* [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
2024-04-19 16:29 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
` (5 subsequent siblings)
6 siblings, 1 reply; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
wic/bbb-efibootguard.wks.in | 4 ++--
wic/hihope-rzg2m-efibootguard.wks.in | 4 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
wic/qemu-arm64-efibootguard.wks.in | 4 ++--
wic/qemu-riscv64-efibootguard.wks.in | 4 ++--
wic/x86-efibootguard.wks.in | 4 ++--
7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
index e9c04b9..b5772c2 100644
--- a/wic/bbb-efibootguard.wks.in
+++ b/wic/bbb-efibootguard.wks.in
@@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
index 9227a71..164e8a9 100644
--- a/wic/hihope-rzg2m-efibootguard.wks.in
+++ b/wic/hihope-rzg2m-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index ef40d70..0f4d637 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index 01f395d..00d627d 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
index 942c3e1..6f03420 100644
--- a/wic/qemu-arm64-efibootguard.wks.in
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
index 6934977..1704ded 100644
--- a/wic/qemu-riscv64-efibootguard.wks.in
+++ b/wic/qemu-riscv64-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
# home and var are extra partitions
part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 6382ff7..4c0484f 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
+part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
# home and var are extra partitions
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
@ 2024-04-19 16:29 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:29 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
Reasoning missing.
Jan
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> wic/bbb-efibootguard.wks.in | 4 ++--
> wic/hihope-rzg2m-efibootguard.wks.in | 4 ++--
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
> wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 ++--
> wic/qemu-arm64-efibootguard.wks.in | 4 ++--
> wic/qemu-riscv64-efibootguard.wks.in | 4 ++--
> wic/x86-efibootguard.wks.in | 4 ++--
> 7 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/wic/bbb-efibootguard.wks.in b/wic/bbb-efibootguard.wks.in
> index e9c04b9..b5772c2 100644
> --- a/wic/bbb-efibootguard.wks.in
> +++ b/wic/bbb-efibootguard.wks.in
> @@ -11,8 +11,8 @@ part --source rawcopy --sourceparams "file=/usr/lib/u-boot/bbb/u-boot.img" --no-
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/hihope-rzg2m-efibootguard.wks.in b/wic/hihope-rzg2m-efibootguard.wks.in
> index 9227a71..164e8a9 100644
> --- a/wic/hihope-rzg2m-efibootguard.wks.in
> +++ b/wic/hihope-rzg2m-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
>
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> index ef40d70..0f4d637 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -1,7 +1,7 @@
> include ebg-signed-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
> index 01f395d..00d627d 100644
> --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
> @@ -1,7 +1,7 @@
> include ebg-signed-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
> index 942c3e1..6f03420 100644
> --- a/wic/qemu-arm64-efibootguard.wks.in
> +++ b/wic/qemu-arm64-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/qemu-riscv64-efibootguard.wks.in b/wic/qemu-riscv64-efibootguard.wks.in
> index 6934977..1704ded 100644
> --- a/wic/qemu-riscv64-efibootguard.wks.in
> +++ b/wic/qemu-riscv64-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systemb
>
> # home and var are extra partitions
> part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024 --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
> index 6382ff7..4c0484f 100644
> --- a/wic/x86-efibootguard.wks.in
> +++ b/wic/x86-efibootguard.wks.in
> @@ -3,8 +3,8 @@
>
> include ebg-sysparts.inc
>
> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> -part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_A}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
> +part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}" --part-type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 --part-name systema
>
> # home and var are extra partitions
>
--
Siemens AG, Technology
Linux Expert Center
^ permalink raw reply [flat|nested] 12+ messages in thread
* [cip-dev][isar-cip-core][PATCH 2/7] initramfs: allow empty mountpoint for crypt hooks
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting Quirin Gylstorff
` (4 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This allows to encrypt partition which have as seperate mount
script like verity and abrootfs
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/mount_crypt_partitions.script | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
index 3411e70..b72323f 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script
@@ -51,7 +51,9 @@ for partition_set in $partition_sets; do
part_device=$(readlink -f "$partition")
crypt_mount_name="encrypted_$partition_label"
decrypted_part=/dev/mapper/"$crypt_mount_name"
-
+ if [ -z "$partition_mountpoint" ]; then
+ continue
+ fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \
| grep -q "luks2"; then
mount_partition "$decrypted_part" "${rootmnt}""$partition_mountpoint"
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 1/7] wic/*: Add part-labels to system partition Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 2/7] initramfs: allow empty mountpoint for crypt hooks Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
2024-04-19 16:29 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 4/7] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
` (3 subsequent siblings)
6 siblings, 1 reply; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This fixes an regression from cfef8103a0385c0d6c4631f23aabcdf65de4efba.
As the format path was not update to the new function arguments.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 8763f69..8f6cbf6 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -147,7 +147,7 @@ for partition_set in $partition_sets; do
"format")
/usr/sbin/cryptsetup luksFormat --batch-mode \
--type luks2 "$partition" < "$tmp_key"
- enroll_tpm2_token "$part_device" "$tmp_key"
+ enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
eval "${create_file_system_cmd} ${decrypted_part}"
;;
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting Quirin Gylstorff
@ 2024-04-19 16:29 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:29 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This fixes an regression from cfef8103a0385c0d6c4631f23aabcdf65de4efba.
> As the format path was not update to the new function arguments.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> index 8763f69..8f6cbf6 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -147,7 +147,7 @@ for partition_set in $partition_sets; do
> "format")
> /usr/sbin/cryptsetup luksFormat --batch-mode \
> --type luks2 "$partition" < "$tmp_key"
> - enroll_tpm2_token "$part_device" "$tmp_key"
> + enroll_tpm2_token "$part_device" "$tmp_key" "$tpm_device" "$tpm_key_algorithm" "$pcr_bank_hash_type"
> open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
> eval "${create_file_system_cmd} ${decrypted_part}"
> ;;
Merging this one as fix already.
Thanks,
Jan
--
Siemens AG, Technology
Linux Expert Center
^ permalink raw reply [flat|nested] 12+ messages in thread
* [cip-dev][isar-cip-core][PATCH 4/7] initramfs-crypt: Only resize partition if ext* formatted
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
` (2 preceding siblings ...)
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 3/7] fix: disk formatting Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition Quirin Gylstorff
` (2 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
squashfs or empty partition cannot be resized with resize2fs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../files/encrypt_partition.script | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 8f6cbf6..51c81f3 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -64,14 +64,26 @@ service_watchdog() {
reencrypt_existing_partition() {
part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)"
# reduce the filesystem and partition by 32M to fit the LUKS header
+ partition_fstype=$(get_fstype "${1}")
reduce_device_size=32768
reduced_size="$(expr "$part_size_blocks" - 65536 )"
reduced_size_in_byte="$(expr "$reduced_size" \* 512)"
reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K"
- e2fsck -f "$1"
- if ! resize2fs "$1" "${reduced_size_in_kb}"; then
- panic "reencryption of filesystem $1 cannot continue!"
- fi
+ case $partition_fstype in
+ ext*)
+ # reduce the filesystem and partition by 32M to fit the LUKS header
+ e2fsck -f "$1"
+ if ! resize2fs "$1" "${reduced_size_in_kb}"; then
+ panic "reencryption of filesystem $1 cannot continue!"
+ fi
+ ;;
+ squashfs|"")
+ echo "skip disk resize as it not support or unnecessary for fstype: '$partition_fstype'"
+ ;;
+ *)
+ panic "cannot resize parition. unsupport fstype: $partition_fstype"
+ ;;
+ esac
if [ -x /usr/sbin/cryptsetup-reencrypt ]; then
/usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2"
else
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
` (3 preceding siblings ...)
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 4/7] initramfs-crypt: Only resize partition if ext* formatted Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
2024-04-19 16:29 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 7/7] README: Add rootfs encryption Quirin Gylstorff
6 siblings, 1 reply; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This fixes an issue with encrypted rootfs during system reboot.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
index 51c81f3..685d882 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
@@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
fi
if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
- | grep -q "token"; then
+ | grep -q "luks2"; then
open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
continue
fi
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-04-19 16:29 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:29 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This fixes an issue with encrypted rootfs during system reboot.
>
And what was that issue?
Jan
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> index 51c81f3..685d882 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
> @@ -134,7 +134,7 @@ for partition_set in $partition_sets; do
> fi
>
> if /usr/sbin/cryptsetup luksDump --batch-mode "$partition" \
> - | grep -q "token"; then
> + | grep -q "luks2"; then
> open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device"
> continue
> fi
--
Siemens AG, Technology
Linux Expert Center
^ permalink raw reply [flat|nested] 12+ messages in thread
* [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
` (4 preceding siblings ...)
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 5/7] use luks2 to identify encrypted partition Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
2024-04-19 16:34 ` Jan Kiszka
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 7/7] README: Add rootfs encryption Quirin Gylstorff
6 siblings, 1 reply; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 20 ++++++++++++++++++--
kas/opt/encrypt-rootfs.yml | 22 ++++++++++++++++++++++
2 files changed, 40 insertions(+), 2 deletions(-)
create mode 100644 kas/opt/encrypt-rootfs.yml
diff --git a/Kconfig b/Kconfig
index 7c19640..e657a22 100644
--- a/Kconfig
+++ b/Kconfig
@@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+
+menuconfig DISK_ENCRYPTION
+ bool
+ prompt "disk encryption"
+ select IMAGE_SECURE_BOOT
+
config IMAGE_DATA_ENCRYPTION
bool "Encrypt data partitions on first boot"
- depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
- select IMAGE_SECURE_BOOT
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
help
This enables LUKS encryption for the partitions /var and /home.
+config IMAGE_FULL_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ select IMAGE_DATA_ENCRYPTION
+ help
+ This enables LUKS encryption for all partitions.
+
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+config KAS_INCLUDE_ROOTFS_ENCRYPTION
+ string
+ default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION
+
endif
diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml
new file mode 100644
index 0000000..f273b65
--- /dev/null
+++ b/kas/opt/encrypt-rootfs.yml
@@ -0,0 +1,22 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2024
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 14
+ includes:
+ - kas/opt/encrypt-partitions.yml
+local_conf_header:
+ encrypted_root: |
+ # Do not set mount points for systema and systemb as they are mounted by the
+ # abrootfs/verity initramfs
+ # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
+ # to set all partitions
+ CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-04-19 16:34 ` Jan Kiszka
0 siblings, 0 replies; 12+ messages in thread
From: Jan Kiszka @ 2024-04-19 16:34 UTC (permalink / raw)
To: Quirin Gylstorff, johnxw, cip-dev
On 19.04.24 10:20, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Kconfig | 20 ++++++++++++++++++--
> kas/opt/encrypt-rootfs.yml | 22 ++++++++++++++++++++++
> 2 files changed, 40 insertions(+), 2 deletions(-)
> create mode 100644 kas/opt/encrypt-rootfs.yml
>
> diff --git a/Kconfig b/Kconfig
> index 7c19640..e657a22 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -202,15 +202,31 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>
> +
> +menuconfig DISK_ENCRYPTION
> + bool
> + prompt "disk encryption"
> + select IMAGE_SECURE_BOOT
> +
> config IMAGE_DATA_ENCRYPTION
> bool "Encrypt data partitions on first boot"
> - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
> - select IMAGE_SECURE_BOOT
> + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
> help
> This enables LUKS encryption for the partitions /var and /home.
>
> +config IMAGE_FULL_ENCRYPTION
> + bool "Encrypt rootfs and data partitions"
> + depends on DISK_ENCRYPTION && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
> + select IMAGE_DATA_ENCRYPTION
> + help
> + This enables LUKS encryption for all partitions.
> +
> config KAS_INCLUDE_DATA_ENCRYPTION
> string
> default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
>
> +config KAS_INCLUDE_ROOTFS_ENCRYPTION
> + string
> + default "kas/opt/encrypt-rootfs.yml" if IMAGE_FULL_ENCRYPTION
We still have a logic flip in the name of the kas option files:
"encrypt-partitions" suggest "all partitions" while "encrypt-rootfs"
does not suggest that it actually means "(almost) all".
I would suggest:
encrypt-partitions.yml -> encrypt-data.yml
encrypt-rootfs.yml -> encrypt-all.yml
Jan
> +
> endif
> diff --git a/kas/opt/encrypt-rootfs.yml b/kas/opt/encrypt-rootfs.yml
> new file mode 100644
> index 0000000..f273b65
> --- /dev/null
> +++ b/kas/opt/encrypt-rootfs.yml
> @@ -0,0 +1,22 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2024
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> + version: 14
> + includes:
> + - kas/opt/encrypt-partitions.yml
> +local_conf_header:
> + encrypted_root: |
> + # Do not set mount points for systema and systemb as they are mounted by the
> + # abrootfs/verity initramfs
> + # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
> + # to set all partitions
> + CRYPT_PARTITIONS:append = "systema::reencrypt systemb::reencrypt home:/home:reencrypt var:/var:rueencrypt"
--
Siemens AG, Technology
Linux Expert Center
^ permalink raw reply [flat|nested] 12+ messages in thread
* [cip-dev][isar-cip-core][PATCH 7/7] README: Add rootfs encryption
2024-04-19 8:20 [cip-dev][isar-cip-core][PATCH 0/7] Add option to encrypt the rootfs Quirin Gylstorff
` (5 preceding siblings ...)
2024-04-19 8:20 ` [cip-dev][isar-cip-core][PATCH 6/7] Kconfig: Add option to encrypt the rootfs Quirin Gylstorff
@ 2024-04-19 8:20 ` Quirin Gylstorff
6 siblings, 0 replies; 12+ messages in thread
From: Quirin Gylstorff @ 2024-04-19 8:20 UTC (permalink / raw)
To: johnxw, cip-dev, jan.kiszka
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.tpm2.encryption.md | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index 69a18dd..a0a78d2 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -44,6 +44,16 @@ Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>
- `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
- `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens systema and systemb
+during boot.
+
### CRYPT_CREATE_FILE_SYSTEM_CMD
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
@@ -59,7 +69,7 @@ based encryption:
- jq
## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
```bash
export device=/dev/sda6
export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
--
2.43.0
^ permalink raw reply related [flat|nested] 12+ messages in thread