JDM170/build
1
0
Fork 0
mirror of https://github.com/armbian/build synced 2025-09-24 19:47:06 +07:00
Code Issues Packages Projects Releases Wiki Activity

improve(lvm+cryptroot extensions): enable possibility for LVM on LUKS

Browse Source
This commit is contained in:
M.Schmidt
2024-12-03 21:47:11 +01:00
committed by Igor
parent 3ec24d40e8
commit 590b75fd6f
6 changed files with 55 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
extensions/fs-cryptroot-support.sh
View File

@@ -21,12 +21,13 @@ function extension_prepare_config__prepare_cryptroot() {
fi fi
} }
function prepare_root_device__encrypt_root_device() { function prepare_root_device__250_encrypt_root_device() {
# We encrypt the rootdevice (currently a loop device) and return the new mapped rootdevice # We encrypt the rootdevice (currently a loop device) and return the new mapped rootdevice
check_loop_device "$rootdevice" check_loop_device "$rootdevice"
display_alert "Extension: ${EXTENSION}: Encrypting root partition with LUKS..." "cryptsetup luksFormat $rootdevice" "" display_alert "Extension: ${EXTENSION}: Encrypting root partition with LUKS..." "cryptsetup luksFormat $rootdevice" ""
echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $CRYPTROOT_PARAMETERS $rootdevice - echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $CRYPTROOT_PARAMETERS $rootdevice -
echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksOpen $rootdevice $CRYPTROOT_MAPPER - echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksOpen $rootdevice $CRYPTROOT_MAPPER -
add_cleanup_handler cleanup_cryptroot
display_alert "Extension: ${EXTENSION}: Root partition encryption complete." "" "ext" display_alert "Extension: ${EXTENSION}: Root partition encryption complete." "" "ext"
# TODO: pass /dev/mapper to Docker # TODO: pass /dev/mapper to Docker
rootdevice=/dev/mapper/$CRYPTROOT_MAPPER # used by `mkfs` and `mount` commands rootdevice=/dev/mapper/$CRYPTROOT_MAPPER # used by `mkfs` and `mount` commands
@@ -65,6 +66,9 @@ function pre_install_kernel_debs__adjust_dropbear_configuration() {
# /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file # /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file
# during mkinitramfs of update-initramfs # during mkinitramfs of update-initramfs
#cat "${dropbear_dir}"/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys #cat "${dropbear_dir}"/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys
# copy it a) later via hook to make use of a proper naming / structural equal -> "${DESTIMG}/${version}.img"
CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key
# copy dropbear ssh key to image output dir for convenience # copy dropbear ssh key to image output dir for convenience
cp "${dropbear_dir}"/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}" cp "${dropbear_dir}"/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}"
@@ -73,3 +77,12 @@ function pre_install_kernel_debs__adjust_dropbear_configuration() {
fi fi
fi fi
} }
function post_umount_final_image__750_cryptroot_cleanup(){
execute_and_remove_cleanup_handler cleanup_cryptroot
}
function cleanup_cryptroot(){
cryptsetup luksClose "${CRYPTROOT_MAPPER}" 2>&1
display_alert "Cryptroot closed ${CRYPTROOT_MAPPER}" "${EXTENSION}" "info"
}

