
[v2.1,2/4] initramfs-crypt-hook: Provide full losetup executable

Message ID 20240715093424.632716-1-stefan-koch@siemens.com (mailing list archive)
State New

Commit Message

Stefan Koch July 15, 2024, 9:34 a.m. UTC
- Avoids using a busybox losetup executable that
  doesn't support the "--sizelimit" parameter
- The "--sizelimit" parameter is needed for introducing
  speed-up of disk reencryption with the following commit

Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
---
 .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl    | 1 +
 .../files/encrypt_partition.systemd.hook                     | 4 ++++
 .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb         | 5 ++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

Comments

Quirin Gylstorff July 15, 2024, 10:58 a.m. UTC | #1
Hi,

On 7/15/24 11:34 AM, Stefan Koch wrote:
> - Avoids using a busybox losetup executable that
>    doesn't support the "--sizelimit" parameter
> - The "--sizelimit" parameter is needed for introducing
>    speed-up of disk reencryption with the following commit
> 
> Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
> ---
>   .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl    | 1 +
>   .../files/encrypt_partition.systemd.hook                     | 4 ++++
>   .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb         | 5 ++++-
>   3 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> index bb93361..72033d1 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
>   HASH_TYPE="${CRYPT_HASH_TYPE}"
>   KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
>   ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
> +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}"
Why do we need a variable at this point?
Please drop that variable and install always the full losetup.

Quirin
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> index be8c117..2ace533 100755
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> @@ -19,6 +19,9 @@ esac
>   
>   . /usr/share/initramfs-tools/hook-functions
>   
> +# get configuration variables
> +. /usr/share/encrypt_partition/encrypt_partition.env
> +
>   hook_error() {
>       echo "(ERROR): $1" >&2
>       exit 1
> @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
>   copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
>   copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
>   copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
> +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found"
>   copy_exec /usr/bin/systemd-cryptenroll || hook_error 
"/usr/bin/systemd-cryptenroll not found"
>   copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
>   copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
> index 72de5b6..1679133 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
> @@ -9,7 +9,7 @@
>   # SPDX-License-Identifier: MIT
>   
>   inherit dpkg-raw
> -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
> +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \
>       awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
>       libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
>       e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
> @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>   # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
>   # in a newly formatted LUKS Partition
>   CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
> +# Path to full (non-busybox) losetup binary
> +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup"
>   # Timeout for creating / re-encrypting partitions on first boot
>   CRYPT_SETUP_TIMEOUT ??= "600"
>   # Watchdog to service during the initial setup of the crypto partitions
> @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false"
>   
>   TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>       CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
> +    CRYPT_LOSETUP_PATH \
>       CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
>   TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>
Quirin Gylstorff July 15, 2024, 11:01 a.m. UTC | #2
Hi,

On 7/15/24 11:34 AM, Stefan Koch wrote:
> - Avoids using a busybox losetup executable that
>    doesn't support the "--sizelimit" parameter
> - The "--sizelimit" parameter is needed for introducing
>    speed-up of disk reencryption with the following commit
> 
> Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
> ---
>   .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl    | 1 +
>   .../files/encrypt_partition.systemd.hook                     | 4 ++++
>   .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb         | 5 ++++-
>   3 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> index bb93361..72033d1 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
>   HASH_TYPE="${CRYPT_HASH_TYPE}"
>   KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
>   ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
> +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}"
Why do we need a variable at this point?

If there is no reason please drop that variable and use always the full 
losetup.

Quirin
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> index be8c117..2ace533 100755
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> @@ -19,6 +19,9 @@ esac
>   
>   . /usr/share/initramfs-tools/hook-functions
>   
> +# get configuration variables
> +. /usr/share/encrypt_partition/encrypt_partition.env
> +
>   hook_error() {
>       echo "(ERROR): $1" >&2
>       exit 1
> @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
>   copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
>   copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
>   copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
> +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found"
>   copy_exec /usr/bin/systemd-cryptenroll || hook_error 
"/usr/bin/systemd-cryptenroll not found"
>   copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
>   copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
> index 72de5b6..1679133 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
> @@ -9,7 +9,7 @@
>   # SPDX-License-Identifier: MIT
>   
>   inherit dpkg-raw
> -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
> +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \
>       awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
>       libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
>       e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
> @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
>   # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
>   # in a newly formatted LUKS Partition
>   CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
> +# Path to full (non-busybox) losetup binary
> +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup"
>   # Timeout for creating / re-encrypting partitions on first boot
>   CRYPT_SETUP_TIMEOUT ??= "600"
>   # Watchdog to service during the initial setup of the crypto partitions
> @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false"
>   
>   TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>       CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
> +    CRYPT_LOSETUP_PATH \
>       CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
>   TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>
Stefan Koch July 15, 2024, noon UTC | #3
On Mon, 2024-07-15 at 13:01 +0200, Gylstorff Quirin wrote:
> Hi,
> 
> On 7/15/24 11:34 AM, Stefan Koch wrote:
> > - Avoids using a busybox losetup executable that
> >    doesn't support the "--sizelimit" parameter
> > - The "--sizelimit" parameter is needed for introducing
> >    speed-up of disk reencryption with the following commit
> > 
> > Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
> > ---
> >   .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl    | 1
> > +
> >   .../files/encrypt_partition.systemd.hook                     | 4
> > ++++
> >   .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb         | 5
> > ++++-
> >   3 files changed, 9 insertions(+), 1 deletion(-)
> > 
> > diff --git a/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.env.tmpl b/recipes-
> > initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
> > index bb93361..72033d1 100644
> > --- a/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.env.tmpl
> > +++ b/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.env.tmpl
> > @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
> >   HASH_TYPE="${CRYPT_HASH_TYPE}"
> >   KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
> >   ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
> > +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}"
> Why do we need a variable at this point?
> 
> If there is no reason please drop that variable and use always the
> full 
> losetup.
When removing it here, we would need to hardcode the path
/usr/local/sbin/losetup three times within encrypt_partition.script and
once within encrypt_partition.systemd.hook.
> 
> Quirin
> > diff --git a/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.systemd.hook b/recipes-
> > initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
> > index be8c117..2ace533 100755
> > --- a/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.systemd.hook
> > +++ b/recipes-initramfs/initramfs-crypt-
> > hook/files/encrypt_partition.systemd.hook
> > @@ -19,6 +19,9 @@ esac
> >   
> >   . /usr/share/initramfs-tools/hook-functions
> >   
> > +# get configuration variables
> > +. /usr/share/encrypt_partition/encrypt_partition.env
> > +
> >   hook_error() {
> >       echo "(ERROR): $1" >&2
> >       exit 1
> > @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error
> > "/usr/bin/sleep not found"
> >   copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not
> > found"
> >   copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs
> > not found"
> >   copy_exec /usr/sbin/cryptsetup || hook_error
> > "/usr/sbin/cryptsetup not found"
> > +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error
> > "/usr/sbin/losetup not found" >   copy_exec /usr/bin/systemd-
> > cryptenroll || hook_error 
> "/usr/bin/systemd-cryptenroll not found"
> >   copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error
> > "/usr/lib/systemd/systemd-cryptsetup not found"
> >   copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy
> > /usr/bin/tpm2_pcrread"
> > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-
> > crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-
> > hook/initramfs-crypt-hook_0.2.bb
> > index 72de5b6..1679133 100644
> > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> > hook_0.2.bb
> > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
> > hook_0.2.bb
> > @@ -9,7 +9,7 @@
> >   # SPDX-License-Identifier: MIT
> >   
> >   inherit dpkg-raw
> > -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
> > +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \
> >       awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
> >       libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
> >       e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
> > @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt
> > var:/var:reencrypt"
> >   # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to
> > create the filesystem
> >   # in a newly formatted LUKS Partition
> >   CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
> > +# Path to full (non-busybox) losetup binary
> > +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup"
> >   # Timeout for creating / re-encrypting partitions on first boot
> >   CRYPT_SETUP_TIMEOUT ??= "600"
> >   # Watchdog to service during the initial setup of the crypto
> > partitions
> > @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false"
> >   
> >   TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
> >       CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE
> > \
> > +    CRYPT_LOSETUP_PATH \
> >       CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
> >   TEMPLATE_FILES = "encrypt_partition.env.tmpl"
> >
Quirin Gylstorff July 15, 2024, 12:51 p.m. UTC | #4
On 7/15/24 2:00 PM, Koch, Stefan (DI PA DCP R&D 3) wrote:
> On Mon, 2024-07-15 at 13:01 +0200, Gylstorff Quirin wrote:
>> Hi,
>>
>> On 7/15/24 11:34 AM, Stefan Koch wrote:
>>> - Avoids using a busybox losetup executable that
>>>     doesn't support the "--sizelimit" parameter
>>> - The "--sizelimit" parameter is needed for introducing
>>>     speed-up of disk reencryption with the following commit
>>>
>>> Signed-off-by: Stefan Koch <stefan-koch@siemens.com>
>>> ---
>>>    .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl    | 1
>>> +
>>>    .../files/encrypt_partition.systemd.hook                     | 4
>>> ++++
>>>    .../initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb         | 5
>>> ++++-
>>>    3 files changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/recipes-initramfs/initramfs-crypt-
>>> hook/files/encrypt_partition.env.tmpl b/recipes-
>>> initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
>>> index bb93361..72033d1 100644
>>> --- a/recipes-initramfs/initramfs-crypt-
>>> hook/files/encrypt_partition.env.tmpl
>>> +++ b/recipes-initramfs/initramfs-crypt-
>>> hook/files/encrypt_partition.env.tmpl
>>> @@ -5,3 +5,4 @@ WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
>>>    HASH_TYPE="${CRYPT_HASH_TYPE}"
>>>    KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
>>>    ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
>>> +LOSETUP_PATH="${CRYPT_LOSETUP_PATH}"
>> Why do we need a variable at this point?
>>
>> If there is no reason please drop that variable and use always the
>> full
>> losetup.
> When remove it here, we need to hardcode the path
> /usr/local/sbin/losetup three times within encrypt_partition.script and
> once within encrypt_partition.systemd.hook

Then make it an internal variable of the scripts; there is no need to set it
with the template mechanism, which is intended to be modified by downstream.

And it does not need to be added in the hook.

>>
>> Quirin
>>> diff --git a/recipes-initramfs/initramfs-crypt-
>>> hook/files/encrypt_partition.systemd.hook b/recipes-
>>> initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
>>> index be8c117..2ace533 100755
>>> --- a/recipes-initramfs/initramfs-crypt-
>>> hook/files/encrypt_partition.systemd.hook
>>> +++ b/recipes-initramfs/initramfs-crypt-
>>> hook/files/encrypt_partition.systemd.hook
>>> @@ -19,6 +19,9 @@ esac
>>>    
>>>    . /usr/share/initramfs-tools/hook-functions
>>>    
>>> +# get configuration variables
>>> +. /usr/share/encrypt_partition/encrypt_partition.env
>>> +
>>>    hook_error() {
>>>        echo "(ERROR): $1" >&2
>>>        exit 1
>>> @@ -47,6 +50,7 @@ copy_exec /usr/bin/sleep || hook_error
>>> "/usr/bin/sleep not found"
>>>    copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not
>>> found"
>>>    copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs
>>> not found"
>>>    copy_exec /usr/sbin/cryptsetup || hook_error
>>> "/usr/sbin/cryptsetup not found"
>>> +copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error
>>> "/usr/sbin/losetup not found" >   copy_exec /usr/bin/systemd-
>>> cryptenroll || hook_error
This is unnecessary please remove LOSETUP from here. Also it needs to be 
added to the clevis hook.

The syntax is `copy_exec <binary_name> || hook_error`.

Quirin
>> "/usr/bin/systemd-cryptenroll not found"
>>>    copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error
>>> "/usr/lib/systemd/systemd-cryptsetup not found"
>>>    copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy
>>> /usr/bin/tpm2_pcrread"
>>> diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-
>>> crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-
>>> hook/initramfs-crypt-hook_0.2.bb
>>> index 72de5b6..1679133 100644
>>> --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>>> hook_0.2.bb
>>> +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-
>>> hook_0.2.bb
>>> @@ -9,7 +9,7 @@
>>>    # SPDX-License-Identifier: MIT
>>>    
>>>    inherit dpkg-raw
>>> -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
>>> +DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \
>>>        awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
>>>        libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
>>>        e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
>>> @@ -57,6 +57,8 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt
>>> var:/var:reencrypt"
>>>    # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to
>>> create the filesystem
>>>    # in a newly formatted LUKS Partition
>>>    CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
>>> +# Path to full (non-busybox) losetup binary
>>> +CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup"
>>>    # Timeout for creating / re-encrypting partitions on first boot
>>>    CRYPT_SETUP_TIMEOUT ??= "600"
>>>    # Watchdog to service during the initial setup of the crypto
>>> partitions
>>> @@ -68,6 +70,7 @@ CRYPT_ENCRYPTION_OPTIONAL ??= "false"
>>>    
>>>    TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
>>>        CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE
>>> \
>>> +    CRYPT_LOSETUP_PATH \
>>>        CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
>>>    TEMPLATE_FILES = "encrypt_partition.env.tmpl"
>>>    
>

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index bb93361..72033d1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -5,3 +5,4 @@  WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
 HASH_TYPE="${CRYPT_HASH_TYPE}"
 KEY_ALGORITHM="${CRYPT_KEY_ALGORITHM}"
 ENCRYPTION_IS_OPTIONAL="${CRYPT_ENCRYPTION_OPTIONAL}"
+LOSETUP_PATH="${CRYPT_LOSETUP_PATH}"
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
index be8c117..2ace533 100755
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook
@@ -19,6 +19,9 @@  esac
 
 . /usr/share/initramfs-tools/hook-functions
 
+# get configuration variables
+. /usr/share/encrypt_partition/encrypt_partition.env
+
 hook_error() {
     echo "(ERROR): $1" >&2
     exit 1
@@ -47,6 +50,7 @@  copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
 copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
 copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
 copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
+copy_exec /usr/sbin/losetup "$LOSETUP_PATH" || hook_error "/usr/sbin/losetup not found"
 copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found"
 copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found"
 copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread"
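Review bot: Nothing in this hook verifies that the `/usr/sbin/losetup` it copies is the util-linux build that understands `--sizelimit`, which is the stated reason for the change; if a busybox losetup were present at that path it would be copied silently and the reencryption step would only fail at first boot. Add a capability check next to the copy, e.g. `/usr/sbin/losetup --help 2>&1 | grep -q -- '--sizelimit' || hook_error "/usr/sbin/losetup does not support --sizelimit"`. The env file is also sourced before `hook_error` is defined and without a readability check, so a missing or malformed file neither aborts the hook nor reports through the usual path; moving the `.` below `hook_error` and guarding it with `[ -r /usr/share/encrypt_partition/encrypt_partition.env ] || hook_error "encrypt_partition.env not found"` would close that. Since the sourced value becomes the copy destination, it is worth rejecting a non-absolute `LOSETUP_PATH` before handing it to copy_exec, e.g. `case "$LOSETUP_PATH" in /*) ;; *) hook_error "LOSETUP_PATH must be an absolute path" ;; esac`.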
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
index 72de5b6..1679133 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.2.bb
@@ -9,7 +9,7 @@ 
 # SPDX-License-Identifier: MIT
 
 inherit dpkg-raw
-DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \
+DEBIAN_DEPENDS = "initramfs-tools, mount, cryptsetup, \
     awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \
     libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \
     e2fsprogs, tpm2-tools, coreutils, uuid-runtime"
@@ -57,6 +57,8 @@  CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
 # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
 # in a newly formatted LUKS Partition
 CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
+# Path to full (non-busybox) losetup binary
+CRYPT_LOSETUP_PATH ??= "/usr/local/sbin/losetup"
 # Timeout for creating / re-encrypting partitions on first boot
 CRYPT_SETUP_TIMEOUT ??= "600"
 # Watchdog to service during the initial setup of the crypto partitions
@@ -68,6 +70,7 @@  CRYPT_ENCRYPTION_OPTIONAL ??= "false"
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
     CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \
+    CRYPT_LOSETUP_PATH \
     CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL"
 TEMPLATE_FILES = "encrypt_partition.env.tmpl"
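Review bot: The comment above `CRYPT_LOSETUP_PATH` is misleading: `/usr/local/sbin/losetup` is not where the full losetup lives on the build host (the hook copies it from `/usr/sbin/losetup`), it is the destination that copy is installed to inside the initramfs. Reword it to `# Destination path of the util-linux losetup inside the initramfs (the hook copies /usr/sbin/losetup there)`, and if the location was chosen so that busybox's losetup cannot shadow it, state that explicitly, since that is the property the `--sizelimit` speed-up depends on. The added `mount` dependency would also benefit from a one-line comment saying it is the package that provides util-linux's losetup, so it is not later dropped as unused.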