LUKS encrypted rootfs and /data partitions for meta-mender. TPM2 integration for unattended boot.
Requires meta-mender-kernel for separate A/B kernel partitions.
- The
/bootand A/B kernel partitions are left unencrypted. - The rootfs and
/datapartitions are encrypted with detached LUKS headers. The detached headers are stored on the/bootpartition. - The LUKS passphrase is stored in plain text on the (encrypted)
/datapartition. - An
ArtifactInstallstate-script mounts the rootfs LUKS partition formender-clientaccess during an update. - Optional TPM2 integration for unattended boot.
Requires meta-secure-core. See this kas file for more setup details.
For unattended boot, the LUKS passphrase is loaded/sealed on the TPM2 device. This should be transparent to the user.
mender-luks-password-agentreads key and provides to cryptsetup at bootmender-luks-tpm-key-watcher.serviceupdates TPM2 when/if the LUKS key (file, on the filesystem) changes- mender updates:
mender-luks-state-scripts-tpmunlocks/reseals toMENDER/LUKS_TPM_PCR_UPDATE_UNLOCKafter a mender artifact is installed/written.- After a reboot,
mender-luks-tpm-seal-on-boot.servicereseals toMENDER/LUKS_TPM_PCR_SET_MAXif no systemd services have failed afterMENDER/LUKS_SEAL_DELAY_SECS(i.e. a successful boot). Additional systemd dependencies can by added withMENDER/LUKS_SEAL_SYSTEMD_AFTER.
The following definitions should be added to local.conf or custom_machine.conf
require conf/include/mender-luks.inc
MENDER/LUKS_PASSWORD = "n3w_p@ssw0rd"
# 0 = @ system boot: randomize LUKS password if weak or still set to default value
# 1 = @ system boot: do not check LUKS password
# MENDER/LUKS_BYPASS_RANDOM_KEY = "1"
# 0 = @ system boot: reencrypt LUKS master key(s) if password is still set to default value
# 1 = @ system boot: do no reencrypt LUKS partitions
# MENDER/LUKS_BYPASS_REENCRYPT = "1"
# PCRs levels to seal TPM2
# unlock options: none | min | max | N,N,N
# MENDER/LUKS_TPM_PCR_SET_NONE = "0"
# MENDER/LUKS_TPM_PCR_SET_MIN = "0,1"
# MENDER/LUKS_TPM_PCR_SET_MAX = "0,1,2,3,4,5"
# MENDER/LUKS_TPM_PCR_UPDATE_UNLOCK = "min"
Alternatively, a kas file has been provided to help with setup/config. Include kas/kas.yml from this layer in the top level kas file. E.g.:
header:
version : 1
includes:
- repo: meta-mender-luks
file: kas/kas.yml
local_conf_header:
01_meta-mender-luks: |
# define here, or in a custom layer
MENDER/LUKS_PASSWORD = "n3w_p@ssw0rd"
MENDER/LUKS_BYPASS_RANDOM_KEY = "1"
MENDER/LUKS_BYPASS_REENCRYPT = "1"
Additional files in kas/ have been provided to selectively turn on some features, such as TPM2 integration.
Image encryption is not an automated part of the build process. It can be done with either a post-build script~~, or on system during 1st boot~~.
The mender artifact(s) work as-is w/o this encryption step. If all you need is the mender artifact(s), then no further action is required. Image encryption is only significant when provisioning a new system.
The initial run of this script will luksFormat the partitions. Subsequent runs will reencrypt partitions in-place.
To execute:
bitbake mender-luks-cryptsetup-utils-native -caddto_recipe_sysroot \
&& PASSWORD="p1" oe-run-native mender-luks-cryptsetup-utils-native \
mender-luks-cryptsetup-reencrypt-image-file.sh /path/to/IMAGE_FILE
This will/may take awhile. On failure, it may not cleanup gracefully. Check /dev/mapper and /dev/loop* and cleanup as needed:
sudo dmsetup remove --force <NAME>
sudo losetup && sudo losetup -D
- The mender update artifact (*.mender) remains UNENCRYPTED.
MENDER_BOOT_PART_SIZE_MBneeds to have capacity for detached LUKS headers.- Enabling
efi-secure-bootis recommended, especially when using unattended boot (requires meta-secure-core).
This layer will remain compatible with the latest YOCTO LTS. This mirrors meta-mender.