38
extensions/lvm.sh
View File

@@ -32,22 +32,17 @@ function extension_prepare_config__prepare_lvm() {
} }
function post_create_partitions__setup_lvm() { function post_create_partitions__setup_lvm() {
LOOP=$(losetup -f)
[[ -z $LOOP ]] && exit_with_error "Unable to find free loop device"
check_loop_device "$LOOP"
losetup $LOOP ${SDCARD}.raw
partprobe $LOOP
# the partition to setup LVM on is defined as rootpart
local lvmpart=${rootpart}
local lvmdev=${LOOP}p${lvmpart}
display_alert "LVM will be on Partition ${lvmpart}, thats ${lvmdev}" "${EXTENSION}" "info"
# Setup LVM on the partition, ROOTFS # Setup LVM on the partition, ROOTFS
parted -s ${SDCARD}.raw -- set ${lvmpart} lvm on parted -s ${SDCARD}.raw -- set ${rootpart} lvm on
display_alert "LVM Partition table created" "${EXTENSION}" "info" display_alert "LVM Partition table created" "${EXTENSION}" "info"
parted -s ${SDCARD}.raw -- print >> "${DEST}"/${LOG_SUBPATH}/lvm.log 2>&1 parted -s ${SDCARD}.raw -- print >> "${DEST}"/${LOG_SUBPATH}/lvm.log 2>&1
}
function prepare_root_device__create_volume_group() {
# the partition to setup LVM on is defined as rootpart
local lvmdev=$rootdevice
display_alert "LVM will be on Partition ${rootpart}, thats ${lvmdev}" "${EXTENSION}" "info"
# Caculate the required volume size # Caculate the required volume size
declare -g -i rootfs_size declare -g -i rootfs_size
@@ -57,20 +52,18 @@ function post_create_partitions__setup_lvm() {
display_alert "Root volume size" "$volsize MiB" "info" display_alert "Root volume size" "$volsize MiB" "info"
# Create the PV VG and VOL # Create the PV VG and VOL
display_alert "LVM Creating VG" "${SDCARD}.raw" "info" display_alert "LVM Creating VG" "${lvmdev}" "info"
check_loop_device ${lvmdev} check_loop_device ${lvmdev}
pvcreate ${lvmdev} pvcreate ${lvmdev}
vgcreate ${LVM_VG_NAME} ${lvmdev} vgcreate ${LVM_VG_NAME} ${lvmdev}
wait_for_disk_sync "wait for VG to sync"
# Note that devices wont come up automatically inside docker # Note that devices wont come up automatically inside docker
lvcreate -Zn --name root --size ${volsize}M ${LVM_VG_NAME} lvcreate -Zn --name root --size ${volsize}M ${LVM_VG_NAME}
vgmknodes vgmknodes
lvs >> "${DEST}"/${LOG_SUBPATH}/lvm.log 2>&1 lvs >> "${DEST}"/${LOG_SUBPATH}/lvm.log 2>&1
# TODO [ms] check if disable-scan-enable is necessary
vgchange -a n ${LVM_VG_NAME} vgchange -a n ${LVM_VG_NAME}
losetup -d ${LOOP}
display_alert "LVM created volume group" "${EXTENSION}" "info" display_alert "LVM created volume group" "${EXTENSION}" "info"
}
function prepare_root_device__create_volume_group() {
display_alert "Using LVM root" "${EXTENSION}" "info" display_alert "Using LVM root" "${EXTENSION}" "info"
vgscan vgscan
@@ -87,8 +80,11 @@ function format_partitions__format_lvm() {
display_alert "LVM labeled partitions" "${EXTENSION}" "info" display_alert "LVM labeled partitions" "${EXTENSION}" "info"
} }
function post_umount_final_image__close_lvm() { function post_umount_final_image__lvm_cleanup(){
# Deactivat the Volume Group execute_and_remove_cleanup_handler cleanup_lvm
vgchange -a n ${LVM_VG_NAME} }
function cleanup_lvm() {
vgchange -a n ${LVM_VG_NAME} >> "${DEST}"/${LOG_SUBPATH}/lvm.log 2>&1 || true
display_alert "LVM deactivated volume group" "${EXTENSION}" "info" display_alert "LVM deactivated volume group" "${EXTENSION}" "info"
} }

2
lib/functions/image/loop.sh
View File

@@ -19,7 +19,7 @@ function check_loop_device() {
function check_loop_device_internal() { function check_loop_device_internal() {
local device="${1}" local device="${1}"
display_alert "Checking look device" "${device}" "debug" display_alert "Checking loop device" "${device}" "debug"
if [[ ! -b "${device}" ]]; then if [[ ! -b "${device}" ]]; then
if [[ $CONTAINER_COMPAT == yes && -b "/tmp/${device}" ]]; then if [[ $CONTAINER_COMPAT == yes && -b "/tmp/${device}" ]]; then
display_alert "Creating device node" "${device}" display_alert "Creating device node" "${device}"

