@@ -73,6 +73,9 @@ reencrypt_existing_partition() {
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
+
+ CRYPTSETUP_PARAMS="--reduce-device-size ${reduce_device_size}k"
+
case $partition_fstype in
ext*)
# reduce the filesystem and partition by 32M to fit the LUKS header
@@ -91,14 +94,25 @@ reencrypt_existing_partition() {
squashfs|swap|erofs|"")
[ "$debug" = "y" ] && echo "skip disk resize as it is not supported or unnecessary for fstype: '$partition_fstype'"
;;
+ luks)
+ # Check if reencrypt was aborted
+ if /usr/sbin/cryptsetup luksDump --batch-mode "$1" \
+ | grep -q "online-reencrypt-v2"; then
+ /usr/sbin/cryptsetup repair --batch-mode "$1" < "$2" || \
+ panic "cryptsetup repair was not successful"
+ fi
+
+ # already luks partition, don't resize
+ CRYPTSETUP_PARAMS=""
+ ;;
*)
panic "cannot resize partition, unsupported fstype: '$partition_fstype'"
;;
esac
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
- /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+ /usr/sbin/cryptsetup-reencrypt --new ${CRYPTSETUP_PARAMS} "$1" < "$2"
else
- /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2"
+ /usr/sbin/cryptsetup reencrypt --encrypt ${CRYPTSETUP_PARAMS} "$1" < "$2"
fi
}
@@ -248,11 +262,17 @@ for partition_set in $partition_sets; do
fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
- | grep -q "luks2"; then
+ | grep -q "systemd-tpm2\|clevis"; then
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
continue
fi
+ # If partition contains an aborted reencrypt luks header, switch to reencrypt mode:
+ if /usr/sbin/cryptsetup luksDump --batch-mode "${part_device}" \
+ | grep -q "online-reencrypt-v2"; then
+ partition_format="reencrypt"
+ fi
+
# service watchdog in the background during lengthy re-encryption
if [ -z "$watchdog_pid" ]; then
service_watchdog &
Integrate detection and recovery of power failures while a partition is being encrypted. There are possible scenarios: 1. Power-fail happens while the partition is reencrypted: - The LUKS header contains `online-reencrypt-v2` and needs to be repaired with `cryptsetup repair` before it can continue. - Also no resizing of the file system is necessary 2. Power-fail happens before the systemd-tpm2/clevis token can be installed - The LUKS header does not contain 'systemd-tpm2'/'clevis', thus it needs to be registered and the temporary encryption key needs to be removed The list of these scenarios is not complete, there might be other instances where a sudden power-fail could be fatal to the system, but these where the most obvious and risky ones. Signed-off-by: Claudius Heine <ch@denx.de> --- .../initramfs-crypt-hook/files/local-top-complete | 26 +++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-)