On Thu, 2021-07-22 at 08:11 -0400, Brian Hutchinson wrote:
> Hello again,
Hi!
> I'm wanting to have a rootfs that is read-only SquashFS and an appfs that is
> encrypted.
I assume you want to have an A/B appfs.
Yes, have A/B for Kernel, dtb, rootfs and appfs.
How do you encrypt your appfs? dm-crypt or fscrypt?
So process in factory will set everything up on eMMC the first time with:
cryptsetup luksFormat /dev/mmcblk2p1
cryptsetup luksFormat /dev/mmcblk2p2
cryptsetup luksOpen /dev/mmcblk2p1 crypt_appfs1
cryptsetup luksOpen /dev/mmcblk2p2 crypt_appfs2
mkfs.ext4 /dev/mapper/crypt_appfs1
mkfs.ext4 /dev/mapper/crypt_appfs2
Then in normal use just have a script that figures out which slot we are starting, A or B, to determine which appfs partition to use and cryptsetup luksOpen then mount /dev/mapper.
> And I'm kind of stumped. I've searched the Documentation and archives and it
> doesn't look like RAUC has native support for encrypted partitions but in the
> archives I saw where one gentleman needed to create encrypted bundles so this
> might be similar to my problem.
Bundle encryption is independent of encryption in the rest of the system.
> I know a bundle can have pre and post triggers so maybe I can use those to
> cryptsetup luksOpen the partition and then mount it and then RAUC can do its
> normal thing ... but I've not researched that enough to know if that's the way
> to go so thought I'd ask for some guidance to point me in the right direction
> first.
If you use dm-crypt, you can just use the device-mapper path for the slot's
device= property in system.conf. That way, the encryption is transparent to rauc.
Not following how that would work since the inactive appfs would be "closed/encrypted".
Thanks!
Regards,
Brian
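
An added example, not part of the thread or of RAUC itself: a boot-time script for the dm-crypt layout discussed above that opens both LUKS appfs partitions, so the /dev/mapper path given as device= in system.conf also exists for the inactive slot, and mounts only the active one. Assumptions: the bootnames A/B and their mapping to mmcblk2p1/p2, the slot names in the commented system.conf entry, the key file placeholder and the mount point.

```shell
#!/bin/sh
# Added example (not from the thread): open both appfs LUKS containers at boot.
# Assumed system.conf entry using the device-mapper path as the slot device:
#   [slot.appfs.0]
#   device=/dev/mapper/crypt_appfs1
#   type=ext4
#   parent=rootfs.0
# (and [slot.appfs.1] with crypt_appfs2 / rootfs.1; slot names are assumptions)

KEYFILE="${KEYFILE:-/path/to/appfs.key}"  # placeholder: key handling is not covered in the thread
MOUNTPOINT="${MOUNTPOINT:-/mnt/appfs}"    # assumed mount point

# Print the booted slot's bootname from a kernel command line (e.g. rauc.slot=A).
booted_slot() {
    for arg in $1; do
        case "$arg" in
            rauc.slot=*) echo "${arg#rauc.slot=}"; return 0 ;;
        esac
    done
    return 1
}

# Map a bootname to "<LUKS partition> <mapper name>" (A->p1, B->p2 is assumed).
appfs_for_slot() {
    case "$1" in
        A) echo "/dev/mmcblk2p1 crypt_appfs1" ;;
        B) echo "/dev/mmcblk2p2 crypt_appfs2" ;;
        *) return 1 ;;
    esac
}

# Open one slot's LUKS container unless its mapper device already exists.
open_appfs() {
    pair=$(appfs_for_slot "$1") || return 1
    set -- $pair
    [ -e "/dev/mapper/$2" ] || cryptsetup luksOpen --key-file "$KEYFILE" "$1" "$2"
}

main() {
    slot=$(booted_slot "$(cat /proc/cmdline)") || { echo "no rauc.slot= found" >&2; return 1; }
    # Open both so the inactive slot's /dev/mapper path exists when RAUC writes to it.
    for s in A B; do open_appfs "$s" || return 1; done
    pair=$(appfs_for_slot "$slot")
    mount "/dev/mapper/${pair#* }" "$MOUNTPOINT"   # mount only the active appfs
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` from the init system before the RAUC service starts; without that argument it only defines the functions.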