Help with squash root encryption please #55
Okay, so I figured this out (mostly). Had to do two things:
from /etc/verity-squash-root/config.ini:
While this works, it's less than ideal. The reason I was using the It seems the dracut I would much prefer to use the crypttab file instead of having to hardcode the UUID. At least this is partially working. Solid 2 days to get here, ha.
Hi, thank you very much for the feedback.
Does this work for you?
Thanks for the pointer. Didn't know you could do that. (I have since tried, and it didn't work.) I guess the problem I have is that I want the UKI to be portable, so I can't specify the UUID in the kernel params. That's why I was hoping to use a label from /etc/crypttab. Whatever I do, I can't seem to get dracut to respect the /etc/crypttab file. systemd-cryptsetup-generator only seems to work with kernel params, which are missing the label option. I guess the other problem is that even if I get the crypttab file working, there is no way to exclude it from the squashfs, as it will generate an error if it's in both initramfs and root fs. I'll keep hacking away. Edit: On a test system with /etc/crypttab, if I run the following, it looks to generate the correct systemd unit file:
I just need to figure out how to get dracut crypt to run it.
Interesting. The
I got this working, well, kind of :P After trawling through To me, it seems like the dracut crypt module has been built with the assumption that the crypttab file is for local builds only. I believe this doesn't always hold true (my use case); using labels in the crypttab, it's portable. I think in the interim, to get it to build, I'll modify the crypt module with an override to generate the crypttab file regardless of hostonly. I have to do more digging on this next part; I'm not sure how the
I will test again with the above removed on another build and see if it still works. To get it to boot, I had to hack I guess it wouldn't be hard to make the excludes more generic, where it stats the target and checks if it's a file or a dir, if a file, just exclude it, or if a directory, do the current operation?
My use case: I'm running software on untrusted hardware, where an "operator" would install the software and the secure boot keys, and that's it. It would run autonomously, more like an embedded system. I need to validate the state of the system and ensure it hasn't been tampered with, hence why verity-squash-root is a really good fit. There are many of these "systems", all with different hardware, so it has to be generic. What I'm doing is, on a build system, building the UKI and squashfs. Then I'll distribute the UKI, squashfs and secure boot certificates, and keep the keys private. I'm going to start playing with using verity-squash-root and debootstrap / chroot. The only other problem I'm having is installing the pk.auth file with Thanks for your help, and again, appreciate the great software.
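The "stat the target" exclude logic sketched in the comment above, written out as an added illustration (not verity-squash-root's own code): a file target such as /etc/crypttab is excluded itself, while a directory target keeps its directory entry and has only its contents excluded. The sample root tree is constructed in a temporary directory; `squashfs_excludes`, `build_sample_root` and `demo` are hypothetical names.

```python
import tempfile
from pathlib import Path


def squashfs_excludes(root: str, targets: list[str]) -> list[str]:
    """Build mksquashfs-style exclude entries, relative to root.

    A file (or symlink) target is excluded directly; a directory target
    has each of its children excluded so the directory itself still
    exists, empty, in the image. Targets that do not exist are skipped.
    """
    excludes = []
    for target in targets:
        rel = target.lstrip("/")
        full = Path(root) / rel
        if full.is_symlink() or full.is_file():
            # Plain file: exclude the path itself.
            excludes.append(rel)
        elif full.is_dir():
            # Directory: exclude contents only, keep the directory entry.
            for child in sorted(full.iterdir()):
                excludes.append(str(Path(rel) / child.name))
    return excludes


def build_sample_root() -> str:
    """Constructed sample tree standing in for a root filesystem."""
    root = tempfile.mkdtemp()
    etc = Path(root) / "etc"
    etc.mkdir()
    # Constructed crypttab line; contents are irrelevant to the logic.
    (etc / "crypttab").write_text("root LABEL=root none tpm2-device=auto\n")
    log = Path(root) / "var" / "log"
    log.mkdir(parents=True)
    (log / "syslog").write_text("")
    (log / "journal").mkdir()
    return root


def demo() -> list[str]:
    """Run the exclude logic over the constructed tree."""
    root = build_sample_root()
    return squashfs_excludes(root, ["/etc/crypttab", "/var/log", "/missing"])
```

`demo()` yields `['etc/crypttab', 'var/log/journal', 'var/log/syslog']`: the crypttab file is dropped outright, /var/log survives as an empty directory, and the nonexistent target is ignored.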
@MorningLightMountain713
The code excludes everything in the directory, so the directory will be included in the image. This is a workaround for an issue in Your use case sounds really interesting, and verity-squash-root a good fit. If it will be open source, I'd love to have a look. Feel free to contact me via mail if you want to chat about it.
I don't have a lot of knowledge about the
I have just got back from vacation myself. Thanks for the info. Yes, it's open source. I'm just working on a distributable ISO at the moment. I'll drop you a line via email once I have something workable and share some code. Cheers!
Hi there, thanks for this great package.
I have this same config working for verity-squash-root without encryption.
However I just can't figure out how to get encryption working with a tpm2 on the squashfs partition.
System:
I can get encryption working if I do the following:
add_dracutmodules+=" tpm2-tss crypt "
in the dracut config files. Reboot and the encrypted drive is unlocked via TPM.
However, when I choose the verity-squash-root current from the efi boot menu, instead of the above, it hangs.
Here are my config files:
verity-squash-root config:
/etc/crypttab (and /etc/crypttab.initramfs):
fstab:
ids:
Choosing the writeable overlay (note encryption works fine with the top option)
gets stuck during boot, timing out waiting for /dev/mapper/root to unlock (LABEL=root).
What can I do to get this working?
Thanks