From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path: <b.hutchman@gmail.com>
References: <CAFZh4h-Azk-qGZPt1wEhqOLDtvhvTXc0Gn5pvo4y1v5=tx=XWQ@mail.gmail.com>
 <d3997af0a43d807c088e08123c6591da071fc1ba.camel@pengutronix.de>
 <CAFZh4h8Hd+sBBNz9m1ZJvnHEg9hsL4R19cmKJ21Y9Asiss2B5Q@mail.gmail.com>
 <1fa4195021526f8ef22b79c11ce5f1b39f0ebbaa.camel@pengutronix.de>
 <CAFZh4h-FCzTDpP4ZR86YK0dDjdwD_QXyU8AgDjz3i3+LZ5aRrw@mail.gmail.com>
 <CAFZh4h-c4fL=Z2W8NQKV+swCqMtM7cQq1-zp5TqMhni6nfzmmA@mail.gmail.com>
 <7a45d808c119e373c55163492003751229b4aab0.camel@pengutronix.de>
In-Reply-To: <7a45d808c119e373c55163492003751229b4aab0.camel@pengutronix.de>
From: Brian Hutchinson <b.hutchman@gmail.com>
Date: Mon, 2 Aug 2021 11:22:09 -0400
Message-ID: <CAFZh4h-mtZe6J+6d3LGWS+Aee47ES5MmyHz5_BeaH_moACDPig@mail.gmail.com>
Subject: Re: [RAUC] Stumped, have a appfs partition that is encrypted, how to get RAUC to update it
To: Jan Lübbe <jlu@pengutronix.de>, rauc@pengutronix.de
List-ID: <rauc.pengutronix.de>

On Fri, Jul 30, 2021 at 12:29 PM Jan Lübbe <jlu@pengutronix.de> wrote:

> Hi Brian,
>
> On Fri, 2021-07-30 at 10:20 -0400, Brian Hutchinson wrote:
> > > 100% Installing failed.
> > > LastError: Installation error: Failed updating slot appfs.1: failed to run
> > > mkfs.ext4: Child process exited with code 1
> > > Installing `/tmp/./update-myboard.raucb` failed
> > >
> > > But yet I can do mkfs.ext4 /dev/mapper/crypt_appfs2 and mount it and the
> > > filesystem is fine.
> > >
> > > Looks like I'm missing something still.
>
> Hmm, you should have more logs on the rauc service side, possibly also with an
> error message from mkfs.ext4.
>
> >
> > So I think my issue was because I was nfs booted. Slot A was activated but not
> > booted. But it looks like maybe it was using slot A /etc/rauc/system.conf
> > instead of the currently running nfs instance /etc/rauc/system.conf because what
> > I tried before worked once I mounted /dev/mmcblk2gp0p2 and changed that
> > /etc/rauc/system.conf to:
>
> It should use /etc/rauc/system.conf from the mounted rootfs, so NFS in your
> case.
>
> > [slot.appfs.1]
> > device=/dev/mapper/crypt_appfs2
> > type=ext4
> > parent=rootfs.1
> >
> > So this brings up a question. If I have boards out in the field and appfs goes
> > from plain ext4 to encrypted, I somehow need to update the currently running
> > /etc/rauc/system.conf file first before performing an update??? How to handle
> > system.conf changes?
>
> The system.conf contents should describe the details of the system that don't
> change during updates. Generally, partitioning changes are not possible in an
> atomic A/B way, so those are not really in scope for RAUC. :/
>
> Getting such a migration correct in the field is difficult. Something you could
> use, though.
>
> The device= properties will follow symlinks. So you could handle the switch
> between unencrypted and encrypted in a script before starting the rauc service
> and before mounting the current appfs.
>
> For both sides, you'd check if it already contains a LUKS header. If not, it's
> an old version which doesn't support encryption yet, so you link /dev/mmcblk...
> to /dev/appfs[12].
> If it already contains that header, attach the crypt device. Then set up the
> /dev/appfs[12] link to /dev/mapper/crypt_appfs[12].
>
> The system.conf would then point to device=/dev/appfs[12].
>
> Then add a pre-install handler:
> https://rauc.readthedocs.io/en/latest/using.html#system-based-customization-handlers
> It can check if the target slot link still points to the unencrypted device. In
> that case, it can set up the crypt device and change the link. RAUC should(*)
> then follow the updated link to the encrypted device when installing.
>
> Hope that helps... :)
>

Hi Jan,

Yes! Thanks.

Now my problem is I have a very small 32M NOR flash and I have an 11M SquashFS
rootfs based off core-image-minimal. I added packagegroup-luks and it blew
size up to 47M. I then just tried to CORE_IMAGE_EXTRA_INSTALL += "cryptsetup"
and that was still a 35M rootfs so now I'm stumped trying to figure out if it's
possible to get encryption support in my NOR flash image we boot from :(

Regards,

Brian
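
The symlink switch described in the quoted reply above, sketched as an added example (not code from this thread or from the RAUC project). The function names, the DEV_DIR/MAPPER_DIR overrides and the key file path are assumptions; the raw partition paths are left as placeholders because the thread does not give them.

```shell
#!/bin/sh
# Added example, not from the thread or the RAUC project.
# DEV_DIR, MAPPER_DIR and KEYFILE are assumptions, overridable for testing.
DEV_DIR="${DEV_DIR:-/dev}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
KEYFILE="${KEYFILE:-/path/to/keyfile}"  # placeholder: key storage is not covered in the thread

# True if the device starts with the LUKS magic: "LUKS" 0xBA 0xBE.
# On the target, `cryptsetup isLuks "$1"` performs the same check.
has_luks_header() {
    magic=$(head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Open the LUKS container unless the mapping already exists.
attach_crypt() {  # $1 = raw partition, $2 = mapper name
    [ -e "$MAPPER_DIR/$2" ] && return 0
    cryptsetup open --type luks --key-file "$KEYFILE" "$1" "$2"
}

# Point $DEV_DIR/appfsN at the raw partition (old, unencrypted layout) or at
# the opened mapping (LUKS layout). Prints the chosen target on success.
link_slot() {  # $1 = raw partition, $2 = slot number (1 or 2)
    raw=$1
    link="$DEV_DIR/appfs$2"
    name="crypt_appfs$2"
    if has_luks_header "$raw"; then
        # Fail closed: if the container cannot be opened, remove the link so
        # nothing mounts or reformats the raw LUKS partition as plain ext4.
        attach_crypt "$raw" "$name" || { rm -f "$link"; return 1; }
        target="$MAPPER_DIR/$name"
    else
        target=$raw
    fi
    ln -sfn "$target" "$link" && echo "$target"
}

# Run once per slot before mounting appfs and starting the rauc service:
#   link_slot <raw partition of appfs slot 1> 1
#   link_slot <raw partition of appfs slot 2> 2
# system.conf then uses device=/dev/appfs1 and device=/dev/appfs2.
```

A pre-install handler can reuse has_luks_header on the target slot to decide whether the link still points at an unencrypted partition.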