* [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized"
@ 2024-11-08 11:27 'Jan Kiszka' via isar-users
2024-11-16 6:00 ` Uladzimir Bely
2024-11-18 6:10 ` Uladzimir Bely
0 siblings, 2 replies; 4+ messages in thread
From: 'Jan Kiszka' via isar-users @ 2024-11-08 11:27 UTC (permalink / raw)
To: isar-users; +Cc: Quirin Gylstorff, Heinisch, Alexander (T CED SES-AT)
From: Jan Kiszka <jan.kiszka@siemens.com>
This reverts commit 8b30a4f86cb3ea3369bff3884141872c3a7d9979.
On second thought, this approach turned out to be inapplicable on the
long-run. It is built around the assumption that the disk encryption
secret is still accessible after initramfs used it to unload the disk.
While the downstream implementation of cip-core currently fulfills this,
it is not expected to stay like that because of the increase attack
surface.
We will need a different solution for expanding encrypted partitions,
most likely with the help of the encryption hook in the initramfs.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../expand-on-first-boot_1.5.bb | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/meta/recipes-support/expand-on-first-boot/expand-on-first-boot_1.5.bb b/meta/recipes-support/expand-on-first-boot/expand-on-first-boot_1.5.bb
index 2596706d..4b9cf376 100644
--- a/meta/recipes-support/expand-on-first-boot/expand-on-first-boot_1.5.bb
+++ b/meta/recipes-support/expand-on-first-boot/expand-on-first-boot_1.5.bb
@@ -10,19 +10,7 @@ inherit dpkg-raw
DESCRIPTION = "This service grows the last partition to the full medium during first boot"
MAINTAINER = "isar-users <isar-users@googlegroups.com>"
-# Additional packages that are needed to resize the disk if it is encrypted.
-ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""
-DEBIAN_DEPENDS = " \
- systemd, \
- sed, \
- grep, \
- coreutils, \
- mount, \
- e2fsprogs, \
- fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), \
- util-linux, \
- ${ADDITIONAL_DISK_ENCRYPTION_PACKAGES} \
- "
+DEBIAN_DEPENDS = "systemd, sed, grep, coreutils, mount, e2fsprogs, fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), util-linux"
SRC_URI = " \
file://expand-on-first-boot.service \
--
2.43.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/5b0f1ad9-3d12-4d05-a5e4-bb9dcf258545%40siemens.com.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized"
2024-11-08 11:27 [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized" 'Jan Kiszka' via isar-users
@ 2024-11-16 6:00 ` Uladzimir Bely
2024-11-16 6:46 ` 'Jan Kiszka' via isar-users
2024-11-18 6:10 ` Uladzimir Bely
1 sibling, 1 reply; 4+ messages in thread
From: Uladzimir Bely @ 2024-11-16 6:00 UTC (permalink / raw)
To: Jan Kiszka, isar-users
On Fri, 2024-11-08 at 12:27 +0100, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> This reverts commit 8b30a4f86cb3ea3369bff3884141872c3a7d9979.
>
> On second thought, this approach turned out to be inapplicable on the
> long-run. It is built around the assumption that the disk encryption
> secret is still accessible after initramfs used it to unload the
> disk.
> While the downstream implementation of cip-core currently fulfills
> this,
> it is not expected to stay like that because of the increase attack
> surface.
>
> We will need a different solution for expanding encrypted partitions,
> most likely with the help of the encryption hook in the initramfs.
>
Hello.
Does this mean that current solution we revert here is not working
anymore in some downstream it was originally implemented for? We
wouldn't like to revert any functionality if it's still used somewhere.
Im asking since in the meanwhile I was trying to test/merge other
patches (https://groups.google.com/g/isar-users/c/sDsUCt0zMgQ and
https://groups.google.com/g/isar-users/c/BkAmajnmVIk) and found out
that they depend on this patchset applied first.
It happens due to pure technical reasons (e.g., one-line/row
representation of DEBIAN_DEPENDS).
If we apply these reverts, does it mean "proper" patches for expanding
encrypted partition are expected later? Or will they be implemented on
downstream side providing that new "configurable" expand-on-first boot
patches together with
https://groups.google.com/g/isar-users/c/rSZGRUCVvus would allow this
without changes in Isar required?
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> .../expand-on-first-boot_1.5.bb | 14 +-----------
> --
> 1 file changed, 1 insertion(+), 13 deletions(-)
>
> diff --git a/meta/recipes-support/expand-on-first-boot/expand-on-
> first-boot_1.5.bb b/meta/recipes-support/expand-on-first-boot/expand-
> on-first-boot_1.5.bb
> index 2596706d..4b9cf376 100644
> --- a/meta/recipes-support/expand-on-first-boot/expand-on-first-
> boot_1.5.bb
> +++ b/meta/recipes-support/expand-on-first-boot/expand-on-first-
> boot_1.5.bb
> @@ -10,19 +10,7 @@ inherit dpkg-raw
> DESCRIPTION = "This service grows the last partition to the full
> medium during first boot"
> MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>
> -# Additional packages that are needed to resize the disk if it is
> encrypted.
