From 3017ca6308ad8fce9e65882441a9ef5e123e9c6f Mon Sep 17 00:00:00 2001
From: Christina Ying Wang <christina@balena.io>
Date: Wed, 17 Apr 2024 09:20:56 -0700
Subject: [PATCH] Add rpi support to balenaOS secure boot

- Loop through `efi`, `rpi` (in that order) as candidate boot mounts when the boot partition is encrypted
- Remove `exit 1` from dbus_get_mount

Change-type: minor
Signed-off-by: Christina Ying Wang <christina@balena.io>
---
 mount-partitions.sh | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/mount-partitions.sh b/mount-partitions.sh
index a17d8250..6a69a328 100755
--- a/mount-partitions.sh
+++ b/mount-partitions.sh
@@ -19,38 +19,53 @@ export DBUS_SYSTEM_BUS_ADDRESS="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path="${ROOT_MOU
 # Partition is only the label, e.g. boot, state, data
 dbus_get_mount() {
     part="$1"
-
     result=$(dbus-send --system --print-reply \
         --dest=org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/mnt_2d${part}_2emount org.freedesktop.DBus.Properties.Get \
         string:"org.freedesktop.systemd1.Mount" string:"What" | grep "string" | cut -d'"' -f2 2>&1)
-    # If the output doesn't match the /dev/* device regex, exit with an error
+    # If the output doesn't match the /dev/* device regex, return empty and do not exit
     if [ "$(echo "${result}" | grep -E '^/dev/')" = "" ]; then
-        echo "ERROR: Could not determine ${part} device from dbus. Please launch Supervisor as a privileged container with DBus socket access."
-        exit 1
+        echo ""
+    else
+        echo "${result}"
     fi
-
-    echo "${result}"
 }
 
 # Get the current boot block device in case there are duplicate partition labels
 # for `(balena|resin)-(boot|state|data)` found.
+secure_boot_partitions='efi rpi'
 current_boot_block_device=""
 if [ "${TEST}" != 1 ]; then
     mnt_boot_mount=$(dbus_get_mount "boot")
     mnt_boot_type=$(lsblk -no type "${mnt_boot_mount}")
-    # If the (resin|balena)-boot partition is encrypted, we need to have a look at the efi partition
     if [ "${mnt_boot_type}" = "crypt" ]; then
-        boot_part=$(dbus_get_mount "efi")
+        echo "INFO: Encrypted boot partition detected."
+        for part in $secure_boot_partitions; do
+            echo "INFO: Trying ${part} as boot partition."
+            boot_part=$(dbus_get_mount "${part}")
+            if [ -n "${boot_part}" ]; then
+                echo "INFO: Using ${part} as boot partition."
+                break
+            else
+                echo "ERROR: Could not determine ${part} device from dbus."
+            fi
+        done
     else
         boot_part="${mnt_boot_mount}"
     fi
+
+    if [ -z "${boot_part}" ]; then
+        echo "ERROR: Could not determine boot device from dbus. Please launch Supervisor as a privileged container with DBus socket access."
+        exit 1
+    fi
+
     current_boot_block_device=$(lsblk -no pkname "${boot_part}")
-    if [ "${current_boot_block_device}" = "" ]; then
+    if [ -z "${current_boot_block_device}" ]; then
         echo "ERROR: Could not determine boot device from lsblk. Please launch Supervisor as a privileged container."
         exit 1
     fi
 fi
 
+
 # Mounts a device to a path if it's not already mounted.
 # Usage: do_mount DEVICE MOUNT_PATH
 do_mount() {
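Review bot: `boot_part` is never cleared before the candidate loop, so if the variable is set earlier in the file (not visible here) a lookup in which every candidate fails would fall through the `-z` check with a stale device instead of exiting; add `boot_part=""` immediately after the `Encrypted boot partition detected.` line so the exit-on-failure path is reachable regardless of prior state. Also, the loop prints `ERROR:` for a candidate that is expected to be absent on the other platform (no `efi` mount on a Pi), so every successful Pi boot logs an ERROR line that can mask real failures in log review; downgrade it to `echo "WARN: No ${part} mount unit found via dbus, trying next candidate."` and keep the single real error at the `-z "${boot_part}"` check. Since `dbus_get_mount` now returns an empty string instead of exiting, callers elsewhere in the file that previously relied on it aborting should be checked for the same empty-result handling; only the `boot` and loop call sites are visible in this hunk.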