Message ID | 20240422141120.577573-2-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Superseded |
Series | Add option to encrypt the rootfs | expand |
On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to use the part-label for encryption or > boot selection. We should not rely on partition labels at all. We had the discussion in the past already, where swupdate applied the update to the wrong partition due to having the same label on multiple devices. We either must use UUIDs, or we must limit the label search to the current device only. On recent EBG versions this is made available via the systemd BOOT_LOADER_INTERFACE (EFI variables), but these might be tricky to check in the initrd. Also, the efivars fs needs to be explicitly exposed on RT kernels via efi=runtime. Felix > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > wic/bbb-efibootguard.wks.in | 4 ++-- > wic/hihope-rzg2m-efibootguard.wks.in | 4 ++-- > wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++-- > wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++-- > wic/qemu-arm64-efibootguard.wks.in | 4 ++-- > wic/qemu-riscv64-efibootguard.wks.in | 4 ++-- > wic/x86-efibootguard.wks.in | 4 ++-- > 7 files changed, 14 insertions(+), 14 deletions(-) > > diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb- > efibootguard.wks.in > index e9c04b9..b5772c2 100644 > --- a/wic/bbb-efibootguard.wks.in > +++ b/wic/bbb-efibootguard.wks.in 
> @@ -11,8 +11,8 @@ part --source rawcopy --sourceparams > "file=/usr/lib/u-boot/bbb/u-boot.img" --no- > > include ebg-sysparts.inc > > -part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systemb > > # home and var are extra partitions > part /home --source rootfs --change-directory=home --fstype=ext4 -- > label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56- > 0242ac120002 > diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m- > efibootguard.wks.in > index 9227a71..164e8a9 100644 > --- a/wic/hihope-rzg2m-efibootguard.wks.in > +++ b/wic/hihope-rzg2m-efibootguard.wks.in 
> @@ -3,8 +3,8 @@ > > include ebg-sysparts.inc > > -part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systemb > > # home and var are extra partitions > > diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in > b/wic/qemu-amd64-efibootguard-secureboot.wks.in > index ef40d70..0f4d637 100644 > --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in > +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in > @@ -1,7 +1,7 @@ > include ebg-signed-sysparts.inc > > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" > --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part- > type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" > --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part- > type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systemb > > # home and var are extra partitions > part /home --source rootfs --change-directory=home --fstype=ext4 -- > label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56- > 0242ac120002 
> diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in > b/wic/qemu-arm64-efibootguard-secureboot.wks.in > index 01f395d..00d627d 100644 > --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in > +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in > @@ -1,7 +1,7 @@ > include ebg-signed-sysparts.inc > > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" > --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part- > type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" > --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part- > type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systemb > > # home and var are extra partitions > part /home --source rootfs --change-directory=home --fstype=ext4 -- > label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56- > 0242ac120002 > diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64- > efibootguard.wks.in > index 942c3e1..6f03420 100644 > --- a/wic/qemu-arm64-efibootguard.wks.in > +++ b/wic/qemu-arm64-efibootguard.wks.in 
> @@ -3,8 +3,8 @@ > > include ebg-sysparts.inc > > -part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systemb > > # home and var are extra partitions > part /home --source rootfs --change-directory=home --fstype=ext4 -- > label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56- > 0242ac120002 > diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64- > efibootguard.wks.in > index 6934977..1704ded 100644 > --- a/wic/qemu-riscv64-efibootguard.wks.in > +++ b/wic/qemu-riscv64-efibootguard.wks.in 
> @@ -3,8 +3,8 @@ > > include ebg-sysparts.inc > > -part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systemb > > # home and var are extra partitions > part /home --source rootfs --change-directory=home --fstype=ext4 -- > label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56- > 0242ac120002 > diff --git a/wic/x86-efibootguard.wks.in b/wic/x86- > efibootguard.wks.in > index 6382ff7..4c0484f 100644 > --- a/wic/x86-efibootguard.wks.in > +++ b/wic/x86-efibootguard.wks.in > @@ -3,8 +3,8 @@ > > include ebg-sysparts.inc > > -part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > -part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 > +part --source rawcopy --sourceparams > "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systema > +part --source empty --align 1024 --fixed-size 1G --uuid > "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79- > 3D69D8477DE4 --part-name systema > > # home and var are extra partitions >
diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
index e9c04b9..b5772c2 100644
--- a/wic/bbb-efibootguard.wks.in
+++ b/wic/bbb-efibootguard.wks.in
@@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
index 9227a71..164e8a9 100644
--- a/wic/hihope-rzg2m-efibootguard.wks.in
+++ b/wic/hihope-rzg2m-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index ef40d70..0f4d637 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
 include ebg-signed-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index 01f395d..00d627d 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
 include ebg-signed-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
index 942c3e1..6f03420 100644
--- a/wic/qemu-arm64-efibootguard.wks.in
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
index 6934977..1704ded 100644
--- a/wic/qemu-riscv64-efibootguard.wks.in
+++ b/wic/qemu-riscv64-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
 
 # home and var are extra partitions
 part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 6382ff7..4c0484f 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@
 
 include ebg-sysparts.inc
 
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
 
 # home and var are extra partitions
 
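Review bot: In the wic/x86-efibootguard.wks.in hunk the second rootfs slot (`--uuid "${ABROOTFS_PART_UUID_B}"`) is also given `--part-name systema`, so both A/B partitions end up with the same GPT partition name, while every other file in this series names the B slot `systemb`. Since the commit message says the part-label is meant to drive encryption setup or boot-slot selection, a duplicate name on x86 makes that lookup ambiguous and can select the wrong slot. The added line should read `+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb`. The same slip is present in the quoted copy of this hunk in the reply above.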