From f40eb2a48770c4610c34a8669f0063646bd1d220 Mon Sep 17 00:00:00 2001 From: Jorge Ramirez-Ortiz Date: Tue, 2 Jan 2024 12:02:46 +0100 Subject: [PATCH] rm: linux-disk-encryption: document re-encryption Document LUKS2 re-encryption and PKCS#11 emulation. Signed-off-by: Jorge Ramirez-Ortiz Co-authored-by: Katrina Prosise Reviewed-by: Daiane Angolini --- source/_static/systemd-luks.png | Bin 0 -> 17330 bytes .../linux/linux-disk-encryption.rst | 341 +++++++++++++++++- 2 files changed, 328 insertions(+), 13 deletions(-) create mode 100644 source/_static/systemd-luks.png 
diff --git a/source/_static/systemd-luks.png b/source/_static/systemd-luks.png new file mode 100644 index 0000000000000000000000000000000000000000..a8746775606f590fe0a4a74a0395b4b7f897eadb GIT binary patch literal 17330
`. Prerequisites ------------- -As the process for decrypting the disk needs to be unattended, LmP requires either PKCS#11 (e.g. OP-TEE with RPMB as secure storage) or TPM 2.0 to be available by the target hardware. -These are leveraged for securely storing the Key Encryption Key (KEK) used for decrypting the disk during the boot process. -This is done via LUKS2 tokens, leveraging systemd-pkcs11 or systemd-tpm2, see `systemd-cryptenroll`_ for more information. +To ensure that the disk encryption and decryption processes can be +carried out without human intervention, LmP mandates the presence of +either PKCS#11 or TPM 2.0 controlled devices on the target hardware. + +Devices controlled via PKCS#11 or TPM 2.0 interfaces can therefore be +utilized to securely store and provide the Key Encryption Key (KEK). + +Storing the KEK is achieved through the use of LUKS2 tokens, making use +of either the **systemd-pkcs11** or **systemd-tpm2** plugins (refer to +`systemd-cryptenroll`_ for additional details). -For enhanced security, TPM 2.0 support also requires UEFI secure boot to be enabled. -This is because the key is bound to the Platform Configuration Register (PCR) 7, which tracks the secure boot state of the machine. + +.. figure:: /_static/systemd-luks.png + :width: 300 + :align: center + + systemd-cryptenroll + + +In ARM System on Chips (SoCs), a common PKCS#11 scenario is to execute +OP-TEE within the TrustZone. In this setup, OP-TEE should be configured +to use the eMMC Replay Protected Memory Block (RPMB) for secure storage +with tamper-resistant properties. + +In TPM 2.0 devices and as a security enhancement, we require that UEFI +boots with secure boot be enabled.
This is because the KEK is linked to +the Platform Configuration Register 7 (PCR 7), which monitors the +**secure boot state of the machine**. + +We demonstrate both of these scenarios using QEMU in the sections below. Enabling Support for Disk Encryption ------------------------------------ @@ -69,7 +129,7 @@ Doing so would cause the system to fail at boot. A recovery key can be created and provided manually if required, but it will not be an unattended boot. Testing TPM 2.0 Support With Qemu (x86) and swtpm -------------------------------------------------- +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It is possible to test the disk encryption support with TPM 2.0 with QEMU and `swtpm`_. @@ -80,8 +140,9 @@ Make sure LUKS support is enabled for your x86 target: $ cat meta-subscriber-overrides/conf/machine/include/lmp-factory-custom.inc DISTRO_FEATURES:append:intel-corei7-64 = " luks" -Then enroll the :ref:`UEFI Secure Boot Certificates ` to enable secure boot support. -This is required as the LUKS2 TPM 2.0 token leverages PCR 7, which tracks the secure boot state. +Then make sure to enroll the :ref:`UEFI Secure Boot Certificates ` +to enable secure boot support. This is required as the LUKS2 TPM 2.0 token +leverages **PCR 7**, which tracks the secure boot state. Now install ``swtpm`` on the host machine, and start the ``swtpm`` daemon. This will be consumed by QEMU and act as the hardware TPM. @@ -139,14 +200,14 @@ Verify that LUKS2 is using the TPM 2.0 based systemd token for encryption: Label: otaroot Subsystem: (no subsystem) Flags: (no flags) - + Data segments: 0: crypt offset: 16777216 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 512 [bytes] - + Keyslots: 1: luks2 Key: 512 bits 
@@ -196,6 +257,260 @@ Verify that LUKS2 is using the TPM 2.0 based systemd token for encryption: Digest: 5c 30 5b f3 59 db fe 6a 71 c4 9a a0 2d 22 cf 6b 18 e7 cc 8d 6a 44 c9 67 97 f8 34 80 96 69 53 7b +.. note:: + + As long as the TPM 2.0 emulation storage is not deleted, you will be + able to reboot your QEMU image since the key will persist. + + +Implementation Details for OP-TEE PKCS#11 Support +------------------------------------------------- + +To prevent conflicts with the PKCS#11 token slot utilized by +``aktualizr-lite``, a dedicated slot is necessary. + +LmP will set this dedicated slot as **slot 1** with the label ``lmp``. + +Before initiating the re-encryption process, the slot is initialized, +and a new **RSA 2048** key is generated. This key never leaves the +PKCS#11 domain. + +It is important to emphasize that only the **encrypted master key** is +stored in the LUKS JSON token header area. + +Please ensure that you **DO NOT** erase the PKCS#11 token slot or its key +throughout the lifespan of your product. Failure to follow this +precaution will result in the system's inability to boot. + +In the event of such a scenario, a recovery key can be created and +provided manually, but it won't support an unattended boot process. + + +Testing PKCS#11 Support With Qemu (arm64) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Make sure LUKS support is enabled for your ``qemuarm64-secureboot`` target: + +.. code-block:: console + + $ cat meta-subscriber-overrides/conf/machine/include/lmp-factory-custom.inc + DISTRO_FEATURES:append:qemuarm64-secureboot = " luks" + + +When running QEMU, please be cautious not to exceed 2GB of memory usage, +as attempting to use more than 2GB of memory may prevent the OP-TEE +emulation from successfully booting. So, it's advisable to stay within +this memory limit. + +.. 
code-block:: console + + $ qemu-system-aarch64 -m 2048 -cpu cortex-a57 -no-acpi -bios flash.bin \ + -device virtio-net-device,netdev=net0,mac=52:54:00:12:35:02 -device virtio-serial-device \ + -drive id=disk0,file=lmp-console-image-qemuarm64-secureboot.wic,if=none,format=raw \ + -device virtio-blk-device,drive=disk0 -netdev user,id=net0,hostfwd=tcp::2222-:22 \ + -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \ + -chardev null,id=virtcon -machine virt,secure=on -nographic + + +During the boot sequence, you will observe the following: + +.. code-block:: none + + [ 1.932467] Freeing unused kernel memory: 4736K + [ 1.933323] Run /init as init process + Starting version 250.5+ + [ 53.995060] e2fsck: otaroot: clean, 7841/136880 files, 79834/156064 blocks + Enrolling LUKS2 keyslot based on pkcs11 token + Token successfully initialized + User PIN successfully initialized + Key pair generated: + Private Key Object; RSA + label: luks + ID: 9d + Usage: decrypt, sign + Access: sensitive, always sensitive, never extractable, local + Public Key Object; RSA 2048 bits + label: luks + ID: 9d + Usage: encrypt, verify + Access: local + Engine "pkcs11" set. + Created certificate: + 7Certificate Object; type = X.509 cert + label: luks + subject: DN: CN=LmP + ID: 9d + Successfully logged into security token 'lmp' via protected authentication path. + New PKCS#11 token enrolled as key slot 0. + Wiped slot 31. + Successfully logged into security token 'lmp' via protected authentication path. + Successfully decrypted key with security token. + [...] + [ OK ] Reached target Basic System. + Starting D-Bus System Message Bus... + Starting Check and fix an … store of the docker daemon... + Starting IPv6 Packet Filtering Framework... + Starting IPv4 Packet Filtering Framework... + Starting Online LUKS2 disk re-encryption... + Starting User Login Management... + [ OK ] Started TEE Supplicant. + [ OK ] Started Network Name Resolution. 
+ [ OK ] Finished IPv6 Packet Filtering Framework. + [ OK ] Finished IPv4 Packet Filtering Framework. + [ OK ] Starting Network Manager Script Dispatcher Service... + [ OK ] Started Network Manager Script Dispatcher Service. + + Linux-microPlatform 4.0.11 qemuarm64-secureboot - + + qemuarm64-secureboot login: fio + Password: + + fio@qemuarm64-secureboot:~$ + + [ OK ] Finished Online LUKS2 disk re-encryption. + Starting Resize root filesystem to fit available disk space... + [ 210.434491] EXT4-fs (dm-0): resizing filesystem from 156064 to 160161 blocks + [ 210.448134] EXT4-fs (dm-0): resized filesystem to 160161 + [ OK ] Finished Resize root filesystem to fit available disk space. + + +After the service has finished, you can inspect the volume. First list +the block devices: + +.. code-block:: none + + fio@qemuarm64-secureboot:~$ lsblk + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS + zram0 251:0 0 0B 0 disk + vda 253:0 0 925.6M 0 disk + |-vda1 253:1 0 78M 0 part /var/rootdirs/mnt/boot + |-vda2 253:2 0 200M 0 part /boot + `-vda3 253:3 0 641.6M 0 part + `-vda3_crypt 252:0 0 625.6M 0 crypt /var + /usr + / + /sysroot + + +Then inspect the encrypted one: + +.. 
code-block:: none + + fio@qemuarm64-secureboot:~$ sudo cryptsetup luksDump /dev/vda3 + Password: + LUKS header information + Version: 2 + Epoch: 99 + Metadata area: 16384 [bytes] + Keyslots area: 16744448 [bytes] + UUID: 06be9f40-ac4f-4301-ad33-e566def6023d + Label: otaroot + Subsystem: (no subsystem) + Flags: (no flags) + + Data segments: + 0: crypt + offset: 16777216 [bytes] + length: (whole device) + cipher: aes-xts-plain64 + sector: 512 [bytes] + + Keyslots: + 1: luks2 + Key: 512 bits + Priority: normal + Cipher: aes-xts-plain64 + Cipher key: 512 bits + PBKDF: pbkdf2 + Hash: sha512 + Iterations: 1000 + Salt: a2 76 b4 61 3b c6 79 02 1a c1 23 89 02 ca 02 8f + f3 82 ec e6 c4 b0 6a c7 4a 4b 99 5e e6 92 c0 88 + AF stripes: 4000 + AF hash: sha512 + Area offset:32768 [bytes] + Area length:258048 [bytes] + Digest ID: 1 + Tokens: + 0: systemd-pkcs11 + pkcs11-uri: pkcs11:token=lmp;object=luks + pkcs11-key: 38 49 ce f7 3e e9 dc fc 66 3d b8 13 90 ec ec 29 + 99 73 5d 47 6a cb d0 fc 6c ab 1c a7 26 a8 08 7e + 46 b3 5d 15 f5 01 a9 e7 e6 d2 80 72 15 14 0d 0b + 61 85 fe ee 1f f8 f0 04 26 c8 46 31 83 52 cc 37 + 44 d7 2a 83 7d 5a d9 44 a3 90 d0 f5 ff f2 9d e3 + 6f 09 4b 2c 79 5e df e3 b0 f7 df b4 b2 8c 0b 78 + 0a 4a 31 c1 d1 63 bb 54 a3 ca c9 a9 a3 88 bc ec + 96 68 25 26 75 b3 44 3d 9b ee bc a4 73 a5 e2 b3 + f2 5e a3 74 29 32 7a 46 b2 af 55 cf 48 3d b6 ea + 4e d0 ca 0c da 06 f1 4e 33 23 73 be bb b0 c0 e1 + ab bf 7a 2d f3 d7 7a be 5c 01 e5 d6 ab 43 33 91 + 48 e7 14 77 61 1c b9 c0 2c 6a 47 36 4c 1f a1 81 + 39 8c 5b 56 43 fa 86 33 7f 8d ec ee cf 74 1a 3a + 43 69 6d bf 3b 70 70 ea 4b f7 02 a0 99 c0 55 02 + 49 16 14 00 45 da 78 da b9 5e 34 17 65 1b 3b c3 + 78 26 64 60 bf fe da 11 a0 3b 7a f9 0f 9e 93 8f + Keyslot: 1 + Digests: + 1: pbkdf2 + Hash: sha512 + Iterations: 1000 + Salt: a6 10 c3 0d 89 22 c4 67 32 c1 c4 49 31 6f 05 10 + 4a f6 3d bd 7f 26 7a ba 9e 74 54 0b 5f da 54 34 + Digest: 58 da 0f b2 ec d5 0d 5d 3d 99 15 85 85 ab e5 40 + 41 14 9c 57 6a 16 02 08 5d 8f 2a 18 ca 77 2d 7b + 
e1 be 92 d4 0a 49 f1 f1 77 48 c3 c1 27 35 57 ea + 68 47 60 20 15 a1 a2 80 11 c5 dd 8e c7 93 c4 80 + + +You can also examine the PKCS#11 slot created by OP-TEE to verify the +presence of the RSA-2048 key mentioned earlier: + +.. code-block:: none + + root@qemuarm64-secureboot:/var/rootdirs/home/fio# pkcs11-tool --module /usr/lib/libckteec.so.0 --list-token-slots + Available slots: + Slot 0 (0x0): 94e9ab89-4c43-56ea-8b35-45dc07226830 + token state: uninitialized + Slot 1 (0x1): 94e9ab89-4c43-56ea-8b35-45dc07226830 + token label : lmp + token manufacturer : Linaro + token model : OP-TEE TA + token flags : login required, PIN pad present, rng, token initialized, PIN initialized + hardware version : 0.0 + firmware version : 0.1 + serial num : 0000000000000001 + pin min/max : 4/128 + Slot 2 (0x2): 94e9ab89-4c43-56ea-8b35-45dc07226830 + token state: uninitialized + +.. note:: + + The OP-TEE PKCS#11 secure storage emulation will NOT survive across + reboots. As a consequence of this, because the root file system + was encrypted, the system will encounter a failure in mounting the + root file system during the subsequent boot. + + +If you were to reboot the system under the described circumstances, you +should expect to encounter the following error: + +.. code-block :: none + + [ 1.776260] registered taskstats version 1 + [ 1.776628] Loading compiled-in X.509 certificates + [ 1.879079] Loaded X.509 cert 'Default insecure key from Factory II: 1b2327c0b75d0bc1e4914c8195bbf053629b8abb' + [ 1.902679] uart-pl011 9000000.pl011: no DMA platform data + [ 1.937637] Freeing unused kernel memory: 4736K + [ 1.938472] Run /init as init process + Starting version 250.5+ + No slot with token named "lmp" found + PKCS11 certificate not found! + + +.. _re-encryption: + https://man7.org/linux/man-pages/man8/cryptsetup-reencrypt.8.html + .. _systemd-cryptenroll: https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html
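Review bot: the rewritten Prerequisites paragraph in the first hunk loses precision compared with the text it replaces: "either PKCS#11 or TPM 2.0 controlled devices" reads oddly because PKCS#11 is an interface rather than a device class, and the concrete example the old sentence carried (`OP-TEE with RPMB as secure storage`) only reappears two paragraphs later. Suggest keeping the parenthetical in the first sentence, and rewording `In TPM 2.0 devices and as a security enhancement, we require that UEFI boots with secure boot be enabled.` to something like `On TPM 2.0 devices, UEFI secure boot must also be enabled, because the KEK is bound to PCR 7, which tracks the secure boot state.` The new `.. figure::` directive also has no `:alt:` text, so the image is opaque to screen readers and to text-only builds.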
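Review bot: in `Implementation Details for OP-TEE PKCS#11 Support`, the sentence `only the **encrypted master key** is stored in the LUKS JSON token header area` conflates the LUKS volume key with the token's secret: the `luksDump` output shows the `systemd-pkcs11` token attached to keyslot 1 (`Keyslot: 1`), so what the token holds in `pkcs11-key` is the RSA-encrypted key that unlocks that keyslot, from which LUKS derives the volume key as usual; "encrypted keyslot key" or similar would be accurate. The same dump shows the slot using `PBKDF: pbkdf2` with `Iterations: 1000`, which readers will flag as weak; a sentence stating that the slot is unlocked with the random key the token decrypts (`Successfully decrypted key with security token.`) rather than a human passphrase, so KDF cost is not what protects it, would pre-empt that.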
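Review bot: the boot log in the PKCS#11 test section shows `User PIN successfully initialized` and `Successfully logged into security token 'lmp' via protected authentication path.`, but the prose never says how that PIN is provisioned or why no PIN entry is needed at boot; for a section whose point is unattended decryption that should be stated. The log also reports `New PKCS#11 token enrolled as key slot 0.` while the later `luksDump` lists only keyslot 1, presumably because the `Online LUKS2 disk re-encryption` service re-keys into a new slot; one sentence on the slot numbering would stop readers from thinking the enrolment failed. Finally, `7Certificate Object; type = X.509 cert` carries a stray leading `7` that looks like a console paste artefact and should be dropped.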
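Review bot: `.. code-block :: none` before the reboot-failure log has a space before `::`; docutils tolerates it, but every other directive in the file is written `.. code-block:: none`, so make it consistent. The `.. note::` just above it says the OP-TEE secure storage emulation does not survive reboots; since Prerequisites prescribes RPMB-backed secure storage on real SoCs, say explicitly that this limitation is specific to the QEMU setup so the warning is not read as a property of the PKCS#11 path in general.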