use /dev/mapper/data and a /etc/fstab on the real root

This commit is contained in:
Harald Hoyer 2018-09-05 15:07:46 +02:00
parent de922ad17c
commit 2bd0b8d314
3 changed files with 17 additions and 12 deletions


@ -59,7 +59,6 @@ This is WIP. Please test and report issues, comments or missing components on ht
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
- gnome-software: can't update firmware repo
- systemd: failed to umount /var
## Create


@ -47,10 +47,11 @@ for datadev in $disk*; do
done
if cryptsetup isLuks --type luks2 "$datadev"; then
luksname=luks-$(blkid -o value -s UUID "$datadev")
mapdev=/dev/mapper/$luksname
#luksname=luks-$(blkid -o value -s UUID "$datadev")
luksname=data
luksdev=/dev/mapper/$luksname
if ! [[ -b $mapdev ]]; then
if ! [[ -b $luksdev ]]; then
if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
udevadm settle --exit-if-exists=/dev/tpmrm0
export TPM2TOOLS_TCTI_NAME=device
@ -58,27 +59,26 @@ if cryptsetup isLuks --type luks2 "$datadev"; then
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
else
warn "Failed to bind disk to TPM2"
echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
fi
else
clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
fi
fi
else
mapdev="$datadev"
datadev="$luksdev"
fi
if [[ $(blkid -o value -s TYPE "$mapdev") != "xfs" ]]; then
mkfs.xfs -f -L data "$mapdev"
if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
mkfs.xfs -f -L data "$datadev"
fi
mount $mapdev /sysroot/data || die "Failed to mount $mapdev"
mount -o discard $datadev /sysroot/data || die "Failed to mount $datadev"
[[ -d /sysroot/data/var ]] || mkdir /sysroot/data/var
[[ -d /sysroot/data/home ]] || mkdir /sysroot/data/home
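Review bot: With the mapping name fixed to `luksname=data`, the `if ! [[ -b $luksdev ]]` guard now matches any pre-existing `/dev/mapper/data`, not a mapping derived from this device's UUID as before, and `datadev="$luksdev"` is assigned regardless of whether an open actually succeeded, so `mkfs.xfs -f -L data "$datadev"` can run against a stale or unrelated mapping. The fallback `cryptsetup open ... $luksname` branch has no `|| die` (only the preceding `warn`), so a failed open also falls through to the same mkfs/mount lines; I would add `|| die "Failed to open $datadev"` there and quote the name, `"$luksname"`, and likewise quote the new mount line, `mount -o discard "$datadev" /sysroot/data || die "Failed to mount $datadev"`. That same fallback keeps the well-known "zero key" slot in the LUKS header and the script continues, so a failed TPM2 bind yields a data volume protected only by a published passphrase; whether that should be fatal is a policy call, but it deserves a comment at least. The enclosing `for datadev in $disk*` loop and the `die`/`warn` helpers are defined outside this section.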


@ -299,6 +299,12 @@ if [[ -d "$sysroot"/usr/share/flatpak ]]; then
chroot "$sysroot" bash -c '/usr/bin/flatpak remote-add --if-not-exists flathub /usr/share/flatpak/flathub.flatpakrepo'
fi
cat >"$sysroot"/etc/fstab <<EOF
LABEL=data /data xfs defaults,discard 0 0
/data/var /var - bind 0 0
/data/home /home - bind 0 0
EOF
#---------------
# var
rm -fr "$sysroot"/var/lib/rpm
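Review bot: The new `cat >"$sysroot"/etc/fstab <<EOF` truncates the target file, so if any earlier step of this script already writes entries there (root, EFI system partition), they are lost; if appending is intended, use `>>`, and if replacing is intended a comment saying so would help the next reader. Since the heredoc contains no expansions, quoting the delimiter, `cat >"$sysroot"/etc/fstab <<'EOF'`, makes that explicit and guards against a future `$` slipping in unexpanded. The two bind lines rely on `LABEL=data` being mounted first; presumably fstab order covers that, but a one-line comment above the heredoc noting the ordering dependency would make the intent clear.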