| Message ID | 20240712081143.1376952-2-stefan-koch@siemens.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | initramfs-crypt-hook: Speedup disk-encryption reencrypt and other improvements | expand |
What is a partially encrypted FS in this context? Please describe the error scenario to enable a proper assessment of the approach to resolve it. On 12.07.24 10:11, Stefan Koch wrote: > Signed-off-by: Stefan Koch <stefan-koch@siemens.com> > --- > .../initramfs-crypt-hook/files/encrypt_partition.script | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script > index ff4c135..f943aea 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script > @@ -77,7 +77,13 @@ reencrypt_existing_partition() { > [options] > broken_system_clock=true > EOF > - e2fsck -p -f "$1" > + # ensure that filesystem is clean otherwise resize2fs will fail > + # do not attempt to repair a partially encrypted filesystem > + # ensure that there is no attempt to > + # repair a partially encrypted filesystem > + if ! cryptsetup luksUUID "$1" &> /dev/null; then > + e2fsck -p -f "$1" > + fi > if ! resize2fs "$1" "${reduced_size_in_kb}"; then > panic "reencryption of filesystem $1 cannot continue!" > fi Jan
On Fri, 2024-07-12 at 11:32 +0200, Jan Kiszka wrote: > What is a partially encrypted FS in this context? Please describe the > error scenario to enable a proper assessment of the approach to > resolve it. When there is a power loss while reencryption takes place, at the next boot e2fsck will repair the partially rencrypted filesystem - and destroys it. As described in the last answer to [PATCH 3/4] cryptsetup is capable to resume a partial encryption. So that patch is for future, when somemone implement a proper TPM key storage that respects power-loss case. > > On 12.07.24 10:11, Stefan Koch wrote: > > Signed-off-by: Stefan Koch <stefan-koch@siemens.com> > > --- > > .../initramfs-crypt-hook/files/encrypt_partition.script | 8 > > +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.script b/recipes-initramfs/initramfs- > > crypt-hook/files/encrypt_partition.script > > index ff4c135..f943aea 100644 > > --- a/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.script > > +++ b/recipes-initramfs/initramfs-crypt- > > hook/files/encrypt_partition.script > > @@ -77,7 +77,13 @@ reencrypt_existing_partition() { > > [options] > > broken_system_clock=true > > EOF > > - e2fsck -p -f "$1" > > + # ensure that filesystem is clean otherwise > > resize2fs will fail > > + # do not attempt to repair a partially encrypted > > filesystem > > + # ensure that there is no attempt to > > + # repair a partially encrypted filesystem > > + if ! cryptsetup luksUUID "$1" &> /dev/null; then > > + e2fsck -p -f "$1" > > + fi > > if ! resize2fs "$1" "${reduced_size_in_kb}"; then > > panic "reencryption of filesystem $1 cannot > > continue!" > > fi > > Jan >
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index ff4c135..f943aea 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -77,7 +77,13 @@ reencrypt_existing_partition() { [options] broken_system_clock=true EOF - e2fsck -p -f "$1" + # ensure that filesystem is clean otherwise resize2fs will fail + # do not attempt to repair a partially encrypted filesystem + # ensure that there is no attempt to + # repair a partially encrypted filesystem + if ! cryptsetup luksUUID "$1" &> /dev/null; then + e2fsck -p -f "$1" + fi if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi
Signed-off-by: Stefan Koch <stefan-koch@siemens.com> --- .../initramfs-crypt-hook/files/encrypt_partition.script | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)