Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rm: linux-disk-encryption: document re-encryption #621

Closed
wants to merge 7 commits into from
Closed

rm: linux-disk-encryption: document re-encryption #621

wants to merge 7 commits into from

Conversation

ldts
Copy link
Contributor

@ldts ldts commented Nov 1, 2023
edited
Loading

Document LUKS2 re-encryption and PKCS#11 emulation.

Readiness

  • Merge (pending reviews)
  • Merge after date or event
  • Draft

Overview

Why merge this PR? What does it solve?

Checklist

Optional. Add a 'x' to steps taken.
You can fill this out after opening the PR. "Did I..."

  • Run spelling and grammar check, preferably with linter.
  • Avoid changing any header associated with a link/reference.
  • Step through instructions (or ask someone to do so).
  • Review for wordiness
  • Match tone and style of page/section.
  • Run make linkcheck.
  • View HTML in a browser to check rendering.
  • Use semantic newlines.
  • follow best practices for commits.
    • Descriptive title written in the imperative.
    • Include brief overview of QA steps taken.
    • Mention any related issues numbers.
    • End message with sign off/DCO line (-s, --signoff).
    • Sign commit with your gpg key (-S, --gpg-sign).
    • Squash commits if needed.
  • Request PR review by a technical writer and at least one peer.

Comments

Any thing else that a maintainer/reviewer should know.
This could include potential issues, rational for approach, etc.

@doanac
Copy link
Member

doanac commented Nov 1, 2023

Docs for 182b37f are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2451/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 1, 2023

Docs for fb9b0c6 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2452/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 1, 2023

Docs for b21768f are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2453/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 1, 2023

Docs for aa0289b are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2454/docs/artifacts/html/index.html

angolini
angolini approved these changes Nov 1, 2023
View reviewed changes
Copy link
Collaborator

@angolini angolini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As always, it's a pleasure to read your texts! I only made a few double-checking and tiny suggestions, but the text is excellent!

source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
@doanac
Copy link
Member

doanac commented Nov 2, 2023

Docs for 9feb2c3 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2458/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 2, 2023

Docs for c84e5d0 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2460/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 2, 2023

Docs for 4430eaf are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2464/docs/artifacts/html/index.html

@ldts
Copy link
Contributor Author

ldts commented Nov 2, 2023

As always, it's a pleasure to read your texts! I only made a few double-checking and tiny suggestions, but the text is excellent!

sorry Diane, this gave me extra motivation to try and do a better job and I reorganized things a bit more. Maybe you can have a look? it is your fault for the encouragement :)

@ldts
rm: linux-disk-encryption: document re-encryption
d375aed 
Document LUKS2 re-encryption and PKCS#11 emulation.

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
Reviewed-by: Daiane Angolini <[email protected]>
@doanac
Copy link
Member

doanac commented Nov 2, 2023

Docs for d375aed are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2465/docs/artifacts/html/index.html

@angolini
Copy link
Collaborator

angolini commented Nov 2, 2023

As always, it's a pleasure to read your texts! I only made a few double-checking and tiny suggestions, but the text is excellent!

sorry Diane, this gave me extra motivation to try and do a better job and I reorganized things a bit more. Maybe you can have a look? it is your fault for the encouragement :)

I will review again and "resolve" everything I think is resolved from my pov ;) I'm glad you got motivated <3

@angolini
Copy link
Collaborator

angolini commented Nov 2, 2023

Great changes! it's a looks great to me ;)

mike-scott
mike-scott reviewed Nov 2, 2023
View reviewed changes
source/reference-manual/linux/linux-disk-encryption.rst

.. note::

If the system is restarted before the non-blocking re-encryption
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ldts Are we 100% sure this is true? We have clients that are using re-encryption and it picks up where it left off and does not block the boot in their case. Did something change here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes 100%.
I am not sure what configuration they might be running but in our case as soon as we enroll the TPM/PKCS11 tokens, we remove the passphrase and initiate the re-encryption.

If the volume is closed without having completed re-encryption, it just cant be opened again. It is easy to prototype locally on any machine (create a file of ~60MB, create an ext4 filesystem, and encrypt it with luks).

but tell me more about the configuration of those clients so I can see how they differ...

Copy link
Contributor Author

@ldts ldts Nov 2, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

um, are you sure about what your clients are reporting??

see this:
https://github.com/foundriesio/meta-lmp/blob/main/meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/cryptfs#L109

with the current code in the baseline, if online reencryption didnt finish and the board reboots we are going to block initramfs until it completes (resume is a blocking call)

having said that, this segment of code seems to succeed at opening ? which is kind of weird...

kprosise
kprosise approved these changes Nov 3, 2023
View reviewed changes
Copy link
Contributor

@kprosise kprosise left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some suggestions, but it LGTM!

source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
source/reference-manual/linux/linux-disk-encryption.rst Outdated Show resolved Hide resolved
@doanac
Copy link
Member

doanac commented Nov 3, 2023

Docs for efb04d2 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2467/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 3, 2023

Docs for 79977a1 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2468/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 3, 2023

Docs for 38c5b50 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2469/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 3, 2023

Docs for 3a71ee8 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2470/docs/artifacts/html/index.html

@doanac
Copy link
Member

doanac commented Nov 3, 2023

Docs for 285b686 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2471/docs/artifacts/html/index.html

@kprosise
Copy link
Contributor

kprosise commented Nov 9, 2023

@ldts whenever you are ready for this to be merged, squash the commits and give me the word!

@ldts
Copy link
Contributor Author

ldts commented Nov 13, 2023

@ldts whenever you are ready for this to be merged, squash the commits and give me the word!

thanks @kprosise just waiting for the final functional review

@doanac
Copy link
Member

doanac commented Dec 19, 2023

Docs for aa10607 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2520/docs/artifacts/html/index.html

@ldts
Copy link
Contributor Author

ldts commented Jan 2, 2024

#639

@ldts ldts closed this Jan 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mike-scott mike-scott mike-scott left review comments

@kprosise kprosise kprosise approved these changes

@angolini angolini angolini approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ldts @doanac @angolini @kprosise @mike-scott