Closed as not planned
Description
The configuration name boot_device does suggest that the boot partition is encrypted. But it is not.
Example:

```yaml
variant: fcos
version: 1.5.0
boot_device:
  luks:
    tpm2: true
```
produces the following ignition file with butane
```json
{
  "ignition": {
    "version": "3.4.0"
  },
  "storage": {
    "filesystems": [
      {
        "device": "/dev/mapper/root",
        "format": "xfs",
        "label": "root",
        "wipeFilesystem": true
      }
    ],
    "luks": [
      {
        "clevis": {
          "tpm2": true
        },
        "device": "/dev/disk/by-partlabel/root",
        "label": "luks-root",
        "name": "root",
        "wipeVolume": true
      }
    ]
  }
}
```
and after ignition and boot one can check the encryption status of the disk via
```
Fedora CoreOS 37.20230401.3.0
[core@localhost ~]$ lsblk
NAME     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sr0       11:0    1 1024M  0 rom
vda      252:0    0   10G  0 disk
├─vda1   252:1    0    1M  0 part
├─vda2   252:2    0  127M  0 part
├─vda3   252:3    0  384M  0 part  /boot
└─vda4   252:4    0  9.5G  0 part
  └─root 253:0    0  9.5G  0 crypt /var
                                   /sysroot/ostree/deploy/fedora-coreos/var
                                   /usr
                                   /etc
                                   /
                                   /sysroot
```
which gives back that only vda4/root is of type crypt.
Further, the luksDump shows the same via

```
sudo cryptsetup luksDump /dev/vda2
Device /dev/vda2 is not a valid LUKS device.
```
Furthermore,

```
[core@localhost ~]$ blkid /dev/vda3
/dev/vda3: LABEL="boot" UUID="506be212-354f-46d5-9c66-ee494d7c17a5" BLOCK_SIZE="1024" TYPE="ext4" PARTLABEL="boot" PARTUUID="d5f8aec0-3897-4e39-904b-3ebda6def530"
```

shows that vda3 is the boot partition but the TYPE is not crypto_LUKS, as I would have expected from the naming of the configuration option.
It should then be called root_device or so.
Overall, if this does not encrypt the boot partition how can one then achieve encryption of the boot partition with an ignition file?
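As an added example (not from the issue or the Butane project), the following Python script generalizes the lsblk reading above into a post-boot check: it parses `lsblk -J -o NAME,TYPE,MOUNTPOINTS` output and reports which expected mountpoints are not backed by a dm-crypt device. The embedded sample is constructed to mirror the tree in the report, and the live query assumes a util-linux lsblk that supports the MOUNTPOINTS column.

```python
import json
import subprocess

# Constructed sample mirroring the lsblk tree in the report above (not captured output).
SAMPLE_LSBLK_JSON = json.dumps({
    "blockdevices": [
        {"name": "vda", "type": "disk", "mountpoints": [None], "children": [
            {"name": "vda1", "type": "part", "mountpoints": [None]},
            {"name": "vda2", "type": "part", "mountpoints": [None]},
            {"name": "vda3", "type": "part", "mountpoints": ["/boot"]},
            {"name": "vda4", "type": "part", "mountpoints": [None], "children": [
                {"name": "root", "type": "crypt",
                 "mountpoints": ["/var", "/sysroot/ostree/deploy/fedora-coreos/var",
                                 "/usr", "/etc", "/", "/sysroot"]},
            ]},
        ]},
    ]
})


def encryption_by_mountpoint(lsblk_json: str) -> dict:
    """Map each mountpoint to True if it, or any ancestor device, is a dm-crypt device."""
    result = {}

    def walk(dev, under_crypt):
        # A mountpoint counts as encrypted once any device on its path is of type "crypt".
        under_crypt = under_crypt or dev.get("type") == "crypt"
        for mp in dev.get("mountpoints") or []:
            if mp:
                result[mp] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted(lsblk_json: str, expected=("/", "/boot")) -> list:
    """Return the expected mountpoints that are not backed by an encrypted device."""
    status = encryption_by_mountpoint(lsblk_json)
    return [mp for mp in expected if not status.get(mp, False)]


def live_lsblk_json() -> str:
    """Query the running system (assumes lsblk with the MOUNTPOINTS column)."""
    return subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINTS"], text=True)


if __name__ == "__main__":
    print(unencrypted(SAMPLE_LSBLK_JSON))  # ['/boot']
```

Replace `SAMPLE_LSBLK_JSON` with `live_lsblk_json()` to check a booted node; with the configuration from the report, only `/boot` is flagged.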