mail archive of the rauc mailing list
From: Brian Hutchinson <b.hutchman@gmail.com>
To: "Jan Lübbe" <jlu@pengutronix.de>, rauc@pengutronix.de
Subject: Re: [RAUC] Stumped, have a appfs partition that is encrypted, how to get RAUC to update it
Date: Mon, 2 Aug 2021 11:22:09 -0400
Message-ID: <CAFZh4h-mtZe6J+6d3LGWS+Aee47ES5MmyHz5_BeaH_moACDPig@mail.gmail.com>
In-Reply-To: <7a45d808c119e373c55163492003751229b4aab0.camel@pengutronix.de>

On Fri, Jul 30, 2021 at 12:29 PM Jan Lübbe <jlu@pengutronix.de> wrote:

> Hi Brian,
>
> On Fri, 2021-07-30 at 10:20 -0400, Brian Hutchinson wrote:
> > > 100% Installing failed.
> > > LastError: Installation error: Failed updating slot appfs.1: failed to run mkfs.ext4: Child process exited with code 1
> > > Installing `/tmp/./update-myboard.raucb` failed
> > >
> > > But yet I can do mkfs.ext4 /dev/mapper/crypt_appfs2 and mount it and the
> > > filesystem is fine.
> > > Looks like I'm missing something still.
>
> Hmm, you should have more logs on the rauc service side, possibly also with an
> error message from mkfs.ext4.
>
> >
> > So I think my issue was because I was nfs booted.  Slot A was activated but not
> > booted. But it looks like maybe it was using slot A /etc/rauc/system.conf
> > instead of the currently running nfs instance /etc/rauc/system.conf because what
> > I tried before worked once I mounted /dev/mmcblk2gp0p2 and changed that
> > /etc/rauc/system.conf to:
>
> It should use /etc/rauc/system.conf from the mounted rootfs, so NFS in your
> case.
>
> > [slot.appfs.1]
> > device=/dev/mapper/crypt_appfs2
> > type=ext4
> > parent=rootfs.1
> >
> > So this brings up a question.  If I have boards out in the field and appfs goes
> > from plain ext4 to encrypted, I somehow need to update the currently running
> > /etc/rauc/system.conf file first before performing an update???  How to handle
> > system.conf changes?
>
> The system.conf contents should describe the details of the system that don't
> change during updates. Generally, partitioning changes are not possible in an
> atomic A/B way, so those are not really in scope for RAUC. :/
>
> Getting such a migration correct in the field is difficult. Something you could
> use, though.
>
> The device= properties will follow symlinks. So you could handle the switch
> between unencrypted and encrypted in a script before starting the rauc service
> and before mounting the current appfs.
>
> For both sides, you'd check if it already contains a LUKS header. If not, it's
> an old version which doesn't support encryption yet, so you link /dev/mmcblk...
> to /dev/appfs[12].
> If it already contains that header, attach the crypt device. Then set up the
> /dev/appfs[12] link to /dev/mapper/crypt_appfs[12].
>
> The system.conf would then point to device=/dev/appfs[12].
>
> Then add a pre-install handler:
> https://rauc.readthedocs.io/en/latest/using.html#system-based-customization-handlers
> It can check if the target slot link still points to the unencrypted device. In
> that case, it can set up the crypt device and change the link. RAUC should(*)
> then follow the updated link to the encrypted device when installing.
>
> Hope that helps... :)
>
>
Hi Jan,

Yes!  Thanks.

Now my problem is I have a very small 32M NOR flash and I have an 11M
SquashFS rootfs based off core-image-minimal.  I added packagegroup-luks
and it blew size up to 47M.  I then just tried to CORE_IMAGE_EXTRA_INSTALL
+= "cryptsetup" and that was still a 35M rootfs so now I'm stumped trying
to figure out if it's possible to get encryption support in my NOR flash
image we boot from :(

Regards,

Brian
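
The boot-time link selection and the pre-install check described in the quoted reply, written out as shell functions. This is an added example, not code from the thread or from RAUC; the key file path, the raw partition names and the LINK_DIR/MAPPER_DIR variables are assumptions, and system.conf is assumed to use device=/dev/appfs[12] as the reply suggests.

```shell
#!/bin/sh
# Added example. Assumptions not taken from the thread: the key file path,
# the raw partition names, and LINK_DIR/MAPPER_DIR (overridable so the logic
# can be exercised on scratch files instead of real devices).
LINK_DIR="${LINK_DIR:-/dev}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
KEYFILE="${KEYFILE:-/path/to/appfs.key}"    # placeholder

# LUKS1 and LUKS2 primary headers both begin with "LUKS" 0xBA 0xBE.
# (`cryptsetup isLuks <device>` is the fuller check.)
has_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Boot time: point $LINK_DIR/appfsN at the crypt mapping if the partition
# carries a LUKS header, otherwise at the raw partition (old plain layout).
link_appfs_slot() {    # $1 = slot number, $2 = raw partition
    [ -e "$2" ] || return 1
    if has_luks_header "$2"; then
        name="crypt_appfs$1"
        [ -e "$MAPPER_DIR/$name" ] ||
            cryptsetup open --key-file "$KEYFILE" "$2" "$name" || return 1
        target="$MAPPER_DIR/$name"
    else
        target="$2"
    fi
    ln -sfn "$target" "$LINK_DIR/appfs$1"
}

# Pre-install handler: if the target slot link still points at the raw
# partition, create the LUKS container there and re-point the link, so the
# install lands on the encrypted device. The slot content is overwritten by
# the update anyway.
encrypt_target_slot() {    # $1 = slot number, $2 = raw partition
    case "$(readlink "$LINK_DIR/appfs$1")" in
        "$MAPPER_DIR"/*) return 0 ;;    # already encrypted
    esac
    cryptsetup luksFormat --batch-mode --key-file "$KEYFILE" "$2" || return 1
    link_appfs_slot "$1" "$2"
}

# Boot script usage (partition names are placeholders):
#   link_appfs_slot 1 /dev/<raw-appfs1>; link_appfs_slot 2 /dev/<raw-appfs2>
```

The plain fallback in link_appfs_slot exists only for units that have not migrated yet; while it is present, a partition whose LUKS header is missing is used unencrypted, so it is worth removing once the fleet has moved over.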
