Re: [PATCH 1/2] Revert "meta: Add option to specify additional dependencies for package expand-on-first-boot in case an encrypted disk has to be resized"

[Uladzimir Bely <ubely@ilbers.de>]

On Fri, 2024-11-08 at 12:27 +0100, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> This reverts commit 8b30a4f86cb3ea3369bff3884141872c3a7d9979.
> 
> On second thought, this approach turned out to be inapplicable on the
> long-run. It is built around the assumption that the disk encryption
> secret is still accessible after initramfs used it to unload the
> disk.
> While the downstream implementation of cip-core currently fulfills
> this,
> it is not expected to stay like that because of the increase attack
> surface.
> 
> We will need a different solution for expanding encrypted partitions,
> most likely with the help of the encryption hook in the initramfs.
> 

Hello.

Does this mean that current solution we revert here is not working
anymore in some downstream it was originally implemented for? We
wouldn't like to revert any functionality if it's still used somewhere.

Im asking since in the meanwhile I was trying to test/merge other
patches (https://groups.google.com/g/isar-users/c/sDsUCt0zMgQ and
https://groups.google.com/g/isar-users/c/BkAmajnmVIk) and found out
that they depend on this patchset applied first.

It happens due to pure technical reasons (e.g., one-line/row
representation of DEBIAN_DEPENDS).

If we apply these reverts, does it mean "proper" patches for expanding
encrypted partition are expected later? Or will they be implemented on
downstream side providing that new "configurable" expand-on-first boot
patches together with
https://groups.google.com/g/isar-users/c/rSZGRUCVvus would allow this
without changes in Isar required?

> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  .../expand-on-first-boot_1.5.bb                    | 14 +-----------
> --
>  1 file changed, 1 insertion(+), 13 deletions(-)
> 
> diff --git a/meta/recipes-support/expand-on-first-boot/expand-on-
> first-boot_1.5.bb b/meta/recipes-support/expand-on-first-boot/expand-
> on-first-boot_1.5.bb
> index 2596706d..4b9cf376 100644
> --- a/meta/recipes-support/expand-on-first-boot/expand-on-first-
> boot_1.5.bb
> +++ b/meta/recipes-support/expand-on-first-boot/expand-on-first-
> boot_1.5.bb
> @@ -10,19 +10,7 @@ inherit dpkg-raw
>  DESCRIPTION = "This service grows the last partition to the full
> medium during first boot"
>  MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>  
> -# Additional packages that are needed to resize the disk if it is
> encrypted.
> -ADDITIONAL_DISK_ENCRYPTION_PACKAGES ?= ""
> -DEBIAN_DEPENDS = " \
> -    systemd, \
> -    sed, \
> -    grep, \
> -    coreutils, \
> -    mount, \
> -    e2fsprogs, \
> -    fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), \
> -    util-linux, \
> -    ${ADDITIONAL_DISK_ENCRYPTION_PACKAGES} \
> -    "
> +DEBIAN_DEPENDS = "systemd, sed, grep, coreutils, mount, e2fsprogs,
> fdisk (>=2.29.2-3) | util-linux (<2.29.2-3), util-linux"
>  
>  SRC_URI = " \
>      file://expand-on-first-boot.service \
> -- 
> 2.43.0
> 

-- 
Best regards,
Uladzimir.

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/bd8cf0136388e8354a700240e91ca71315a95334.camel%40ilbers.de.