Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

install: Add support for LUKS #75

Merged
merged 2 commits into from Mar 16, 2023
Merged

install: Add support for LUKS #75

merged 2 commits into from Mar 16, 2023

Conversation

cgwalters
Copy link
Collaborator

install: Drop impl Default for Filesystem

We require this to be configured externally now.

install: Add support for LUKS

This currently requires systemd 253 for
systemd/systemd@03f36e9

@cgwalters
install: Drop impl Default for Filesystem
83d144a 
We require this to be configured externally now.

Signed-off-by: Colin Walters <walters@verbum.org>
@cgwalters
Copy link
Collaborator Author

One thing I'm a bit uncertain about here is that while systemd-cryptenroll is a much nicer replacement for the bash scripts in https://github.com/latchset/clevis it doesn't scope in NBDE/Tang like clevis either. With my RHEL-families hat on it seems almost certain at least some images will need to support that.

Maybe one thing we end up doing with the install code is having things be more explicitly pluggable, so "tpm2-luks" can be backed by either systemd-cryptenroll or clevis. It's probably not too hard to also add clevis support and then make this another install config option.

@cgwalters cgwalters marked this pull request as draft March 14, 2023 00:27
@cgwalters
install: Add support for LUKS
b8f2b6d 
This currently requires systemd 253 for
systemd/systemd@03f36e9

Signed-off-by: Colin Walters <walters@verbum.org>
@cgwalters
Copy link
Collaborator Author

cgwalters commented Mar 14, 2023
edited

This installs but fails to boot, looks like the systemd-cryptsetup-generator is refusing to mount because it wants a keyfile or pin. Tried also injecting luks.options=tpm2-device=auto but no luck. Going to need to debug the cryptsetup generator I guess.

cgwalters added a commit to cgwalters/bootc-demo-base-images that referenced this pull request Mar 15, 2023
@cgwalters
system-configuration: Enable tpm2 in initramfs
ff46f76 
Needed for containers/bootc#75
@cgwalters
Copy link
Collaborator Author

OK this needed cgwalters/bootc-demo-base-images@ff46f76

@cgwalters cgwalters marked this pull request as ready for review March 15, 2023 11:45
jmarrero
jmarrero approved these changes Mar 16, 2023
View reviewed changes
Copy link
Member

@jmarrero jmarrero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@jmarrero jmarrero merged commit 7873787 into containers:main Mar 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmarrero jmarrero jmarrero approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cgwalters @jmarrero