
Help with squash root encryption please

Open MorningLightMountain713 opened this issue 9 months ago • 2 comments

Hi there, thanks for this great package.

I have this same config working for verity-squash-root without encryption.

However, I just can't figure out how to get encryption working with a TPM2 on the squashfs partition.

System:

davew@porridge:~$ uname -a
Linux porridge 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux

I can get encryption working if I do the following:

  • use verity-squash-root to generate Secure Boot keys, then load these.
  • sign the kernel with verity-squash-root so Secure Boot works
  • use dracut to build an initramfs, with add_dracutmodules+=" tpm2-tss crypt " in the dracut config files.
  • use systemd-cryptenroll --tpm2-device auto --tpm2-pcrs "0+7" /dev/sda2 to load key
  • enable systemd boot
  • setup /etc/crypttab

Reboot, and the encrypted drive is unlocked via the TPM.

However, when I choose the verity-squash-root current entry from the EFI boot menu instead of the above, it hangs.

Here are my config files:

verity-squash-root config:

root@porridge:~# cat /etc/verity_squash_root/config.ini
[DEFAULT]
# If CMDLINE is not configured, use /etc/kernel/cmdline
CMDLINE = root=LABEL=root
EFI_STUB = /usr/lib/systemd/boot/efi/linuxx64.efi.stub
DECRYPT_SECURE_BOOT_KEYS_CMD = age -d -o {} /etc/verity_squash_root/keys.tar.age

# DECRYPT_SECURE_BOOT_KEYS_CMD =
#     openssl enc -aes-256-cbc -pbkdf2 -d
#     -in /etc/verity_squash_root/keys.tar.openssl -out {}
# DECRYPT_SECURE_BOOT_KEYS_CMD = cp /etc/verity_squash_root/keys.tar {}
EXCLUDE_DIRS = /home,/opt,/srv,/var/!(lib|log)
EFI_PARTITION = /boot/efi
ROOT_MOUNT = /mnt/root
IGNORE_KERNEL_EFIS =

[EXTRA_SIGN]
# These files will be signed when called with sign_extra_files
# The format is: `NAME = SOURCE_PATH => DESTINATION_PATH`
# Be careful to not sign files from untrusted sources,
# e.g. the ESP partition. An attacker could exchange these
# files.
systemd = /usr/lib/systemd/boot/efi/systemd-bootx64.efi => /boot/efi/EFI/systemd/systemd-bootx64.efi
nix = /vmlinuz => /boot/efi/f314a67efb344947bba5f1273222b637/6.1.0-21-amd64/linux

/etc/crypttab (and /etc/crypttab.initramfs):

root@porridge:~# cat /etc/crypttab
# <target name>	<source device>		<key file>	<options>
crypt LABEL=luks none luks

fstab:

root@porridge:~# cat /etc/fstab
UUID=eadbec4a-c01f-4041-816f-c32222ba6176 /               ext4    errors=remount-ro 0       1
UUID=1910-BD80  /boot/efi       vfat    umask=0077      0       1
LABEL=root /mnt/root     ext4 defaults 0 2

IDs:

root@porridge:~# blkid
/dev/sr0: BLOCK_SIZE="2048" UUID="2024-02-10-11-31-15-00" LABEL="Debian 12.5.0 amd64 n" TYPE="iso9660" PTUUID="34862533" PTTYPE="dos"
/dev/mapper/crypt: LABEL="root" UUID="a5aa816c-0295-40ea-8857-2b1d04aa8394" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sda2: UUID="eb7642ba-8c51-487a-bf2f-af92a521eaf4" LABEL="luks" TYPE="crypto_LUKS" PARTUUID="677d0201-3513-4888-a9d0-e819a915a180"
/dev/sda3: UUID="eadbec4a-c01f-4041-816f-c32222ba6176" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="647adfe5-7356-484a-9981-6e82393fb801"
/dev/sda1: UUID="1910-BD80" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="d1bc7784-b91e-4fb9-ad62-2e54db656c57"

Choosing the writeable overlay (note that encryption works fine with the top option):

[Screenshot: EFI boot menu, 2024-05-24 1:34 PM]

It gets stuck during boot, timing out while waiting for /dev/mapper/root (LABEL=root) to unlock:

[Screenshot: boot hang, 2024-05-24 1:36 PM]

What can I do to get this working?

Thanks

MorningLightMountain713, May 24 '24 12:05
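The working procedure in the post (dracut modules, systemd-cryptenroll against PCRs 0+7, a crypttab entry) is easy to get subtly wrong, so here is an added example, not code from the issue author or from the verity-squash-root project. It renders the dracut drop-in and a crypttab entry into a scratch directory and lints a crypttab for the one detail that most often leaves a boot waiting on a passphrase: systemd-cryptsetup only attempts TPM2 unlocking for an entry whose options carry tpm2-device=. The target name "crypt" and LABEL=luks are taken from the post; the drop-in file name, the scratch directory and the enroll_tpm2 wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from verity-squash-root.
# Renders the dracut drop-in and the crypttab entry for TPM2 unlock of a
# LUKS volume, and lints a crypttab so that every entry without a key file
# carries tpm2-device=, which is what makes systemd-cryptsetup try the TPM.
# Assumptions: target "crypt" and LABEL=luks come from the post; $WORKDIR is
# a scratch directory, nothing under /etc is touched.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# dracut drop-in with the modules the post lists (tpm2-tss and crypt).
render_dracut_conf() {
    printf 'add_dracutmodules+=" tpm2-tss crypt "\n'
}

# crypttab entry: no key file, LUKS, unlock via the TPM2 device the
# systemd-cryptenroll run enrolled the key on.
# usage: render_crypttab NAME SOURCE
render_crypttab() {
    printf '%s\t%s\tnone\tluks,tpm2-device=auto\n' "$1" "$2"
}

# Lint: return 1 if any entry with no key file ("none" or "-") lacks a
# tpm2-device= option, because systemd-cryptsetup will not try the TPM
# for it and will wait for a passphrase instead.
# usage: lint_crypttab FILE
lint_crypttab() {
    rc=0
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in none|-) ;; *) continue ;; esac
        case ",${opts:-}," in
            *,tpm2-device=*) ;;
            *) echo "crypttab: '$name' ($src) has no key file and no tpm2-device= option" >&2
               rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Enroll a TPM2 key slot the way the post does (PCRs 0 and 7); refuses to
# run on a machine without a TPM2 resource manager device.
# usage: enroll_tpm2 /dev/sdX2
enroll_tpm2() {
    [ -e /dev/tpmrm0 ] || { echo "no TPM2 device at /dev/tpmrm0" >&2; return 2; }
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$1"
}

# Write both files into the scratch directory and lint the rendered entry
# next to the entry exactly as it appears in the post.
demo() {
    render_dracut_conf > "$WORKDIR/90-tpm2.conf"
    render_crypttab crypt LABEL=luks > "$WORKDIR/crypttab"
    printf 'crypt\tLABEL=luks\tnone\tluks\n' > "$WORKDIR/crypttab.orig"
    lint_crypttab "$WORKDIR/crypttab"
    if lint_crypttab "$WORKDIR/crypttab.orig"; then
        echo "unexpected: entry without tpm2-device= passed the lint" >&2
    fi
    echo "rendered files are in $WORKDIR"
}
demo
```

Run it as-is to see the lint reject the bare `luks` entry and accept the `luks,tpm2-device=auto` one; copy the rendered files into /etc/dracut.conf.d/ and /etc/crypttab only after checking them, and rebuild the initramfs so the embedded crypttab changes too.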