From patchwork Tue Mar 4 13:07:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14000706 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31D08C282D3 for ; Tue, 4 Mar 2025 13:07:55 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.21267.1741093672330494486 for ; Tue, 04 Mar 2025 05:07:52 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=X7SybDC1; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 5EDA610382F1F; Tue, 4 Mar 2025 14:07:50 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1741093670; h=from:subject:date:message-id:to:cc:mime-version: content-transfer-encoding:in-reply-to:references; bh=XgZYliBAkeADOjOHyzGWqeuOgVeufj5+wQZjZF2fIIg=; b=X7SybDC1xTLpaXeiePYxMui8RxuYPi5W3nXCaFgtABHKQxXJvT5v/YW5BxvrbQ4McKxnTz S1nTOhmF1E6Ssrdqcq89fSX/VvdZev7ksGnuVUX0hQ+1zSJeKSuMa3bO34RzIjXJN34HNh YoCshWkLXuZ14GrLHy3m6iEIN7YWidmdpc352G9W4ClEX01NMhepu1y7hMg+x0rigsLlu4 j4uo3E+68KwfRwqrQbLcqqbyCAOfqsabqRdOoXRSzOdH28IzIihoSBsddG0XUAS4x0OZHi +CCg0wh+5JxO/Y6JdExHO3BQ/tVVUS44EeWEGfhR2zc41fnyKsYvI8faizVXGw== From: Claudius Heine To: cip-dev@lists.cip-project.org, Jan Kiszka , Quirin Gylstorff Cc: Claudius Heine Subject: [PATCH v3 1/4] initramfs-crypt-hook: make sure that mount path exists Date: Tue, 4 Mar 2025 14:07:40 +0100 Message-ID: <20250304130743.2812183-2-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250304130743.2812183-1-ch@denx.de> References: <20250304130743.2812183-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 13:07:55 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18016 Wherever or not the mount directory (and their parents) gets created seem to be inconsistent; mentioning a missing mount point in the `/etc/fstab` might cause the boot to fail, while using systemd `.mount` units will just create the mount point. Wic creates missing mount points that where mentioned in the `.wks` file; so moving from such a setup to letting `initramfs-crypt-hook` mount the file system at boot inside the ramdisk, the mount would suddenly fail. Therefore creating the mount point for your, if it doesn't exists seem to provide a smoother transition. Signed-off-by: Claudius Heine --- .../initramfs-crypt-hook/files/local-bottom-complete | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete index b991cb4..80553d1 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete @@ -41,6 +41,7 @@ mount_partition() { partition_mountpoint=$2 [ "$debug" = "y" ] && echo "mount device: '$partition_dev_path' to '$partition_mountpoint'" if ! mountpoint -q "${partition_mountpoint}"; then + mkdir -p "${partition_mountpoint}" if ! mount -t "$(get_fstype "${partition_dev_path}")" "${partition_dev_path}" \ "${partition_mountpoint}"; then panic "Can't mount partition '${partition_dev_path}'!" From patchwork Tue Mar 4 13:07:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14000707 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3282AC282D6 for ; Tue, 4 Mar 2025 13:07:55 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web10.21187.1741093673591260581 for ; Tue, 04 Mar 2025 05:07:54 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=GDIkWjm/; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id C8A9310382C18; Tue, 4 Mar 2025 14:07:51 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1741093672; h=from:subject:date:message-id:to:cc:mime-version: content-transfer-encoding:in-reply-to:references; bh=TZ+E1sUZ1rppZwB9IDQaU0XD3uT5Hss85l9Y3vGtw6I=; b=GDIkWjm/gzonp2/8CHNHnZsVd2hJ3pPQ186cQZO7rrEJNIYErdePZ87cNJKkiWF5R7lDjf 09It70m92DZXVI3gClK+gzdKGyT5sTf+o2qr+qYcIHKjYnec8zSYjR39R9PNXoDB54knHQ DFv2xJvoisHSn23upqv0h9bWQH4wVwD98rYCilY6nk+IWIV/oUKNjb8Ukk12wCrcxFeDka yT0a1gXcEBGAQqSXZHWASjFSx7tHhc4OVU6L2bNbD0olppTc4TjPwGdl5+9mGqDKNGiNXI 3Ev9DJJEZ2fyLYyiJcR4Nm5v0Mah8+pT4otRqSsonYtqstBYKvFYWEj9GR/SAA== From: Claudius Heine To: cip-dev@lists.cip-project.org, Jan Kiszka , Quirin Gylstorff Cc: Claudius Heine Subject: [PATCH v3 2/4] initramfs-crypt-hook: implement 'noencrypt' option Date: Tue, 4 Mar 2025 14:07:41 +0100 Message-ID: <20250304130743.2812183-3-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250304130743.2812183-1-ch@denx.de> References: <20250304130743.2812183-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 13:07:55 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18017 In case encryption needs to be enabled via an update, while still allowing the update fall back to work. One update step where encryption is supported, but no reencryption is taking place if the device is not encrypted. For this the `noencrypt` hook is implemented, which requires some restructure/reordering of the `local-top-complete` script. Signed-off-by: Claudius Heine --- doc/README.tpm2.encryption.md | 22 ++++++++++++++++- .../files/local-top-complete | 24 +++++++++++++++---- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 3f7e89f..a97425c 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -42,11 +42,12 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +- `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. See the section [Encrypting the shared partition via an update](#### Encrypting the shared partition via an update) for more information #### Encrypted root file system @@ -58,6 +59,25 @@ The mountpoint is empty as the root partition is mounted by a seperate initramf Both partitions are encrypted during first boot. The initramfs hook opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}` during boot. +#### Encrypting the shared partition via an update + +With the following requirements, special handling is necessary: + +- A/B update scheme is used +- Both slots have a shared volume, that needs to be encrypted as well +- The system in field is currently unencrypted and encryption should be added via an update +- When the update failed, the fallback system needs to deal with an encrypted data partition + +If this case the fallback system needs to support an encrypted shared data partition, but would not encrypt it themselves. For this the `noencrypt` flag can be used. + +The data partition in the fallback system will have the `noencrypt` flag set, while the update system will set the flag to `reencrypt`, this will handle the following case, for example + +- Un-encrypted system on slot A is running, shared data partition has set `noencrypt` flag and is not encrypted +- Update for enabling encryption is applied to slot B, where the shared data partition has the `reencrypt` flag +- System reboots to slot B, encrypting the shared data partition +- Update fails at a later point and is not blessed, system reboots into the fallback system on slot A +- Fallback system now needs to be able to use the shared data partition + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index cf49e63..1ef784d 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -240,18 +240,32 @@ for partition_set in $partition_sets; do if [ ! -e "$part_device" ]; then panic "Could not find device mapped to '$partition' cannot be encrypted!" fi - decrypted_part=/dev/mapper/"$crypt_mount_name" - # check if we are trying to mount root - if [ "$partition_mountpoint" = "/" ]; then - echo "ROOT=$decrypted_part" >/conf/param.conf - fi + # If partition is already encrypted, decrypt and continue with next partition: + decrypted_part=/dev/mapper/"$crypt_mount_name" if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + + # check if we are trying to mount root, set ROOT to decrypted partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + continue fi + # If partition should not be encrypted, continue with next partition: + if [ "$partition_format" = "noencrypt" ] + then + continue + fi + + # check if we are trying to mount root, set ROOT to decrypted partition: + if [ "$partition_mountpoint" = "/" ]; then + echo "ROOT=$decrypted_part" >/conf/param.conf + fi + # service watchdog in the background during lengthy re-encryption if [ -z "$watchdog_pid" ]; then service_watchdog & From patchwork Tue Mar 4 13:07:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14000709 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1919AC282D0 for ; Tue, 4 Mar 2025 13:08:05 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.21270.1741093675033308779 for ; Tue, 04 Mar 2025 05:07:55 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=Z8+KDU5A; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 356B210381918; Tue, 4 Mar 2025 14:07:53 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1741093673; h=from:subject:date:message-id:to:cc:mime-version: content-transfer-encoding:in-reply-to:references; bh=R3L3mqbP73AH+6fVfMiFLchovg8147vR3PSNwqm4sPQ=; b=Z8+KDU5ANkywOgjyMUT5JUBSFXdc2j3Ec6JhX/X7tfXexa/JpL30KIij04kN6O+eJFj+HY dDC8CSbJI2ae8kyQ/4m7I1L4/fPM5lbW97iSTh0D8i1tfjh50S3peuj92+b5YXSnmnw8kq LqjWBshFuOAK2ch+Mgc5H1xkteKtFUhng6MQIvKpkkLC84e6T3A50kldDjxPTWyMqt0rIn fq1OXaUZ0hLW7WuM+/UAM8dMXOlRrBjKme2Gsw6raQTMpWhiaPIjkNhnHF1yggAifeFllI GLS1K4dPMZdR6Zq0TelIueiksN2GVKwZ3/TRVOZVXNpM/eZ2duljbV3plDrHow== From: Claudius Heine To: cip-dev@lists.cip-project.org, Jan Kiszka , Quirin Gylstorff Cc: Claudius Heine Subject: [PATCH v3 3/4] initramfs-crypt-hook: add 'format-if-empty' feature Date: Tue, 4 Mar 2025 14:07:42 +0100 Message-ID: <20250304130743.2812183-4-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250304130743.2812183-1-ch@denx.de> References: <20250304130743.2812183-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 13:08:05 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18018 When encryption is enabled from one update to the next there is a difference between