diff mbox series

[isar-cip-core,v3,7/9] crypt-hook: Extend partition selection

Message ID 20240425115119.813384-8-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Headers show
Series Add option to encrypt the rootfs | expand

Commit Message

Quirin Gylstorff April 25, 2024, 11:50 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the possiblity to select to partition to be encrypted
by UUID or absolute path.

If used with an UUID the uuid is used as the name of the device
mapper. With this change the swupdate-handler-roundrobin selects
the /dev/mapper/<PARTUUID> device for the update instead of the
underling partition.

This allows to update encrpyted partition without triggering a
reencryption.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/encrypt_partition.clevis.hook       |  2 ++
 .../files/encrypt_partition.script            | 27 ++++++++++++++-----
 .../files/encrypt_partition.systemd.hook      |  2 ++
 .../files/mount_crypt_partitions.script       | 20 +++++++++++---
 .../initramfs-crypt-hook_0.2.bb               |  3 ++-
 5 files changed, 43 insertions(+), 11 deletions(-)
diff mbox series

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
index 0bb8ce6..0644eab 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook
@@ -72,6 +72,8 @@  copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq"
 copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake"
 copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file "
 copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 "
+copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse"
+
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
     copy_exec /usr/sbin/cryptsetup-reencrypt
 fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 685d882..293bfb1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -121,19 +121,34 @@  fi
 prepare_for_encryption
 
 for partition_set in $partition_sets; do
-	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
 	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
 	partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')"
-	partition=/dev/disk/by-partlabel/"$partition_label"
-	crypt_mount_name="encrypted_$partition_label"
+	case "$partition" in
+		/*)
+			part_device=$(readlink -f "$partition")
+			crypt_mount_name="$( basename "$partition")"
+			;;
+		*)
+			if uuidparse "$partition" -n -o TYPE | grep -q invalid; then
+				part_device=$(readlink -f /dev/disk/by-partlabel/"$partition")
+				crypt_mount_name="encrypted_${partition}"
+			else
+				part_device=$(readlink -f /dev/disk/by-partuuid/"$partition")
+				crypt_mount_name="${partition}"
+			fi
+			;;
+	esac
+	if [ ! -e  "$part_device" ]; then
+		panic "Could not find device  mapped to '$partition' cannot be encrypted!"
+	fi
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
-	part_device=$(readlink -f "$partition")
 	# check if we are trying to mount root
 	if [ "$partition_mountpoint" = "/" ]; then
 		echo "ROOT=$decrypted_part" >/conf/param.conf
 	fi
 
-	if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
+	if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
 			| grep -q "luks2"; then
 		open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
 		continue
@@ -147,7 +162,7 @@  for partition_set in $partition_sets; do
 
 	# create random password for initial encryption
 	# this will be dropped after reboot
-	tmp_key=/tmp/"$partition_label-lukskey"
+	tmp_key=/tmp/"$(basename "$part_device")-lukskey"
 	openssl rand -base64 32 > "$tmp_key"
 
 	case "${partition_format}" in
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index 941f0b1..19e0fe4 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -51,6 +51,8 @@  copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenro
 copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
 copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
 copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms"
+copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename"
+copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse"
 
 copy_exec /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found"
 if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index b72323f..f35685e 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -45,11 +45,23 @@  mount_partition() {
 }
 partition_sets="$PARTITIONS"
 for partition_set in $partition_sets; do
-	partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
+	partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')"
 	partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')"
-	partition=/dev/disk/by-partlabel/"$partition_label"
-	part_device=$(readlink -f "$partition")
-	crypt_mount_name="encrypted_$partition_label"
+	case "$partition" in
+		/*)
+			part_device=$(readlink -f "$partition")
+			crypt_mount_name="$( basename "$partition")"
+			;;
+		*)
+			if uuidparse "$partition" -n -o TYPE | grep -q invalid; then
+				part_device=$(readlink -f /dev/disk/by-partlabel/"$partition")
+				crypt_mount_name="encrypted_${partition}"
+			else
+				part_device=$(readlink -f /dev/disk/by-partuuid/"$partition")
+				crypt_mount_name="${partition}"
+			fi
+			;;
+	esac
 	decrypted_part=/dev/mapper/"$crypt_mount_name"
 	if [ -z "$partition_mountpoint" ]; then
 		continue
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
index 1d5a4a7..72de5b6 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
@@ -11,7 +11,8 @@ 
 inherit dpkg-raw
 DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
     awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
-    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, e2fsprogs, tpm2-tools"
+    libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
+    e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
 
 CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools"