From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, johnxw@amazon.com
Subject: [cip-dev][isar-cip-core][PATCH v3 00/15] Rework disk encryption
Date: Tue, 9 Apr 2024 15:05:17 +0200 [thread overview]
Message-ID: <20240409130638.559398-1-Quirin.Gylstorff@siemens.com> (raw)
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patchset is a cleanup of the initramfs-crypt-hook:

- Aligns the systemd and clevis implementation
- consolidate script in a main, clevis and systemd part
- split clevis hook for readability
- Adds some checks for TPM parameters
- Remove the dependency in the overlay
- Adds an example to encrypt the rootfs
- Add readme to switch from clevis based encryption to systemd

Changes v3:
- Add Kconfig entry for encrypted rootfs
- Adapt start-qemu.sh for an encrypted rootfs
- Add the missing initramfs-hook for the encrypted rootfs example

Changes v2:
- fix typos in commit messages
- some fixes for Debian buster
- split clevis hook for readability
- consolidate script in a main, clevis and systemd part
- Add readme to switch from clevis based encryption to systemd
- Increase version of the hook
- The disk encryption now sets the root mount if necessary

Quirin Gylstorff (15):
initramfs-crypt-hook: Allow switching between clevis and systemd
initramfs-crypt-hook: Align systemd encryption and clevis encryption
initramfs-crypt-hook: move the mounting of encrypted disks in a separate function
initramfs-crypt-hook: Check if the TPM device fulfills the given requirements
initramfs-crypt-hook: add flag to make encryption optional
initramfs-crypt-hook: add e2fsck to avoid resize error
initramfs-crypt-hook: split encryption and mounting
initramfs-crypt-hook: Add check if root is part of the mountpoints
initramfs-crypt-hook: split hook in multiple files
initramfs-crypt-hook: Consolidate clevis and systemd scripts
initramfs-crypt-hook: Increase version
README.tpm2.encryption: Add section to switch from clevis to systemd
Add example to encrypt the rootfs
Kconfig: Add option to encrypt the rootfs
start-qemu.sh: Support encrypted rootfs
Kconfig | 14 ++
doc/README.tpm2.encryption.md | 20 +++
kas/opt/encrypt_rootfs.yml | 25 +++
...pt_partition.clevis.bullseye_or_later.hook | 34 ++++
.../encrypt_partition.clevis.buster.hook | 30 ++++
.../files/encrypt_partition.clevis.hook | 20 +--
.../files/encrypt_partition.clevis.script | 157 +++--------------
.../files/encrypt_partition.env.tmpl | 4 +-
.../files/encrypt_partition.script | 164 ++++++++++++++++++
.../files/encrypt_partition.systemd.hook | 5 +-
.../files/encrypt_partition.systemd.script | 152 +++-------------
.../files/mount_crypt_partitions.script | 61 +++++++
...ook_0.1.bb => initramfs-crypt-hook_0.2.bb} | 49 +++++-
.../files/overlay.script.tmpl | 2 +-
start-qemu.sh | 7 +-
wic/x86_64-encryption.wks.in | 16 ++
16 files changed, 463 insertions(+), 297 deletions(-)
create mode 100644 kas/opt/encrypt_rootfs.yml
create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook
create mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.1.bb => initramfs-crypt-hook_0.2.bb} (54%)
create mode 100644 wic/x86_64-encryption.wks.in
--
2.43.0