From: Brian Hutchinson
To: Jan Lübbe, rauc@pengutronix.de
Date: Fri, 23 Jul 2021 08:45:11 -0400
Subject: Re: [RAUC] Stumped, have a appfs partition that is encrypted, how to get RAUC to update it
List-Id: RAUC Project - Discussion List

On Thu, Jul 22, 2021 at 8:55 AM Brian Hutchinson wrote:
>
> Hi Jan,
>
> On Thu, Jul 22, 2021 at 8:16 AM Jan Lübbe wrote:
>
>> On Thu, 2021-07-22 at 08:11 -0400, Brian Hutchinson wrote:
>> > Hello again,
>>
>> Hi!
>>
>> > I'm wanting to have a rootfs that is read-only SquashFS and an appfs that is
>> > encrypted.
>>
>> I assume you want to have an A/B appfs.
>
> Yes, have A/B for Kernel, dtb, rootfs and appfs.
>
>> How do you encrypt your appfs? dm-crypt or fscrypt?
>
> So process in factory will set everything up on eMMC the first time with:
>
> cryptsetup luksFormat /dev/mmcblk2p1 & /dev/mmcblk2p2
> cryptsetup luksOpen /dev/mmcblk2p1 crypt_appfs1 (same thing for /dev/mmcblk2p2)
> mkfs.ext4 /dev/mapper/crypt_appfs1 & crypt_appfs2
>
> Then in normal use just have a script that figures out which slots we are
> starting, A or B, to determine which appfs partition to use and cryptsetup
> luksOpen then mount /dev/mapper.
>
>> > And I'm kind of stumped. I've searched the Documentation and archives and it
>> > doesn't look like RAUC has native support for encrypted partitions but in the
>> > archives I saw where one gentleman needed to create encrypted bundles so this
>> > might be similar to my problem.
>>
>> Bundle encryption is independent of encryption in the rest of the system.
>>
>> > I know a bundle can have pre and post triggers so maybe I can use those to
>> > cryptsetup luksOpen the partition and then mount it and then RAUC can do its
>> > normal thing ... but I've not researched that enough to know if that's the way
>> > to go so thought I'd ask for some guidance to point me in the right direction
>> > first.
>>
>> If you use dm-crypt, you can just use the device-mapper path for the slot's
>> device= property in system.conf. That way, the encryption is transparent to rauc.
>
> Not following how that would work since the inactive appfs would be
> "closed/encrypted".
>
> Thanks!
>
> Regards,
>
> Brian

Sorry, forgot to reply-all to last message. So when I did my luksFormat etc., I used a key-file that I created with openssl rand -base64 32 > luks_appfs_key. Are you telling me that if I add a key and put it in the rauc key ring in /etc/rauc and in my system.conf refer to my appfs by /dev/mapper name rauc will know what to do to "open" the inactive appfs to do the update?

I guess I'm hung up on how the "open" will take place and how to tell rauc about the key to use etc.

Regards,

Brian
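Added example, not code from this thread or from the RAUC project: one way to wire Jan's suggestion together so that the /dev/mapper device of the inactive appfs slot exists when rauc needs it. rauc's keyring in /etc/rauc holds the certificates used to verify bundle signatures and plays no part in opening a LUKS container; the open has to happen outside rauc, before it writes to the slot, which is what a system-level pre-install handler in system.conf is for. The handler path /usr/lib/rauc/open-appfs.sh, the key-file location /etc/luks_appfs_key and the slot layout are assumptions; the partition and mapper names are the ones from the factory step above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the RAUC project.
#
# Goal: make the /dev/mapper/... paths that the appfs slots in system.conf point
# at exist *before* rauc writes the inactive slot. rauc never touches LUKS itself;
# a system-level pre-install handler opens the containers, and from then on the
# encryption is transparent to rauc.
#
# Assumed system.conf wiring (handler path and slot layout are assumptions):
#
#   [handlers]
#   pre-install=/usr/lib/rauc/open-appfs.sh
#
#   [slot.appfs.0]
#   device=/dev/mapper/crypt_appfs1
#   type=ext4
#   parent=rootfs.0
#
#   [slot.appfs.1]
#   device=/dev/mapper/crypt_appfs2
#   type=ext4
#   parent=rootfs.1
#
# Partition -> mapper-name pairs, as set up in the factory step from the thread.
APPFS_PAIRS="/dev/mmcblk2p1:crypt_appfs1 /dev/mmcblk2p2:crypt_appfs2"

# Print the mapper name for a raw partition; fail (and print nothing) for an
# unknown device so a typo cannot open the wrong container.
mapper_name_for() {
    _dev="$1"
    for pair in $APPFS_PAIRS; do
        if [ "${pair%%:*}" = "$_dev" ]; then
            printf '%s\n' "${pair#*:}"
            return 0
        fi
    done
    return 1
}

# Open one container unless /dev/mapper/<name> is already there (e.g. the
# active slot, which the boot script opened). The key-file location is an
# assumption; the thread only says the key came from `openssl rand -base64 32`.
open_if_closed() {
    _dev="$1"
    _key="${LUKS_APPFS_KEY:-/etc/luks_appfs_key}"
    _name="$(mapper_name_for "$_dev")" || { echo "appfs: unknown device $_dev" >&2; return 1; }
    if [ -e "/dev/mapper/$_name" ]; then
        echo "appfs: $_name already open"
        return 0
    fi
    [ -r "$_key" ] || { echo "appfs: key file $_key not readable" >&2; return 1; }
    cryptsetup luksOpen --key-file "$_key" "$_dev" "$_name"
}

# Open every appfs container; a failure here aborts the rauc installation
# because the handler exits non-zero.
open_all_appfs() {
    for pair in $APPFS_PAIRS; do
        open_if_closed "${pair%%:*}" || return 1
    done
}

# Only act when executed as the installed handler, so the file can also be
# sourced (e.g. to test the helpers) without touching any device.
case "${0##*/}" in
    open-appfs.sh) open_all_appfs || exit 1 ;;
esac
```

With both containers open, rauc sees plain block devices at the device= paths and writes the ext4 image as usual; a post-install handler is the matching place to luksClose the slot that was just written. The handler only sequences the open step: whatever protects the key file (its mode on the read-only rootfs, a TPM-sealed blob, or similar) is what actually protects appfs.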