> -ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""
> -DEBIAN_DEPENDS = " \
> - systemd, \
> - sed, \
> - grep, \
> - coreutils, \
> - mount, \
> - e2fsprogs, \
> - fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), \
> - util-linux, \
> - ${ADDITIONAL_DISK_ENCRYPTION_PACKAGES} \
> - "
> +DEBIAN_DEPENDS = "systemd, sed, grep, coreutils, mount, e2fsprogs,
> fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), util-linux"
>
> SRC_URI = " \
> file://expand-on-first-boot.service \
> --
> 2.43.0
>
--
Best regards,
Uladzimir.
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/bd8cf0136388e8354a700240e91ca71315a95334.camel%40ilbers.de.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized"
2024-11-16 6:00 ` Uladzimir Bely
@ 2024-11-16 6:46 ` 'Jan Kiszka' via isar-users
0 siblings, 0 replies; 4+ messages in thread
From: 'Jan Kiszka' via isar-users @ 2024-11-16 6:46 UTC (permalink / raw)
To: Uladzimir Bely, isar-users
On 16.11.24 07:00, Uladzimir Bely wrote:
> On Fri, 2024-11-08 at 12:27 +0100, 'Jan Kiszka' via isar-users wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> This reverts commit 8b30a4f86cb3ea3369bff3884141872c3a7d9979.
>>
>> On second thought, this approach turned out to be inapplicable on the
>> long-run. It is built around the assumption that the disk encryption
>> secret is still accessible after initramfs used it to unload the
>> disk.
>> While the downstream implementation of cip-core currently fulfills
>> this,
>> it is not expected to stay like that because of the increase attack
>> surface.
>>
>> We will need a different solution for expanding encrypted partitions,
>> most likely with the help of the encryption hook in the initramfs.
>>
>
> Hello.
>
> Does this mean that current solution we revert here is not working
> anymore in some downstream it was originally implemented for? We
> wouldn't like to revert any functionality if it's still used somewhere.
>
It was originally designed to be used in isar-cip-core, but there it was
never pulled in, and it won't be anymore. Theoretically, there could be
users outside, but I don't expect any. And those would suffer from the
same conceptual limitation which makes this path useless.
Jan
--
Siemens AG, Technology
Linux Expert Center
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/7141936a-2067-416b-a5a7-a232a7646891%40siemens.com.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized"
2024-11-08 11:27 [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized" 'Jan Kiszka' via isar-users
2024-11-16 6:00 ` Uladzimir Bely
@ 2024-11-18 6:10 ` Uladzimir Bely
1 sibling, 0 replies; 4+ messages in thread
From: Uladzimir Bely @ 2024-11-18 6:10 UTC (permalink / raw)
To: Jan Kiszka, isar-users
On Fri, 2024-11-08 at 12:27 +0100, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> This reverts commit 8b30a4f86cb3ea3369bff3884141872c3a7d9979.
>
> On second thought, this approach turned out to be inapplicable on the
> long-run. It is built around the assumption that the disk encryption
> secret is still accessible after initramfs used it to unload the
> disk.
> While the downstream implementation of cip-core currently fulfills
> this,
> it is not expected to stay like that because of the increase attack
> surface.
>
> We will need a different solution for expanding encrypted partitions,
> most likely with the help of the encryption hook in the initramfs.
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> .../expand-on-first-boot_1.5.bb | 14 +-----------
> --
> 1 file changed, 1 insertion(+), 13 deletions(-)
>
> diff --git a/meta/recipes-support/expand-on-first-boot/expand-on-
> first-boot_1.5.bb b/meta/recipes-support/expand-on-first-boot/expand-
> on-first-boot_1.5.bb
> index 2596706d..4b9cf376 100644
> --- a/meta/recipes-support/expand-on-first-boot/expand-on-first-
> boot_1.5.bb
> +++ b/meta/recipes-support/expand-on-first-boot/expand-on-first-
> boot_1.5.bb
> @@ -10,19 +10,7 @@ inherit dpkg-raw
> DESCRIPTION = "This service grows the last partition to the full
> medium during first boot"
> MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>
> -# Additional packages that are needed to resize the disk if it is
> encrypted.
> -ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""
> -DEBIAN_DEPENDS = " \
> - systemd, \
> - sed, \
> - grep, \
> - coreutils, \
> - mount, \
> - e2fsprogs, \
> - fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), \
> - util-linux, \
> - ${ADDITIONAL_DISK_ENCRYPTION_PACKAGES} \
> - "
> +DEBIAN_DEPENDS = "systemd, sed, grep, coreutils, mount, e2fsprogs,
> fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), util-linux"
>
> SRC_URI = " \
> file://expand-on-first-boot.service \
> --
> 2.43.0
>
Applied to next, thanks.
--
Best regards,
Uladzimir.
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/4249afea0d8a06f616b31e723a858d8d595aa58f.camel%40ilbers.de.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-11-18 6:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-11-08 11:27 [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized" 'Jan Kiszka' via isar-users
2024-11-16 6:00 ` Uladzimir Bely
2024-11-16 6:46 ` 'Jan Kiszka' via isar-users
2024-11-18 6:10 ` Uladzimir Bely
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox