Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disko: Enable Luks disk encryption #517

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

disko: Enable Luks disk encryption #517

wants to merge 2 commits into from

Conversation

vunnyso
Copy link
Contributor

@vunnyso vunnyso commented Mar 15, 2024
edited

This patch creates luks filesystem which is encrypted and can be decrypted using Yubikey or system password.

Description of changes

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run nix flake check --accept-flake-config and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing

Please follow the below steps:

  1. After fresh installation on first boot system will ask for Yubikey PIN:
    image
  2. After which need to tap Yubikey 2 times (Repeat steps 1 and 2 depending on how many devices need to encrypted)
  3. System will automatically continue to boot up, please check in ghaf-host terminal you will see lvm block devices encrypted.

image

  1. On Next boot user need to enter Yubikey PIN once + tap on Yubikey device (depending on devices to be decrypted).
    image

Improvements

  • For encryption depending on number of devices need to encrypted user need to enter Yubikey PIN each time + double tap the Yubikey.
  • For decryption user need to enter Yubikey PIN once + tap once Yubikey for each device which need to be decrypted.
  • More block devices can be added later.

@vunnyso vunnyso temporarily deployed to internal-build-workflow March 15, 2024 09:58 — with GitHub Actions Inactive
@vunnyso vunnyso requested review from Mic92 and vilvo March 15, 2024 11:14
@brianmcgillion
Copy link
Collaborator

I believe this has to be done in an installation phase? Either choose passwd or yubikey. Because rebuilding an image per installation is not really viable.

If full luks can't be done on the fly in the installer, can we prompt for a key rotation (i.e. force a password change on first boot, and give option for either passwd or yubikey)

Secondly, shouldn't the passwd,/yubikey be mixed with tpm on the device? Or does fido2luks do this behind the scene?

@vunnyso
Copy link
Contributor Author

vunnyso commented Mar 18, 2024

I believe this has to be done in an installation phase? Either choose passwd or yubikey. Because rebuilding an image per installation is not really viable.

If full luks can't be done on the fly in the installer, can we prompt for a key rotation (i.e. force a password change on first boot, and give option for either passwd or yubikey)

Secondly, shouldn't the passwd,/yubikey be mixed with tpm on the device? Or does fido2luks do this behind the scene?

Hi @remimimimimi can we do Luks encryption along with yubikey enrollment during installation phase?
Hi @TanelDettenborn can you please comment about tpm question?

@unbel13ver @vunnyso
lenovo-x1: new disk partitioning scheme
840397b 
New disk configuration provides grounds for upcoming features,
such as AB software updates and Storage VM and many more.

Signed-off-by: Ivan Nikolaenko <ivan.nikolaenko@unikie.com>
@vunnyso vunnyso temporarily deployed to internal-build-workflow April 8, 2024 13:27 — with GitHub Actions Inactive
@vunnyso
encryption: Enable LUKS encryption on LVM devices
b11ed1c 
This patch will add a disk encryption config option and
based on the config option if enabled then LUKS encryption
on particular LVM devices will be enabled.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
@vunnyso vunnyso temporarily deployed to internal-build-workflow April 8, 2024 14:15 — with GitHub Actions Inactive
@vunnyso
Copy link
Contributor Author

vunnyso commented Apr 8, 2024

Hi @Mic92 please help to review my commit b11ed1c.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

@vilvo vilvo Awaiting requested review from vilvo

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@vunnyso @brianmcgillion @Mic92 @vilvo @unbel13ver