Message ID | 20250226095921.168962-4-ch@denx.de (mailing list archive) |
---|---|
State | New |
Series | Initramfs-crypt-hook patches, encryption on update |
On 26.02.25 10:59, Claudius Heine wrote: > In the 'format' case the `$partition` variable is used instead of > `$part_device`, which is likely an error, because all other cases use > `$part_device`. > > `$part_device` is the real path to the block device, while `$partition` > is the 'name' of the partition in the `$PARITIONS` variable, as defined > in the recipe. > > This fixes an inconsistency, it shouldn't be a bug here, but could > result in bugs when this script is adapted in product layers, etc. > > Signed-off-by: Claudius Heine <ch@denx.de> > --- > recipes-initramfs/initramfs-crypt-hook/files/local-top-complete | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete > index f1aa0d7..b907ea7 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete > +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete > @@ -254,7 +254,7 @@ for partition_set in $partition_sets; do > "format") > log_begin_msg "Encryption of ${part_device}" > /usr/sbin/cryptsetup luksFormat --batch-mode \ > - --type luks2 "$partition" < "$tmp_key" > + --type luks2 "$part_device" < "$tmp_key" > enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" > open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" > eval "${create_file_system_cmd} ${decrypted_part}" This goes back to commit 98974a68ab9b, and there it is stated: + # clevis does not work with links in /dev/disk* + part_device=$(readlink -f "$partition") So this really looks like a pure consistency cleanup (but a valid one). Right, Quirin? Jan
On 2/27/25 10:16, Jan Kiszka wrote: > On 26.02.25 10:59, Claudius Heine wrote: >> In the 'format' case the `$partition` variable is used instead of >> `$part_device`, which is likely an error, because all other cases use >> `$part_device`. >> >> `$part_device` is the real path to the block device, while `$partition` >> is the 'name' of the partition in the `$PARITIONS` variable, as defined >> in the recipe. >> >> This fixes an inconsistency, it shouldn't be a bug here, but could >> result in bugs when this script is adapted in product layers, etc. >> >> Signed-off-by: Claudius Heine <ch@denx.de> >> --- >> recipes-initramfs/initramfs-crypt-hook/files/local-top-complete | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete >> index f1aa0d7..b907ea7 100644 >> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete >> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete >> @@ -254,7 +254,7 @@ for partition_set in $partition_sets; do >> "format") >> log_begin_msg "Encryption of ${part_device}" >> /usr/sbin/cryptsetup luksFormat --batch-mode \ >> - --type luks2 "$partition" < "$tmp_key" >> + --type luks2 "$part_device" < "$tmp_key" >> enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" >> open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" >> eval "${create_file_system_cmd} ${decrypted_part}" > > This goes back to commit 98974a68ab9b, and there it is stated: > > + # clevis does not work with links in /dev/disk* > + part_device=$(readlink -f "$partition") > > So this really looks like a pure consistency cleanup (but a valid one). > Right, Quirin? Yes. Quirin > > Jan >
On 26.02.25 10:59, Claudius Heine wrote: > In the 'format' case the `$partition` variable is used instead of > `$part_device`, which is likely an error, because all other cases use > `$part_device`. > > `$part_device` is the real path to the block device, while `$partition` > is the 'name' of the partition in the `$PARITIONS` variable, as defined > in the recipe. > > This fixes an inconsistency, it shouldn't be a bug here, but could > result in bugs when this script is adapted in product layers, etc. > > Signed-off-by: Claudius Heine <ch@denx.de> > --- > recipes-initramfs/initramfs-crypt-hook/files/local-top-complete | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete > index f1aa0d7..b907ea7 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete > +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete > @@ -254,7 +254,7 @@ for partition_set in $partition_sets; do > "format") > log_begin_msg "Encryption of ${part_device}" > /usr/sbin/cryptsetup luksFormat --batch-mode \ > - --type luks2 "$partition" < "$tmp_key" > + --type luks2 "$part_device" < "$tmp_key" > enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" > open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" > eval "${create_file_system_cmd} ${decrypted_part}" Thanks, applied. Jan
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index f1aa0d7..b907ea7 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete @@ -254,7 +254,7 @@ for partition_set in $partition_sets; do "format") log_begin_msg "Encryption of ${part_device}" /usr/sbin/cryptsetup luksFormat --batch-mode \ - --type luks2 "$partition" < "$tmp_key" + --type luks2 "$part_device" < "$tmp_key" enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type" open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" eval "${create_file_system_cmd} ${decrypted_part}"
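Review bot: the `cryptsetup luksFormat --batch-mode` call in the "format" case now receives `"$part_device"`, but nothing visible in this hunk verifies that the variable is non-empty and refers to a block device before the destructive format runs. The reply in this thread quotes `part_device=$(readlink -f "$partition")` from commit 98974a68ab9b; if that resolution ever yields an empty or unexpected path, `--batch-mode` means there is no confirmation prompt to catch it. Consider a guard such as `[ -b "$part_device" ]` with an explicit log message ahead of `luksFormat`, so that product layers adapting this script fail early and clearly. Separately, the unchanged context line `eval "${create_file_system_cmd} ${decrypted_part}"` evaluates two expanded variables as one shell string, which deserves a follow-up look at where `create_file_system_cmd` is set and whether `eval` is needed at all.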
In the 'format' case the `$partition` variable is used instead of `$part_device`, which is likely an error, because all other cases use `$part_device`.

`$part_device` is the real path to the block device, while `$partition` is the 'name' of the partition in the `$PARITIONS` variable, as defined in the recipe.

This fixes an inconsistency, it shouldn't be a bug here, but could result in bugs when this script is adapted in product layers, etc.

Signed-off-by: Claudius Heine <ch@denx.de>
---
recipes-initramfs/initramfs-crypt-hook/files/local-top-complete | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)