From 2bd0b8d3142ac6b3981e9fe97e28318bf6cb256e Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 5 Sep 2018 15:07:46 +0200
Subject: [PATCH] use /dev/mapper/data and a /etc/fstab on the real root
---
 README.md | 1 -
 pre-pivot.sh | 22 +++++++++++-----------
 prepare-root.sh | 6 ++++++
 3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 5fb985f..bae1e81 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,6 @@ This is WIP. Please test and report issues, comments or missing components on ht
 - no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 ) cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
 - gnome-software: can't update firmware repo
-- systemd: failed to umount /var
 ## Create
diff --git a/pre-pivot.sh b/pre-pivot.sh
index deafca2..28472d5 100644
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@@ -47,10 +47,11 @@ for datadev in $disk*; do
 done
 if cryptsetup isLuks --type luks2 "$datadev"; then
- luksname=luks-$(blkid -o value -s UUID "$datadev")
- mapdev=/dev/mapper/$luksname
+ #luksname=luks-$(blkid -o value -s UUID "$datadev")
+ luksname=data
+ luksdev=/dev/mapper/$luksname
- if ! [[ -b $mapdev ]]; then
+ if ! [[ -b $luksdev ]]; then
 if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
 udevadm settle --exit-if-exists=/dev/tpmrm0
 export TPM2TOOLS_TCTI_NAME=device
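Review bot: With `luksname=data` fixed, the `[[ -b $luksdev ]]` guard on the new side no longer ties `/dev/mapper/data` to `$datadev`: a mapping of that name left over from an earlier boot or opened from a different device is silently reused, and the code after this `if` goes on to format and mount whatever backs it. Consider verifying the existing mapping before trusting it, e.g. inspect the device reported by `cryptsetup status "$luksname"` against `$datadev`, or `die` when the name is already taken by another device. The commented-out `#luksname=luks-$(blkid ...)` line is dead code; either drop it or replace it with a comment stating why a fixed name is needed (the subject suggests it is so the `/etc/fstab` on the real root can name the mapping). The enclosing `if cryptsetup isLuks` block continues past this hunk.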
@@ -58,27 +59,26 @@ if cryptsetup isLuks --type luks2 "$datadev"; then
 if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
 echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
- clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
 elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
 echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
- clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
 else
 warn "Failed to bind disk to TPM2"
 echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
 fi
 else
- clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
 fi
 fi
-else
- mapdev="$datadev"
+ datadev="$luksdev"
 fi
-if [[ $(blkid -o value -s TYPE "$mapdev") != "xfs" ]]; then
- mkfs.xfs -f -L data "$mapdev"
+if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
+ mkfs.xfs -f -L data "$datadev"
 fi
-mount $mapdev /sysroot/data || die "Failed to mount $mapdev"
+mount -o discard $datadev /sysroot/data || die "Failed to mount $datadev"
 [[ -d /sysroot/data/var ]] || mkdir /sysroot/data/var
 [[ -d /sysroot/data/home ]] || mkdir /sysroot/data/home
diff --git a/prepare-root.sh b/prepare-root.sh
index 1eff855..ba69174 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -299,6 +299,12 @@ if [[ -d "$sysroot"/usr/share/flatpak ]]; then
 chroot "$sysroot" bash -c '/usr/bin/flatpak remote-add --if-not-exists flathub /usr/share/flatpak/flathub.flatpakrepo'
 fi
+cat >"$sysroot"/etc/fstab <
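Review bot: The new `mount -o discard $datadev /sysroot/data` line leaves `$datadev` unquoted, unlike every other use of it in this hunk; write `mount -o discard "$datadev" /sysroot/data || die "Failed to mount $datadev"`. When the new `datadev="$luksdev"` assignment has swapped in the LUKS mapping, `discard` only reaches the disk if the mapping was opened with discards allowed (cryptsetup's `--allow-discards`), which neither the `clevis-luks-unlock` calls nor the `cryptsetup open` fallback in this hunk appear to request, so on the encrypted path the option is likely a no-op. Discards through dm-crypt are off by default because they expose free-block patterns on the raw device, so whichever way this is resolved the intent deserves a comment such as `# discard: TRIM only passes through if the LUKS mapping allows it; trades free-space confidentiality for SSD wear/performance`. Separately, the `mkfs.xfs -f` branch still fires whenever `blkid` prints nothing, so a transient lookup failure on the mapping would reformat the data volume; checking `blkid`'s exit status before comparing its output would make that safer.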