Message ID | 20240715093424.632716-1-stefan-koch@siemens.com (mailing list archive) |
---|---|
State | New |
Series | None |
Hi, On 7/15/24 11:34 AM, Stefan Koch wrote: > - Avoids using a busybox losetup executable that > doesn't support the "--sizelimit" parameter > - The "--sizelimit" parameter is needed for introducing > speed-up of disk reencryption with the following commit > > Signed-off-by: Stefan Koch <stefan-koch@siemens.com> > --- > .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 + > .../files/encrypt_partition.systemd.hook | 4 ++++ > .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb | 5 ++++- > 3 files changed, 9 insertions(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > index bb93361..72033d1 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" > HASH_TYPE="${CRYPT_HASH_TYPE}" > KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" > ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" > +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}" Why do we need a variable at this point? Please drop that variable and install always the full losetup. Quirin > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > index be8c117..2ace533 100755 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > @@ -19,6 +19,9 @@ esac > > . /usr/share/initramfs-tools/hook-functions > > +# get configuration variables > +. /usr/share/encrypt_partition/encrypt_partition.env > + > hook_error() { > echo "(ERROR): $1" >&2 > exit 1 
> @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" > copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" > copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" > copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" > +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found" > copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" > copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" > copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb > index 72de5b6..1679133 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb > @@ -9,7 +9,7 @@ > # SPDX-License-Identifier: MIT > > inherit dpkg-raw > -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ > +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \ > awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ > libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ > e2fsprogs, tpm2-tools, coreutils, uuid-runtime" > @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" > # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem > # in a newly formatted LUKS Partition > CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" > +# Path to full (non-busybox) losetup binary > +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" > # Timeout for creating / re-encrypting partitions on first boot > CRYPT_SETUP_TIMEOUT ??= "600" > # Watchdog to service during the initial setup of the crypto partitions 
> @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" > > TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ > CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ > + CRYPT_LOSETUP_PATH \ > CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" > TEMPLATE_FILES = "encrypt_partition.env.tmpl" >
Hi, On 7/15/24 11:34 AM, Stefan Koch wrote: > - Avoids using a busybox losetup executable that > doesn't support the "--sizelimit" parameter > - The "--sizelimit" parameter is needed for introducing > speed-up of disk reencryption with the following commit > > Signed-off-by: Stefan Koch <stefan-koch@siemens.com> > --- > .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 + > .../files/encrypt_partition.systemd.hook | 4 ++++ > .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb | 5 ++++- > 3 files changed, 9 insertions(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > index bb93361..72033d1 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" > HASH_TYPE="${CRYPT_HASH_TYPE}" > KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" > ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" > +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}" Why do we need a variable at this point? If there is no reason please drop that variable and use always the full losetup. Quirin > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > index be8c117..2ace533 100755 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > @@ -19,6 +19,9 @@ esac > > . /usr/share/initramfs-tools/hook-functions > > +# get configuration variables > +. /usr/share/encrypt_partition/encrypt_partition.env > + > hook_error() { > echo "(ERROR): $1" >&2 > exit 1 
> @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" > copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" > copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" > copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" > +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found" > copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" > copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" > copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb > index 72de5b6..1679133 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb > @@ -9,7 +9,7 @@ > # SPDX-License-Identifier: MIT > > inherit dpkg-raw > -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ > +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \ > awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ > libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ > e2fsprogs, tpm2-tools, coreutils, uuid-runtime" > @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" > # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem > # in a newly formatted LUKS Partition > CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" > +# Path to full (non-busybox) losetup binary > +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" > # Timeout for creating / re-encrypting partitions on first boot > CRYPT_SETUP_TIMEOUT ??= "600" > # Watchdog to service during the initial setup of the crypto partitions 
> @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" > > TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ > CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ > + CRYPT_LOSETUP_PATH \ > CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" > TEMPLATE_FILES = "encrypt_partition.env.tmpl" >
On Mon, 2024-07-15 at 13:01 +0200, Gylstorff Quirin wrote: > Hi, > > On 7/15/24 11:34 AM, Stefan Koch wrote: > > - Avoids using a busybox losetup executable that > > doesn't support the "--sizelimit" parameter > > - The "--sizelimit" parameter is needed for introducing > > speed-up of disk reencryption with the following commit > > > > Signed-off-by: Stefan Koch <stefan-koch@siemens.com> > > --- > > .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 > > + > > .../files/encrypt_partition.systemd.hook | 4 > > ++++ > > .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb | 5 > > ++++- > > 3 files changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.env.tmpl b/recipes- > > initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > > index bb93361..72033d1 100644 > > --- a/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.env.tmpl > > +++ b/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.env.tmpl > > @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" > > HASH_TYPE="${CRYPT_HASH_TYPE}" > > KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" > > ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" > > +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}" > Why do we need a variable at this point? > > If there is no reason please drop that variable and use always the > full > losetup. When removing it here, we need to hardcode the path /usr/local/sbin/losetup three times within encrypt_partition.script and once within encrypt_partition.systemd.hook > > Quirin > > diff --git a/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.systemd.hook b/recipes- > > initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook > > index be8c117..2ace533 100755 > > --- a/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.systemd.hook > > +++ b/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.systemd.hook 
> > @@ -19,6 +19,9 @@ esac > > > > . /usr/share/initramfs-tools/hook-functions > > > > +# get configuration variables > > +. /usr/share/encrypt_partition/encrypt_partition.env > > + > > hook_error() { > > echo "(ERROR): $1" >&2 > > exit 1 > > @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error > > "/usr/bin/sleep not found" > > copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not > > found" > > copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs > > not found" > > copy_exec /usr/sbin/cryptsetup || hook_error > > "/usr/sbin/cryptsetup not found" > > +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error > > "/usr/sbin/losetup not found" > copy_exec /usr/bin/systemd- > > cryptenroll || hook_error > "/usr/bin/systemd-cryptenroll not found" > > copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error > > "/usr/lib/systemd/systemd-cryptsetup not found" > > copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy > > /usr/bin/tpm2_pcrread" > > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs- > > crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt- > > hook/initramfs-crypt-hook_0.2.bb > > index 72de5b6..1679133 100644 > > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > > hook_0.2.bb > > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > > hook_0.2.bb > > @@ -9,7 +9,7 @@ > > # SPDX-License-Identifier: MIT > > > > inherit dpkg-raw > > -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ > > +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \ > > awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ > > libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ > > e2fsprogs, tpm2-tools, coreutils, uuid-runtime" 
> > @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt > > var:/var:reencrypt" > > # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to > > create the filesystem > > # in a newly formatted LUKS Partition > > CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" > > +# Path to full (non-busybox) losetup binary > > +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" > > # Timeout for creating / re-encrypting partitions on first boot > > CRYPT_SETUP_TIMEOUT ??= "600" > > # Watchdog to service during the initial setup of the crypto > > partitions > > @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" > > > > TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ > > CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE > > \ > > + CRYPT_LOSETUP_PATH \ > > CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" > > TEMPLATE_FILES = "encrypt_partition.env.tmpl" > >
On 7/15/24 2:00 PM, Koch, Stefan (DI PA DCP R&D 3) wrote: > On Mon, 2024-07-15 at 13:01 +0200, Gylstorff Quirin wrote: >> Hi, >> >> On 7/15/24 11:34 AM, Stefan Koch wrote: >>> - Avoids using a busybox losetup executable that >>> doesn't support the "--sizelimit" parameter >>> - The "--sizelimit" parameter is needed for introducing >>> speed-up of disk reencryption with the following commit >>> >>> Signed-off-by: Stefan Koch <stefan-koch@siemens.com> >>> --- >>> .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 >>> + >>> .../files/encrypt_partition.systemd.hook | 4 >>> ++++ >>> .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb | 5 >>> ++++- >>> 3 files changed, 9 insertions(+), 1 deletion(-) >>> >>> diff --git a/recipes-initramfs/initramfs-crypt- >>> hook/files/encrypt_partition.env.tmpl b/recipes- >>> initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl >>> index bb93361..72033d1 100644 >>> --- a/recipes-initramfs/initramfs-crypt- >>> hook/files/encrypt_partition.env.tmpl >>> +++ b/recipes-initramfs/initramfs-crypt- >>> hook/files/encrypt_partition.env.tmpl >>> @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" >>> HASH_TYPE="${CRYPT_HASH_TYPE}" >>> KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" >>> ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" >>> +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}" >> Why do we need a variable at this point? >> >> If there is no reason please drop that variable and use always the >> full >> losetup. > When remove it here, we need to hardcode the path > /usr/local/sbin/losetup three times within encrypt_partition.script and > once within encrypt_partition.systemd.hook Then make it an internal variable of the scripts; there is no need to set it with the template mechanism, which is intended to be modified by downstream. And it does not need to be added in the hook. >> >> Quirin 
>>> diff --git a/recipes-initramfs/initramfs-crypt- >>> hook/files/encrypt_partition.systemd.hook b/recipes- >>> initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook >>> index be8c117..2ace533 100755 >>> --- a/recipes-initramfs/initramfs-crypt- >>> hook/files/encrypt_partition.systemd.hook >>> +++ b/recipes-initramfs/initramfs-crypt- >>> hook/files/encrypt_partition.systemd.hook >>> @@ -19,6 +19,9 @@ esac >>> >>> . /usr/share/initramfs-tools/hook-functions >>> >>> +# get configuration variables >>> +. /usr/share/encrypt_partition/encrypt_partition.env >>> + >>> hook_error() { >>> echo "(ERROR): $1" >&2 >>> exit 1 >>> @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error >>> "/usr/bin/sleep not found" >>> copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not >>> found" >>> copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs >>> not found" >>> copy_exec /usr/sbin/cryptsetup || hook_error >>> "/usr/sbin/cryptsetup not found" >>> +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error >>> "/usr/sbin/losetup not found" > copy_exec /usr/bin/systemd- >>> cryptenroll || hook_error This is unnecessary, please remove LOSETUP from here. Also it needs to be added to the clevis hook. The syntax is `copy_exec <binary_name> || hook_error`. Quirin >> "/usr/bin/systemd-cryptenroll not found" >>> copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error >>> "/usr/lib/systemd/systemd-cryptsetup not found" >>> copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy >>> /usr/bin/tpm2_pcrread" >>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs- >>> crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt- >>> hook/initramfs-crypt-hook_0.2.bb >>> index 72de5b6..1679133 100644 >>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >>> hook_0.2.bb >>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >>> hook_0.2.bb 
>>> @@ -9,7 +9,7 @@ >>> # SPDX-License-Identifier: MIT >>> >>> inherit dpkg-raw >>> -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ >>> +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \ >>> awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ >>> libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ >>> e2fsprogs, tpm2-tools, coreutils, uuid-runtime" >>> @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt >>> var:/var:reencrypt" >>> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to >>> create the filesystem >>> # in a newly formatted LUKS Partition >>> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" >>> +# Path to full (non-busybox) losetup binary >>> +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" >>> # Timeout for creating / re-encrypting partitions on first boot >>> CRYPT_SETUP_TIMEOUT ??= "600" >>> # Watchdog to service during the initial setup of the crypto >>> partitions >>> @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" >>> >>> TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ >>> CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE >>> \ >>> + CRYPT_LOSETUP_PATH \ >>> CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" >>> TEMPLATE_FILES = "encrypt_partition.env.tmpl" >>> >
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index bb93361..72033d1 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" HASH_TYPE="${CRYPT_HASH_TYPE}" KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}" ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}" +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index be8c117..2ace533 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook @@ -19,6 +19,9 @@ esac . /usr/share/initramfs-tools/hook-functions +# get configuration variables +. /usr/share/encrypt_partition/encrypt_partition.env + hook_error() { echo "(ERROR): $1" >&2 exit 1 @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found" copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb index 72de5b6..1679133 100644 
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb @@ -9,7 +9,7 @@ # SPDX-License-Identifier: MIT inherit dpkg-raw -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \ awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ e2fsprogs, tpm2-tools, coreutils, uuid-runtime" @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem # in a newly formatted LUKS Partition CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" +# Path to full (non-busybox) losetup binary +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup" # Timeout for creating / re-encrypting partitions on first boot CRYPT_SETUP_TIMEOUT ??= "600" # Watchdog to service during the initial setup of the crypto partitions @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false" TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ + CRYPT_LOSETUP_PATH \ CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES = "encrypt_partition.env.tmpl"
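Review bot: in the encrypt_partition.env.tmpl hunk (@@ -5,3 +5,4), LOSETUP_PATH is a template-generated setting whose only purpose is to be read back by the hook, and the thread already concludes the value should not be downstream-configurable; if it stays, document next to it that it must match the path the reencryption script executes, since a downstream override of one without the other leaves the script running a different losetup than the one the hook installed.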
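Review bot: in the encrypt_partition.systemd.hook hunk (@@ -19,6 +19,9), `. /usr/share/encrypt_partition/encrypt_partition.env` runs before hook_error is defined, so a missing or unreadable env file aborts the hook on the `.` line (a non-interactive dash exits there) with no "(ERROR):" line, and the file is only sourced to obtain LOSETUP_PATH, which the thread proposes to drop. Either remove the `.` line together with the variable, or move it below hook_error and guard it with `[ -r /usr/share/encrypt_partition/encrypt_partition.env ] || hook_error "..."`.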
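Review bot: in the @@ -47,6 +50,7 hunk, `copy_exec /usr/sbin/losetup "$LOSETUP_PATH"` relies on copy_exec's optional second argument (the destination inside the initramfs) without saying why, breaks the `copy_exec <binary> || hook_error` form every other line in this block uses, and the error string still names /usr/sbin/losetup although the failure can just as well be the destination. If the point is to keep the util-linux losetup from being shadowed by the busybox applet, state that in a comment, hard-code the destination as proposed in the thread, and add the same copy_exec line to the clevis hook so both hooks ship the same losetup.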
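Review bot: in the initramfs-crypt-hook_0.2.bb hunk (@@ -9,7 +9,7), adding `mount` to DEBIAN_DEPENDS is what provides /usr/sbin/losetup at hook time (Debian ships losetup in the mount package), but nothing in the recipe ties the dependency to the hard-coded path; a short comment that losetup comes from mount, and that the /usr/sbin path assumes a merged-/usr target, would keep the two from drifting apart.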
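Review bot: in the @@ -57,6 +57,8 hunk, the comment "Path to full (non-busybox) losetup binary" describes CRYPT_LOSETUP_PATH as where the binary lives, but the hook copies /usr/sbin/losetup *to* this path inside the initramfs, so it is an install destination, not a source, and /usr/local/sbin/losetup does not need to exist on the build host. Either correct the comment to say so, or, as the thread suggests, keep the value as a script-internal variable and drop it from the recipe entirely.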
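Review bot: the @@ -68,6 +70,7 hunk adding CRYPT_LOSETUP_PATH to TEMPLATE_VARS is only needed while the path remains a recipe variable; if it becomes script-internal as agreed in the thread, drop this hunk with it so the template does not advertise a knob that downstream layers are not expected to set.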
- Avoids using a busybox losetup executable that
  doesn't support the "--sizelimit" parameter
- The "--sizelimit" parameter is needed for introducing
  speed-up of disk reencryption with the following commit

Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 +
 .../files/encrypt_partition.systemd.hook                  | 4 ++++
 .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb      | 5 ++++-
 3 files changed, 9 insertions(+), 1 deletion(-)
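The commit message above rests on one runtime fact: the busybox losetup applet lacks `--sizelimit`, while the util-linux one installed to /usr/local/sbin has it. The following is an added example, not code from the patch or from the project, showing how a first-boot script can verify that fact before starting reencryption instead of failing inside cryptsetup; it assumes only POSIX sh and grep, and the two fake losetup scripts it writes are constructed stand-ins for the busybox and util-linux usage texts.

```shell
#!/bin/sh
# Added example: probe candidate losetup binaries for --sizelimit support
# and pick the first one that has it, so a script can fail early and
# clearly when only the busybox applet is present in the initramfs.

# Returns 0 if the executable at $1 advertises --sizelimit in its usage text.
losetup_supports_sizelimit() {
    [ -x "$1" ] || return 1
    # Both flavours print usage on --help, but busybox may exit non-zero;
    # the pipeline makes grep's status the result, so only the text counts.
    "$1" --help 2>&1 | grep -q -e '--sizelimit'
}

# Prints the first candidate (in argument order) that supports --sizelimit.
# Order mirrors the patch: the full binary copied to /usr/local/sbin is
# tried before whatever "losetup" resolves to on PATH.
find_sizelimit_losetup() {
    for candidate in "$@"; do
        if losetup_supports_sizelimit "$candidate"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed stand-ins so the example runs offline: $1 = path to create,
# $2 = "full" (util-linux-style help) or "busybox" (applet-style help).
make_fake_losetup() {
    if [ "$2" = full ]; then
        printf '%s\n' '#!/bin/sh' \
            'echo "Usage: losetup [options]"' \
            'echo " --sizelimit <num>  device is limited to <num> bytes"' > "$1"
    else
        printf '%s\n' '#!/bin/sh' \
            'echo "Usage: losetup [-rP] [-o OFS] LOOPDEV FILE"' 'exit 1' > "$1"
    fi
    chmod +x "$1"
}

# Demo: a busybox-style losetup first on the list is skipped in favour of
# the full one; with no usable candidate the function fails loudly.
demo() {
    tmp=$(mktemp -d)
    make_fake_losetup "$tmp/losetup.busybox" busybox
    make_fake_losetup "$tmp/losetup.full" full
    if found=$(find_sizelimit_losetup "$tmp/losetup.busybox" "$tmp/losetup.full"); then
        echo "using $found"
    else
        echo "no losetup with --sizelimit support found" >&2
    fi
    rm -rf "$tmp"
}

demo
```

On a real target the candidate list would be `/usr/local/sbin/losetup` followed by `$(command -v losetup)`, and a non-zero return from find_sizelimit_losetup is the point at which to abort the reencryption step with a clear message.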