requirements TBD

Somehow, setting the acpi kernel command-line parameter to acpi=off stops mender-luks-password-agent from working.

This is my implementation of a systemd password agent. This is needed for unattended decryption/booting (e.g. w/ a TPM module).

When acpi=off, the boot prompt doesn't pause... it immediately fails.

One wrinkle when I discovered this is I was messing around w/ stuff that would have locked the TPM during boot. So I wouldn't expect it to decrypt automatically. There should be a fallback where the system pauses for me type the password... but that doesn't happen. mender-luks-password-agent may be returning an empty string or something? It's not giving me time.

If the TPM was still good, maybe this would continue to work.... but there would be no fail-safe.

I'm not sure how/why these are related?

WARNING: grub-efi-2.04-r0 do_package: Manifest /yocto_workspace/build/tmp/sstate-control/manifest-x86_64_x86_64-nativesdk-mender-luks-initramfs.packagedata not found in genericx86_64 core2-64 x86_64 allarch x86_64_x86_64-nativesdk (variant '')?

Current LUKS keys are defined @ build time. All devices provisioned from that build share the same LUKS master key.

Would it be good to perform a cryptsetup reencrypt? Ideally just once. This would give each device unique keys.

Probably some sort of systemd service @ boot time.

https://man7.org/linux/man-pages/man8/cryptsetup.8.html

@coreycothrum I'm using a compulab board with an imx8mp part. They have a mender configuration that uses mender-partuuid. Integrating your layer I see

ERROR: mender-luks does not currently support mender-partuuid

This is the referenced line

https://github.com/compulab-yokneam/meta-mender-compulab/blob/gatesgarth/templates/local.conf.append#L15

Do you have any thoughts on what I can do to resolve this?

only the variable mender_boot_part is used to determine the active partition. During an update that is then inverted to determine what the new root candidate partition is.

That candidate is then mounted, and the new/candidate kernel copied into the corresponding kernel partition (via meta-mender-kernel state scripts).

After an update, mender_boot_part is modified. If you do another update (before rebooting, so essentially overwriting the update with another before it takes effect), this logic is wrong. You'll copy the kernel from the active/current partition.

This logic should include upgrade_available, and not invert mender_boot_part if an update is already in process.

1. Support booting w/o a LUKs partition
2. Option to convert to LUKs/encrypt after first boot. Similar to the new reencrypt capability.

This would/could eliminate the need to encrypt the image before provisioning devices.

Hi,
First, thanks for providing this tool. I'm trying to set it up in my workspace and encountered some little issues here and there but could hopefully create an image.
I'm testing with Yocto dunfell on qemu-X64 at the moment with the linux-yocto kernel.

I managed to build the image but I end up in the Uefi console. I tried starting grub from there but I ended up with a black screen.

This is my current configuration:

MACHINE = "qemux86-64"

# MENDER-LUKS config
MENDER/KERNEL_PART_A_NAME                  = "kernela"
MENDER/KERNEL_PART_B_NAME                  = "kernelb"

require conf/include/mender-luks.inc
require conf/include/mender-kernel.inc

IMAGE_INSTALL_append = "packagegroup-mender-luks"
MENDER/KERNEL_PART_SIZE_MB = "128"
MENDER/LUKS_PASSWORD           = "password"

# MENDER Config
MENDER_FEATURES_ENABLE_append = " mender-grub mender-image-uefi"
MENDER_FEATURES_DISABLE_append = " mender-uboot mender-image-sd"

# Yocto config
RM_OLD_IMAGE = "1"

GLIBC_GENERATE_LOCALES = "en_US.UTF-8"
IMAGE_LINGUAS ?= "en-us"

NOHDD="1"
NOISO="1"

USER_CLASSES ?= "buildstats image-mklibs image-prelink"
PACKAGE_CLASSES = "package_deb"
PACKAGE_FEED_BASE_PATHS = "deb"
IMAGE_OVERHEAD_FACTOR = "1.0"
EXTRA_IMAGE_FEATURES = "ssh-server-openssh package-management debug-tweaks splash tools-debug allow-empty-password debug-tweaks post-install-logging tools-profile"

DISTRO_FEATURES_remove = "bluetooth"
DISTRO_FEATURES_remove = "3g"
DISTRO_FEATURES_remove = "nfc"
DISTRO_FEATURES_remove = "nfs"
DISTRO_FEATURES_remove = "ext2"

DISTRO_FEATURES_append = " systemd "
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

I used cryptsetup 2.3.2 on an ubuntu server, compiled it myself to make it work. I am not sure what I am missing but any help would be appreciated.

Edit: I tried enabling efi-secure-boot but i have the same result

Allow additional MENDER_EXTRA_PARTS.

Encrypt these extra partitions.

see: coreycothrum/meta-mender-kernel#7 (comment)

Image won't boot if you encrypt/post-process it more than once.

The UEFI image is encrypted after it's generated. This is done by mounting it as a loopback (via losetup and dmsetup) and using cryptsetup reencrypt. This requires access to /dev and some kernel modules. All in, it requires sudo access to the host machine.

That isn't great, and kind of goes against best practices for yocto/bitbake and/or running docker containers.

Try and determine if this is really necessary, and do it better if able.

@coreycothrum to get around this I changed --type from luks1 to luks2.

I guess I can also change the pbkdf option. Not sure this is a bug but figured I'd post in case you have any thoughts.