
[isar-cip-core,v2,4/4] Move content of home to IMMUTABLE_DATA_DIR

Message ID: 20250303112342.851020-5-Quirin.Gylstorff@siemens.com (mailing list archive)
State: Changes Requested
Series: Make /home partition optional

Commit Message

Quirin Gylstorff March 3, 2025, 11:21 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This reduces the number of necessary partitions. It also
allows using an A/B update scheme for the var partition.

This fixes issue #123.

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/read-only-rootfs.bbclass              | 19 +++++++++++++++--
 kas/opt/encrypt-all.yml                       |  2 +-
 kas/opt/separate-home-partition.yml           | 21 +++++++++++++++++++
 ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} |  2 +-
 4 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 kas/opt/separate-home-partition.yml
 rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%)

Comments

Jan Kiszka March 3, 2025, 12:29 p.m. UTC | #1
On 03.03.25 12:21, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This reduces the number of necessary partitions. It also
> allows using an A/B update scheme for the var partition.
> 
> This fixes issue #123.
> 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  classes/read-only-rootfs.bbclass              | 19 +++++++++++++++--
>  kas/opt/encrypt-all.yml                       |  2 +-
>  kas/opt/separate-home-partition.yml           | 21 +++++++++++++++++++
>  ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} |  2 +-
>  4 files changed, 40 insertions(+), 4 deletions(-)
>  create mode 100644 kas/opt/separate-home-partition.yml
>  rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%)
> 
> diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass
> index 0c8ae24..4e70d81 100644
> --- a/classes/read-only-rootfs.bbclass
> +++ b/classes/read-only-rootfs.bbclass
> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>  
>  do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
>  
> -IMAGE_INSTALL += "home-fs"
> -WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
> +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
> +
> +WIC_HOME_PARTITION = ""
> +IMAGE_INSTALL += " move-homedir-var"
> +IMAGE_INSTALL:append:separate-home-part = " home-fs"
> +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
>  
>  IMAGE_INSTALL:append:buster   = " tmp-fs"
>  IMAGE_INSTALL:append:bullseye = " tmp-fs"
> @@ -37,6 +41,17 @@ copy_dpkg_state() {
>      sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
>  }
>  
> +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
> +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data"
> +copy_home_to_immutable_data() {
> +    IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
> +    sudo mkdir -p "$IMMUTABLE_HOME_DIR"
> +    sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
> +    # as the rootfs is read-only we need to create the link
> +    # between /var/home and /home during creation.
> +    sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
> +}
> +
>  RO_ROOTFS_EXCLUDE_DIRS ??= ""
>  EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
>  SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
> index b6d4041..faf7206 100644
> --- a/kas/opt/encrypt-all.yml
> +++ b/kas/opt/encrypt-all.yml
> @@ -20,4 +20,4 @@ local_conf_header:
>      # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
>      # to set all partitions
>      CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
> -                         home:/home:reencrypt var:/var:reencrypt"
> +                         var:/var:reencrypt"
> diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml
> new file mode 100644
> index 0000000..aaf349b
> --- /dev/null
> +++ b/kas/opt/separate-home-partition.yml
> @@ -0,0 +1,21 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2025
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
> +# from the first wic partition

Copy & pasted?

May explain that this primarily provides compatibility support for
existing deployments with separate home partitions.

And where is this used, at least build-tested in CI?

Jan

> +
> +header:
> +  version: 14
> +
> +local_conf_header:
> +  separate-home-partition: |
> +    OVERRIDES .= ":separate-home-part"
> +  add-home-partition-to-crypt: |
> +    CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
> similarity index 98%
> rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
> rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
> index df335c9..80a4755 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
>              file://pwquality.conf"
>  
>  # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand]
> -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> +CRYPT_PARTITIONS ??= "var:/var:reencrypt"
>  # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
>  # in a newly formatted LUKS Partition
>  CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
MOESSBAUER, Felix March 3, 2025, 2 p.m. UTC | #2
On Mon, 2025-03-03 at 12:21 +0100, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This reduces the number of necessary partitions. It also
> allows using an A/B update scheme for the var partition.

Hi, how would that work? The /var partition is by definition not
updated by any firmware update (A/B rootfs update). It must be deployed
empty and in case of device resets can be cleared.

Felix

> 
> This fixes issue #123.
> 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  classes/read-only-rootfs.bbclass              | 19 +++++++++++++++--
>  kas/opt/encrypt-all.yml                       |  2 +-
>  kas/opt/separate-home-partition.yml           | 21
> +++++++++++++++++++
>  ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} |  2 +-
>  4 files changed, 40 insertions(+), 4 deletions(-)
>  create mode 100644 kas/opt/separate-home-partition.yml
>  rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-
> hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%)
> 
> diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-
> rootfs.bbclass
> index 0c8ae24..4e70d81 100644
> --- a/classes/read-only-rootfs.bbclass
> +++ b/classes/read-only-rootfs.bbclass
> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-
> ${MACHINE}.initrd.img"
>  
>  do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
>  
> -IMAGE_INSTALL += "home-fs"
> -WIC_HOME_PARTITION = "part /home --source rootfs --change-
> directory=home --fstype=ext4 --label home --align 1024  --size 1G --
> fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-
> 46dc-9c0f-58904f369524"
> +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs
> --change-directory=home --fstype=ext4 --label home --align 1024  --
> size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid
> c07d5e8f-3448-46dc-9c0f-58904f369524"
> +
> +WIC_HOME_PARTITION = ""
> +IMAGE_INSTALL += " move-homedir-var"
> +IMAGE_INSTALL:append:separate-home-part = " home-fs"
> +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
>  
>  IMAGE_INSTALL:append:buster   = " tmp-fs"
>  IMAGE_INSTALL:append:bullseye = " tmp-fs"
> @@ -37,6 +41,17 @@ copy_dpkg_state() {
>      sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
>  }
>  
> +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
> +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = "
> copy_home_to_immutable_data"
> +copy_home_to_immutable_data() {
> +    IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
> +    sudo mkdir -p "$IMMUTABLE_HOME_DIR"
> +    sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
> +    # as the rootfs is read-only we need to create the link
> +    # between /var/home and /home during creation.
> +    sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
> +}
> +
>  RO_ROOTFS_EXCLUDE_DIRS ??= ""
>  EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
>  SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
> index b6d4041..faf7206 100644
> --- a/kas/opt/encrypt-all.yml
> +++ b/kas/opt/encrypt-all.yml
> @@ -20,4 +20,4 @@ local_conf_header:
>      # As we use a weak default assignment in the intramfs-crypt-hook
> recipe we need
>      # to set all partitions
>      CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt
> ${ABROOTFS_PART_UUID_B}::reencrypt \
> -                         home:/home:reencrypt var:/var:reencrypt"
> +                         var:/var:reencrypt"
> diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-
> home-partition.yml
> new file mode 100644
> index 0000000..aaf349b
> --- /dev/null
> +++ b/kas/opt/separate-home-partition.yml
> @@ -0,0 +1,21 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2025
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
> +# from the first wic partition
> +
> +header:
> +  version: 14
> +
> +local_conf_header:
> +  separate-home-partition: |
> +    OVERRIDES .= ":separate-home-part"
> +  add-home-partition-to-crypt: |
> +    CRYPT_PARTITIONS:append:separate-home-part = "
> home:/home:reencrypt"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.7.bb
> similarity index 98%
> rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.6.bb
> rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.7.bb
> index df335c9..80a4755 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.6.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> hook_0.7.bb
> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
>              file://pwquality.conf"
>  
>  # CRYPT_PARTITIONS elements are <partition-
> label>:<mountpoint>:<reencrypt or format>[:expand]
> -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
> +CRYPT_PARTITIONS ??= "var:/var:reencrypt"
>  # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create
> the filesystem
>  # in a newly formatted LUKS Partition
>  CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
Quirin Gylstorff March 3, 2025, 2:03 p.m. UTC | #3
On 3/3/25 15:00, Moessbauer, Felix (FT RPD CED OES-DE) wrote:
> On Mon, 2025-03-03 at 12:21 +0100, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This reduces the number of necessary partitions. It also
>> allows using an A/B update scheme for the var partition.
> 
> Hi, how would that work? The /var partition is by definition not
> updated by any firmware update (A/B rootfs update). It must be deployed
> empty and in case of device resets can be cleared.
> 
> Felix

An example would be Jan's btrfs A/B rootfs with snapshots.

Quirin
> 
>>
>> This fixes issue #123.
>>
>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   classes/read-only-rootfs.bbclass              | 19 +++++++++++++++--
>>   kas/opt/encrypt-all.yml                       |  2 +-
>>   kas/opt/separate-home-partition.yml           | 21
>> +++++++++++++++++++
>>   ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} |  2 +-
>>   4 files changed, 40 insertions(+), 4 deletions(-)
>>   create mode 100644 kas/opt/separate-home-partition.yml
>>   rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-
>> hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%)
>>
>> diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-
>> rootfs.bbclass
>> index 0c8ae24..4e70d81 100644
>> --- a/classes/read-only-rootfs.bbclass
>> +++ b/classes/read-only-rootfs.bbclass
>> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-
>> ${MACHINE}.initrd.img"
>>   
>>   do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
>>   
>> -IMAGE_INSTALL += "home-fs"
>> -WIC_HOME_PARTITION = "part /home --source rootfs --change-
>> directory=home --fstype=ext4 --label home --align 1024  --size 1G --
>> fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-
>> 46dc-9c0f-58904f369524"
>> +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs
>> --change-directory=home --fstype=ext4 --label home --align 1024  --
>> size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid
>> c07d5e8f-3448-46dc-9c0f-58904f369524"
>> +
>> +WIC_HOME_PARTITION = ""
>> +IMAGE_INSTALL += " move-homedir-var"
>> +IMAGE_INSTALL:append:separate-home-part = " home-fs"
>> +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
>>   
>>   IMAGE_INSTALL:append:buster   = " tmp-fs"
>>   IMAGE_INSTALL:append:bullseye = " tmp-fs"
>> @@ -37,6 +41,17 @@ copy_dpkg_state() {
>>       sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
>>   }
>>   
>> +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
>> +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = "
>> copy_home_to_immutable_data"
>> +copy_home_to_immutable_data() {
>> +    IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
>> +    sudo mkdir -p "$IMMUTABLE_HOME_DIR"
>> +    sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
>> +    # as the rootfs is read-only we need to create the link
>> +    # between /var/home and /home during creation.
>> +    sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
>> +}
>> +
>>   RO_ROOTFS_EXCLUDE_DIRS ??= ""
>>   EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
>>   SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
>> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
>> index b6d4041..faf7206 100644
>> --- a/kas/opt/encrypt-all.yml
>> +++ b/kas/opt/encrypt-all.yml
>> @@ -20,4 +20,4 @@ local_conf_header:
>>       # As we use a weak default assignment in the intramfs-crypt-hook
>> recipe we need
>>       # to set all partitions
>>       CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt
>> ${ABROOTFS_PART_UUID_B}::reencrypt \
>> -                         home:/home:reencrypt var:/var:reencrypt"
>> +                         var:/var:reencrypt"
>> diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-
>> home-partition.yml
>> new file mode 100644
>> index 0000000..aaf349b
>> --- /dev/null
>> +++ b/kas/opt/separate-home-partition.yml
>> @@ -0,0 +1,21 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2025
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
>> +# from the first wic partition
>> +
>> +header:
>> +  version: 14
>> +
>> +local_conf_header:
>> +  separate-home-partition: |
>> +    OVERRIDES .= ":separate-home-part"
>> +  add-home-partition-to-crypt: |
>> +    CRYPT_PARTITIONS:append:separate-home-part = "
>> home:/home:reencrypt"
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.7.bb
>> similarity index 98%
>> rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.6.bb
>> rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.7.bb
>> index df335c9..80a4755 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.6.bb
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>> hook_0.7.bb
>> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
>>               file://pwquality.conf"
>>   
>>   # CRYPT_PARTITIONS elements are <partition-
>> label>:<mountpoint>:<reencrypt or format>[:expand]
>> -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>> +CRYPT_PARTITIONS ??= "var:/var:reencrypt"
>>   # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create
>> the filesystem
>>   # in a newly formatted LUKS Partition
>>   CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
>
Quirin Gylstorff March 4, 2025, 9:01 a.m. UTC | #4
On 3/3/25 13:29, Jan Kiszka wrote:
> On 03.03.25 12:21, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This reduces the number of necessary partitions. It also
>> allows using an A/B update scheme for the var partition.
>>
>> This fixes issue #123.
>>
>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   classes/read-only-rootfs.bbclass              | 19 +++++++++++++++--
>>   kas/opt/encrypt-all.yml                       |  2 +-
>>   kas/opt/separate-home-partition.yml           | 21 +++++++++++++++++++
>>   ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} |  2 +-
>>   4 files changed, 40 insertions(+), 4 deletions(-)
>>   create mode 100644 kas/opt/separate-home-partition.yml
>>   rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%)
>>
>> diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass
>> index 0c8ae24..4e70d81 100644
>> --- a/classes/read-only-rootfs.bbclass
>> +++ b/classes/read-only-rootfs.bbclass
>> @@ -14,8 +14,12 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>>   
>>   do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
>>   
>> -IMAGE_INSTALL += "home-fs"
>> -WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
>> +WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
>> +
>> +WIC_HOME_PARTITION = ""
>> +IMAGE_INSTALL += " move-homedir-var"
>> +IMAGE_INSTALL:append:separate-home-part = " home-fs"
>> +IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
>>   
>>   IMAGE_INSTALL:append:buster   = " tmp-fs"
>>   IMAGE_INSTALL:append:bullseye = " tmp-fs"
>> @@ -37,6 +41,17 @@ copy_dpkg_state() {
>>       sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
>>   }
>>   
>> +ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
>> +ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data"
>> +copy_home_to_immutable_data() {
>> +    IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
>> +    sudo mkdir -p "$IMMUTABLE_HOME_DIR"
>> +    sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
>> +    # as the rootfs is read-only we need to create the link
>> +    # between /var/home and /home during creation.
>> +    sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
>> +}
>> +
>>   RO_ROOTFS_EXCLUDE_DIRS ??= ""
>>   EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
>>   SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
>> diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
>> index b6d4041..faf7206 100644
>> --- a/kas/opt/encrypt-all.yml
>> +++ b/kas/opt/encrypt-all.yml
>> @@ -20,4 +20,4 @@ local_conf_header:
>>       # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
>>       # to set all partitions
>>       CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
>> -                         home:/home:reencrypt var:/var:reencrypt"
>> +                         var:/var:reencrypt"
>> diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml
>> new file mode 100644
>> index 0000000..aaf349b
>> --- /dev/null
>> +++ b/kas/opt/separate-home-partition.yml
>> @@ -0,0 +1,21 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2025
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
>> +# from the first wic partition
> 
> Copy & pasted?
> 
> May explain that this primarily provides compatibility support for
> existing deployments with separate home partitions.
>
Added in v3.


> And where is this used, at least build-tested in CI?


I can add an additional option to the CI and/or add a Kconfig entry.

Which build jobs should enable that legacy feature? Currently I have it
enabled for `build:x86-uefi-secure-boot:`.

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/9302304512

Quirin
> 
> Jan
> 
>> +
>> +header:
>> +  version: 14
>> +
>> +local_conf_header:
>> +  separate-home-partition: |
>> +    OVERRIDES .= ":separate-home-part"
>> +  add-home-partition-to-crypt: |
>> +    CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"
>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
>> similarity index 98%
>> rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
>> rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
>> index df335c9..80a4755 100644
>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
>> @@ -70,7 +70,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \
>>               file://pwquality.conf"
>>   
>>   # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand]
>> -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>> +CRYPT_PARTITIONS ??= "var:/var:reencrypt"
>>   # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
>>   # in a newly formatted LUKS Partition
>>   CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
>

Patch

diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass
index 0c8ae24..4e70d81 100644
--- a/classes/read-only-rootfs.bbclass
+++ b/classes/read-only-rootfs.bbclass
@@ -14,8 +14,12 @@  INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
 
 do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
 
-IMAGE_INSTALL += "home-fs"
-WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
+WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
+
+WIC_HOME_PARTITION = ""
+IMAGE_INSTALL += " move-homedir-var"
+IMAGE_INSTALL:append:separate-home-part = " home-fs"
+IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
 
 IMAGE_INSTALL:append:buster   = " tmp-fs"
 IMAGE_INSTALL:append:bullseye = " tmp-fs"
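Review bot: this hunk silently changes the default layout for every user of read-only-rootfs.bbclass (no `home` partition any more, `/home` ends up under the data directory) and the way back is an undocumented override: `WIC_HOME_PARTITION:separate-home-part`, `IMAGE_INSTALL:append:separate-home-part = " home-fs"` and `IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"` are three independent toggles on the same override name, with a fourth on `ROOTFS_POSTPROCESS_COMMAND` further down. A comment at the top of this block naming `separate-home-part` as the compatibility switch for existing deployments, and a doc or changelog entry, would make the behaviour change visible; a single variable driving all four toggles would be harder to get out of sync. Minor: the leading space in `" move-homedir-var"` is harmless for `:remove` (it is a whitespace-separated list) but inconsistent with the plain `+=` on the line above it.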
@@ -37,6 +41,17 @@  copy_dpkg_state() {
     sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
 }
 
+ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
+ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data"
+copy_home_to_immutable_data() {
+    IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
+    sudo mkdir -p "$IMMUTABLE_HOME_DIR"
+    sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
+    # as the rootfs is read-only we need to create the link
+    # between /var/home and /home during creation.
+    sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
+}
+
 RO_ROOTFS_EXCLUDE_DIRS ??= ""
 EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
 SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
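Review bot: `ln -s /var/home /home` hardcodes the link target while the directory was moved to `${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/`; if `IMMUTABLE_DATA_DIR` is ever set to anything other than `/var`, `/home` becomes a dangling symlink on a read-only root with no way to repair it at runtime. Derive both from the same variable, e.g. `ln -s ${IMMUTABLE_DATA_DIR}/home /home`. The function also mixes `${ROOTFSDIR}` (mkdir, mv) with `${IMAGE_ROOTFS}` (chroot) for what must be the same tree, is named `copy_...` but does a `mv`, and `IMMUTABLE_HOME_DIR` actually points at the data directory, not at a home directory. Quote `${ROOTFSDIR}/home` like the other paths, and check up front whether `$IMMUTABLE_HOME_DIR/home` already exists: `mv` then either fails (non-empty) or replaces it (empty), and neither outcome is reported.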
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
index b6d4041..faf7206 100644
--- a/kas/opt/encrypt-all.yml
+++ b/kas/opt/encrypt-all.yml
@@ -20,4 +20,4 @@  local_conf_header:
     # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
     # to set all partitions
     CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
-                         home:/home:reencrypt var:/var:reencrypt"
+                         var:/var:reencrypt"
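Review bot: encryption of `/home` is now tied to a kas file rather than to the override. `home:/home:reencrypt` is only re-added by `kas/opt/separate-home-partition.yml`, so a build that enables `separate-home-part` by any other route (local.conf, a downstream kas fragment) and still includes encrypt-all.yml ends up with a plaintext `home` partition despite the file's name. Keep a `CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"` in this file (or in the class) so that "encrypt all" holds whenever the override is active, and update the comment above the assignment ("we need to set all partitions") to say where the home entry now comes from.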
diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml
new file mode 100644
index 0000000..aaf349b
--- /dev/null
+++ b/kas/opt/separate-home-partition.yml
@@ -0,0 +1,21 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
+# from the first wic partition
+
+header:
+  version: 14
+
+local_conf_header:
+  separate-home-partition: |
+    OVERRIDES .= ":separate-home-part"
+  add-home-partition-to-crypt: |
+    CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"
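Review bot: the header comment ("This kas file adds swupdate and generates a ${IMAGE_NAME}.swu from the first wic partition") belongs to a different file and describes nothing this one does. Replace it with what the fragment actually provides: compatibility for existing deployments with a separate `/home` partition, by appending `:separate-home-part` to `OVERRIDES` and re-adding `home:/home:reencrypt` to `CRYPT_PARTITIONS`. It should also state that the crypt entry only matters in combination with encrypt-all.yml, and the file needs at least one CI build that includes it so the override path is build-tested and not just the new default.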
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
similarity index 98%
rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
index df335c9..80a4755 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
@@ -70,7 +70,7 @@  SRC_URI += "file://encrypt_partition.env.tmpl \
             file://pwquality.conf"
 
 # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand]
-CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
+CRYPT_PARTITIONS ??= "var:/var:reencrypt"
 # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
 # in a newly formatted LUKS Partition
 CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
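Review bot: dropping `home:/home:reencrypt` from the weak default changes what the initramfs hook opens on devices provisioned with the previous layout: after a rootfs update carrying this initramfs, an existing encrypted `home` partition is no longer in `CRYPT_PARTITIONS` and so is not unlocked or mounted unless the new `separate-home-part` override is used, and the bump from 0.6 to 0.7 is the only hint of that. Add a line to the comment above the default (or to the changelog) telling existing users to re-add `home:/home:reencrypt` via the override when migrating; the format comment itself is still accurate and can stay.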