flashing a fresh factory image to a empty storage device, which contains an empty fallback partition set and updating it, where the fallback partition contains the actual fallback partitions. In the update case, the update case, the fallback system should be left alone and unencrypted. When doing a factory flash, the fallback partitions can be encrypted. The best marker on in which case the system is booted is, if the partition is empty or not. The 'format-if-empty' option will format the partition with a luks format in case the first 10MiB are empty. Signed-off-by: Claudius Heine --- doc/README.tpm2.encryption.md | 3 ++- .../files/local-top-complete | 16 ++++++++++++++++ .../initramfs-crypt-hook_0.6.bb | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index a97425c..84e6cfe 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -42,12 +42,13 @@ The initramfs-crypt-hook recipe has the following variables which can be overwri ### CRYPT_PARTITIONS The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it. -Each entry uses the schema `::`. +Each entry uses the schema `::`. - The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`. - The `mountpoint` is used mount the decrypted partition in the root file system - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` - `noencrypt` will not try to encrypt the partition, if it isn't encrypted already, but will open it if it is. See the section [Encrypting the shared partition via an update](#### Encrypting the shared partition via an update) for more information +- `format-if-empty` will create a empty LUKS partition and formats it, like the `format` option, but only if the first 10MiB are empty (contain only 0x00). This makes it possible to differentiate if a partition is empty and can be encrypted, because it was freshly flashed via a factory image, or if it might contain an unencrypted fallback system and should be left alone. #### Encrypted root file system diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 1ef784d..47533b5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -294,6 +294,22 @@ for partition_set in $partition_sets; do eval "${create_file_system_cmd} ${decrypted_part}" log_end_msg ;; + "format-if-empty") + # Check if first 10MiB contain only zeros + if cmp -s -n "$(( 10 * 1024 * 1024 ))" "${part_device}" /dev/zero + then + log_begin_msg "Encryption of ${part_device}" + /usr/sbin/cryptsetup luksFormat --batch-mode \ + --type luks2 "$part_device" < "$tmp_key" + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" + open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" + eval "${create_file_system_cmd} ${decrypted_part}" + log_end_msg + else + # If not empty, leave it alone. + continue + fi + ;; *) panic "Unknown value ${partition_format}. Cannot create a encrypted partition !" ;; diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb index df335c9..c9a7f89 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb @@ -41,7 +41,7 @@ HOOK_ADD_MODULES = " \ HOOK_COPY_EXECS = " \ openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ - e2fsck resize2fs cryptsetup \ + e2fsck resize2fs cryptsetup cmp \ tpm2_pcrread tpm2_testparms tpm2_flushcontext \ /usr/lib/*/libgcc_s.so.1" From patchwork Tue Mar 4 13:07:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Claudius Heine X-Patchwork-Id: 14000708 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 17660C021B8 for ; Tue, 4 Mar 2025 13:08:05 +0000 (UTC) Received: from mx.denx.de (mx.denx.de [89.58.32.78]) by mx.groups.io with SMTP id smtpd.web11.21271.1741093676621249586 for ; Tue, 04 Mar 2025 05:07:57 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@denx.de header.s=mx-20241105 header.b=bOquabGb; spf=pass (domain: denx.de, ip: 89.58.32.78, mailfrom: ch@denx.de) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id B8BCA10382C18; Tue, 4 Mar 2025 14:07:54 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=mx-20241105; t=1741093674; h=from:subject:date:message-id:to:cc:mime-version: content-transfer-encoding:in-reply-to:references; bh=gSqnfpSon9/1xTdMsEMwHAutXfXBC5goxjDg9okQREs=; b=bOquabGb9sQzBYTsvephdD4GJnjg8WbKZ7xKuqmtIpSROeB+s/uqaaB0O5mAksCDmFe5Cf srD1XS0v6r4EQFAMJ/JRxbYJNfvP1oMtFjAKaUmB1McAsSAWoytUKW5RfyrBV/ANONeO8p huUh1V5Npsy6bVGjZ8dQheHO0qvtpYDTM2TYQadSX7p8eeMAbZ4SQ5/0r0IMHKZ2Af5flt zm0K6h42Eo8cvX+BTGeub3Or+vpTgwPSnxVKogC7/PIrRTY+YBo/s7vLpud+CxGwPLxMqb i6vAYYgiLq/YtlBZuT0LUgoNek3nUFAFEVmFuefsdX8TT1yM8sVdCLf+oc5zQQ== From: Claudius Heine To: cip-dev@lists.cip-project.org, Jan Kiszka , Quirin Gylstorff Cc: Claudius Heine Subject: [PATCH v3 4/4] initramfs-crypt-hook: add re-encryption recovery Date: Tue, 4 Mar 2025 14:07:43 +0100 Message-ID: <20250304130743.2812183-5-ch@denx.