31
lib/functions/image/partitioning.sh
View File

@@ -246,7 +246,6 @@ function prepare_partitions() {
fi fi
declare -g LOOP declare -g LOOP
call_extension_method "post_create_partitions" <<- 'POST_CREATE_PARTITIONS' call_extension_method "post_create_partitions" <<- 'POST_CREATE_PARTITIONS'
*called after all partitions are created, but not yet formatted* *called after all partitions are created, but not yet formatted*
POST_CREATE_PARTITIONS POST_CREATE_PARTITIONS
@@ -256,10 +255,15 @@ function prepare_partitions() {
exec {FD}> /var/lock/armbian-debootstrap-losetup exec {FD}> /var/lock/armbian-debootstrap-losetup
flock -x $FD flock -x $FD
#--partscan is using to force the kernel for scanning partition table in preventing of partprobe errors
#--partscan is using to force the kernel for scaning partition table in preventing of partprobe errors if [[ -z $LOOP ]]; then
LOOP=$(losetup --show --partscan --find "${SDCARD}".raw) || exit_with_error "Unable to find free loop device" LOOP=$(losetup -f)
display_alert "Allocated loop device" "LOOP=${LOOP}" # LOOP=$(losetup --show --partscan --find "${SDCARD}".raw) || exit_with_error "Unable to find free loop device"
[[ -z $LOOP ]] && exit_with_error "Unable to find free loop device"
display_alert "Allocated loop device" "LOOP=${LOOP}"
check_loop_device "$LOOP"
losetup $LOOP ${SDCARD}.raw
fi
# loop device was grabbed here, unlock # loop device was grabbed here, unlock
flock -u $FD flock -u $FD
@@ -279,8 +283,8 @@ function prepare_partitions() {
## ROOT PARTITION ## ROOT PARTITION
## ##
if [[ -n $rootpart ]]; then if [[ -n $rootpart ]]; then
local physical_rootdevice="${LOOP}p${rootpart}" local rootdevice=${LOOP}p${rootpart}
local rootdevice="${LOOP}p${rootpart}" local physical_rootdevice=$rootdevice
call_extension_method "prepare_root_device" <<- 'PREPARE_ROOT_DEVICE' call_extension_method "prepare_root_device" <<- 'PREPARE_ROOT_DEVICE'
*Specialized storage extensions typically transform the root device into a mapped device and should hook in here * *Specialized storage extensions typically transform the root device into a mapped device and should hook in here *
@@ -306,23 +310,20 @@ function prepare_partitions() {
root_part_uuid="$(blkid -s UUID -o value ${LOOP}p${rootpart})" root_part_uuid="$(blkid -s UUID -o value ${LOOP}p${rootpart})"
declare -g -r ROOT_PART_UUID="${root_part_uuid}" declare -g -r ROOT_PART_UUID="${root_part_uuid}"
physical_root_part_uuid="$(blkid -s UUID -o value $physical_rootdevice)"
declare -g -r PHYSICAL_ROOT_PART_UUID="${physical_root_part_uuid}"
display_alert "Physical root device" "$physical_rootdevice (UUID=${PHYSICAL_ROOT_PART_UUID})" "debug"
display_alert "Mounting rootfs" "$rootdevice (UUID=${ROOT_PART_UUID})" display_alert "Mounting rootfs" "$rootdevice (UUID=${ROOT_PART_UUID})"
run_host_command_logged mount ${fscreateopt} $rootdevice $MOUNT/ run_host_command_logged mount ${fscreateopt} $rootdevice $MOUNT/
# create fstab (and crypttab) entry # create fstab (and crypttab) entry
local rootfs
if [[ $CRYPTROOT_ENABLE == yes ]]; then if [[ $CRYPTROOT_ENABLE == yes ]]; then
# map the LUKS container partition via its UUID to be the 'cryptroot' device # map the LUKS container partition via its UUID to be the 'cryptroot' device
physical_root_part_uuid="$(blkid -s UUID -o value $physical_rootdevice)"
echo "$CRYPTROOT_MAPPER UUID=${physical_root_part_uuid} none luks" >> $SDCARD/etc/crypttab echo "$CRYPTROOT_MAPPER UUID=${physical_root_part_uuid} none luks" >> $SDCARD/etc/crypttab
rootfs=$rootdevice # used in fstab run_host_command_logged cat $SDCARD/etc/crypttab
else
rootfs="UUID=$(blkid -s UUID -o value $rootdevice)"
fi fi
rootfs="UUID=$(blkid -s UUID -o value $rootdevice)"
echo "$rootfs / ${mkfs[$ROOTFS_TYPE]} defaults,noatime${mountopts[$ROOTFS_TYPE]} 0 1" >> $SDCARD/etc/fstab echo "$rootfs / ${mkfs[$ROOTFS_TYPE]} defaults,noatime${mountopts[$ROOTFS_TYPE]} 0 1" >> $SDCARD/etc/fstab
run_host_command_logged cat $SDCARD/etc/fstab
else else
# update_initramfs will fail if /lib/modules/ doesn't exist # update_initramfs will fail if /lib/modules/ doesn't exist
mount --bind --make-private $SDCARD $MOUNT/ mount --bind --make-private $SDCARD $MOUNT/

