From: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com,
johnxw@amazon.com, felix.moessbauer@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v3 6/9] Kconfig: Add option to encrypt the rootfs
Date: Thu, 25 Apr 2024 13:50:34 +0200
Message-ID: <20240425115119.813384-7-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20240425115119.813384-1-Quirin.Gylstorff@siemens.com>
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows setting up a fully encrypted system.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 20 ++++++++++++++++++--
kas/opt/encrypt-all.yml | 23 +++++++++++++++++++++++
2 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644 kas/opt/encrypt-all.yml
diff --git a/Kconfig b/Kconfig
index 9478a06..42e6b67 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+
+menuconfig DISK_ENCRYPTION
+ bool
+ prompt "disk encryption"
+ select IMAGE_SECURE_BOOT
+
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions on first boot"
- depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
- select IMAGE_SECURE_BOOT
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
help
This enables LUKS encryption for the partitions /var and /home.
+config IMAGE_FULL_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ select IMAGE_DATA_ENCRYPTION
+ help
+ This enables LUKS encryption for all partitions.
+
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-data.yml" if IMAGE_DATA_ENCRYPTION
+config KAS_INCLUDE_FULL_ENCRYPTION
+ string
+ default "kas/opt/encrypt-all.yml" if IMAGE_FULL_ENCRYPTION
+
endif
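Review bot: the new `menuconfig DISK_ENCRYPTION` (`+ bool` / `+ prompt "disk encryption"` / `+ select IMAGE_SECURE_BOOT`) has no help text, and the rationale for forcing IMAGE_SECURE_BOOT is exactly what a user toggling this option needs to see; add a help block stating that the encryption setup is only meaningful behind a verified boot chain, and move the target restriction there once instead of repeating `depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)` in both sub-options. Because IMAGE_FULL_ENCRYPTION does `select IMAGE_DATA_ENCRYPTION`, both KAS_INCLUDE_DATA_ENCRYPTION and KAS_INCLUDE_FULL_ENCRYPTION are set at the same time, and kas/opt/encrypt-all.yml additionally includes kas/opt/encrypt-data.yml itself; state in the help or a comment that the double include is intended and that the CRYPT_PARTITIONS assignment in encrypt-all.yml is the one that must win. Finally, "This enables LUKS encryption for all partitions." overstates what the new include configures: its CRYPT_PARTITIONS lists only the two abrootfs system partitions plus /home and /var, so say "the rootfs (system A/B) and the data partitions /var and /home" to avoid the impression that the boot partition is encrypted too.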
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
new file mode 100644
index 0000000..b6d4041
--- /dev/null
+++ b/kas/opt/encrypt-all.yml
@@ -0,0 +1,23 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+ includes:
+ - kas/opt/encrypt-data.yml
+local_conf_header:
+ encrypted_root: |
+ # Do not set mount points for systema and systemb as they are mounted by the
+ # abrootfs/verity initramfs
+ # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+ # to set all partitions
+ CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
+ home:/home:reencrypt var:/var:reencrypt"
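Review bot: typo in the comment `# As we use a weak default assignment in the intramfs-crypt-hook recipe we need` (initramfs-crypt-hook), and the comment would be clearer if it named the variable: the recipe sets CRYPT_PARTITIONS as a weak default, so this include has to use a plain assignment that repeats home and var even though encrypt-data.yml already lists them, otherwise the override would silently drop the data partitions. The entries `${ABROOTFS_PART_UUID_A}::reencrypt` and `${ABROOTFS_PART_UUID_B}::reencrypt` leave the mount point field empty on purpose and depend on the crypt hook accepting that (patch 2/9 of this series); a one-line comment pointing at that would help anyone bisecting to this commit. Since the system partitions are also in `reencrypt` mode, i.e. converted in place on first boot like the data partitions, the accompanying README change should say what state a device is in if that first boot is interrupted before conversion completes.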
--
2.43.0
Thread overview:
2024-04-25 11:50 [cip-dev][isar-cip-core][PATCH v3 0/9] Add option to encrypt the rootfs Quirin Gylstorff
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 1/9] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 2/9] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 3/9] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 4/9] fix: use luks2 to identify encrypted partition Quirin Gylstorff
2024-04-25 12:06 ` MOESSBAUER, Felix
2024-04-25 12:08 ` Gylstorff Quirin
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 5/9] Rename encrypt-partitions to encrypt-data Quirin Gylstorff
2024-04-25 11:50 ` Quirin Gylstorff [this message]
2024-04-25 12:16 ` [cip-dev][isar-cip-core][PATCH v3 6/9] Kconfig: Add option to encrypt the rootfs MOESSBAUER, Felix
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 7/9] crypt-hook: Extend partition selection Quirin Gylstorff
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 8/9] README: Add rootfs encryption Quirin Gylstorff
2024-04-25 11:50 ` [cip-dev][isar-cip-core][PATCH v3 9/9] README.swupdate: Add section about partition selection Quirin Gylstorff
2024-04-25 12:28 ` MOESSBAUER, Felix