Comments (13)
Basically this just wasn't my use-case, and I didn't have time or HW to test with this config.
Random thoughts:
- I don't think `mender-partuuid` should be an issue, but I'm not sure of the implications. `meta-mender-kernel` relies on `MENDER_STORAGE_DEVICE_BASE` for the new/separate kernel partitions, is that variable valid when using UUID?
- briefly looking at `grub-mender-grubenv` seems like it'd work with uuid and the separate A/B kernel partitions

Have you tried removing that check? Not likely it'll work with just that, but it might get most the way there.
from meta-mender-luks.
thanks. I'm not really sure what I'm doing so thought I'd at least run it by you first. I commented the check out and seemed to get past it. I'm going to leave this open for a bit.
from meta-mender-luks.
ok made it here
ERROR: mender-luks-initramfs-1.0-r0 do_rootfs: MENDER_EXTRA_PARTS and DISTRO_FEATURE 'mender-partuuid' are both defined and incompatible
from meta-mender-luks.
ok made it here
ERROR: mender-luks-initramfs-1.0-r0 do_rootfs: MENDER_EXTRA_PARTS and DISTRO_FEATURE 'mender-partuuid' are both defined and incompatible
That's going to be a tough one to get past. `MENDER_EXTRA_PARTS` is the hook that `meta-mender-kernel` uses to create the A/B kernel partitions.
To get around this, you'd need to either
- have some other way of creating the kernel partitions. I'm not sure if there is another mechanism in `meta-mender`, or rewrite/reimplement the partition/image creation mender has
- not have dual A/B kernels, and move the kernel into `/boot`

For the second option, you can try
- Override `MENDER_EXTRA_PARTS` to be empty
- Override `grub-mender-grubenv_git%.bbappend` to set `mender_kernela_part` and `mender_kernelb_part` to empty (`""`) or the `/boot` part number.
- The `meta-mender-kernel` state scripts are probably invalid in this use case (https://github.com/coreycothrum/meta-mender-kernel/tree/master/recipes-mender/mender-kernel-state-scripts). Might want to override that recipe to not install anything.

Again though, this loses the kernel A/B stuff. Might be OK. You'd need to write a state script or update module to update it (coreycothrum/meta-mender-kernel#5).
from meta-mender-luks.
@coreycothrum thanks a ton for the comments. From doing a bit of research, for my target platforms such as imx8, raspberry pi, etc. it seems the second option is the way to go
let me see if I can remove the `/boot` dependencies
from meta-mender-luks.
@coreycothrum I'm getting `DEV_BASE` to be blank despite the variables seemingly being fine and I can see the image file exists
I've never used sudo in a bbclass before. Is there anything special I need to do?
from meta-mender-luks.
I hate that I had to (use sudo), but I couldn't find a way around it.
I typically run my builds inside a docker container under WSL. There was some "special" stuff there, but it might not be directly applicable.
What that class/function does is mount the image as a loopback device, and then encrypt it. So basically you need root access to your machine (host) `/dev`.
When running in a container, I needed to run as sudo/root, use the `--privileged` flag, and volume mount `/dev` into the container. If you're running natively, I'm not sure there is anything special to do to get access to `/dev`
Are there some (host) dependencies with `losetup`? Can you try those commands manually/natively to confirm you can mount the image on your system?
from meta-mender-luks.
Yes, I see now in the logs it's unhappy about not getting a root password. No passwd for sudo fixes it but your docker container idea is definitely the way to go.
from meta-mender-luks.
@coreycothrum I realize I've now gone pretty far afield from your original project. But, I think I'm close now.
For my raspberry pi I now have a `/boot` and three encrypted partitions. The `/boot` directory has a `/boot/LUKS` folder with three 16.8 MB `.luks` files.
Sorry I'm so clueless on this but is the general strategy to use the `.luks` files to decode the partition? Do I need `grub` for that? Right now I just have uboot and it doesn't seem to be doing that step.
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found U-Boot script /boot.scr
299 bytes read in 1 ms (292 KiB/s)
## Executing script at 02400000
switch to partitions #0, OK
mmc0 is current device
** Unrecognized filesystem type **
Bad Linux ARM64 Image magic!
SCRIPT FAILED: continuing...
Card did not respond to voltage select!
from meta-mender-luks.
Those files are the 'detached headers' for the LUKS partition(s).
I have only used it with grub, but I don't think that's a requirement. The decryption happens after grub, when the kernel is booting.
So in my use-case, I have dual A/B kernel partitions. grub will choose which partition/kernel to use based on the mender rootfs partition, and launch that one.
That stuff is likely different, I'm not sure how uboot is doing it.
But there should be a linux kernel in /boot... and it should be "bundled". Meaning, it is both a kernel and an initramfs. This layer has an init script that runs when the kernel is booted, and that unlocks the rootfs and data partitions.
What's the contents of boot.scr? What's generating it? I couldn't really tell from my QUICK look through `meta-mender`. Does it not launch the kernel? It may need to be patched so it does.
Hope that helps!
from meta-mender-luks.
ah, good to know. So, if I can get the kernel to boot then I should be in good shape!
Yes, that is my problem though is uboot will no longer boot the kernel when I use your layer. `Image` is indeed in the `\boot` directory along with the `.dtb` files and `boot.scr`
`boot.scr` I think comes from here
https://github.com/mendersoftware/meta-mender/blob/dunfell/meta-mender-raspberrypi/recipes-bsp/rpi-u-boot-scr/files/boot.cmd.in
and mine looks like this
'V�R�M�����w�,Boot script�fdt addr ${fdt_addr} && fdt get value bootargs /chosen bootargs
run mender_setup
mmc dev ${mender_uboot_dev}
load ${mender_uboot_root} ${kernel_addr_r} /boot/Image
booti ${kernel_addr_r} - ${fdt_addr}
run mender_try_to_recover
What is super weird though is I can take all the `\boot` files from a good working image and copy them over to the `\boot` partition on the image I create when I use your layer and it still doesn't work.
There is a hidden partition at the beginning of the `.sdimg` file and I'm not sure what is there but maybe it's different.
from meta-mender-luks.
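Added example, not part of the thread or of meta-mender: the unreadable bytes at the start of the `boot.scr` pasted above are the 64-byte U-Boot legacy image header that precedes the script text. This Python sketch checks that header's magic and CRCs and extracts the script; `parse_boot_scr` and `build_boot_scr` are names made up here, and the sample image is constructed in the code rather than taken from the poster's card.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # legacy image magic; starts with 0x27 ("'")
IH_TYPE_SCRIPT = 6                   # image type U-Boot expects for a script
HEADER = struct.Struct(">7I4B32s")   # 64 bytes, all fields big-endian


def parse_boot_scr(blob: bytes) -> dict:
    """Validate a legacy-format boot.scr and return its name and script text."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a legacy image header")
    (magic, hcrc, _time, size, _load, _ep, dcrc,
     _os, _arch, img_type, _comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic: not a legacy U-Boot image")
    # The header CRC is computed with the CRC field itself set to zero.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        raise ValueError("data CRC mismatch or truncated payload")
    if img_type != IH_TYPE_SCRIPT or size < 8:
        raise ValueError("image is not a script")
    # Script payload: table of 32-bit lengths ended by 0, then the text.
    script_len, terminator = struct.unpack_from(">II", data)
    if terminator != 0 or script_len > size - 8:
        raise ValueError("unexpected script length table")
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"),
            "script": data[8:8 + script_len].decode("utf-8", "replace")}


def build_boot_scr(script: str, name: bytes = b"Boot script") -> bytes:
    """Construct a sample image for the demo (stand-in for real mkimage output)."""
    text = script.encode()
    data = struct.pack(">II", len(text), 0) + text
    fields = [UIMAGE_MAGIC, 0, 0, len(data), 0, 0, zlib.crc32(data)]
    # Sample values: os=5 (Linux), arch=2 (ARM), type=6 (script), comp=0 (none)
    hdr = HEADER.pack(*fields, 5, 2, IH_TYPE_SCRIPT, 0, name)
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + data


if __name__ == "__main__":
    # Constructed sample using one line from the script quoted in the thread.
    sample = build_boot_scr("load ${mender_uboot_root} ${kernel_addr_r} /boot/Image\n")
    print(parse_boot_scr(sample)["script"], end="")
```

Running it against a real `boot.scr` read in binary mode shows the plain script and flags a file that was edited without regenerating the header.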
Can `KERNEL_IMAGETYPE` be set to `bzImage`? Is that a grub only thing?
from meta-mender-luks.
@coreycothrum using a compressed image is a good idea but I can't seem to build it with the current kernel recipe.
At any rate, I figured out the problem. `meta-mender-raspberrypi` is indeed A/B'ing the kernel. `uboot` is being used for partition selection between 2 or 3
load ${mender_uboot_root} ${kernel_addr_r} /boot/Image
where `mender_uboot_root` starts off as `mmc 0:2`.
I had assumed it was `/boot` which is `mmc 0:1` but there's actually a `/boot` partition in the main rootfs partition.
So, any thoughts on this? Maybe I should just pull the kernel from the `/boot` partition and not worry about A/B'ing the kernel.
You are using the kernel to decrypt those partitions so I'm not sure I have an alternative?
from meta-mender-luks.