ExternalVendorCode/balena-supervisor
1
0
Fork 0
mirror of https://github.com/balena-os/balena-supervisor.git synced 2024-12-18 13:26:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
balena-supervisor/mount-partitions.sh
Alex Gonzalez 619f644299 Add NXP support to balenaOS secure boot 
On NXP iMX devices the partitions are not encrypted with LUKS but with
the lower level dm-crypt subsystem.

Adapt the partition mount script to use dmsetup which works for both
LUKS and dm-crypt encrypted partitions.

Change-type: patch
Signed-off-by: Alex Gonzalez <alexg@balena.io>
2024-10-18 13:53:14 -03:00

196 lines
7.1 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
# Mounts boot, state, & data partitions from balenaOS.
# The container must be privileged for this to function correctly.
# Set overlayfs root mountpoint
export ROOT_MOUNTPOINT="/mnt/root"
# Set DBus system bus address for getting the current boot block device
export DBUS_SYSTEM_BUS_ADDRESS="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path="${ROOT_MOUNTPOINT}"/run/dbus/system_bus_socket}"
# Get the block device from systemd
# The dbus-send command below should return something like:
# ```
# method return time=1680132905.878117 sender=:1.0 -> destination=:1.20155 serial=245193 reply_serial=2
# variant string "/dev/sda1"
# ```
# Usage: dbus_get_mount PARTITION
# Partition is only the label, e.g. boot, state, data
dbus_get_mount() {
part="$1"
result=$(dbus-send --system --print-reply \
--dest=org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/mnt_2d${part}_2emount org.freedesktop.DBus.Properties.Get \
string:"org.freedesktop.systemd1.Mount" string:"What" | grep "string" | cut -d'"' -f2 2>&1)
# If the output doesn't match the /dev/* device regex, return empty and do not exit
if [ "$(echo "${result}" | grep -E '^/dev/')" = "" ]; then
echo ""
else
echo "${result}"
fi
}
# Identify an encrypted partition using dmsetup
# Works for both dm-crypt and LUKS encrypted partitions
# Arguments:
# 1: Partition device - will be converted to a DM device
# Returns:
# 0: The partition device is encrypted
# 1: The partition device is not encrypted
is_part_encrypted() {
_part="${1#/dev/}"
_dm_part="${_part}"
if command -v dmsetup > /dev/null; then
if [ "${_part#dm-}" = "${_part}" ]; then
# Does not start with dm-
if [ "${_part#mapper/}" = "${_part}" ]; then
# Does not start with mapper/
# Find the corresponding DM device to the partition
_dm_part=$(lsblk -nlo kname "/dev/${_dm_part}" | grep dm)
if [ -z "${_dm_part}" ]; then
# No corresponding DM device, no dm-crypt in use
return 1
fi
fi
fi
# _dm_part is a DM device, either dm* or mapper/*
_name=$(lsblk -nlo name "/dev/${_dm_part}")
if dmsetup ls --target crypt | grep -q "${_name}"; then
return 0
fi
fi
return 1
}
# Make sure dm-crypt devices are active in the container
dmsetup_part() {
_label="${1}"
if _dmname=$(dmsetup ls --target crypt | grep "${_label}" | awk '{print $1}'); then
# LUKS DM devices are not named after the partition label
# so no need to check for LUKS explicitely
if [ -n "${_dmname}" ]; then
dmsetup resume "${_dmname}"
fi
fi
}
# Get the current boot block device in case there are duplicate partition labels
# for `(balena|resin)-(boot|state|data)` found.
secure_boot_partitions='efi rpi imx'
current_boot_block_device=""
if [ "${TEST}" != 1 ]; then
mnt_boot_dev=$(dbus_get_mount "boot")
dmsetup_part "boot"
if is_part_encrypted "${mnt_boot_dev}"; then
echo "INFO: Encrypted boot partition detected."
for part in $secure_boot_partitions; do
echo "INFO: Trying ${part} as boot partition."
boot_part=$(dbus_get_mount "${part}")
if [ -n "${boot_part}" ]; then
echo "INFO: Using ${part} as boot partition."
break
else
