Support encrypted extension images. #38852
Description
Component
systemd-sysext
Is your feature request related to a problem? Please describe
Note
This issue mentions sysext only, but means both sysext and confext.
Currently, systemd-sysext fails to merge DDI extension images with a LUKS-encrypted partition:
# systemd-sysext merge
Failed to read metadata for image some: Protocol driver not attached
Also, systemd-dissect fails to mount such DDIs:
# systemd-dissect --mount /tmp/some.sysext.raw /tmp/mnt
🔐 Please enter image passphrase:
This is especially useful for activating extension images bound to the intended device's TPM, available since #28519
Script to reproduce: encrypted-extimg-tpm.sh
Describe the solution you'd like
systemd-dissect and systemd-sysext both should automatically attempt to decrypt extension images with TPM-bound LUKS encryption. It's acceptable if they aren't capable of working on setups that require additional user interaction such as entering a PIN.
Describe alternatives you've considered
No response
The systemd version you checked that didn't have the feature you are asking for
257.7
TODO
- Implement support for dissecting extension images with an encrypted partition. (Enable dissecting encrypted extension images #38854)
- Add recommendations for DDIs with encrypted partitions DDI: Add recomendation for LUKS encrypted partitions uapi-group/specifications#164
- Add support for encrypted DDIs to
systemd-repart(requested here)