6 +21,7 @@ usage() echo " QEMU_PATH use a locally built QEMU version" echo " SWUPDATE_BOOT boot swupdate image" echo " SECURE_BOOT start a secure boot environment" + echo " TPM2_ENCRYPTION starts swtpm to encrypt the disk partitions" echo " DISTRO_RELEASE select a specific Debian release" echo " TARGET_IMAGE select a specific image type" exit 1 @@ -35,6 +36,10 @@ if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then TPM2_ENCRYPTION="true" fi +if grep -s -q "IMAGE_ROOTFS_ENCRYPTION: true" .config.yaml; then + TPM2_ENCRYPTION="true" +fi + if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" fi 
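Review bot: in the usage hunk, "TPM2_ENCRYPTION starts swtpm to encrypt the disk partitions" suggests swtpm performs the encryption; the emulated TPM only holds the key used to unlock the LUKS partitions, so "starts swtpm so the encrypted partitions can be unlocked" describes the option more accurately.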
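Review bot: the new `if grep -s -q "IMAGE_ROOTFS_ENCRYPTION: true" .config.yaml` block repeats the `IMAGE_DATA_ENCRYPTION` block directly above it line for line; a single `grep -s -q -E "IMAGE_(DATA|ROOTFS)_ENCRYPTION: true" .config.yaml` setting `TPM2_ENCRYPTION="true"` leaves one place to maintain when further encryption options are added.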
@@ -187,7 +192,7 @@ QEMU_COMMON_OPTIONS=" \ ${QEMU_EXTRA_ARGS} \ " -if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then +if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}${TPM2_ENCRYPTION}" ]; then case "${arch}" in x86|x86_64|amd64) if [ -n "${SECURE_BOOT}" ]; then