echo "ERROR: Could not determine ${part} device from dbus."
fi
done
else
boot_part="${mnt_boot_dev}"
fi
if [ -z "${boot_part}" ]; then
echo "ERROR: Could not determine boot device from dbus. Please launch Supervisor as a privileged container with DBus socket access."
exit 1
fi
current_boot_block_device=$(lsblk -no pkname "${boot_part}")
if [ -z "${current_boot_block_device}" ]; then
echo "ERROR: Could not determine boot device from lsblk. Please launch Supervisor as a privileged container."
exit 1
fi
fi
# Mounts a device to a path if it's not already mounted.
# Usage: do_mount DEVICE MOUNT_PATH
do_mount() {
device=$1
mount_path=$2
# Create the directory if it doesn't exist
mkdir -p "${mount_path}"
# Mount the device if it doesn't exist
if [ "$(mountpoint -n "${mount_path}" | awk '{ print $1 }')" != "${device}" ]; then
fs_type=$(lsblk -nlo fstype "${device}")
mount -t "${fs_type}" "${device}" "${mount_path}"
fi
}
# Find the devices for each balenaOS partition.
# Usage: setup_then_mount PARTITION MOUNT_PATH
# PARTITION should be one of boot, state, or data.
setup_then_mount() {
# If in test environment, pretend we've succeeded at mounting everything to their
# new mountpoints. We don't want to actually mount in a containerized test environment
# where the Supervisor is probably not running on a host that has the needed partitions.
if [ "${TEST}" = 1 ]; then
return 0
fi
partition_label=$1
target_path=$2
dmsetup_part "${partition_label}"
# Try FS label first and partition label as a fallback
for arg in label partlabel; do
kname=$(lsblk "/dev/${current_boot_block_device}" -nlo "kname,${arg}" | grep -E "(resin|balena)-${partition_label}" | awk '{print $1}')
device="/dev/${kname}"
if [ -b "${device}" ]; then
echo "INFO: Found device $device on current boot device $current_boot_block_device, using as mount for '(resin|balena)-${partition_label}'."
do_mount "${device}" "${target_path}"
return 0
fi
done
# If no devices were found, use legacy mountpoints.
echo "ERROR: Could not determine which partition to mount for label '(resin|balena)-${partition_label}'. Please make sure the Supervisor is running on a balenaOS device."
exit 1
}
# Set boot mountpoint
BOOT_MOUNTPOINT="/mnt/boot"
setup_then_mount "boot" "${BOOT_MOUNTPOINT}"
export BOOT_MOUNTPOINT
# Read from the os-release of boot partition instead of overlay
#
# TODO: We need to remove the dependence on /mnt/root for this particular file.
# Reading from /mnt/boot/os-release is not always accurate, so we need to work
# with the OS team to find a better way to get the OS version.
export HOST_OS_VERSION_PATH="/mnt/root/etc/os-release"
# CONFIG_MOUNT_POINT is set to /boot/config.json in Dockerfile.template,
# but that's a legacy mount provided by host and we should override it.
export CONFIG_MOUNT_POINT="${BOOT_MOUNTPOINT}/config.json"
# Set state mountpoint
STATE_MOUNTPOINT="/mnt/state"
setup_then_mount "state" "${STATE_MOUNTPOINT}"
export STATE_MOUNTPOINT
# Set data mountpoint
DATA_MOUNTPOINT="/mnt/data"
setup_then_mount "data" "${DATA_MOUNTPOINT}"
export DATA_MOUNTPOINT
# Mount the Supervisor database directory to a more accessible & backwards compatible location.
# TODO: DB should be moved to a managed volume and mounted to /data in-container.
# Handle the case of such a Supervisor volume already existing.
# NOTE: After this PR, it should be good to remove the OS's /data/database.sqlite mount.
if [ ! -f /data/database.sqlite ] && [ "${TEST}" != 1 ]; then
mkdir -p "${DATA_MOUNTPOINT}/resin-data/balena-supervisor"
mount -o bind,shared "${DATA_MOUNTPOINT}"/resin-data/balena-supervisor /data
fi
export DATABASE_PATH="/data/database.sqlite"
Reference in New Issue View Git Blame Copy Permalink