Enable CONFIG_FS_ENCRYPTION in kernel 5.15 #3908

Merged
merged 2 commits into from
Apr 27, 2024


larvacea
Member

Description of changes:

Enable CONFIG_FS_ENCRYPTION in 5.15. This is already enabled in the 5.10 and 6.1 kernel configs.

Testing done:

Sonobuoy

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
Contributor

Can you post the usual kernel config diff in the testing results?

@larvacea
Member Author

The config diffs:

==> configs_config-fs-encryption/config-aarch64-aws-k8s-1.26-diff <==
 FS_ENCRYPTION n -> y
+FS_ENCRYPTION_ALGS y
+FS_ENCRYPTION_INLINE_CRYPT n

==> configs_config-fs-encryption/config-x86_64-aws-k8s-1.26-diff <==
 FS_ENCRYPTION n -> y
+FS_ENCRYPTION_ALGS y
+FS_ENCRYPTION_INLINE_CRYPT n

I could also enable FS_ENCRYPTION_INLINE_CRYPT (we have the prerequisite block-device inline encryption configuration selected). Opinions? My inclination is yes.

@yeazelm
Contributor

yeazelm commented Apr 24, 2024

I'm not sure if anything will actually be able to use FS_ENCRYPTION_INLINE_CRYPT but I'm fine enabling it if that keeps 5.15 and 6.1 consistent on these configs.

@larvacea
Member Author

The new and improved config diffs:

==> configs_config-fs-encryption/config-aarch64-aws-k8s-1.23-diff <==

==> configs_config-fs-encryption/config-aarch64-aws-k8s-1.26-diff <==
 FS_ENCRYPTION n -> y
+FS_ENCRYPTION_ALGS y
+FS_ENCRYPTION_INLINE_CRYPT y

==> configs_config-fs-encryption/config-x86_64-aws-k8s-1.23-diff <==

==> configs_config-fs-encryption/config-x86_64-aws-k8s-1.26-diff <==
 FS_ENCRYPTION n -> y
+FS_ENCRYPTION_ALGS y
+FS_ENCRYPTION_INLINE_CRYPT y

==> configs_config-fs-encryption/config-x86_64-metal-k8s-1.26-diff <==

==> configs_config-fs-encryption/config-x86_64-vmware-k8s-1.26-diff <==

CONFIG_FS_ENCRYPTION_INLINE_CRYPT permits filesystem encryption to use inline (hardware) block device encryption when it is available. Our 5.15 and 6.1 kernels enable the prerequisite block device encryption:

CONFIG_BLK_INLINE_ENCRYPTION=y

The 5.10 kernel does not (and therefore can't enable CONFIG_FS_ENCRYPTION_INLINE_CRYPT).
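The dependency described in the comment above can be checked mechanically against a kernel `.config`. The following is an added example, not code from this pull request or from the Bottlerocket project: the function names `kconfig_value` and `fscrypt_audit` are hypothetical, and the sample config fragments are constructed from the states the thread describes rather than taken from real Bottlerocket configs.

```shell
#!/usr/bin/env bash
# Added example: audit a kernel .config for the fscrypt options discussed above.

# Print the value of CONFIG_<name>; "n" when the option is absent or "is not set".
kconfig_value() {
    awk -F= -v key="CONFIG_$2" '$1 == key { v = $2 } END { print (v == "" ? "n" : v) }' "$1"
}

# Print one status word for the config file; return 1 when the result is a problem.
fscrypt_audit() {
    local fs inline blk
    fs=$(kconfig_value "$1" FS_ENCRYPTION)
    inline=$(kconfig_value "$1" FS_ENCRYPTION_INLINE_CRYPT)
    blk=$(kconfig_value "$1" BLK_INLINE_ENCRYPTION)
    if [ "$fs" != y ]; then
        echo "fscrypt-disabled"; return 1
    elif [ "$inline" = y ] && [ "$blk" != y ]; then
        # Inline crypt needs the block-layer prerequisite named in the thread.
        echo "inline-crypt-without-blk-inline-encryption"; return 1
    elif [ "$inline" = y ]; then
        echo "fscrypt-with-inline-crypt"
    else
        echo "fscrypt-software-only"
    fi
}

# Constructed sample fragments (not real Bottlerocket configs), modelled on the thread.
SAMPLES=$(mktemp -d)
printf '%s\n' 'CONFIG_FS_ENCRYPTION=y' '# CONFIG_BLK_INLINE_ENCRYPTION is not set' \
    > "$SAMPLES/like-5.10"
printf '%s\n' '# CONFIG_FS_ENCRYPTION is not set' 'CONFIG_BLK_INLINE_ENCRYPTION=y' \
    > "$SAMPLES/like-5.15-before"
printf '%s\n' 'CONFIG_FS_ENCRYPTION=y' 'CONFIG_FS_ENCRYPTION_ALGS=y' \
    'CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y' 'CONFIG_BLK_INLINE_ENCRYPTION=y' \
    > "$SAMPLES/like-5.15-after"
printf '%s\n' 'CONFIG_FS_ENCRYPTION=y' 'CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y' \
    > "$SAMPLES/hand-edited"

# Report the status of every sample; printf keeps the loop going on problem results.
for f in "$SAMPLES"/*; do
    printf '%-18s %s\n' "${f##*/}" "$(fscrypt_audit "$f")"
done
```

Pointing `fscrypt_audit` at a `.config` from a kernel build tree runs the same check on a real configuration.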

Contributor

@yeazelm yeazelm left a comment

LGTM!

@larvacea larvacea merged commit f4ffaa5 into bottlerocket-os:develop Apr 27, 2024
33 checks passed
@larvacea larvacea deleted the config-fs-encryption branch April 27, 2024 16:15
@ginglis13 ginglis13 mentioned this pull request May 6, 2024
14 tasks