[isar-cip-core,v2] crypt: remove e2fsck.config option system_broken_clock

Message ID 20250219161331.1669565-1-Quirin.Gylstorff@siemens.com (mailing list archive)
State New

Commit Message

Quirin Gylstorff Feb. 19, 2025, 4:13 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

In case of enabling disk encryption after the first boot (e.g. enabling
encryption after a firmware update) setting
the option `system_broken_clock` to true will lead to a panic in
the initrd as resize2fs will fail with the message:

```
+ resize2fs /dev/sda6 1330380K
resize2fs 1.47.0 (5-Feb-2023)
Please run 'e2fsck -f /dev/sda6' first
```

resize2fs checks if the time stamp of the last mount is before the
last check. The e2fsck option `-p` (prune) repairs this mismatch on
systems with an unbuffered system clock.

If the encryption occurs during first boot, the mount timestamp is not set and
the system boots.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---

was: crypt: do not assume that all system clocks are broken
Changes v2:
 - drop setting the e2fsck option instead of optionally enabling it.

 .../initramfs-crypt-hook/files/local-top-complete            | 5 -----
 1 file changed, 5 deletions(-)

Comments

Jan Kiszka Feb. 19, 2025, 4:32 p.m. UTC | #1
On 19.02.25 17:13, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> In case of enabling disk encryption after the first boot (e.g. enabling
> encryption after a firmware update) setting
> the option `system_broken_clock` to true will lead to a panic in
> the initrd as resize2fs will fail with the message:
> 
> ```
> + resize2fs /dev/sda6 1330380K
> resize2fs 1.47.0 (5-Feb-2023)
> Please run 'e2fsck -f /dev/sda6' first
> ```
> 
> resize2fs checks if the time stamp of the last mount is before the
> last check. The e2fsck option `-p` (prune) repairs this mismatch on
> systems with an unbuffered system clock.
> 
> If the encryption occurs during first boot, the mount timestamp is not set and
> the system boots.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> 
> was: crypt: do not assume that all system clocks are broken
> Changes v2:
>  - drop setting the e2fsck option instead of optionally enabling it.
> 
>  .../initramfs-crypt-hook/files/local-top-complete            | 5 -----
>  1 file changed, 5 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> index 54b8a6e..5ef7ca4 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
> @@ -75,11 +75,6 @@ reencrypt_existing_partition() {
>  	case $partition_fstype in
>  	ext*)
>  		# reduce the filesystem and partition by 32M to fit the LUKS header
> -		export E2FSCK_CONFIG=/tmp/e2fsck.conf
> -		cat > "$E2FSCK_CONFIG" << EOF
> -[options]
> -	broken_system_clock=true
> -EOF
>  		e2fsck -p -f "$1"
>  		if ! resize2fs "$1" "${reduced_size_in_kb}"; then
>  			panic "reencryption of partition $1 cannot continue - resizing of the partition failed!"
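
Review bot: the key removed from the `[options]` block is `broken_system_clock=true`, but the subject line and the commit message both call it `system_broken_clock`. The message should use the name exactly as it appears in the removed line, so that searching the history for the e2fsck.conf key finds this commit.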

Thanks, applied.

Jan
Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
index 54b8a6e..5ef7ca4 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
+++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete
@@ -75,11 +75,6 @@  reencrypt_existing_partition() {
 	case $partition_fstype in
 	ext*)
 		# reduce the filesystem and partition by 32M to fit the LUKS header
-		export E2FSCK_CONFIG=/tmp/e2fsck.conf
-		cat > "$E2FSCK_CONFIG" << EOF
-[options]
-	broken_system_clock=true
-EOF
 		e2fsck -p -f "$1"
 		if ! resize2fs "$1" "${reduced_size_in_kb}"; then
 			panic "reencryption of partition $1 cannot continue - resizing of the partition failed!"
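
Review bot: the exit status of `e2fsck -p -f "$1"` in the remaining context is still ignored, so if the check leaves the filesystem in a state resize2fs rejects, the only diagnostic is the panic about resizing having failed. Consider capturing the e2fsck status and panicking with a message that names e2fsck when it reports uncorrected errors (exit status 4 or higher), so the failure is attributed to the right step. Separately, the removed `export E2FSCK_CONFIG=/tmp/e2fsck.conf` applied to every later e2fsck call in this shell, so it is worth confirming that nothing further down the script relied on that variable being set.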