Support encrypted extension images.

[frederictobiasc]

Component

systemd-sysext

Is your feature request related to a problem? Please describe

Note

This issue mentions sysext only, but means both sysext and confext.

Currently, systemd-sysext fails to merge DDI extension images with a LUKS-encrypted partition:

# systemd-sysext merge
Failed to read metadata for image some: Protocol driver not attached

Also, systemd-dissect fails to mount such DDIs:

# systemd-dissect --mount /tmp/some.sysext.raw /tmp/mnt
🔐 Please enter image passphrase: 

This is especially useful for activating extension images bound to the intended device's TPM, available since #28519

Script to reproduce: encrypted-extimg-tpm.sh

Describe the solution you'd like

systemd-dissect and systemd-sysext both should automatically attempt to decrypt extension images with TPM-bound LUKS encryption. It's acceptable if they aren't capable of working on setups that require additional user interaction such as entering a PIN.

Describe alternatives you've considered

No response

The systemd version you checked that didn't have the feature you are asking for

257.7

TODO

• Implement support for dissecting extension images with an encrypted partition. (Enable dissecting encrypted extension images #38854)
• Add recommendations for DDIs with encrypted partitions DDI: Add recomendation for LUKS encrypted partitions uapi-group/specifications#164
• Add support for encrypted DDIs to systemd-repart (requested here)
• Add dissection policies (see comment) for partitions with
  • encryption with verity
  • encryption with signed verity

[frederictobiasc]

There is an entry in TODO referencing the feature described in this issue.

systemd/TODO

Lines 1288 to 1298 in 9ce0fbb

	* add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
	an encrypted image on some host given a public key belonging to a specific
	other host, so that only hosts possessing the private key in the TPM2 chip
	can decrypt the volume key and activate the volume. Use case: systemd-confext
	for a central orchestrator to generate confext images securely that can only
	be activated on one specific host (which can be used for installing a bunch
	of creds in /etc/credstore/ for example). Extending on this: allow binding
	LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
	prepare a confext image that can only be activated on a specific host that
	runs a specific software in a specific time window. confext would be
	automatically invalidated outside of it.