
[isar-cip-core,v3,4/9] fix: use luks2 to identify encrypted partition

Message ID 20240425115119.813384-5-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Series Add option to encrypt the rootfs

Commit Message

Quirin Gylstorff April 25, 2024, 11:50 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This fixes an issue with encrypted rootfs during system reboot.
With the token option it can happen that during reboot no
valid LUKS partition is found and the boot up fails in the initrd.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.script         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Felix Moessbauer April 25, 2024, 12:06 p.m. UTC | #1
On Thu, 2024-04-25 at 13:50 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This fixes an issue with encrypted rootfs during system reboot.
> With the token option it can happen that during reboot no
> valid LUKS partition is found and the boot up fails in the initrd.

This is an interesting testcase for the watchdog. Does the kernel
already trigger the watchdog at this initrd stage? Did the system hang
here forever, or did it reboot?

Felix

> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../initramfs-crypt-hook/files/encrypt_partition.script         | 2
> +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> crypt-hook/files/encrypt_partition.script
> index 51c81f3..685d882 100644
> --- a/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-
> hook/files/encrypt_partition.script
> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
>         fi
>  
>         if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> -                       | grep -q "token"; then
> +                       | grep -q "luks2"; then
>                 open_tpm2_partition "$part_device"
> "$crypt_mount_name" "$tpm_device"
>                 continue
>         fi
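Review bot: In the changed condition only the exit status of `grep -q` is tested, so a failing `cryptsetup luksDump` (for example an unreadable header) is indistinguishable from "not LUKS2" and the loop falls through to whatever follows the `fi`. Since the commit message describes a reboot where no valid LUKS partition was found, consider capturing the dump first and treating a luksDump error as a hard failure instead of a non-match, e.g. `dump=$(/usr/sbin/cryptsetup luksDump --batch-mode "$partition") || <handle error>`, and then grep the captured text.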
Quirin Gylstorff April 25, 2024, 12:08 p.m. UTC | #2
On 4/25/24 2:06 PM, Moessbauer, Felix (T CED OES-DE) wrote:
> On Thu, 2024-04-25 at 13:50 +0200, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This fixes an issue with encrypted rootfs during system reboot.
>> With the token option it can happen that during reboot no
>> valid LUKS partition is found and the boot up fails in the initrd.
> 
> This is an interesting testcase for the watchdog. Does the kernel
> already trigger the watchdog at this initrd stage? Did the system hang
> here forever, or did it reboot?

As we have panic=5 enabled, the watchdog will be triggered and we have a
reboot loop.

Quirin
> 
> Felix
> 
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../initramfs-crypt-hook/files/encrypt_partition.script         | 2
>> +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
>> crypt-hook/files/encrypt_partition.script
>> index 51c81f3..685d882 100644
>> --- a/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> +++ b/recipes-initramfs/initramfs-crypt-
>> hook/files/encrypt_partition.script
>> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
>>          fi
>>   
>>          if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
>> -                       | grep -q "token"; then
>> +                       | grep -q "luks2"; then
>>                  open_tpm2_partition "$part_device"
>> "$crypt_mount_name" "$tpm_device"
>>                  continue
>>          fi
>
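Review bot: The new `grep -q "luks2"` line has no comment saying which field of the luksDump output it is meant to match, and the commit message does not say why the "token" string can be missing at reboot. A one-line comment above the `if` naming the matched field, plus a sentence on the root cause in the commit message, would let a later reader judge whether the change removes the failure or only stops the check from noticing it.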

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 51c81f3..685d882 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -134,7 +134,7 @@  for partition_set in $partition_sets; do
 	fi
 
 	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
-			| grep -q "token"; then
+			| grep -q "luks2"; then
 		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
 		continue
 	fi
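Review bot: `grep -q "luks2"` on the `+` line is an unanchored substring match over the whole dump, and it now routes every partition whose dump contains that string to `open_tpm2_partition`, whether or not a TPM2 token is enrolled on it. If detecting the on-disk format is the intent, `cryptsetup isLuks --type luks2 "$partition"` expresses that directly and does not depend on the dump's text layout; if a LUKS2 volume without a token can exist on these targets, that case needs its own branch or an explicit error before the TPM2 open is attempted.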