[isar-cip-core][PATCH v3 8/8] Add README for encrypted partitions


Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
doc/README.tpm2.encryption.md | 39 +++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 doc/README.tpm2.encryption.md

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
new file mode 100644
index 0000000..4b2f18b
--- /dev/null
+++ b/doc/README.tpm2.encryption.md
@@ -0,0 +1,39 @@
+# Encrypted Partitions
+By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined partitions will be
+encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the
+passphrase on the device.
+
+An example for qemu-amd64 can be build with by selecting the option after calling:
+
+```
+./kas-container menu
+```
+or by adding using the following command line build:
+
+```
+./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml
+```
+
+# initramfs-crypt-hook configuration
+
+The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build:
+- CRYPT_PARTITIONS
+- CRYPT_CREATE_FILE_SYSTEM_CMD
+
+## CRYPT_PARTITIONS
+
+The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount. Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>`.
+- The `partition-label` is used to identify the partition on the disk
+- The `mountpoint` is used mount the decrypted partition in the root file system
+- `reencrypt` uses `cryptsetup reencrypt` to reencrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
+- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
+
+## CRYPT_CREATE_FILE_SYSTEM_CMD
+
+The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
+encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition.
+
+# TPM2 protected LUKS passphrase
+
+The recipe `initramfs-crypt-hook` uses `systemd-cryptenroll` to enroll a TPM2 protected LUKS passphrase.
+The procedure for storing a key is described in https://github.com/systemd/systemd/blob/0254e4d66af7aa893b31b2326335ded5dde48b51/src/shared/tpm2-util.c#L1395.
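Review bot: the README text in this hunk needs a wording pass before merge: "can be build with by selecting the option" (built; drop "with"), "by adding using the following command line build" (drop "adding"), "is used mount the decrypted partition" (missing "to"), "the exiting content" (existing), "a empty LUKS partition" (an), and "which partition shall be encrypted where to mount" should read "which partition shall be encrypted and where to mount it". The `CRYPT_PARTITIONS` section would also benefit from one concrete entry next to the schema (for example `<label>:/data:reencrypt`, with a label from the image's own partition layout) and from saying what the hook does when the file system on a `reencrypt` partition has too little free space to give up the 32MB the bullet mentions. In the last section the enrollment procedure is documented only by a link to a line in a pinned systemd commit; that link will drift, so state the minimum systemd version whose `systemd-cryptenroll` the hook relies on, and note which PCRs (if any) the TPM2-protected passphrase is bound to, since that is what a reader needs to judge the protection the partition actually gets.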
--
2.39.1


Jan Kiszka
 

On 24.02.23 17:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
doc/README.tpm2.encryption.md | 39 +++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 doc/README.tpm2.encryption.md

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
new file mode 100644
index 0000000..4b2f18b
--- /dev/null
+++ b/doc/README.tpm2.encryption.md
@@ -0,0 +1,39 @@
+# Encrypted Partitions
+By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined partitions will be
+encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the
+passphrase on the device.
+
+An example for qemu-amd64 can be build with by selecting the option after calling:
+
+```
+./kas-container menu
+```
+or by adding using the following command line build:
+
+```
+./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/tpm.yml
+```
+
+# initramfs-crypt-hook configuration
+
+The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build:
+- CRYPT_PARTITIONS
+- CRYPT_CREATE_FILE_SYSTEM_CMD
+
+## CRYPT_PARTITIONS
+
+The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount.
"...and where to mount it"?

Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>`.
+- The `partition-label` is used to identify the partition on the disk
+- The `mountpoint` is used mount the decrypted partition in the root file system
+- `reencrypt` uses `cryptsetup reencrypt` to reencrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
+- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
+
+## CRYPT_CREATE_FILE_SYSTEM_CMD
+
+The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
+encrypted partition. The Default (`mke2fs -t ext4`) creates an ext4 partition.
+
+# TPM2 protected LUKS passphrase
+
+The recipe `initramfs-crypt-hook` uses `systemd-cryptenroll` to enroll a TPM2 protected LUKS passphrase.
+The procedure for storing a key is described in https://github.com/systemd/systemd/blob/0254e4d66af7aa893b31b2326335ded5dde48b51/src/shared/tpm2-util.c#L1395.
And here an explanation regarding the version needs for systemd and
readiness of this for production would be good.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux