* [isar-cip-core][PATCH 0/2] swupodate: Account for slower storage in initramfs hooks
@ 2022-06-02 16:17 Jan Kiszka
2022-06-02 16:17 ` [isar-cip-core][PATCH 1/2] initramfs-abrootfs-hook: Account for slower storage devices Jan Kiszka
2022-06-02 16:17 ` [isar-cip-core][PATCH 2/2] initramfs-verity-hook: " Jan Kiszka
0 siblings, 2 replies; 3+ messages in thread
From: Jan Kiszka @ 2022-06-02 16:17 UTC (permalink / raw)
To: cip-dev
This addresses boot issues when slow storage devices do not show up
immedately, preventing discovery without waiting for a while.
Thanks to Srinu for reporting. Please help with testing. The secured
path was only regression-tested - I do not have a real HW deployment
with secure boot on in reach, and isar-cip-core does not directly
support that as well.
Jan Kiszka (2):
initramfs-abrootfs-hook: Account for slower storage devices
initramfs-verity-hook: Account for slower storage devices
.../files/abrootfs.script | 86 +++++++++++---
.../files/verity.script.tmpl | 109 ++++++++++++++----
2 files changed, 159 insertions(+), 36 deletions(-)
--
2.35.3
^ permalink raw reply [flat|nested] 3+ messages in thread
* [isar-cip-core][PATCH 1/2] initramfs-abrootfs-hook: Account for slower storage devices
2022-06-02 16:17 [isar-cip-core][PATCH 0/2] swupodate: Account for slower storage in initramfs hooks Jan Kiszka
@ 2022-06-02 16:17 ` Jan Kiszka
2022-06-02 16:17 ` [isar-cip-core][PATCH 2/2] initramfs-verity-hook: " Jan Kiszka
1 sibling, 0 replies; 3+ messages in thread
From: Jan Kiszka @ 2022-06-02 16:17 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Add a retry loop to account for storage devices that do not show up
immediately. Specifically USB can fall under this.
The logic is split along the classic PARTUUID/PARTLABEL case and the
more complex image UUID matching. To avoid continously mounting/
checking/unmounting the same partitions partitions, we keep track of the
already checked ones and only test those that are newly discovered.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../files/abrootfs.script | 86 +++++++++++++++----
1 file changed, 71 insertions(+), 15 deletions(-)
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script
index b61fe30..23bbfe7 100644
--- a/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script
+++ b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script
@@ -30,37 +30,93 @@ esac
. /scripts/functions
. /usr/share/abrootfs/image-uuid.env
+find_root_via_image_uuid()
+{
+ for part in $partitions; do
+ if [ "$(blkid -p "${part}" --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ mount -o ro -t "$(get_fstype "${part}")" "${part}" "${rootmnt}"
+ . "${rootmnt}/etc/os-release"
+ umount "${rootmnt}"
+ if [ "${IMAGE_UUID}" = "${TARGET_IMAGE_UUID}" ]; then
+ found_root="${part}"
+ break
+ fi
+ fi
+ done
+}
+
# Even if this script fails horribly, make sure there won't be a chance the
# current $ROOT will be attempted. As this device most likely contains a
# perfectly valid filesystem, it would be mounted successfully, leading to a
# broken boot.
echo "ROOT=/dev/null" >/conf/param.conf
wait_for_udev 10
+
case "$ROOT" in
PART*)
- # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
- # partition
- ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ # Root was given as PARTUUID= or PARTLABEL=.
+ # Use blkid to find the matching partition
+ found_root=$(blkid --list-one --output device --match-token "$ROOT")
+ if [ -z "${found_root}" ]; then
+ log_begin_msg "Waiting for ${ROOT}"
+ while true; do
+ sleep 1
+ time_elapsed="$(time_elapsed)"
+
+ found_root=$(blkid --list-one --output device --match-token "$ROOT")
+ if [ -n "${found_root}" ]; then
+ log_end_msg 1
+ break
+ fi
+ if [ "${time_elapsed}" -ge 30 ]; then
+ log_end_msg 0
+ break
+ fi
+ done
+ fi
;;
"")
- # No Root device was given. Use find the matching IMAGE_UUID
- partitions=$(blkid -o device)
- for part in $partitions; do
- if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
- mount -o ro -t $(get_fstype $part) $part ${rootmnt}
- . ${rootmnt}/etc/os-release
- umount ${rootmnt}
- if [ "${IMAGE_UUID}" = "${TARGET_IMAGE_UUID}" ]; then
- ROOT="$part"
+ # No Root device was given. Search for the matching IMAGE_UUID
+ partitions="$(blkid -o device)"
+ find_root_via_image_uuid
+ if [ -z "${found_root}" ]; then
+ log_begin_msg "Waiting for IMAGE_UUID=${TARGET_IMAGE_UUID}"
+ scanned_partitions="${partitions}"
+ while true; do
+ sleep 1
+ time_elapsed="$(time_elapsed)"
+
+ unset partitions
+ for part in $(blkid -o device); do
+ unset found
+ for scanned_part in ${scanned_partitions}; do
+ if [ "${scanned_part}" = "${part}" ]; then
+ found=1
+ break
+ fi
+ done
+ if [ -z "${found}" ]; then
+ partitions="${partitions} ${part}"
+ fi
+ done
+ find_root_via_image_uuid
+ if [ -n "${found_root}" ]; then
+ log_end_msg 1
break
fi
- fi
- done
+ if [ "${time_elapsed}" -ge 30 ]; then
+ log_end_msg 0
+ break
+ fi
+ scanned_partitions="${scanned_partitions} ${partitions}"
+ done
+ fi
;;
esac
-if [ -z "${ROOT}" ]; then
+if [ -z "${found_root}" ]; then
panic "Can't find the root device with matching UUID!"
fi
+ROOT="${found_root}"
echo "ROOT=${ROOT}" >/conf/param.conf
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [isar-cip-core][PATCH 2/2] initramfs-verity-hook: Account for slower storage devices
2022-06-02 16:17 [isar-cip-core][PATCH 0/2] swupodate: Account for slower storage in initramfs hooks Jan Kiszka
2022-06-02 16:17 ` [isar-cip-core][PATCH 1/2] initramfs-abrootfs-hook: Account for slower storage devices Jan Kiszka
@ 2022-06-02 16:17 ` Jan Kiszka
1 sibling, 0 replies; 3+ messages in thread
From: Jan Kiszka @ 2022-06-02 16:17 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Same story as for abrootfs-hook, same solution pattern, just different
implementation of find_root_via_image_uuid.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../files/verity.script.tmpl | 109 ++++++++++++++----
1 file changed, 88 insertions(+), 21 deletions(-)
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
index da37711..8865b0f 100644
--- a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -1,4 +1,15 @@
#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021-2022
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
prereqs()
{
# Make sure that this script is run last in local-top
@@ -22,42 +33,98 @@ esac
. /scripts/functions
. /lib/cryptsetup/functions
. /usr/share/verity-env/verity.env
+
+find_root_via_image_uuid()
+{
+ for part in ${partitions}; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ verity_uuid=$(
+ veritysetup dump "${part}" --hash-offset "${HASH_OFFSET}" | \
+ while IFS=":" read key value; do
+ if [ "${key}" = "UUID" ]; then
+ # this pattern must use a real tab
+ echo "${value##* }"
+ break
+ fi
+ done
+ )
+ if [ "${UUID}" = "${verity_uuid}" ]; then
+ found_root="${part}"
+ break
+ fi
+ fi
+ done
+}
+
# Even if this script fails horribly, make sure there won't be a chance the
# current $ROOT will be attempted. As this device most likely contains a
# perfectly valid filesystem, it would be mounted successfully, leading to a
# broken trust chain.
echo "ROOT=/dev/null" >/conf/param.conf
wait_for_udev 10
+
case "$ROOT" in
PART*)
- # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
- # partition
- ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ # Root was given as PARTUUID= or PARTLABEL=.
+ # Use blkid to find the matching partition
+ found_root=$(blkid --list-one --output device --match-token "$ROOT")
+ if [ -z "${found_root}" ]; then
+ log_begin_msg "Waiting for ${ROOT}"
+ while true; do
+ sleep 1
+ time_elapsed="$(time_elapsed)"
+
+ found_root=$(blkid --list-one --output device --match-token "$ROOT")
+ if [ -n "${found_root}" ]; then
+ log_end_msg 1
+ break
+ fi
+ if [ "${time_elapsed}" -ge 30 ]; then
+ log_end_msg 0
+ break
+ fi
+ done
+ fi
;;
"")
# No Root device was given. Use veritysetup verify to search matching roots
- partitions=$(blkid -o device)
- for part in ${partitions}; do
- if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
- verity_uuid=$(
- veritysetup dump "${part}" --hash-offset "${HASH_OFFSET}" | \
- while IFS=":" read key value; do
- if [ "${key}" = "UUID" ]; then
- # this pattern must use a real tab
- echo "${value##* }"
- break
- fi
- done
- )
- if [ "${UUID}" = "${verity_uuid}" ]; then
- ROOT="${part}"
+ partitions="$(blkid -o device)"
+ find_root_via_image_uuid
+ if [ -z "${found_root}" ]; then
+ log_begin_msg "Waiting for IMAGE_UUID=${TARGET_IMAGE_UUID}"
+ scanned_partitions="${partitions}"
+ while true; do
+ sleep 1
+ time_elapsed="$(time_elapsed)"
+
+ unset partitions
+ for part in $(blkid -o device); do
+ unset found
+ for scanned_part in ${scanned_partitions}; do
+ if [ "${scanned_part}" = "${part}" ]; then
+ found=1
+ break
+ fi
+ done
+ if [ -z "${found}" ]; then
+ partitions="${partitions} ${part}"
+ fi
+ done
+ find_root_via_image_uuid
+ if [ -n "${found_root}" ]; then
+ log_end_msg 1
break
fi
- fi
- done
+ if [ "${time_elapsed}" -ge 30 ]; then
+ log_end_msg 0
+ break
+ fi
+ scanned_partitions="${scanned_partitions} ${partitions}"
+ done
+ fi
;;
esac
-set -- "$ROOT" verityroot
+set -- "${found_root}" verityroot
if ! veritysetup open \
${VERITY_BEHAVIOR_ON_CORRUPTION} \
--data-block-size "${DATA_BLOCK_SIZE}" \
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-06-02 16:17 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-02 16:17 [isar-cip-core][PATCH 0/2] swupodate: Account for slower storage in initramfs hooks Jan Kiszka
2022-06-02 16:17 ` [isar-cip-core][PATCH 1/2] initramfs-abrootfs-hook: Account for slower storage devices Jan Kiszka
2022-06-02 16:17 ` [isar-cip-core][PATCH 2/2] initramfs-verity-hook: " Jan Kiszka
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.