
[v2,1/4] initramfs-crypt-hook: Do not attempt to repair a partially encrypted filesystem

Message ID 20240712125713.2066512-1-stefan-koch@siemens.com (mailing list archive)
State New

Commit Message

Stefan Koch July 12, 2024, 12:57 p.m. UTC
Avoids that e2fsck will repair the partially reencrypted
filesystem after power-loss during reencryption.

In general, cryptsetup is capable of resuming a partial encryption,
but there is no key available to unlock the partially encrypted data, yet.
The key is enrolled only after fully succeeded reencryption, yet.

Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.script   | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Jan Kiszka July 12, 2024, 2:15 p.m. UTC | #1
On 12.07.24 14:57, Stefan Koch wrote:
> Avoids that e2fsck will repair the partially reencrypted
> filesystem after power-loss during reencryption.
> 
> In general, cryptsetup is capable of resuming a partial encryption,
> but there is no key available to unlock the partially encrypted data, yet.
> The key is enrolled only after fully succeeded reencryption, yet.

OK, that is understood now. Question remains, though, if we shouldn't
fix that directly. Quirin, was there a particular reason to hold back
the TPM writing?

Jan

> 
> Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
> ---
>  .../initramfs-crypt-hook/files/encrypt_partition.script   | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> index ff4c135..f943aea 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -77,7 +77,13 @@ reencrypt_existing_partition() {
>  [options]
>  	broken_system_clock=true
>  EOF
> -		e2fsck -p -f "$1"
> +		# ensure that filesystem is clean otherwise resize2fs will fail
> +		# do not attempt to repair a partially encrypted filesystem
> +		# ensure that there is no attempt to
> +		# repair a partially encrypted filesystem
> +		if ! cryptsetup luksUUID "$1" &> /dev/null; then
> +			e2fsck -p -f "$1"
> +		fi
>  		if ! resize2fs "$1" "${reduced_size_in_kb}"; then
>  			panic "reencryption of filesystem $1 cannot continue!"
>  		fi
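
Review bot: The "&> /dev/null" in the added if condition is a bash extension. A plain POSIX sh such as dash parses it as the cryptsetup command sent to the background with "&", followed by an empty redirection "> /dev/null" that returns 0, so the condition is always true and e2fsck runs on every device, including the partially encrypted one this change wants to skip. The interpreter is not visible in this hunk, so unless the script is guaranteed to run under a shell that supports "&>", write the redirection as >/dev/null 2>&1.
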
Stefan Koch July 15, 2024, 11 a.m. UTC | #2
On Fri, 2024-07-12 at 16:15 +0200, Jan Kiszka wrote:
> On 12.07.24 14:57, Stefan Koch wrote:
> > Avoids that e2fsck will repair the partially reencrypted
> > filesystem after power-loss during reencryption.
> > 
> > In general, cryptsetup is capable of resuming a partial encryption,
> > but there is no key available to unlock the partially encrypted data,
> > yet.
> > The key is enrolled only after fully succeeded reencryption, yet.
> 
> OK, that is understood now. Question remains, though, if we shouldn't
> fix that directly. Quirin, was there a particular reason to hold back
> the TPM writing?
https://github.com/systemd/systemd/issues/20230

That states that cryptsetup 2.6.0 introduced the "--token-type"
parameter "systemd-fido/systemd-tpm2". Bookworm has cryptsetup 2.6.1,
maybe continuation of aborted (power-loss) "cryptsetup reencrypt" could
be achieved with that parameter.
> 
> Jan
> 
> > 
> > Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
> > ---
> >  .../initramfs-crypt-hook/files/encrypt_partition.script   | 8
> > +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-
> > crypt-hook/files/encrypt_partition.script
> > index ff4c135..f943aea 100644
> > --- a/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.script
> > +++ b/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.script
> > @@ -77,7 +77,13 @@ reencrypt_existing_partition() {
> >  [options]
> >         broken_system_clock=true
> >  EOF
> > -               e2fsck -p -f "$1"
> > +               # ensure that filesystem is clean otherwise
> > resize2fs will fail
> > +               # do not attempt to repair a partially encrypted
> > filesystem
> > +               # ensure that there is no attempt to
> > +               # repair a partially encrypted filesystem
> > +               if ! cryptsetup luksUUID "$1" &> /dev/null; then
> > +                       e2fsck -p -f "$1"
> > +               fi
> >                 if ! resize2fs "$1" "${reduced_size_in_kb}"; then
> >                         panic "reencryption of filesystem $1 cannot
> > continue!"
> >                 fi
>
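
Review bot: The four comment lines added above the if say the same thing twice ("do not attempt to repair a partially encrypted filesystem" and "ensure that there is no attempt to repair a partially encrypted filesystem"). Keep one of them and have it state what the luksUUID test stands for, namely that a readable LUKS header on $1 is taken as the sign of an interrupted reencryption, because that link is only explained in the commit message and not in the code.
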

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index ff4c135..f943aea 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -77,7 +77,13 @@  reencrypt_existing_partition() {
 [options]
 	broken_system_clock=true
 EOF
-		e2fsck -p -f "$1"
+		# ensure that filesystem is clean otherwise resize2fs will fail
+		# do not attempt to repair a partially encrypted filesystem
+		# ensure that there is no attempt to
+		# repair a partially encrypted filesystem
+		if ! cryptsetup luksUUID "$1" &> /dev/null; then
+			e2fsck -p -f "$1"
+		fi
 		if ! resize2fs "$1" "${reduced_size_in_kb}"; then
 			panic "reencryption of filesystem $1 cannot continue!"
 		fi
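
Review bot: resize2fs "$1" still runs unconditionally after the new if, so on the path where luksUUID succeeds and e2fsck is skipped, the script goes on to resize a device that the condition has just identified as carrying a LUKS header, and the only handling is the existing panic. If stopping is the intended outcome for an interrupted reencryption, give that case its own branch with a message that names the cause, instead of leaving it to however resize2fs reacts. The first added comment also says the filesystem must be clean for resize2fs, which the skipped e2fsck no longer ensures on this path.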