Message ID | 20250303112342.851020-5-Quirin.Gylstorff@siemens.com (mailing list archive) |
State | Changes Requested |
Series | Make /home partition optional | expand |
On 03.03.25 12:21, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This reduces the amount of necessary partitions. It also > allows to use a A/B-update scheme for the var partition. > > This fixes issue #123. > > https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123 > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > classes/read-only-rootfs.bbclass | 19 +++++++++++++++-- > kas/opt/encrypt-all.yml | 2 +- > kas/opt/separate-home-partition.yml | 21 +++++++++++++++++++ > ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} | 2 +- > 4 files changed, 40 insertions(+), 4 deletions(-) > create mode 100644 kas/opt/separate-home-partition.yml > rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%) > > diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass > index 0c8ae24..4e70d81 100644 > --- a/classes/read-only-rootfs.bbclass > +++ b/classes/read-only-rootfs.bbclass > @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" > > do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" > > -IMAGE_INSTALL += "home-fs" > -WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524" > +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524" > + > +WIC_HOME_PARTITION = "" > +IMAGE_INSTALL += " move-homedir-var" > +IMAGE_INSTALL:append:separate-home-part = " home-fs" > +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var" > > IMAGE_INSTALL:append:buster = " tmp-fs" > IMAGE_INSTALL:append:bullseye = " tmp-fs" 
> @@ -37,6 +41,17 @@ copy_dpkg_state() { > sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/" > } > > +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data" > +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data" > +copy_home_to_immutable_data() { > + IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/" > + sudo mkdir -p "$IMMUTABLE_HOME_DIR" > + sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/" > + # as the rootfs is read-only we need to create the link > + # between /var/home and /home during creation. > + sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home > +} > + > RO_ROOTFS_EXCLUDE_DIRS ??= "" > EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" > SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" > diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml > index b6d4041..faf7206 100644 > --- a/kas/opt/encrypt-all.yml > +++ b/kas/opt/encrypt-all.yml > @@ -20,4 +20,4 @@ local_conf_header: > # As we use a weak default assignment in the intramfs-crypt-hook recipe we need > # to set all partitions > CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \ > - home:/home:reencrypt var:/var:reencrypt" > + var:/var:reencrypt" > diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml > new file mode 100644 > index 0000000..aaf349b > --- /dev/null > +++ b/kas/opt/separate-home-partition.yml 
> @@ -0,0 +1,21 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2025 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu > +# from the first wic partition Copy & pasted? May explain that this primarily provides compatibility support for existing deployments with separate home partitions. And where is this used, at least build-tested in CI? Jan > + > +header: > + version: 14 > + > +local_conf_header: > + separate-home-partition: | > + OVERRIDES .= ":separate-home-part" > + add-home-partition-to-crypt: | > + CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt" > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb > similarity index 98% > rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb > rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb > index df335c9..80a4755 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb > @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ > file://pwquality.conf" > > # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand] > -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" > +CRYPT_PARTITIONS ??= "var:/var:reencrypt" > # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem > # in a newly formatted LUKS Partition > CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
On Mon, 2025-03-03 at 12:21 +0100, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This reduces the amount of necessary partitions. It also > allows to use a A/B-update scheme for the var partition. Hi, how would that work? The /var partition is by-definition not updated by any firmware update (a/b rootfs update). It must be deployed empty and in case of device resets can be cleared. Felix > > This fixes issue #123. > > https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123 > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > classes/read-only-rootfs.bbclass | 19 +++++++++++++++-- > kas/opt/encrypt-all.yml | 2 +- > kas/opt/separate-home-partition.yml | 21 > +++++++++++++++++++ > ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} | 2 +- > 4 files changed, 40 insertions(+), 4 deletions(-) > create mode 100644 kas/opt/separate-home-partition.yml > rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt- > hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%) > > diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only- > rootfs.bbclass > index 0c8ae24..4e70d81 100644 > --- a/classes/read-only-rootfs.bbclass > +++ b/classes/read-only-rootfs.bbclass 
> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}- > ${MACHINE}.initrd.img" > > do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" > > -IMAGE_INSTALL += "home-fs" > -WIC_HOME_PARTITION = "part /home --source rootfs --change- > directory=home --fstype=ext4 --label home --align 1024 --size 1G -- > fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448- > 46dc-9c0f-58904f369524" > +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs > --change-directory=home --fstype=ext4 --label home --align 1024 -- > size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid > c07d5e8f-3448-46dc-9c0f-58904f369524" > + > +WIC_HOME_PARTITION = "" > +IMAGE_INSTALL += " move-homedir-var" > +IMAGE_INSTALL:append:separate-home-part = " home-fs" > +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var" > > IMAGE_INSTALL:append:buster = " tmp-fs" > IMAGE_INSTALL:append:bullseye = " tmp-fs" > @@ -37,6 +41,17 @@ copy_dpkg_state() { > sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/" > } > > +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data" > +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " > copy_home_to_immutable_data" > +copy_home_to_immutable_data() { > + IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/" > + sudo mkdir -p "$IMMUTABLE_HOME_DIR" > + sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/" > + # as the rootfs is read-only we need to create the link > + # between /var/home and /home during creation. > + sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home > +} > + > RO_ROOTFS_EXCLUDE_DIRS ??= "" > EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" > SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" > diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml > index b6d4041..faf7206 100644 > --- a/kas/opt/encrypt-all.yml > +++ b/kas/opt/encrypt-all.yml 
> @@ -20,4 +20,4 @@ local_conf_header: > # As we use a weak default assignment in the intramfs-crypt-hook > recipe we need > # to set all partitions > CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt > ${ABROOTFS_PART_UUID_B}::reencrypt \ > - home:/home:reencrypt var:/var:reencrypt" > + var:/var:reencrypt" > diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate- > home-partition.yml > new file mode 100644 > index 0000000..aaf349b > --- /dev/null > +++ b/kas/opt/separate-home-partition.yml > @@ -0,0 +1,21 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2025 > +# > +# Authors: > +# Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu > +# from the first wic partition > + > +header: > + version: 14 > + > +local_conf_header: > + separate-home-partition: | > + OVERRIDES .= ":separate-home-part" > + add-home-partition-to-crypt: | > + CRYPT_PARTITIONS:append:separate-home-part = " > home:/home:reencrypt" > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > hook_0.7.bb > similarity index 98% > rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > hook_0.6.bb > rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > hook_0.7.bb > index df335c9..80a4755 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > hook_0.6.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- > hook_0.7.bb 
> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ > file://pwquality.conf" > > # CRYPT_PARTITIONS elements are <partition- > label>:<mountpoint>:<reencrypt or format>[:expand] > -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" > +CRYPT_PARTITIONS ??= "var:/var:reencrypt" > # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create > the filesystem > # in a newly formatted LUKS Partition > CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
On 3/3/25 15:00, Moessbauer, Felix (FT RPD CED OES-DE) wrote: > On Mon, 2025-03-03 at 12:21 +0100, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This reduces the amount of necessary partitions. It also >> allows to use a A/B-update scheme for the var partition. > > Hi, how would that work? The /var partition is by-definition not > updated by any firmware update (a/b rootfs update). It must be deployed > empty and in case of device resets can be cleared. > > Felix An example would be Jan btrfs a/b rootfs with snapshots. Quirin > >> >> This fixes issue #123. >> >> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123 >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> classes/read-only-rootfs.bbclass | 19 +++++++++++++++-- >> kas/opt/encrypt-all.yml | 2 +- >> kas/opt/separate-home-partition.yml | 21 >> +++++++++++++++++++ >> ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} | 2 +- >> 4 files changed, 40 insertions(+), 4 deletions(-) >> create mode 100644 kas/opt/separate-home-partition.yml >> rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt- >> hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%) >> >> diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only- >> rootfs.bbclass >> index 0c8ae24..4e70d81 100644 >> --- a/classes/read-only-rootfs.bbclass >> +++ b/classes/read-only-rootfs.bbclass 
>> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}- >> ${MACHINE}.initrd.img" >> >> do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" >> >> -IMAGE_INSTALL += "home-fs" >> -WIC_HOME_PARTITION = "part /home --source rootfs --change- >> directory=home --fstype=ext4 --label home --align 1024 --size 1G -- >> fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448- >> 46dc-9c0f-58904f369524" >> +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs >> --change-directory=home --fstype=ext4 --label home --align 1024 -- >> size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid >> c07d5e8f-3448-46dc-9c0f-58904f369524" >> + >> +WIC_HOME_PARTITION = "" >> +IMAGE_INSTALL += " move-homedir-var" >> +IMAGE_INSTALL:append:separate-home-part = " home-fs" >> +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var" >> >> IMAGE_INSTALL:append:buster = " tmp-fs" >> IMAGE_INSTALL:append:bullseye = " tmp-fs" >> @@ -37,6 +41,17 @@ copy_dpkg_state() { >> sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/" >> } >> >> +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data" >> +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " >> copy_home_to_immutable_data" >> +copy_home_to_immutable_data() { >> + IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/" >> + sudo mkdir -p "$IMMUTABLE_HOME_DIR" >> + sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/" >> + # as the rootfs is read-only we need to create the link >> + # between /var/home and /home during creation. >> + sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home >> +} >> + >> RO_ROOTFS_EXCLUDE_DIRS ??= "" >> EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" >> SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" >> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml >> index b6d4041..faf7206 100644 >> --- a/kas/opt/encrypt-all.yml >> +++ b/kas/opt/encrypt-all.yml 
>> @@ -20,4 +20,4 @@ local_conf_header: >> # As we use a weak default assignment in the intramfs-crypt-hook >> recipe we need >> # to set all partitions >> CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt >> ${ABROOTFS_PART_UUID_B}::reencrypt \ >> - home:/home:reencrypt var:/var:reencrypt" >> + var:/var:reencrypt" >> diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate- >> home-partition.yml >> new file mode 100644 >> index 0000000..aaf349b >> --- /dev/null >> +++ b/kas/opt/separate-home-partition.yml >> @@ -0,0 +1,21 @@ >> +# >> +# CIP Core, generic profile >> +# >> +# Copyright (c) Siemens AG, 2025 >> +# >> +# Authors: >> +# Quirin Gylstorff <quirin.gylstorff@siemens.com> >> +# >> +# SPDX-License-Identifier: MIT >> +# >> +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu >> +# from the first wic partition >> + >> +header: >> + version: 14 >> + >> +local_conf_header: >> + separate-home-partition: | >> + OVERRIDES .= ":separate-home-part" >> + add-home-partition-to-crypt: | >> + CRYPT_PARTITIONS:append:separate-home-part = " >> home:/home:reencrypt" >> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >> hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >> hook_0.7.bb >> similarity index 98% >> rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >> hook_0.6.bb >> rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >> hook_0.7.bb >> index df335c9..80a4755 100644 >> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >> hook_0.6.bb >> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt- >> hook_0.7.bb 
>> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ >> file://pwquality.conf" >> >> # CRYPT_PARTITIONS elements are <partition- >> label>:<mountpoint>:<reencrypt or format>[:expand] >> -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" >> +CRYPT_PARTITIONS ??= "var:/var:reencrypt" >> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create >> the filesystem >> # in a newly formatted LUKS Partition >> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" >
On 3/3/25 13:29, Jan Kiszka wrote: > On 03.03.25 12:21, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This reduces the amount of necessary partitions. It also >> allows to use a A/B-update scheme for the var partition. >> >> This fixes issue #123. >> >> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123 >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> classes/read-only-rootfs.bbclass | 19 +++++++++++++++-- >> kas/opt/encrypt-all.yml | 2 +- >> kas/opt/separate-home-partition.yml | 21 +++++++++++++++++++ >> ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} | 2 +- >> 4 files changed, 40 insertions(+), 4 deletions(-) >> create mode 100644 kas/opt/separate-home-partition.yml >> rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%) >> >> diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass >> index 0c8ae24..4e70d81 100644 >> --- a/classes/read-only-rootfs.bbclass >> +++ b/classes/read-only-rootfs.bbclass 
>> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" >> >> do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" >> >> -IMAGE_INSTALL += "home-fs" >> -WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524" >> +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524" >> + >> +WIC_HOME_PARTITION = "" >> +IMAGE_INSTALL += " move-homedir-var" >> +IMAGE_INSTALL:append:separate-home-part = " home-fs" >> +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var" >> >> IMAGE_INSTALL:append:buster = " tmp-fs" >> IMAGE_INSTALL:append:bullseye = " tmp-fs" >> @@ -37,6 +41,17 @@ copy_dpkg_state() { >> sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/" >> } >> >> +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data" >> +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data" >> +copy_home_to_immutable_data() { >> + IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/" >> + sudo mkdir -p "$IMMUTABLE_HOME_DIR" >> + sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/" >> + # as the rootfs is read-only we need to create the link >> + # between /var/home and /home during creation. >> + sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home >> +} >> + >> RO_ROOTFS_EXCLUDE_DIRS ??= "" >> EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" >> SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}" >> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml >> index b6d4041..faf7206 100644 >> --- a/kas/opt/encrypt-all.yml >> +++ b/kas/opt/encrypt-all.yml 
>> @@ -20,4 +20,4 @@ local_conf_header: >> # As we use a weak default assignment in the intramfs-crypt-hook recipe we need >> # to set all partitions >> CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \ >> - home:/home:reencrypt var:/var:reencrypt" >> + var:/var:reencrypt" >> diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml >> new file mode 100644 >> index 0000000..aaf349b >> --- /dev/null >> +++ b/kas/opt/separate-home-partition.yml >> @@ -0,0 +1,21 @@ >> +# >> +# CIP Core, generic profile >> +# >> +# Copyright (c) Siemens AG, 2025 >> +# >> +# Authors: >> +# Quirin Gylstorff <quirin.gylstorff@siemens.com> >> +# >> +# SPDX-License-Identifier: MIT >> +# >> +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu >> +# from the first wic partition > > Copy & pasted? > > May explain that this primarily provides compatibility support for > existing deployments with separate home partitions. > Added in v3. > And where is this used, at least build-tested in CI? I can add an additional option to the ci and/or add a Kconfig entry. Which build jobs should enable that legacy feature. Currently I have it enable for `build:x86-uefi-secure-boot:`. https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/9302304512 Quirin > > Jan > >> + >> +header: >> + version: 14 >> + >> +local_conf_header: >> + separate-home-partition: | >> + OVERRIDES .= ":separate-home-part" >> + add-home-partition-to-crypt: | >> + CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt" >> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb >> similarity index 98% >> rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb >> rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb >> index df335c9..80a4755 100644 
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb >> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb >> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ >> file://pwquality.conf" >> >> # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand] >> -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" >> +CRYPT_PARTITIONS ??= "var:/var:reencrypt" >> # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem >> # in a newly formatted LUKS Partition >> CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" >
diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass
index 0c8ae24..4e70d81 100644
--- a/classes/read-only-rootfs.bbclass
+++ b/classes/read-only-rootfs.bbclass
@@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
 
 do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
 
-IMAGE_INSTALL += "home-fs"
-WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
+WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
+
+WIC_HOME_PARTITION = ""
+IMAGE_INSTALL += " move-homedir-var"
+IMAGE_INSTALL:append:separate-home-part = " home-fs"
+IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
 
 IMAGE_INSTALL:append:buster = " tmp-fs"
 IMAGE_INSTALL:append:bullseye = " tmp-fs"
@@ -37,6 +41,17 @@ copy_dpkg_state() {
 sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
 }
 
+ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
+ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data"
+copy_home_to_immutable_data() {
+ IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
+ sudo mkdir -p "$IMMUTABLE_HOME_DIR"
+ sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
+ # as the rootfs is read-only we need to create the link
+ # between /var/home and /home during creation.
+ sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
+}
+
 RO_ROOTFS_EXCLUDE_DIRS ??= ""
 EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
 SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
index b6d4041..faf7206 100644
--- a/kas/opt/encrypt-all.yml
+++ b/kas/opt/encrypt-all.yml
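Review bot: `sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"` in copy_home_to_immutable_data has no precondition check: if `${IMMUTABLE_HOME_DIR}home` already exists the move nests the tree as `home/home`, and if `${ROOTFSDIR}/home` is absent the whole postprocess step fails, so a guard such as `[ -d "${ROOTFSDIR}/home" ] || return 0` before the move and a `[ ! -e "${IMMUTABLE_HOME_DIR}home" ]` check would make the function safe to run more than once. The symlink does not need a chroot either: `sudo ln -s /var/home "${ROOTFSDIR}/home"` creates the identical absolute `/home -> /var/home` entry without executing anything inside the target rootfs, and it also keeps to the `${ROOTFSDIR}` spelling that copy_dpkg_state above uses instead of mixing in `${IMAGE_ROOTFS}`. The link target `/var/home` and the move destination `${IMMUTABLE_DATA_DIR}/home` are presumably reconciled at boot by the move-homedir-var package added in the first hunk; that coupling is invisible here, so the comment should name it, e.g. `# move-homedir-var is expected to populate /var/home from ${IMMUTABLE_DATA_DIR}/home at runtime`.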
@@ -20,4 +20,4 @@ local_conf_header:
 # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
 # to set all partitions
 CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
- home:/home:reencrypt var:/var:reencrypt"
+ var:/var:reencrypt"
diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml
new file mode 100644
index 0000000..aaf349b
--- /dev/null
+++ b/kas/opt/separate-home-partition.yml
@@ -0,0 +1,21 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
+# from the first wic partition
+
+header:
+ version: 14
+
+local_conf_header:
+ separate-home-partition: |
+ OVERRIDES .= ":separate-home-part"
+ add-home-partition-to-crypt: |
+ CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
similarity index 98%
rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
index df335c9..80a4755 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
@@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
 file://pwquality.conf"
 
 # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand]
-CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
+CRYPT_PARTITIONS ??= "var:/var:reencrypt"
 # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
 # in a newly formatted LUKS Partition
 CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
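Review bot: The new default `CRYPT_PARTITIONS ??= "var:/var:reencrypt"` in initramfs-crypt-hook_0.7.bb silently drops the home entry for any existing layer that still ships a dedicated home partition and picks up the recipe update without also enabling the new kas option, so `/home` would no longer be re-encrypted or unlocked by the hook there; the same holds for the explicit assignment in the encrypt-all.yml hunk above. Nothing at the definition site says where that entry went, so a comment next to the default is warranted, e.g. `# /home lives below /var since read-only-rootfs.bbclass moves it there; layouts with a dedicated home partition must add "home:/home:reencrypt" (see kas/opt/separate-home-partition.yml)`. The override name `separate-home-part` is spelled independently in separate-home-partition.yml and in read-only-rootfs.bbclass with no shared definition; a mismatch would not fail the build but would leave the kas option without effect, which is worth a one-line comment in the yaml pointing at the bbclass.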