RFC - Encrypted overlay and help with boot ordering
Peter Naulls
peter at chocky.org
Mon Dec 5 12:20:04 PST 2022
I've been experimenting with making the overlay encrypted as part of our
security requirements.
There are a couple of things needed to make this work - first, cryptsetup and
other kernel modules need to be brought in. This also needs the upstream kernel
patch to block2mtd that I posted last week that allows for a custom label.
Finally, in the OpenWrt kernel patch to the partition split logic, I renamed
"rootfs_data" to "rootfs_image".
Then I added the following file as /lib/preinit/80_mount_prepare. Note that this
is carefully named so it appears after 80_lvm2 and before 80_mount_root.
Running the steps manually after boot (I shut down as much as possible), the
process is OK, but during boot, things are not quite right:
[ 21.397406] mount_root: Could not open mtd device: /dev/mtd8
[ 21.408913] mount_root: reading rootfs_data failed
[ 21.420865] mount_root: Could not open mtd device: /dev/mtd5
[ 21.432353] mount_root: reading rootfs failed
[ 21.441237] mount_root: mounting /dev/root
It appears that the device nodes are not ready at this point. In my setup, mtd5
is the old "rootfs_image" and mtd8 is the mtd created by block2mtd.
In any case, feedback on this whole setup and what's going on here welcome.
This is obviously very experimental in nature.
do_prepare_rootfs() {
	echo " Preparing rootfs"
	encrypt_name=rootfs_image
	data_name=rootfs_data

	# Find the raw flash partition that holds (or will hold) the LUKS container.
	# Match the quoted label exactly so a prefix such as "rootfs" cannot select
	# the wrong partition before luksFormat runs.
	mtd=$(grep "\"${encrypt_name}\"" /proc/mtd | cut -d : -f 1)
	if [ -z "${mtd}" ] ; then
		echo "${encrypt_name} not found" 1>&2
		exit 1
	fi
	block=$(echo "${mtd}" | sed s#mtd#mtdblock#)
	pass=test

	# Try to unlock an existing container; if that fails (first boot, or no
	# container yet) format the partition and open it again
	echo "Trying to open partition /dev/${block} as is"
	if ! echo -n "${pass}" | cryptsetup luksOpen "/dev/${block}" rootfs 2>/dev/null; then
		echo "Formatting partition /dev/${block}"
		echo -n "${pass}" | cryptsetup -q luksFormat "/dev/${block}"
		echo "Complete, opening again"
		echo -n "${pass}" | cryptsetup luksOpen "/dev/${block}" rootfs
	fi

	# Expose the decrypted mapper device as an mtd named rootfs_data so the
	# normal overlay logic in mount_root can find it
	insmod block2mtd block2mtd=/dev/mapper/rootfs,32KiB,${data_name}
	data=$(grep "\"${data_name}\"" /proc/mtd | cut -d : -f 1)
	if [ -z "${data}" ] ; then
		echo "${data_name} not found" 1>&2
		exit 1
	fi
	# Now rely upon mount_root to check partition and setup for jffs2
}
[ "$INITRAMFS" = "1" ] || boot_hook_add preinit_main do_prepare_rootfs
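An added example, not from the post above: helpers for the "device nodes are not ready" symptom in the boot log, which look up an mtd partition by its exact quoted label, wait for a late-registered one (such as the block2mtd device) with a timeout, and create the /dev nodes if the device manager has not yet. The function names and the sample /proc/mtd table are my own constructions; the major/minor numbers are the fixed Linux assignments for MTD devices.

```shell
# Constructed sample of /proc/mtd in the layout the post describes:
# rootfs_image on mtd5 and the block2mtd-created rootfs_data on mtd8.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd5: 01e00000 00010000 "rootfs_image"
mtd8: 01e00000 00008000 "rootfs_data"'

# mtd_index LABEL [FILE]: print the index N of the partition whose quoted name
# is exactly LABEL. A bare grep would also let "rootfs" match "rootfs_data",
# which matters when the next step is luksFormat. Exits 1 when absent.
mtd_index() {
	awk -v want="\"$1\"" '
		$NF == want { sub(/^mtd/, "", $1); sub(/:$/, "", $1); print $1; found = 1; exit }
		END { exit !found }' "${2:-/proc/mtd}"
}

# wait_for_mtd LABEL TIMEOUT_SECONDS [FILE]: poll until LABEL is registered and
# print its index; give up after TIMEOUT_SECONDS so a missing partition fails
# loudly instead of hanging preinit.
wait_for_mtd() {
	label=$1; left=$2; file=${3:-/proc/mtd}
	while :; do
		if idx=$(mtd_index "$label" "$file"); then
			printf '%s\n' "$idx"
			return 0
		fi
		[ "$left" -gt 0 ] || { echo "mtd \"$label\" did not appear" >&2; return 1; }
		left=$((left - 1))
		sleep 1
	done
}

# ensure_mtd_nodes N [DEVDIR]: create /dev/mtdN (char 90, 2N) and /dev/mtdblockN
# (block 31, N) if the device manager has not populated them yet; these are the
# fixed Linux major/minor assignments for MTD devices. Needs root on a real /dev.
ensure_mtd_nodes() {
	n=$1; d=${2:-/dev}
	[ -c "$d/mtd$n" ] || mknod "$d/mtd$n" c 90 $((2 * n))
	[ -b "$d/mtdblock$n" ] || mknod "$d/mtdblock$n" b 31 "$n"
}

# Intended use inside do_prepare_rootfs after the insmod, for example:
#   idx=$(wait_for_mtd "$data_name" 10) && ensure_mtd_nodes "$idx"
```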