LUKS encrypted rootfs and /data
partitions for meta-mender. TPM2 integration for unattended boot.
Requires meta-mender-kernel for separate A/B kernel partitions.
- The
/boot
and A/B kernel partitions are left unencrypted. - The rootfs and
/data
partitions are encrypted with detached LUKS headers. The detached headers are stored on the/boot
partition. - The LUKS passphrase is stored in plain text on the (encrypted)
/data
partition. - An
ArtifactInstall
state-script mounts the rootfs LUKS partition formender-client
access during an update. - Optional TPM2 integration for unattended boot.
#FIXME - coming soon
Requires meta-secure-core. See this kas file for more setup details.
For unattended boot, the LUKS passphrase is loaded/sealed on the TPM2 device. This should be transparent to the user.
mender-luks-password-agent
reads key and provides to cryptsetup at bootmender-luks-tpm-key-watcher.service
updates TPM2 when/if the LUKS key (file, on the filesystem) changes- mender updates:
mender-luks-state-scripts-tpm
unlocks/reseals toMENDER/LUKS_TPM_PCR_UPDATE_UNLOCK
after a mender artifact is installed/written.- After a reboot,
mender-luks-tpm-seal-on-boot.service
reseals toMENDER/LUKS_TPM_PCR_SET_MAX
if no systemd services have failed afterMENDER/LUKS_SEAL_DELAY_SECS
(i.e. a successful boot). Additional systemd dependencies can by added withMENDER/LUKS_SEAL_SYSTEMD_AFTER
.
#FIXME - coming soon
#FIXME - coming soon
This layer depends on:
URI: git://git.openembedded.org/bitbake
URI: git://git.openembedded.org/openembedded-core
layers: meta
branch: master
URI: https://github.com/mendersoftware/meta-mender.git
layers: meta-mender-core
branch: master
URI: https://github.com/coreycothrum/meta-mender-kernel.git
layers: meta-mender-kernel
branch: master
URI: https://github.com/coreycothrum/meta-bitbake-variable-substitution.git
layers: meta-bitbake-variable-substitution
branch: master
In order to use this layer, the build system must be aware of it.
Assuming this layer exists at the top-level of the yocto build tree; add the location of this layer to bblayers.conf
, along with any additional layers needed:
BBLAYERS ?= " \
/path/to/yocto/meta \
/path/to/yocto/meta-poky \
/path/to/yocto/meta-yocto-bsp \
/path/to/yocto/meta-mender/meta-mender-core \
/path/to/yocto/meta-bitbake-variable-substitution \
/path/to/yocto/meta-mender-kernel \
/path/to/yocto/meta-mender-luks \
"
Alternatively, run bitbake-layers to add:
$ bitbake-layers add-layer /path/to/yocto/meta-mender-luks
The following definitions should be added to local.conf
or custom_machine.conf
require conf/include/mender-luks.inc
MENDER/LUKS_PASSWORD = "n3w_p@ssw0rd"
# 0 = @ system boot: randomize LUKS password if weak or still set to default value
# 1 = @ system boot: do not check LUKS password
# MENDER/LUKS_BYPASS_RANDOM_KEY = "1"
# 0 = @ system boot: reencrypt LUKS master key(s) if password is still set to default value
# 1 = @ system boot: do no reencrypt LUKS partitions
# MENDER/LUKS_BYPASS_REENCRYPT = "1"
# PCRs levels to seal TPM2
# unlock options: none | min | max | N,N,N
# MENDER/LUKS_TPM_PCR_SET_NONE = "0"
# MENDER/LUKS_TPM_PCR_SET_MIN = "0,1"
# MENDER/LUKS_TPM_PCR_SET_MAX = "0,1,2,3,4,5"
# MENDER/LUKS_TPM_PCR_UPDATE_UNLOCK = "min"
Alternatively, a kas file has been provided to help with setup/config. Include kas/kas.yml
from this layer in the top level kas file. E.g.:
header:
version : 1
includes:
- repo: meta-mender-luks
file: kas/kas.yml
local_conf_header:
01_meta-mender-luks: |
# define here, or in a custom layer
MENDER/LUKS_PASSWORD = "n3w_p@ssw0rd"
MENDER/LUKS_BYPASS_RANDOM_KEY = "1"
MENDER/LUKS_BYPASS_REENCRYPT = "1"
Additional files in kas/ have been provided to selectively turn on some features, such as TPM2 integration.
A standalone reference build kas file has been provided.
All testing has been done with the Dockerfile
located in this repo.
Commands executed from docker image:
# clone repo
cd $YOCTO_WORKDIR && git clone https://github.com/coreycothrum/meta-mender-luks.git
# build TARGET image
cd $YOCTO_WORKDIR && kas build $YOCTO_WORKDIR/meta-mender-luks/kas/reference_builds/kas.min.x86-64.yml
# build QEMU image
cd $YOCTO_WORKDIR && kas build $YOCTO_WORKDIR/meta-mender-luks/kas/reference_builds/kas.min.x86-64.yml:$YOCTO_WORKDIR/meta-mender-luks/kas/reference_builds/kas.qemu.yml
Encryption is not an automated part of the build process. This native script is provided as an optional post-build action.
This is only needed when provisioning a new device from the full disk image. The mender artifacts work as-is w/o this encryption step.
To execute the encryption script:
bitbake mender-luks-encrypt-image-native -caddto_recipe_sysroot && \
oe-run-native mender-luks-encrypt-image-native mender-luks-encrypt-image.sh <path_to_deploy_image>
This will take awhile. If it fails, it may not cleanup gracefully. Check /dev/mapper
and /dev/loop*
and cleanup as needed
(hint(s): sudo dmsetup remove --force <NAME>
and sudo losetup && sudo losetup -D
).
- The mender update artifact (*.mender) is UNENCRYPTED.
MENDER_BOOT_PART_SIZE_MB
needs to have capacity for detached LUKS headers.- Enabling
efi-secure-boot
is recommended, especially when using unattended boot (requires meta-secure-core).
Please submit any patches against this layer via pull request.
Commits must be signed off.
Use conventional commits.
This layer will remain compatible with the latest YOCTO LTS. This mirrors what meta-mender does.