Re: [RAUC] Stumped, have a appfs partition that is encrypted, how to get RAUC to update it

["Jan Lübbe" <jlu@pengutronix.de>]

Hi Brian,

On Fri, 2021-07-30 at 10:20 -0400, Brian Hutchinson wrote:
> > 100% Installing failed.
> > LastError: Installation error: Failed updating slot appfs.1: failed to run
> > mkfs.ext4: Child process exited with code 1
> > Installing `/tmp/./update-myboard.raucb` failed
> > 
> > But yet I can do mkfs.ext4 /dev/mapper/crypt_appfs2 and mount it and the
> > filesystem is fine.
> > 
> > Looks like I'm missing something still.

Hmm, you should have more logs on the rauc service side, possible also with an
error message from mkfs.ext4.

> 
> So I think my issue was because I was nfs booted.  Slot A was activated but not
> booted. But it looks like maybe it was using slot A /etc/rauc/system.conf
> instead of the currently running nfs instance /etc/rauc/system.conf because what
> I tried before worked once I mounted /dev/mmcblk2gp0p2 and changed that
> /etc/rauc/system.conf to:

It should use /etc/rauc/system.conf from the mounted rootfs, so NFS in your
case.

>  [slot.appfs.1]
> device=/dev/mapper/crypt_appfs2
> type=ext4
> parent=rootfs.1
> 
> So this brings up a question.  If I have boards out in the field and appfs goes
> from plain ext4 to encrypted, I somehow need to update the currently running
> /etc/rauc/system.conf file first before performing an update???  How to handle
> system.conf changes?

The system.conf contents should describe the details of the system than don't
change during updates. Generally, partitioning changes are not possible in an
atomic A/B way, so those are not really in scope for RAUC. :/

Getting such a migration correct in the field is difficult. Something you could
use, though.

The device= properties will follow symlinks. So you could handle the switch
between unencrypted and encrypted in a script before starting the rauc service
and before mounting the current appfs.

For both sides, you'd check if it already contains a luks header. If not, it's
an old version which doesn't support encryption yet, so you link /dev/mmcblk...
to /dev/appfs[12].
If if already contains that header, attach the crypt device. The setup the
/dev/appfs[12] link to /dev/mapper/crypt_appfs[12]).

The system.conf would then point to device=/dev/appfs[12].

Then add a pre-install handler:
https://rauc.readthedocs.io/en/latest/using.html#system-based-customization-handlers
It can check if the target slot link still points to the unencrypted device. In
that case, it can setup the crypt device and change the link. RAUC should(*)
then follow the updated link to the encrypted device when installing.

Hope that helps... :)

You can also join us in #rauc on libera.chat or via matrix.org.

Jan

(*) I'm not 100% sure right now when the symlink resolution happens. So you
should check the source. :)
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


_______________________________________________
RAUC mailing list