[isar-cip-core][RFC 0/5] Encrypt Partition in initramfs


Quirin Gylstorff

From: Quirin Gylstorff <quirin.gylstorff@...>

This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during
boot.

Adapt start-qemu to support tpm2.

Quirin Gylstorff (5):
add tpm.cfg to the kernel
use bullseye backports for systemd-cryptenroll
wic/x86-efibootguard: add partition to encrypted
start-qemu: If swtpm is available create a tpm2 device
Add initramfs hook to encrypt a partition

conf/distro/debian-bullseye-backports.list | 1 +
.../preferences.bullseye-backports.tpm.conf | 3 +
kas/opt/tpm.yml | 20 ++++
.../files/create_crypt_partition.script | 96 +++++++++++++++++++
.../files/crypt-partition.env.tmpl | 1 +
.../initramfs-crypt-hook/files/crypt.hook | 42 ++++++++
.../initramfs-crypt-hook_0.1.bb | 37 +++++++
recipes-kernel/linux/files/tpm.cfg | 13 +++
recipes-kernel/linux/linux-cip-common.inc | 2 +
start-qemu.sh | 23 ++++-
wic/qemu-amd64-efibootguard-secureboot.wks.in | 1 +
wic/x86-efibootguard.wks.in | 1 +
12 files changed, 235 insertions(+), 5 deletions(-)
create mode 100644 conf/distro/debian-bullseye-backports.list
create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
create mode 100644 kas/opt/tpm.yml
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/create_crypt_partition.script
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/crypt-partition.env.tmpl
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/crypt.hook
create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
create mode 100644 recipes-kernel/linux/files/tpm.cfg

--
2.39.0
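An added example, not the series' create_crypt_partition.script or crypt.hook (neither is shown above), of the flow the cover letter describes: format the partition as LUKS2 with a bootstrap passphrase, seal a fresh key to the TPM2 with systemd-cryptenroll, drop the bootstrap passphrase, and emit the crypttab entry the initramfs unlocks from. Assumptions are labelled in the code: the TPM2 resource-manager node /dev/tpmrm0, binding to PCR 7 (Secure Boot state) only, and the systemd-cryptenroll options available from the bullseye-backports build the series switches to. DRY_RUN=1 prints the plan instead of touching any device.

```shell
#!/bin/sh
# Added example (not isar-cip-core code): LUKS2 + TPM2 enrollment in the order
# an initramfs hook would run it. Assumptions: /dev/tpmrm0 exists, PCR 7 is the
# right policy for the target, systemd-cryptenroll honours $PASSWORD.
set -eu

TPM_DEV="${TPM_DEV:-/dev/tpmrm0}"   # assumed: kernel TPM2 resource manager node
PCRS="${PCRS:-7}"                   # assumed policy: Secure Boot state only
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the plan, 0 = execute it

# Fail closed: with no TPM2 there is nothing to seal the key to, so refuse
# instead of leaving the partition in plaintext or with a passphrase nobody holds.
have_tpm2() { [ -c "$TPM_DEV" ]; }

# Command that creates the LUKS2 container; the passphrase arrives on stdin ('-').
luks_format_cmd() {
  printf 'cryptsetup luksFormat --type luks2 --batch-mode %s -' "$1"
}

# Command that seals a new key to the TPM2 and wipes the bootstrap passphrase.
# systemd-cryptenroll unlocks the existing slot with the passphrase in $PASSWORD.
enroll_cmd() {
  printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --wipe-slot=password %s' "$2" "$1"
}

# crypttab entry so the initramfs tries the TPM2 token before any prompt.
crypttab_line() { printf '%s %s none luks,tpm2-device=auto\n' "$1" "$2"; }

# encrypt_partition DEVICE MAPPER_NAME
encrypt_partition() {
  dev=$1
  name=$2
  have_tpm2 || { echo "no TPM2 at $TPM_DEV, refusing to encrypt $dev" >&2; return 1; }
  # Bootstrap passphrase: random, never written to disk, gone after enrollment.
  pass=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  if [ "$DRY_RUN" = 1 ]; then
    echo "$(luks_format_cmd "$dev")"
    echo "PASSWORD=<bootstrap> $(enroll_cmd "$dev" "$PCRS")"
    crypttab_line "$name" "$dev"
    return 0
  fi
  printf '%s' "$pass" | sh -c "$(luks_format_cmd "$dev")"
  PASSWORD="$pass" sh -c "$(enroll_cmd "$dev" "$PCRS")"
  crypttab_line "$name" "$dev" >> /etc/crypttab
  unset pass
}
```

Two caveats worth keeping in mind when turning this into a real hook: a PCR 7 policy unseals on any boot that passes Secure Boot with the same policy, so tighten the PCR set if the boot chain itself must be measured; and wiping the password slot means a firmware update that changes the bound PCRs, or a replaced TPM, leaves no way to open the partition unless a recovery key was enrolled as well.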