tree: import changes from testing-devel at ba8264a

jbtrystram · Jun 5, 2024 · e145735 · e145735
1 parent 06a9dfb
commit e145735
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 8 deletions.
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -150,7 +150,6 @@ fi
 if [[ "${secure_execution}" = "1" ]]; then
     mkdir -p /run/coreos/
     touch /run/coreos/secure-execution
-    cp /usr/lib/coreos/01-secex.ign /usr/lib/ignition/base.d/01-secex.ign
     # Add dropins to disable Ignition logging for all stages
     stages=("fetch-offline" "fetch" "kargs" "disks" "mount" "files")
     for s in "${stages[@]}"; do
@@ -167,5 +166,5 @@ EOF
     # This one is done dynamically because it hard Requires a device to appear
     # and if it's always part of the transaction, systemd will want the device
     # to appear regardless of ConditionPathExists.
-    add_requires coreos-secex-ignition-decrypt.service ignition-diskful.target
+    add_requires coreos-secex-ignition-prepare.service ignition-diskful.target
 fi
diff --git a/...ion/coreos-secex-ignition-decrypt.service → ...ion/coreos-secex-ignition-prepare.service b/...ion/coreos-secex-ignition-decrypt.service → ...ion/coreos-secex-ignition-prepare.service
@@ -1,7 +1,7 @@
 # This service is enabled by coreos-diskful-generator
 
 [Unit]
-Description=CoreOS Secex Ignition Config Decryptor
+Description=CoreOS Secex Ignition Config Preparation
 ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/coreos/secure-execution
 DefaultDependencies=false
@@ -17,4 +17,4 @@ Before=ignition-fetch-offline.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/sbin/coreos-secex-ignition-decrypt
+ExecStart=/usr/sbin/coreos-secex-ignition-prepare
diff --git a/...ignition/coreos-secex-ignition-decrypt.sh → ...ignition/coreos-secex-ignition-prepare.sh b/...ignition/coreos-secex-ignition-decrypt.sh → ...ignition/coreos-secex-ignition-prepare.sh
@@ -15,6 +15,10 @@ cleanup() {
 
 trap cleanup EXIT
 
+# copy base Secure Execution config (enables LUKS+dm-verity for boot and root partitions)
+cp /usr/lib/coreos/01-secex.ign /usr/lib/ignition/base.d/01-secex.ign
+
+# decrypt user's config
 tmpd=$(mktemp -d)
 
 if [ ! -e "${disk}" ]; then

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -83,10 +83,10 @@ install() {
 
     # IBM Secure Execution. Ignition config for reencryption of / and /boot
     inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
-    inst_simple "$moddir/coreos-secex-ignition-decrypt.service" \
-        "$systemdsystemunitdir/coreos-secex-ignition-decrypt.service"
-    inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
-        "/usr/sbin/coreos-secex-ignition-decrypt"
+    inst_simple "$moddir/coreos-secex-ignition-prepare.service" \
+        "$systemdsystemunitdir/coreos-secex-ignition-prepare.service"
+    inst_script "$moddir/coreos-secex-ignition-prepare.sh" \
+        "/usr/sbin/coreos-secex-ignition-prepare"
 
     inst_multiple jq blkid
     inst_script "$moddir/coreos-rootflags.sh" \