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250304130743.2812183-1-ch@denx.de> References: <20250304130743.2812183-1-ch@denx.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 13:08:05 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/18019 Integrate detection and recovery of power failures while a partition is being encrypted. There are possible scenarios: 1. Power-fail happens while the partition is reencrypted: - The LUKS header contains `online-reencrypt-v2` and needs to be repaired with `cryptsetup repair` before it can continue. - Also no resizing of the file system is necessary 2. Power-fail happens before the systemd-tpm2/clevis token can be installed - The LUKS header does not contain 'systemd-tpm2'/'clevis', thus it needs to be registered and the temporary encryption key needs to be removed In both scenarios the system after the reboot needs to have access to the temporary encryption key that was initially used. So using a random one, generated via `openssl rand` is not possible. Since it is only a temporary key and gets removed after the systemd-tpm2/clevis token was installed, a known password can be used. The list of these scenarios is not complete, there might be other instances where a sudden power-fail could be fatal to the system, but these where the most obvious and risky ones. Signed-off-by: Claudius Heine --- .../files/local-top-complete | 33 +++++++++++++++---- .../initramfs-crypt-hook_0.6.bb | 5 ++- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 47533b5..e67f26f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -72,6 +72,9 @@ reencrypt_existing_partition() { reduced_size="$(expr "$part_size_blocks" - 65536 )" reduced_size_in_byte="$(expr "$reduced_size" \* 512)" reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" + + CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k" + case $partition_fstype in ext*) # reduce the filesystem and partition by 32M to fit the LUKS header @@ -90,14 +93,25 @@ reencrypt_existing_partition() { squashfs|swap|erofs|"") [ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'" ;; + luks) + # Check if reencrypt was aborted + if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \ + | grep -q "online-reencrypt-v2"; then + /usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \ + panic "cryptsetup repair was not successful" + fi + + # already luks partition, don't resize + CRYPTSETUP_PARAMS="" + ;; *) panic "cannot resize partition, unsupported fstype: '$partition_fstype'" ;; esac if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" + /usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} "$1" < "$2" else - /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" + /usr/sbin/cryptsetup reencrypt --encrypt ${CRYPTSETUP_PARAMS} "$1" < "$2" fi } @@ -244,7 +258,7 @@ for partition_set in $partition_sets; do # If partition is already encrypted, decrypt and continue with next partition: decrypted_part=/dev/mapper/"$crypt_mount_name" if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ - | grep -q "luks2"; then + | grep -q "systemd-tpm2\|clevis"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" # check if we are trying to mount root, set ROOT to decrypted partition: @@ -255,6 +269,12 @@ for partition_set in $partition_sets; do continue fi + # If partition contains an aborted reencrypt luks header, switch to reencrypt mode: + if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \ + | grep -q "online-reencrypt-v2"; then + partition_format="reencrypt" + fi + # If partition should not be encrypted, continue with next partition: if [ "$partition_format" = "noencrypt" ] then @@ -272,10 +292,11 @@ for partition_set in $partition_sets; do watchdog_pid=$! fi - # create random password for initial encryption - # this will be dropped after reboot + # use partuuid of the partition for initial encryption password, this key + # will be removed after the reencryption has finished and the TPM2 token is + # registered: tmp_key=/tmp/"$(basename "$part_device")-lukskey" - openssl rand -base64 32 > "$tmp_key" + lsblk -no partuuid "$part_device" > "$tmp_key" case "${partition_format}" in "reencrypt") diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb index c9a7f89..5e82521 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb @@ -14,7 +14,6 @@ require recipes-initramfs/initramfs-hook/hook.inc DEBIAN_DEPENDS .= ", \ cryptsetup, \ awk, \ - openssl, \ e2fsprogs, \ tpm2-tools, \ coreutils, \ @@ -40,8 +39,8 @@ HOOK_ADD_MODULES = " \ ecb aes_generic xts" HOOK_COPY_EXECS = " \ - openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ - e2fsck resize2fs cryptsetup cmp \ + mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ + e2fsck resize2fs cryptsetup cmp lsblk \ tpm2_pcrread tpm2_testparms tpm2_flushcontext \ /usr/lib/*/libgcc_s.so.1"