3
lib/functions/image/rootfs-to-image.sh
View File

@@ -117,9 +117,8 @@ function create_image_from_sdcard_rootfs() {
fi fi
wait_for_disk_sync "before umount MOUNT" wait_for_disk_sync "before umount MOUNT"
umount_chroot_recursive "${MOUNT}" "MOUNT" umount_chroot_recursive "${MOUNT}" "MOUNT"
[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose "$CRYPTROOT_MAPPER"
call_extension_method "post_umount_final_image" "config_post_umount_final_image" <<- 'POST_UMOUNT_FINAL_IMAGE' call_extension_method "post_umount_final_image" "config_post_umount_final_image" <<- 'POST_UMOUNT_FINAL_IMAGE'
*allow config to hack into the image after the unmount* *allow config to hack into the image after the unmount*

9
lib/functions/rootfs/trap-rootfs.sh
View File

@@ -56,15 +56,18 @@ function trap_handler_cleanup_rootfs_and_image() {
debug_tmpfs_show_usage "before cleanup of rootfs" debug_tmpfs_show_usage "before cleanup of rootfs"
cd "${SRC}" || echo "Failed to cwd to ${SRC}" # Move pwd away, so unmounts work cd "${SRC}" || echo "Failed to cwd to ${SRC}" # Move pwd away, so unmounts work
# those will loop until they're unmounted. # those will loop until they're unmounted.
display_alert "Cleanup sdcard begin" "trap_handler_cleanup_rootfs_and_image" "cleanup"
umount_chroot_recursive "${SDCARD}" "SDCARD" || true umount_chroot_recursive "${SDCARD}" "SDCARD" || true
display_alert "Cleanup mount begin" "trap_handler_cleanup_rootfs_and_image" "cleanup"
umount_chroot_recursive "${MOUNT}" "MOUNT" || true umount_chroot_recursive "${MOUNT}" "MOUNT" || true
display_alert "Cleanup umount sdcard begin" "trap_handler_cleanup_rootfs_and_image" "cleanup"
# unmount tmpfs mounted on SDCARD if it exists. #@TODO: move to new tmpfs-utils scheme # unmount tmpfs mounted on SDCARD if it exists. #@TODO: move to new tmpfs-utils scheme
mountpoint -q "${SDCARD}" && umount "${SDCARD}" mountpoint -q "${SDCARD}" && umount "${SDCARD}"
[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose "${CRYPTROOT_MAPPER}"
if [[ "${PRESERVE_SDCARD_MOUNT}" == "yes" ]]; then if [[ "${PRESERVE_SDCARD_MOUNT}" == "yes" ]]; then
display_alert "Preserving SD card mount" "trap_handler_cleanup_rootfs_and_image" "warn" display_alert "Preserving SD card mount" "trap_handler_cleanup_rootfs_and_image" "warn"
return 0 return 0
@@ -72,7 +75,7 @@ function trap_handler_cleanup_rootfs_and_image() {
# shellcheck disable=SC2153 # global var. # shellcheck disable=SC2153 # global var.
if [[ -b "${LOOP}" ]]; then if [[ -b "${LOOP}" ]]; then
display_alert "Freeing loop" "trap_handler_cleanup_rootfs_and_image ${LOOP}" "wrn" display_alert "Freeing loop" "trap_handler_cleanup_rootfs_and_image ${LOOP}" "warn"
free_loop_device_insistent "${LOOP}" || true free_loop_device_insistent "${LOOP}" || true
fi fi