kubic-project / issues

Repository for storing issues and feature planning for Kubic

LUKS+TPM: separate /boot partition is mounted rw + broken transactional-update #17

Closed awoimbee closed 2 years ago

awoimbee commented 2 years ago

What I'm trying to achieve

Hi, I would like to run Kubic nodes in environments where disk encryption is required, but nodes should be able to reboot by themselves (so no password prompt). The solution seems to be disk encryption with auto unlocking using LUKS2+TPM2 (https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2#Unencrypted_boot_partition).

The issues

My setup

Here is my current partitioning setup:

localhost:~ # lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sr0            11:0    1    2G  0 rom
sr1            11:1    1  350K  0 rom
vda           253:0    0   60G  0 disk
├─vda1        253:1    0    8M  0 part
├─vda2        253:2    0    1G  0 part  /boot/writable
│                                       /boot
└─vda3        253:3    0   59G  0 part
  └─cr_vda3   254:0    0   59G  0 crypt
    ├─vg0-lv0 254:1    0   20G  0 lvm   /srv
    │                                   /opt
    │                                   /usr/local
    │                                   /.snapshots
    │                                   /home
    │                                   /root
    │                                   /
    └─vg0-lv1 254:2    0   39G  0 lvm   /var/lib/containers/storage/btrfs
                                        /var
transactional update # lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sr0            11:0    1    2G  0 rom
sr1            11:1    1  350K  0 rom
vda           253:0    0   60G  0 disk
├─vda1        253:1    0    8M  0 part
├─vda2        253:2    0    1G  0 part  /boot/writable
└─vda3        253:3    0   59G  0 part
  └─cr_vda3   254:0    0   59G  0 crypt
    ├─vg0-lv0 254:1    0   20G  0 lvm   /.snapshots
    │                                   /root
    │                                   /opt
    │                                   /
    └─vg0-lv1 254:2    0   39G  0 lvm   /var/cache
                                        /var/lib/selinux
                                        /var/lib/alternatives
                                        /var/lib/ca-certificates
                                        /var/lib/zypp
                                        /var/log


laenion commented 2 years ago

/boot is not expected to be a separate mount point at this time, but you should be able to add it as a required bind mount in /etc/tukit.conf (see /usr/etc/tukit.conf for an example).

awoimbee commented 2 years ago

Thanks, it works perfectly, I used this command: (cat /usr/etc/tukit.conf && printf 'BINDDIRS[1]="/boot"\n') > /etc/tukit.conf.

I also enabled multiversion kernel since I don't have snapshots of /boot anymore: sed -i -E 's|#?(multiversion ?=)|\1 provides:multiversion(kernel)|' /etc/zypp/zypp.conf.

-> Small issue with /etc/zypp/zypp.conf after a fresh install: extra (duplicate) multiversion= right above this line.

multiversion=
multiversion.kernels = latest,latest-1,running
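As an added example (not code from the thread or from the Kubic project), the two steps above as a small idempotent shell helper: it seeds /etc/tukit.conf from the vendor file, appends a BINDDIRS entry at the next free index only if the directory is not already registered, and flips the zypp multiversion setting. It assumes the BINDDIRS[N]="/path" line format shown above and GNU sed; file paths are parameters so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the kubic-project thread: register a directory as a
# required tukit bind mount and enable multiversion kernels. Assumes the
# BINDDIRS[N]="/path" format used in the thread and GNU sed (-i without suffix).

# add_binddir CONF TEMPLATE DIR
#   CONF      file to edit (the thread uses /etc/tukit.conf)
#   TEMPLATE  vendor file to seed CONF from if it is missing (/usr/etc/tukit.conf)
#   DIR       directory to bind into the snapshot (e.g. /boot)
# Prints the index used, or "exists" if DIR is already an active entry.
add_binddir() {
    conf=$1; template=$2; dir=$3
    # Seed the /etc copy from the vendor template, like the thread's cat > command.
    [ -f "$conf" ] || cp "$template" "$conf"
    # An uncommented entry for DIR already present? Adding a second one would
    # bind-mount the directory twice, so report and leave the file untouched.
    if grep -Eq "^[[:space:]]*BINDDIRS\[[0-9]+\]=\"$dir\"[[:space:]]*$" "$conf"; then
        echo exists
        return 0
    fi
    # Highest index currently in use; commented examples (#BINDDIRS[...]) are
    # ignored because the leading # stops the ^[[:space:]]* anchor from matching.
    max=$(sed -nE 's/^[[:space:]]*BINDDIRS\[([0-9]+)\]=.*/\1/p' "$conf" | sort -n | tail -n 1)
    next=$(( ${max:--1} + 1 ))
    printf 'BINDDIRS[%d]="%s"\n' "$next" "$dir" >> "$conf"
    echo "$next"
}

# enable_multiversion_kernel ZYPPCONF
#   Set every (possibly commented-out) multiversion= line to the kernel provider,
#   as the thread's sed does. -i and -E are separate flags on purpose: GNU sed
#   reads a fused -iE as "-i with backup suffix E" and then parses the regex as
#   BRE, where the (...) group does not exist and \1 is rejected.
enable_multiversion_kernel() {
    sed -i -E 's|^#?(multiversion) ?= ?.*|\1 = provides:multiversion(kernel)|' "$1"
}
```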