From patchwork Wed Feb 26 09:59:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 13991951 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B448BC021B8 for ; Wed, 26 Feb 2025 09:59:29 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2482.1740563968515040482 for ; Wed, 26 Feb 2025 01:59:28 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=Egyrg8Y6; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id AB24E10382F1A; Wed, 26 Feb 2025 10:59:26 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1740563966; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=W+xzEjT5emgbheG9IELoItqRXrqdYmW7em51Rx8N+vc=; b=Egyrg8Y6+hIWdwsE4XNRjKzdbrnnlW+oHFgQi7KPNGEZEnvem+OxRqmDO3/ITK/FECa6Hi eWTN0gabr4hk8+jJe15PGKFgoKFGjr6blxLFtUYulHRwhwC8Gp9eYwfOzjgplLGqxCsYDv JPBKi29mUqfNwTRo+fzfttlAMM39MuKbYoHYmDEtmvsOGkZ6Ykl6M/cq53JN/dAI7ccqI4 P2gn84tH4G7r0oofkIxWyPJNhDVwyzmVNUqZO0R5yJzsIoAqOLcswnWXrpbita8wzVrYrT CoeBNmonOY4eNSFRz64TvRQR3HNipajlZP8W2CSkX/0ZHw4FGiNDU7Wu3eSRHA== 
From: Claudius Heine To: cip-dev@lists.cip-project.org Cc: Claudius Heine Subject: [PATCH 1/5] initramfs-crypt-hook: make sure that mount path exists Date: Wed, 26 Feb 2025 10:59:17 +0100 Message-ID: <20250226095921.168962-2-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250226095921.168962-1-ch@denx.de> References: <20250226095921.168962-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 26 Feb 2025 09:59:29 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17919 In case the mount path does not exist, try to create it instead of failing. Signed-off-by: Claudius Heine --- .../initramfs-crypt-hook/files/local-bottom-complete | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete index b991cb4..80553d1 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete 
@@ -41,6 +41,7 @@ mount_partition() { partition_mountpoint=$2 [ "$debug" = "y" ] && echo "mount device: '$partition_dev_path' to '$partition_mountpoint'" if ! mountpoint -q "${partition_mountpoint}"; then + mkdir -p "${partition_mountpoint}" if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ "${partition_mountpoint}"; then panic "Can't mount partition '${partition_dev_path}'!" From patchwork Wed Feb 26 09:59:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 13991954 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 955E4C3DA4A for ; Wed, 26 Feb 2025 09:59:39 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2484.1740563969796677223 for ; Wed, 26 Feb 2025 01:59:30 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=OWJU1FPJ; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id CCB2210382F1E; Wed, 26 Feb 2025 10:59:27 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1740563967; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8ZKMzHSvCRLoZ8jfxDRhG2Yaxu0iWINbUtPlGp4Yz2E=; b=OWJU1FPJqQcSb7IeEtiTmxbuKdwTH43BxzqQkjQPnh3/IMUEnRBCMcSgWeu2Sl4lEyRJMz 2vU0pl27U+HbCj4nRPyC1zn3UG93JIm73Rs9b/QjhVZzU7vVsUIfMDht7yKV61WBCMLxkA 
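Review bot: the new `mkdir -p "${partition_mountpoint}"` has no error handling, so when the directory cannot be created (read-only root, or a regular file already sitting at that path) the script falls through to `mount` and the only diagnostic is the less specific "Can't mount partition" panic. Suggest failing at the point of the problem, e.g. `mkdir -p "${partition_mountpoint}" || panic "Can't create mountpoint '${partition_mountpoint}'!"`, and logging the creation when `$debug` is `y`, as the surrounding code already does for the mount itself.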
woqTnkwt7gxQ+tuh2RXcZq6fdRd6oAlCCI7NQyxZ1VMJc2gN8fcVBAbFrUYEUjw5KpI+2K 6Qz7c8hxfx73NQglcEiApd4xDITJt3+gkqZS1GxG7U2AL5k2wA/gZrGGBbjxub6YKp1hQb 6tR5wSstZn/9uUR3S/L4ChfUoSt2iq9pRhUPLzj6savMcckQg6fR0HSDnY9I6A== From: Claudius Heine To: cip-dev@lists.cip-project.org Cc: Claudius Heine Subject: [PATCH 2/5] initramfs-crypt-hook: fix inconsistent whitespace Date: Wed, 26 Feb 2025 10:59:18 +0100 Message-ID: <20250226095921.168962-3-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250226095921.168962-1-ch@denx.de> References: <20250226095921.168962-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 26 Feb 2025 09:59:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17920 Signed-off-by: Claudius Heine --- recipes-initramfs/initramfs-crypt-hook/files/local-top-complete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 54b8a6e..f1aa0d7 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete 
@@ -262,7 +262,7 @@ for partition_set in $partition_sets; do ;; *) panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" - ;; + ;; esac finalize_tpm2_encryption "$part_device" From patchwork Wed Feb 26 09:59:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 13991952 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90292C021B8 for ; Wed, 26 Feb 2025 09:59:39 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web10.2409.1740563970878594479 for ; Wed, 26 Feb 2025 01:59:31 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=aOg376R0; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 344DF10382D2E; Wed, 26 Feb 2025 10:59:29 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1740563969; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=g6Ayz7HfW8PkAGpgVd5BwPGF739Jsaq2VfEeaKksXwE=; b=aOg376R0xzEzWtjoduScnReswvi5TaG5MYWGMiu/Uqg+WecYfu689SU20f2zC+PoBDA0SG tEY3lwSmu9IqtHxYU86jPMe1uwtCc6C3PoNV9HFPyt+t2/dMefPj/PPlyE0eS1tSqGygeb miNFFDDZ2xqlME1D0LuGdxtfV+kNdVJT3TY6lOiAQqXBspfrw6tWHb0wabl2DUV10xsOhY 4QrsmMSsgdFCiDZ3SORQ1K7OZG/W0NXbbqdSfb5+R5VR8EIQoilln0k1pURd6HKmFgyFJA r+v7WK/OceUdbjDeSvSDm75aHvXKSeGm/0hX5VQ+7/XQt0I0G/iG7TG7YEmL7A== 
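Review bot: the indentation fix is fine; since this `;;` line is being touched anyway, the adjacent panic text `Cannot create a encrypted partition !` could be corrected to `Cannot create an encrypted partition!` in the same hunk rather than in a later follow-up.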
From: Claudius Heine To: cip-dev@lists.cip-project.org Cc: Claudius Heine Subject: [PATCH 3/5] initramfs-crypt-hook: use real device path in luksFormat case Date: Wed, 26 Feb 2025 10:59:19 +0100 Message-ID: <20250226095921.168962-4-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250226095921.168962-1-ch@denx.de> References: <20250226095921.168962-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 26 Feb 2025 09:59:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17921 In the 'format' case the `$partition` variable is used instead of `$part_device`, which is likely an error, because all other cases use `$part_device`. `$part_device` is the real path to the block device, while `$partition` is the 'name' of the partition in the `$PARITIONS` variable, as defined in the recipe. This fixes an inconsistency; it shouldn't be a bug here, but could result in bugs when this script is adapted in product layers, etc. Signed-off-by: Claudius Heine --- recipes-initramfs/initramfs-crypt-hook/files/local-top-complete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index f1aa0d7..b907ea7 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
@@ -254,7 +254,7 @@ for partition_set in $partition_sets; do "format") log_begin_msg "Encryption of ${part_device}" /usr/sbin/cryptsetup luksFormat --batch-mode \ - --type luks2 "$partition" < "$tmp_key" + --type luks2 "$part_device" < "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" eval "${create_file_system_cmd} ${decrypted_part}" From patchwork Wed Feb 26 09:59:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 13991953 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 95198C021BC for ; Wed, 26 Feb 2025 09:59:39 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2485.1740563971947700820 for ; Wed, 26 Feb 2025 01:59:32 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=B8IPfKhr; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 4057710382F1A; Wed, 26 Feb 2025 10:59:30 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1740563970; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rmLRxzJxKbY4TgEp2wDK5dBL1uZvv7xEIJdFZzF1ut4=; b=B8IPfKhrp3pAYN8JWNqUREC0G2vXf8/HMme977+qN5+7Q2IKcDmgu1apeuBHhwl5eMed5x 4RwhzrxjaJNWv+PF6dqL1AGMS9FbJrlH2XReZTTqChmnORKvDFyCZaF1oM/z7wmTEnxv8L 
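Review bot: the substitution of `$part_device` for `$partition` is correct, but the commit message's "it shouldn't be a bug here" deserves a caveat. `$partition` is the identifier from the recipe, which the README in this series allows to be a partition label or UUID rather than a path, so `cryptsetup luksFormat --type luks2 "$partition"` could only have worked when an absolute device path was configured and would have failed for label or UUID identifiers. Worth stating that in the message, since it decides whether this is a cleanup or a fix for a broken `format` path.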
cbBsqG3N/tY/hhTnAav7b7o6hXycHqzijzHzSgNizFfmoL6m80EyZjcPOPGLMauMjlUU6A pT/GQCi4r4XLEm3PIOCpQ/0Ii0l+IWU7h7PCmDa4ca/aQKZrlSmFd39XE2c5fa3nnhXGTH uVb2oGDcXHznMt3YdWKWN+bXmaxGYMNhzDgHV1IsSPe+ixqPClxn3tjq9qexhg== From: Claudius Heine To: cip-dev@lists.cip-project.org Cc: Claudius Heine Subject: [PATCH 4/5] initramfs-crypt-hook: implement 'noencrypt' option Date: Wed, 26 Feb 2025 10:59:20 +0100 Message-ID: <20250226095921.168962-5-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250226095921.168962-1-ch@denx.de> References: <20250226095921.168962-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 26 Feb 2025 09:59:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17922 In case encryption needs to be enabled via an update while still allowing the update fallback to work: one update step where encryption is supported, but no reencryption takes place if the device is not encrypted. For this the `noencrypt` hook is implemented, which requires some restructuring/reordering of the `local-top-complete` script. Signed-off-by: Claudius Heine --- doc/README.tpm2.encryption.md | 3 +- .../files/local-top-complete | 29 +++++++++++++++---- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 3f7e89f..515348a 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md
@@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +- `noencrypt` will not try to encrypt the partition, it it isn't encrypted already, but will open it if it is. This makes it possible for an image to support encrypted systems, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. #### Encrypted root file system diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index b907ea7..1214a63 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete 
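Review bot: typos in the added `noencrypt` bullet: `it it isn't encrypted already` should read `if it isn't encrypted already`, and `on their own` refers to `an image`, so `on its own`. The bullet should also say what happens for the root partition, because the script change in this patch passes the plain device as `ROOT` when the partition is not encrypted; that unencrypted boot is the intended consequence for the update/fallback scenario, but a reader of the README cannot currently see it.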
@@ -216,22 +216,41 @@ for partition_set in $partition_sets; do if [ ! -e "$part_device" ]; then panic "Could not find device mapped to '$partition' cannot be encrypted!" fi - decrypted_part=/dev/mapper/"$crypt_mount_name" - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi if [ "$partition_expand" = "expand" ]; then expand_partition $part_device fi + # If partition is already encrypted, decrypt and continue with next partition: + decrypted_part=/dev/mapper/"$crypt_mount_name" if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + + # check if we are trying to mount root, set ROOT to decrypted partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + continue fi + # If partition should not be encrypted, continue with next partition: + if [ "$partition_format" = "noencrypt" ] + then + # check if we are trying to mount root, set ROOT to plain partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$part_device" >/conf/param.conf + fi + + continue + fi + + # check if we are trying to mount root, set ROOT to decrypted partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + # service watchdog in the background during lengthy re-encryption if [ -z "$watchdog_pid" ]; then service_watchdog & From patchwork Wed Feb 26 09:59:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 13991955 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F825C19777 for ; Wed, 26 Feb 
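Review bot: the `noencrypt` check is placed after `expand_partition $part_device`, so a partition configured with both `expand` and `noencrypt` is still resized even though it is then left untouched; if that is intended, a comment saying so would help, otherwise the `noencrypt` branch belongs above the expand step. Two smaller points: the branch writes `ROOT=$part_device` and continues without any message, so booting an unencrypted root leaves no trace in the boot log; a `log_warning_msg` (or at least a `[ "$debug" = "y" ] && echo` line like the one in `mount_partition`) would make that state visible. And the `/conf/param.conf` write is now duplicated three times in this hunk; deciding the target device once and writing the file once after the branches would keep the three copies from drifting. Style-wise, `if [ "$partition_format" = "noencrypt" ]` with `then` on its own line differs from the `if ...; then` form used in the rest of this function, which patch 2 of this series was just tidying.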
2025 09:59:39 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.2487.1740563973107301887 for ; Wed, 26 Feb 2025 01:59:33 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=Ue0ChJkd; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 5A22B10382D2E; Wed, 26 Feb 2025 10:59:31 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1740563971; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nz/5EGwKwI0PGEuTPIc5979bd4BCxVtjjzyWakKRvdg=; b=Ue0ChJkdiQyhVHg8kpopnR9qA19JUc4Qlx7xISe0lrksYneEiYMhKTyAQen9xLkaoq+yW3 DXRl+FW5BcnTFA02chltjdl0agHVle4wUz8a5tIA/ukNrPrH92ORzmAVXnRxPr2fHk2Prt 9VHknSsKRJmev2zzvlPO3QCWzOztVSpphMHXUut2kp9TTsWisiMNRQ4XDVOUrZKBj2E/qh hbCaTX/eSsXVN7tus3dLthhSLoEkGqwrc78vkI6huF8Og92hFvX4qbLXH4PuPhJ7N1svi9 jyFZCqU7ZRAf3VAqTkonOR+L6i5HNEsE0AH8QmX4H4OQK0TRU8hnuZI5XmXd9A== 
From: Claudius Heine To: cip-dev@lists.cip-project.org Cc: Claudius Heine Subject: [PATCH 5/5] initramfs-crypt-hook: add 'format-if-empty' feature Date: Wed, 26 Feb 2025 10:59:21 +0100 Message-ID: <20250226095921.168962-6-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250226095921.168962-1-ch@denx.de> References: <20250226095921.168962-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 26 Feb 2025 09:59:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17923 When encryption is enabled from one update to the next there is a difference between flashing a fresh factory image to an empty storage device, which contains an empty fallback partition set, and updating it, where the fallback partition contains the actual fallback partitions. In the update case, the fallback system should be left alone and unencrypted. When doing a factory flash, the fallback partitions can be encrypted. The best marker for which case the system is booted in is whether the partition is empty or not. The 'format-if-empty' option will format the partition with a luks format in case the first 10MiB are empty. Signed-off-by: Claudius Heine --- doc/README.tpm2.encryption.md | 3 ++- .../files/local-top-complete | 16 ++++++++++++++++ .../initramfs-crypt-hook_0.6.bb | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 515348a..5fe195d 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md
@@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` - `noencrypt` will not try to encrypt the partition, it it isn't encrypted already, but will open it if it is. This makes it possible for an image to support encrypted systems, while not encrypting anything on their own. Useful when updating from a system that is unencrypted to one that is, while supporting a fallback system. +- `format-if-empty` will create a empty LUKS partition and formats it, like the `format` option, but only if the first 10MiB are empty (contain only 0x00). This makes it possible to differenciate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone. #### Encrypted root file system diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 1214a63..41598c4 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete 
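Review bot: spelling and tense in the added `format-if-empty` bullet: `differenciate` should be `differentiate`, and `will create a empty LUKS partition and formats it` should be `creates an empty LUKS partition and formats it`. The 10MiB threshold is a literal in `local-top-complete`, not a recipe variable; the bullet should say that it is not configurable (or reference the variable if one is introduced), since a product layer choosing a different "empty" heuristic currently has to patch the script.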
@@ -279,6 +279,22 @@ for partition_set in $partition_sets; do eval "${create_file_system_cmd} ${decrypted_part}" log_end_msg ;; + "format-if-empty") + # Check if first 10MiB contain only zeros + if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero + then + log_begin_msg "Encryption of ${part_device}" + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$part_device" < "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + eval "${create_file_system_cmd} ${decrypted_part}" + log_end_msg + else + # If not empty, leave it alone. + continue + fi + ;; *) panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" ;; diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb index df335c9..c9a7f89 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb @@ -41,7 +41,7 @@ HOOK_ADD_MODULES = " \ HOOK_COPY_EXECS = " \ openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ - e2fsck resize2fs cryptsetup \ + e2fsck resize2fs cryptsetup cmp \ tpm2_pcrread tpm2_testparms tpm2_flushcontext \ /usr/lib/*/libgcc_s.so.1"
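Review bot: the `else` branch of `format-if-empty` does `continue` after `/conf/param.conf` has already been written with `ROOT=$decrypted_part` (since patch 4 that write happens before the `case`), so a non-empty root partition configured with `format-if-empty` leaves `ROOT` pointing at `/dev/mapper/"$crypt_mount_name"`, a device that is never created; the `noencrypt` branch handles this by setting `ROOT=$part_device` before continuing, and this branch needs the same treatment. Second, `cmp -s` silences diagnostics but not the exit status: `cmp` exits 2 on trouble (for example a read error on `$part_device`), which lands in the same `else` and quietly leaves the device alone, so test `$?` and `panic` (or at least log) on 2 instead of treating it as "not empty". Finally the body of the `then` branch is a verbatim copy of the `format` case; factoring it into a function, or having `format-if-empty` fall through to `format` once the check passes, would keep the two from drifting apart.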
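Review bot: `cmp` is added to `HOOK_COPY_EXECS`, so the binary comes from the build host, and the script relies on the GNU diffutils `-n` (`--bytes`) option; if the initramfs is ever assembled from a busybox toolset, confirm its `cmp` accepts `-n`, and a short comment next to `cmp` noting the GNU dependency would save the next person that check.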