@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
open_tpm2_partition() {
if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
-d "$1"; then
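Review bot: `service_watchdog` at lines 4–9 hard-codes a 10 s service interval with no relation to the watchdog hardware's own timeout, and the script never sets that timeout, so on a device whose timeout is shorter than 10 s this loop will not keep the system alive; state the assumption in a header comment, e.g. `# assumes the watchdog timeout is well above the 10 s service interval (set it via the driver if needed)`. The arithmetic is also unsafe when the template variable is empty: `$(( / 10 ))` is a shell error and `seq` then runs with no argument, so use `for n in $(seq $(( ${SETUP_TIMEOUT:-0} / 10 )) ); do`. It is worth documenting that when the loop finishes the device is closed without the magic-close character, so (driver permitting) the watchdog stays armed and fires — that is the actual timeout mechanism and it is not visible from the code. The same function is added again in the second script at the hunk at line 48.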
@@ -104,6 +111,12 @@ for partition_set in $partition_sets; do
continue
fi
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
# create random password for initial encryption
# this will be dropped after reboot
tmp_key=/tmp/"$partition_label-lukskey"
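Review bot: The guard `[ -z "$watchdog_pid" ]` at line 18 relies on `watchdog_pid` being unset before the `for partition_set` loop (which starts outside the hunk); nothing in the script initialises it, so an inherited environment variable of that name would silently skip starting the watchdog — add `watchdog_pid=` ahead of the loop. Note also that only stdout is redirected inside the function, so if `$WATCHDOG_DEV` cannot be opened (node missing, or busy because another process typically may hold it) the background job just prints an error and exits, and first-boot setup then runs with no timeout at all; consider checking `[ -c "$WATCHDOG_DEV" ]` here and logging when it is absent. The same applies to the hunk at line 61.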
@@ -136,3 +149,7 @@ for partition_set in $partition_sets; do
# afterwards no new keys can be enrolled
cryptsetup -v luksKillSlot -q "$part_device" 0
done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
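Review bot: `kill "$watchdog_pid"` at line 32 terminates the background subshell but not its current `sleep 10` child, which inherited the open `$WATCHDOG_DEV` descriptor from the loop redirect, so the device can remain held open for up to 10 s after this point and a later opener (for instance the init system's watchdog handling) may find it busy in that window. Following the kill with `wait "$watchdog_pid" 2>/dev/null || true` at least reaps the job, and if this script runs under `set -e` the kill should tolerate a loop that has already run to completion: `kill "$watchdog_pid" 2>/dev/null || true`. Whether something downstream takes over servicing the still-armed watchdog is outside this hunk and should be confirmed. The same applies to the hunk at line 73.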
@@ -1,2 +1,4 @@
PARTITIONS="${CRYPT_PARTITIONS}"
CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
+SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
+WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
@@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found"
copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found"
copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found"
copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found"
+copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found"
+copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found"
copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found"
copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found"
copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found"
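Review bot: The hook copies `seq` and `sleep` for the new watchdog loop but does nothing to ensure the watchdog device node will exist in the initramfs; if the watchdog driver is built as a module it would need to be added here (initramfs-tools' `manual_add_modules`), otherwise the loop's redirect fails and first-boot setup has no timeout at all. I cannot see from this hunk whether a module is added elsewhere in the hook; if it is not, add it next to these lines, or at least record the requirement with a comment such as `# the watchdog driver must be built in or added below; service_watchdog needs the device node`.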
@@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then
create_file_system_cmd="mke2fs -t ext4"
fi
+service_watchdog() {
+ for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do
+ printf '\0'
+ sleep 10
+ done > "$WATCHDOG_DEV"
+}
+
open_tpm2_partition() {
if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \
"$1" - tpm2-device="$tpm_device"; then
@@ -111,6 +118,12 @@ for partition_set in $partition_sets; do
continue
fi
+ # service watchdog in the background during lengthy re-encryption
+ if [ -z "$watchdog_pid" ]; then
+ service_watchdog &
+ watchdog_pid=$!
+ fi
+
# create random password for initial encryption
# this will be dropped after reboot
tmp_key=/tmp/"$partition_label-lukskey"
@@ -143,3 +156,7 @@ for partition_set in $partition_sets; do
# afterwards no new keys can be enrolled
/usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0
done
+
+if [ -n "$watchdog_pid" ]; then
+ kill "$watchdog_pid"
+fi
@@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
# in a newly formatted LUKS Partition
CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4"
+# Timeout for creating / re-encrypting partitions on first boot
+CRYPT_SETUP_TIMEOUT ??= "600"
+# Watchdog to service during the initial setup of the crypto partitions
+INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
-TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD"
+TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
+ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE"
TEMPLATE_FILES = "encrypt_partition.env.tmpl"
do_install[cleandirs] += " \
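Review bot: The comment on `CRYPT_SETUP_TIMEOUT` at line 85 does not state the unit, and the consumer divides the value by 10 and services the watchdog every 10 s, so values below 10 never open the device (no timeout is enforced) and other values are truncated to a multiple of 10; suggest `# Timeout (seconds, rounded down to a multiple of 10) for creating / re-encrypting partitions on first boot`. It is also worth saying on `INITRAMFS_WATCHDOG_DEVICE` that the timeout is only enforced when this device exists and fires, e.g. `# Watchdog to service during the initial setup; if absent, CRYPT_SETUP_TIMEOUT is not enforced`.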