Add support for TPM- and Tang-based disk encryption #1560
Conversation
|
Thanks! When a package from Gentoo needs no changes, it should be in portage-stable. The profile file can be used for simple tweaks. If the package needs changes, we have it in coreos-overlay but in two commits: the first "syncs from Gentoo" which is deleting any files in the package folder and brings in new upstream files, and the second commit "applies Flatcar changes" and this is where commented changes are introduced. Only then we can correctly update the package. |
|
Build action triggered: https://github.com/flatcar/scripts/actions/runs/8295485348 |
simoncampion
force-pushed
the
add-clevis-krish
branch
from
6d75693 to
d6a7aff
Compare
|
Thanks for the speedy comment, @pothos !
That makes sense 👍 I reworked the Git history accordingly and cleaned things up a bit. Let me know if there's more to change; I did my best to infer how things are done from existing commits, but might have missed some bits. If I see correctly, Krish found some of the packages we need ( |
|
Hi @simoncampion , From my understanding based on my internship with the team, coreos-overlay should be where you put the packages from GURU (to be maintained by the Flatcar team), and portage-stable is where you should put packages (mostly unmodified and synced) from upstream Gentoo's portage tree. In terms of the commit message, I'm not too sure. But the location as to where they're placed does help. |
simoncampion
force-pushed
the
add-clevis-krish
branch
from
d6a7aff to
76bbbba
Compare
|
Okay, I moved the packages from GURU to @pothos If there is anything else I can do for this PR, let me know. |
| </maintainer> | ||
| <upstream> | ||
| <remote-id type="github">latchset/clevis</remote-id> | ||
| </upstream> | ||
| <use> | ||
| <flag name="luks">Enable LUKS support</flag> | ||
| <flag name="tpm">Enable TPM support</flag> | ||
| <flag name="dracut">Enable dracut support</flag> |
There was a problem hiding this comment.
I don't think we need a new use flag here but can directly depend on dracut
There was a problem hiding this comment.
Sounds good. I removed the use flag.
|
Looks ok but needs some cleanup: All unmodified ebuild folders should go under (This replaces #909) |
|
Hello @simoncampion, can you please rebase on top of flatcar/scripts main branch so that we can trigger a CI run too? Thanks. |
@ader1990 Will do! I suggest we wait for the associated changes of the bootengine to be finalized. I'll then update this PR to point to the correct version of |
simoncampion
force-pushed
the
add-clevis-krish
branch
from
76bbbba to
8d6f2a3
Compare
I moved all unmodified ebuild folders (all but I also rebased on |
sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
Show resolved
Hide resolved
simoncampion
temporarily deployed
to
development
GitHub Actions
Inactive
|
The CI failed with |
Yes, packages that the added packages depend on have been moved, and therefore the added packages now fail to install. I'm working on fixing this by redoing all the package-adding commits with the most up-to-date versions of the packages. |
simoncampion
force-pushed
the
add-clevis-krish
branch
from
8d6f2a3 to
80cc749
Compare
simoncampion
temporarily deployed
to
development
GitHub Actions
Inactive
sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
Outdated
Show resolved
Hide resolved
simoncampion
force-pushed
the
add-clevis-krish
branch
from
80cc749 to
36f93ca
Compare
|
Before we hit merge, I'd like to see the new tests for disk encryption pass on the most recent version of this PR. The QEMU image I built locally hangs in boot, failing to modprobe btrfs ("Too many levels of symbolic links") and therefore failing to mount the OEM partition, which has recently been switched to btrfs. This is probably an issue with my local build / setup. I'll troubleshoot this and report back once I see the tests passing. |
@simoncampion I think you also hit this bug flatcar/Flatcar#1389. |
|
Can you rebase once more? There is still a conflict with the bootengine ebuild |
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from Gentoo commit 2f6a333fb9bed9c7ab9b5a49065d157b62e48420
It's from GURU commit 05abdcd720bc767a152082750d9c7a044d638059
It's from GURU commit 05abdcd720bc767a152082750d9c7a044d638059
app-crypt/clevis includes dracut modules that must be installed before the initramfs is built
simoncampion
force-pushed
the
add-clevis-krish
branch
from
36f93ca to
2a5917d
Compare
|
@simoncampion Thanks for working on this (much-requested!) feature. In the beginning we didn't really know how it would look and thanks to the willingness to do some extra explorations we now have something that's quite clean and also integrates well with systemd upstream tooling :) |
|
I forgot that we could have (temporarily) used the mantle PR container image ref to get things tested already. The arm64 case needs some fixes: flatcar/mantle#509 Note that the systemd 255 update that was done in parallel also created a regression that couldn't be caught before merging because that branch wasn't using the new mantle tests yet even though it for testing it was rebased on this branch here. |
Add support for TPM- and Tang-based disk encryption
This PR adds support for TPM- and Tang-based disk encryption, by adding an
app-crypt/clevispackage and dependencies and an updated version ofsys-kernel/bootengine. It is accompanied by PRs in the bootengine and mantle repositories. It includes work by @krishjainx towards supporting these features, plus a few further changes that I needed to make for the features to fully work. I left changes by @krishjainx largely untouched where no modifications were needed to make it work, but I'm happy to address comments about any of the changes in this PR.How to use
With these changes the
luks.clevis.tpm2andluks.clevis.tangIgnition options should be fully supported. See the automated tests in the mantle pull request for examples.I have no prior experience making changes to Flatcar and look forward to hearing how to do things better. One specific aspect that I'd like feedback on is the following issue: When encrypting the ROOT partition, it must be decrypted in the initramfs before the root pivot. However, Ignition will add an
/etc/crypttabentry for the ROOT partition, leading to the generation of asystemd-cryptsetupservice for the encrypted root. Unfortunately, due to how this service is configured, it will fail if the root disk is already decrypted. This is a well-known issue. This does not impact the correct functioning of the system, but is annoying and also leads to the kola tests for root disk encryption to fail since the test system always checks for failed services. I'm unsure how to best fix this issue and would be thankful for suggestions.Testing done
I tested the
luks.clevis.tpm2andluks.clevis.tangconfig options for the ROOT partition and non-root disks using the new tests in kola.changelog/directory (user-facing change, bug fix, security fix, update)/bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.Once this is merged, I'd also be happy to update the documentation and create a new Butane spec for the newly supported config options.