From patchwork Fri Jul 12 12:57:10 2024
X-Patchwork-Submitter: Stefan Koch
X-Patchwork-Id: 13731740
From: Stefan Koch
To: cip-dev@lists.cip-project.org
CC: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, christian.storm@siemens.com, michael.adler@siemens.com, simon.sudler@siemens.com, stefan-koch@siemens.com
Subject: [PATCH v2 1/4] initramfs-crypt-hook: Do not attempt to repair a partially encrypted filesystem
Date: Fri, 12 Jul 2024 14:57:10 +0200
Message-ID: <20240712125713.2066512-1-stefan-koch@siemens.com>
X-Mailer: git-send-email 2.39.2
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16479

Avoids e2fsck repairing the partially reencrypted filesystem after a power loss during reencryption. In general, cryptsetup is capable of resuming a partial encryption, but there is no key available yet to unlock the partially encrypted data. The key is enrolled only after the reencryption has fully succeeded.

Signed-off-by: Stefan Koch
---
 .../initramfs-crypt-hook/files/encrypt_partition.script | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index ff4c135..f943aea 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -77,7 +77,13 @@ reencrypt_existing_partition() { [options] broken_system_clock=true EOF - e2fsck -p -f "$1" + # ensure that filesystem is clean otherwise resize2fs will fail + # do not attempt to repair a partially encrypted filesystem + # ensure that there is no attempt to + # repair a partially encrypted filesystem + if ! cryptsetup luksUUID "$1" &> /dev/null; then + e2fsck -p -f "$1" + fi if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi

From patchwork Fri Jul 12 12:57:11 2024
X-Patchwork-Submitter: Stefan Koch
X-Patchwork-Id: 13731741
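Review bot: in the [PATCH v2 1/4] hunk for encrypt_partition.script (@@ -77,7 +77,13 @@), the guard `if ! cryptsetup luksUUID "$1" &> /dev/null; then` depends on the `&>` redirection, which only bash (and busybox ash built with bash compatibility) understands. A POSIX sh such as dash or klibc's sh parses `cmd &> /dev/null` as `cmd &` followed by a separate empty command `> /dev/null`: cryptsetup is put in the background, the condition's status is that of the empty redirection (0), the `then` branch is taken, and `e2fsck -p -f` runs unconditionally, including on the partially encrypted device this patch wants to protect. Write `if ! cryptsetup luksUUID "$1" >/dev/null 2>&1; then`, which behaves the same under every shell an initramfs may use. The four added comment lines also say the same thing twice; one line such as `# do not check/repair a device that already carries a LUKS header (partial reencryption)` is enough. Finally, when the LUKS check does match, the following `resize2fs "$1"` still runs against the LUKS device and the script only fails through its generic panic; a direct `panic "partial reencryption of $1 found, no key enrolled yet"` in that branch would leave a clearer trace in the boot log.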
From: Stefan Koch
To: cip-dev@lists.cip-project.org
CC: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, christian.storm@siemens.com, michael.adler@siemens.com, simon.sudler@siemens.com, stefan-koch@siemens.com
Subject: [PATCH v2 2/4] initramfs-crypt-hook: Ensure that full losetup executable is provided
Date: Fri, 12 Jul 2024 14:57:11 +0200
Message-ID: <20240712125713.2066512-2-stefan-koch@siemens.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240712125713.2066512-1-stefan-koch@siemens.com>
References: <20240712125713.2066512-1-stefan-koch@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16480

- Avoids using the busybox losetup, which doesn't support the "--sizelimit" parameter.

Signed-off-by: Stefan Koch
---
 .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 +
 .../files/encrypt_partition.systemd.hook | 4 ++++
 .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb | 5 ++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index bb93361..72033d1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" HASH_TYPE="${CRYPT_HASH_TYPE}" KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index be8c117..2ace533 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -19,6 +19,9 @@ esac . /usr/share/initramfs-tools/hook-functions +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + hook_error() { echo "(ERROR): $1" >&2 exit 1
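Review bot: in the encrypt_partition.systemd.hook hunk (@@ -19,6 +19,9 @@), `. /usr/share/encrypt_partition/encrypt_partition.env` is sourced without checking that the file is present. If it is missing, the hook prints the shell's error and carries on with LOSETUP_PATH unset, and the later `copy_exec /usr/sbin/losetup "$LOSETUP_PATH"` receives an empty destination argument instead of failing at the point where the cause is visible. Guard it with the hook's own helper before sourcing, e.g. `[ -r /usr/share/encrypt_partition/encrypt_partition.env ] || hook_error "encrypt_partition.env not found"`.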
@@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found" copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb index 72de5b6..1679133 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb @@ -9,7 +9,7 @@ # SPDX-License-Identifier: MIT inherit dpkg-raw -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \ awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ e2fsprogs, tpm2-tools, coreutils, uuid-runtime" @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem # in a newly formatted LUKS Partition CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" +# Path to full (non-busybox) losetup binary +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" # Timeout for creating / re-encrypting partitions on first boot CRYPT_SETUP_TIMEOUT ??= "600" # Watchdog to service during the initial setup of the crypto partitions 
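Review bot: in the encrypt_partition.systemd.hook hunk (@@ -47,6 +50,7 @@), `copy_exec /usr/sbin/losetup "$LOSETUP_PATH"` copies the host's /usr/sbin/losetup (from the `mount` package added to DEBIAN_DEPENDS in the same patch) to the destination `$LOSETUP_PATH` inside the initramfs, by default /usr/local/sbin/losetup, presumably so that it is not shadowed by the busybox losetup applet. None of that is stated in the hook, and the recipe comment `# Path to full (non-busybox) losetup binary` on CRYPT_LOSETUP_PATH reads as if it were the source path on the build host rather than the install path in the initramfs. Suggest a one-line comment above the copy_exec and a recipe comment such as `# Destination path inside the initramfs for the full losetup from the mount package (must differ from the busybox applet path)`. The error text `"/usr/sbin/losetup not found"` is also only one of the ways copy_exec can fail (it fails as well when the destination cannot be created); `"Unable to copy /usr/sbin/losetup to $LOSETUP_PATH"` would match the wording already used for tpm2_pcrread in the same hunk.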
@@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ + CRYPT_LOSETUP_PATH \ CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES = "encrypt_partition.env.tmpl"

From patchwork Fri Jul 12 12:57:12 2024
X-Patchwork-Submitter: Stefan Koch
X-Patchwork-Id: 13731739
From: Stefan Koch
To: cip-dev@lists.cip-project.org
CC: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, christian.storm@siemens.com, michael.adler@siemens.com, simon.sudler@siemens.com, stefan-koch@siemens.com
Subject: [PATCH v2 3/4] initramfs-crypt-hook: Allow speed-up of disk-reencryption
Date: Fri, 12 Jul 2024 14:57:12 +0200
Message-ID: <20240712125713.2066512-3-stefan-koch@siemens.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240712125713.2066512-1-stefan-koch@siemens.com>
References: <20240712125713.2066512-1-stefan-koch@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16481

The reencrypt mechanism doesn't work at file system level, so it can't detect used and free blocks. This means that the block-wise reencryption process could take a very long time depending on the partition size. Using the format mechanism instead of the reencrypt one would delete all existing data (without wiping). This would be very fast, because it doesn't matter whether a block is used or free.

Set CRYPT_FAST_REENCRYPTION to "1" to speed up the reencrypt process. So, this would be done:

- Obtain the used space of the unencrypted userdata partition
- Shrink the partition and resize it to the size of the used space (minimum size)
- Reencrypt the userdata partition, now with the smaller size
- Expand the encrypted userdata partition back to the maximum possible size

Some disk encryption implementations, like the one within the Debian installer, will overwrite the entire partition with random data for security reasons (e.g. wiping old, already deleted data, hiding metadata, etc.). However, this speed-up lacks the described security benefit of implicit data overwrite. So for security reasons, it behaves identically to the format option (there is no support for explicit random overwrite within initramfs-crypt-hook).

Keep in mind that a power loss during reencryption will cause data loss (with or without fast reencryption). The key is only enrolled after the reencryption has fully succeeded. So, no recovery from already encrypted data would be possible.

Signed-off-by: Stefan Koch
---
 .../files/encrypt_partition.env.tmpl | 1 +
 .../files/encrypt_partition.script | 50 ++++++++++++++++---
 .../initramfs-crypt-hook_0.2.bb | 9 +++-
 3 files changed, 52 insertions(+), 8 deletions(-)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index 72033d1..9f3df4f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -6,3 +6,4 @@ HASH_TYPE="${CRYPT_HASH_TYPE}" KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" LOSETUP_PATH="${CRYPT_LOSETUP_PATH}" +FAST_REENCRYPTION="${CRYPT_FAST_REENCRYPTION}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index f943aea..e768b54 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -62,13 +62,16 @@ service_watchdog() { } reencrypt_existing_partition() { + reencrypt_device="$1" part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" - # reduce the filesystem and partition by 32M to fit the LUKS header + part_size_in_kb="$(expr "$part_size_blocks" / 2)" # blocksize 512 byte + partition_fstype=$(get_fstype "${1}") + # reduce the filesystem and partition by 32M to fit the LUKS header reduce_device_size=32768 - reduced_size="$(expr "$part_size_blocks" - 65536 )" - reduced_size_in_byte="$(expr "$reduced_size" \* 512)" - reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + reduce_device_size_blocks="$(expr "$reduce_device_size" \* 2)" # 512 byte blocks + reduced_size="$(expr "$part_size_blocks" - "$reduce_device_size_blocks" )" + reduced_size_in_kb="$(expr "$reduced_size" / 2)" # blocksize 512 byte case $partition_fstype in ext*) # reduce the filesystem and partition by 32M to fit the LUKS header 
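Review bot: in the encrypt_partition.script hunk (@@ -62,13 +62,16 @@), the new `part_size_in_kb="$(expr "$part_size_blocks" / 2)"` is not referenced anywhere in this series (the following hunks only use reduced_size_in_kb and encrypted_size_in_kb), so it should either be dropped or be the value the grow step later targets. The comment `# reduce the filesystem and partition by 32M to fit the LUKS header` is moved above `reduce_device_size=32768` but still appears a second time as context inside the `ext*)` case; keep one. Minor: `# blocksize 512 byte` / `# 512 byte blocks` is repeated on three lines; a single comment on `part_size_blocks` noting that /sys/class/block/*/size is always in 512-byte sectors covers all of them.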
@@ -84,9 +87,31 @@ EOF if ! cryptsetup luksUUID "$1" &> /dev/null; then e2fsck -p -f "$1" fi - if ! resize2fs "$1" "${reduced_size_in_kb}"; then + # shrink partition temporarily to minimum + min_size_fsblocks="$(resize2fs "$1" -P | awk -F ": " '{ print $2 }')" + if [ "$FAST_REENCRYPTION" = "1" ] && loop_device="$("$LOSETUP_PATH" -f)" && [ -n "$min_size_fsblocks" ]; then + # set encrypted size for expanding step + encrypted_size_in_kb="$reduced_size_in_kb" + # minimum partition size + min_size_in_kb="$(expr "$min_size_fsblocks" \* 4)" # blocksize 4096 byte + # shrinked partition size (reduce_size + minimum partition size) + reduced_size_in_kb="$(expr "$reduce_device_size" + "$min_size_in_kb")" + # set loop device as reencrypt device + reencrypt_device="$loop_device" + else + # continue with default reencryption in failure case + FAST_REENCRYPTION="0" + fi + + if ! resize2fs "$1" "${reduced_size_in_kb}K"; then panic "reencryption of filesystem $1 cannot continue!" fi + + if [ "$FAST_REENCRYPTION" = "1" ]; then + # use temporarily loop device to simulate shrinked device + # because cryptsetup uses device size at reducing + "$LOSETUP_PATH" --sizelimit "${reduced_size_in_kb}K" "$loop_device" "$1" + fi ;; squashfs|swap|"") [ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'" 
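Review bot: in the encrypt_partition.script hunk (@@ -84,9 +87,31 @@), the fast path leaves no room for the LUKS header. `reduced_size_in_kb="$(expr "$reduce_device_size" + "$min_size_in_kb")"` is used both as the resize2fs target and as the losetup `--sizelimit`, so the shrunk filesystem and the loop device are both exactly min_size + 32M, whereas the slow path keeps the filesystem 32M smaller than the device it reencrypts. With `--reduce-device-size 32M` in the next hunk, cryptsetup treats only the first min_size KiB of the loop device as data and moves it forward by 32M, which overwrites the last 32M of the shrunk filesystem, and the grow step afterwards then operates on a truncated filesystem. The resize2fs target should be min_size_in_kb (plus whatever safety margin you want) and only the loop `--sizelimit` should be min_size + reduce_device_size. Three smaller points: `min_size_in_kb="$(expr "$min_size_fsblocks" \* 4)" # blocksize 4096 byte` hard-codes the block size, but `resize2fs -P` reports filesystem blocks and mke2fs uses 1 KiB blocks for small filesystems by default; read it, e.g. `blocksize="$(dumpe2fs -h "$1" 2>/dev/null | awk -F ': *' '/^Block size:/ { print $2 }')"` (dumpe2fs needs a copy_exec line in the hook) and compute `expr "$min_size_fsblocks" \* "$blocksize" / 1024`. The exit status of `"$LOSETUP_PATH" --sizelimit "${reduced_size_in_kb}K" "$loop_device" "$1"` is not checked, so a failed attach sends cryptsetup to an unattached loop device; add `|| panic "..."`. And `FAST_REENCRYPTION="0"` in the `else` branch clears the global flag, so once one partition falls back (no free loop device, empty `resize2fs -P` output) every later partition in the `for partition_set in $partition_sets` loop is reencrypted the slow way too; use a per-call variable instead.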
@@ -96,9 +121,14 @@ EOF ;; esac if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" + /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$reencrypt_device" < "$2" else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" + /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$reencrypt_device" < "$2" + fi + + if [ "$FAST_REENCRYPTION" = "1" ]; then + # remove temporarily loop device + "$LOSETUP_PATH" -d "$loop_device" fi } for candidate in /dev/tpm*; do @@ -182,6 +212,12 @@ for partition_set in $partition_sets; do reencrypt_existing_partition "$part_device" "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + if [ "$FAST_REENCRYPTION" = "1" ]; then + # expand encrypted partition to maximum + /usr/sbin/cryptsetup resize "$decrypted_part" + # expand filesystem within encrypted layer to maximum + resize2fs "$decrypted_part" "${encrypted_size_in_kb}K" + fi log_end_msg ;; "format") diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb index 1679133..6ac77a2 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb 
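Review bot: in the hunk at the end of the `for partition_set` loop (@@ -182,6 +212,12 @@), neither `/usr/sbin/cryptsetup resize "$decrypted_part"` nor `resize2fs "$decrypted_part" "${encrypted_size_in_kb}K"` has its exit status checked, so a failed expansion leaves the partition silently at its minimum size while the boot is reported as successful; both should `|| panic`. The block is also gated on the global `FAST_REENCRYPTION` rather than on whether the fast path was actually taken for this partition: for a `squashfs|swap|""` partition the resize case is skipped, the flag stays "1", and the expansion then runs resize2fs against a non-ext device with `encrypted_size_in_kb` either empty or left over from the previous partition. Have reencrypt_existing_partition record a per-partition result (reset at function entry, set only in the `ext*)` branch when the loop device was attached) and test that here. In the preceding hunk (@@ -96,9 +121,14 @@), `"$LOSETUP_PATH" -d "$loop_device"` is only reached on the normal path; if the cryptsetup step fails, the loop device stays attached to the partition, so detach it on the failure path as well.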
@@ -59,6 +59,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" # Path to full (non-busybox) losetup binary CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" +# Fast reencryption state +# It uses temporary partition resize, +# consider security and data reliablity aspects when enabling +# (e.g. wiping old already deleted data, hiding metadata, etc.) +# Keep in mind that a power loss while reencryption will cause data loss +# (with or without fast reencryption). +CRYPT_FAST_REENCRYPTION ??= "0" # Timeout for creating / re-encrypting partitions on first boot CRYPT_SETUP_TIMEOUT ??= "600" # Watchdog to service during the initial setup of the crypto partitions 
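Review bot: in the initramfs-crypt-hook_0.2.bb hunk (@@ -59,6 +59,13 @@), the comment on CRYPT_FAST_REENCRYPTION says "Fast reencryption state" and "consider security and data reliablity aspects" (typo: reliability) but does not say what the option does, what it requires, or what it costs. Suggest: `# Speed up "reencrypt" partitions by shrinking the ext* filesystem to its minimum size, reencrypting only that region through a size-limited loop device and growing it back afterwards. Requires a non-busybox losetup (CRYPT_LOSETUP_PATH). Blocks beyond the shrunk region are neither reencrypted nor overwritten, so remnants of deleted files and plaintext copies of blocks that resize2fs relocated during the shrink stay on disk until the grown filesystem reuses them.` That last sentence is the concrete meaning of the "no implicit data overwrite" caveat in the commit message and is what a user enabling this option needs to know; the power-loss sentence applies to both modes and belongs with the general CRYPT_PARTITIONS documentation rather than here.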
@@ -70,7 +77,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ - CRYPT_LOSETUP_PATH \ + CRYPT_LOSETUP_PATH CRYPT_FAST_REENCRYPTION \ CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES = "encrypt_partition.env.tmpl"

From patchwork Fri Jul 12 12:57:13 2024
X-Patchwork-Submitter: Stefan Koch
X-Patchwork-Id: 13731742
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Vh23SGjVeAGUQ7fYmDH/4QReXYbWs7qDEPWCrtZ+yXU=; b=WzFx3FGXkqpgenrhuvxhGI5ha6Fg9rQDi5PqkXFNlF5V2VibY6G0vXanKNelaqI/RIxCbWmdWd/bqQDRre/zLTViNykaZ2OjTvjMwEnNW6uKKtXKEZ55fGbXVDMaYPVS3Q4GbDDm+mWIIy/5KYJH//Go5f2AFsSa98IvLb/fJmRzF/ifixG8xGGFzWmTWZSAsljiimjGuOYLkEsushSrAq1fGHex2cy/qOMU0SEOT6BE9bAie3C9kFfRu4Mia+tdJ2TgCdPS5XvQ1HeSOlk/+c/lNqRaxHSCc4Ta1gvP5Ij3hN47cHIM7kgEIY8XQfl1LIXK77+KQ2Xx+zeXhsbz9g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Vh23SGjVeAGUQ7fYmDH/4QReXYbWs7qDEPWCrtZ+yXU=; b=fQQlj60KMjmYfKZJ++nzzsOParlSy6SovEc1PiZH0sMrbRmoiJRlFnxw4f3CdGiHOm0CbNqUaW0U766aXNEeHK3nZX58k+IbEsUsLQX/Jpm6crBVYGXmQNMAz96wtZMmlK05ZIfGtJtWg6h995kqlT6yvsIpC04D0M0EqNbILmjnP/kKQZ/WQkfzlVtSOt+JF2ob2RzwujLuxtc8uHFMS92UTz0IpID1VMrELx/5/TLtQXRxJjj+9pOWUukO4lGMRdSv/QEI6KwqsXX9bTQe4QGINReUVfFKbPHdGzqhP+PSwHt77r1TJCsFDB6zsNVxUfutLCW5XU6H9FF8w8CI/w== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from DB9PR10MB4953.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:2c2::14) by AM7PR10MB3175.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:dd::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7762.23; Fri, 12 Jul 2024 12:57:28 +0000 Received: from DB9PR10MB4953.EURPRD10.PROD.OUTLOOK.COM ([fe80::f75d:ad6e:d321:cc46]) by DB9PR10MB4953.EURPRD10.PROD.OUTLOOK.COM ([fe80::f75d:ad6e:d321:cc46%4]) with mapi id 15.20.7762.020; Fri, 12 Jul 2024 12:57:28 +0000 
From: Stefan Koch
To: cip-dev@lists.cip-project.org
CC: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, christian.storm@siemens.com, michael.adler@siemens.com, simon.sudler@siemens.com, stefan-koch@siemens.com
Subject: [PATCH v2 4/4] initramfs-crypt-hook: Extend README.md for CRYPT_FAST_REENCRYPTION mechanism
Date: Fri, 12 Jul 2024 14:57:13 +0200
Message-ID: <20240712125713.2066512-4-stefan-koch@siemens.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240712125713.2066512-1-stefan-koch@siemens.com>
References: <20240712125713.2066512-1-stefan-koch@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16482

Signed-off-by: Stefan Koch --- doc/README.tpm2.encryption.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 3f7e89f..a1e6dd3 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -38,6 +38,7 @@ or by adding using the following command line build: The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build: - CRYPT_PARTITIONS - CRYPT_CREATE_FILE_SYSTEM_CMD +- CRYPT_FAST_REENCRYPTION ### CRYPT_PARTITIONS
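Review bot: the new list entry `- CRYPT_FAST_REENCRYPTION` is placed after `CRYPT_CREATE_FILE_SYSTEM_CMD`, but the text that documents it in the next hunk is a `####` subsection inside `### CRYPT_PARTITIONS`, which sits before `### CRYPT_CREATE_FILE_SYSTEM_CMD`. The list and the section order should agree: either give the variable its own `### CRYPT_FAST_REENCRYPTION` section after `CRYPT_CREATE_FILE_SYSTEM_CMD`, or move the list entry up between `CRYPT_PARTITIONS` and `CRYPT_CREATE_FILE_SYSTEM_CMD` to match where the subsection lives. While this paragraph is being touched, the pre-existing context line "or by adding using the following command line build" reads oddly ("adding using") and could be fixed in the same change.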
@@ -58,6 +59,36 @@ The mountpoint is empty as the root partition is mounted by a seperate initramf Both partitions are encrypted during first boot. The initramfs hook opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}` during boot. +#### Speed-up disk-reencryption (`CRYPT_FAST_REENCRYPTION`) + +As the `reencrypt` mechanism doesn't work at file system level +so it wouldn't detect used and free blocks. +This means that the block-wise reencryption process could +take a very long time depending on the partition size. + +Using the `format` mechanism instead of the `reencrypt` one +would delete all existing data (without wiping). This would be very fast, +because it doesn't matter whether a block is used or free. + +Set `CRYPT_FAST_REENCRYPTION` to `"1"` to speed-up the `reencrypt` process. +So, this would be done: +- Obtain used space of the unencrypted userdata partition +- Shrink the partition and resize it to the size of used space (minimum size) +- reencrypt the userdata partition now with smaller size +- Expand the encrypted userdata partition back to the maximum possible size + +Some disk encryption implementations like within the Debian installer +will overwrite the entire partition with random data for security reasons +(e.g. wiping old already deleted data, hiding metadata, etc.). + +However, this speed-up lacks the described security benefit of implicit data overwrite. +So for security reasons, it behaves identical to the `format` option +(there is no support for explicit random overwrite within initramfs-crypt-hook). + +Keep in mind that a power loss while reencryption will cause data loss. +The key is only enrolled after fully succeeded reencryption, yet. +So, no recovery from already encrypted data would be possible. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
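Review bot: the security paragraph of the new `CRYPT_FAST_REENCRYPTION` subsection ("However, this speed-up lacks the described security benefit ... it behaves identical to the `format` option") is the most important part of this text and is currently the hardest to parse; please state the consequence directly, for example: with `CRYPT_FAST_REENCRYPTION` set to `"1"` only the shrunk, used region is reencrypted, the remainder of the partition is never written, so remnants of previously deleted plaintext files stay readable on the raw device, exactly as after `format`. The text should also say whether the final "Expand the encrypted userdata partition back to the maximum possible size" step writes anything into the freed range or merely grows the container, since that is what decides whether any old data gets overwritten at all. Smaller points in the same hunk: the opening sentence "As the `reencrypt` mechanism doesn't work at file system level so it wouldn't detect used and free blocks." is not a complete sentence (drop "As" or "so"); "a power loss while reencryption" should be "during reencryption"; "The key is only enrolled after fully succeeded reencryption, yet." presumably means "currently" rather than "yet"; the heading "Speed-up disk-reencryption" would read better as "Speeding up disk reencryption". The step list talks about "the userdata partition" although the default `CRYPT_PARTITIONS` in 1/4 lists `home` and `var`, so say "each partition configured with `reencrypt`". Finally, the shrink step depends on the file system being shrinkable, and `CRYPT_CREATE_FILE_SYSTEM_CMD` is documented as overridable, so the text should name the precondition (works with the default `mke2fs -t ext4` file system; not every file system can be shrunk) rather than leave readers to discover it at first boot.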