diff --git a/cryptpilot-convert.sh b/cryptpilot-convert.sh index 7876bb5..ca22564 100755 --- a/cryptpilot-convert.sh +++ b/cryptpilot-convert.sh @@ -752,6 +752,9 @@ step:update_rootfs() { fi log::info "Updating /etc/fstab" + # add ro,noload flag / if it is an ext4 partition + sed -i '/^[[:space:]]*[^#].*[[:space:]]\+\/[[:space:]]\+ext4[[:space:]]\+/ { /[,[:space:]]ro\([,[:space:]]\|$\)/! s/\([[:space:]]ext4[[:space:]]\+\)\([^[:space:]]\+\)/\1\2,ro/ ; /[,[:space:]]noload\([,[:space:]]\|$\)/! s/\([[:space:]]ext4[[:space:]]\+\)\([^[:space:]]\+\)/\1\2,noload/ }' "${rootfs_mount_point}/etc/fstab" + # Prevent duplicate mounting of efi partitions sed -i '/[[:space:]]\/boot\/efi[[:space:]]/ s/defaults,/defaults,auto,nofail,/' "${rootfs_mount_point}/etc/fstab" @@ -931,7 +934,12 @@ if [[ -f /tmp/cryptpilot/global.toml ]]; then dracut_common_args+=(--include /tmp/cryptpilot/global.toml /etc/cryptpilot/global.toml) fi -if [ "${uki:-false}" = true ]; then +if [ "${uki:-false}" = true ]; then + # Remove all existing EFI entries + find /boot/efi/EFI -mindepth 1 -maxdepth 1 -exec rm -rf {} + + # Remove NvVars file + rm -f /boot/efi/NvVars + # Generate UKI with dracut echo "Generating UKI image" dracut_args=("${dracut_common_args[@]}" --uefi --hostonly-cmdline) @@ -939,23 +947,23 @@ if [ "${uki:-false}" = true ]; then cmdline=$(echo "${cmdline} ${uki_append_cmdline}" | xargs) dracut_args=("${dracut_args[@]}" --kernel-cmdline "$cmdline") - UKI_FILE="/boot/efi/EFI/BOOT/BOOTX64.EFI" - dracut "${dracut_args[@]}" "$UKI_FILE" + # Put UKI to /tmp/ instead of /boot directory since objcopy will create a temporary file in the same directory, which may cause no space left error + TMP_UKI_FILE="/tmp/BOOTX64.EFI" + FINAL_UKI_FILE="/boot/efi/EFI/BOOT/BOOTX64.EFI" + dracut "${dracut_args[@]}" "$TMP_UKI_FILE" echo "Patching cmdline in UKI" # The generated cmdline will have a leading space, remove it - objcopy --dump-section .cmdline="/tmp/cmdline_full.bin" "$UKI_FILE" + objcopy --dump-section .cmdline="/tmp/cmdline_full.bin" "$TMP_UKI_FILE" cat "/tmp/cmdline_full.bin" | xargs echo -n 2>/dev/null >"/tmp/cmdline_stripped.bin" echo -ne "\x00" >>"/tmp/cmdline_stripped.bin" - objcopy --update-section .cmdline="/tmp/cmdline_stripped.bin" "$UKI_FILE" + objcopy --update-section .cmdline="/tmp/cmdline_stripped.bin" "$TMP_UKI_FILE" + mkdir -p $(dirname "$FINAL_UKI_FILE") + cp "$TMP_UKI_FILE" "$FINAL_UKI_FILE" + + echo "UKI successfully created at $FINAL_UKI_FILE, the default boot entry is now overwrited" - echo "UKI successfully created at $UKI_FILE, the default boot entry is now overwrited" - # Remove all other EFI entries - find /boot/efi/EFI -mindepth 1 -maxdepth 1 ! -name BOOT -exec rm -rf {} + - find /boot/efi/EFI/BOOT -mindepth 1 -maxdepth 1 ! -name BOOTX64.EFI -exec rm -rf {} + - # Remove NvVars file - rm -f /boot/efi/NvVars else echo "Generating new initrd image" dracut "${dracut_common_args[@]}" @@ -966,17 +974,22 @@ EOF } - # Note that the rootfs.img will not be used any more so mount it without 'ro' flag will not change the hash of rootfs. + # Remove read-only flag from rootfs.img + tune2fs -O ^read-only "${rootfs_file_path}" + + # Note that the rootfs.img will not be used any more so mount it without '-o ro' flag will not change the hash of rootfs. run_in_chroot_mounts "$rootfs_file_path" "$efi_part" "$boot_file_path" update_initrd_inner "$uki" "$uki_append_cmdline" } step::shrink_and_extract_rootfs_part() { local rootfs_orig_part=$1 + # Mark the rootfs partition as read-only + tune2fs -O read-only "${rootfs_orig_part}" + + # Adjust file system content, all move to front local before_shrink_size_in_bytes before_shrink_size_in_bytes=$(blockdev --getsize64 "${rootfs_orig_part}") - - # Adjust file system content, all move to front log::info "Checking and shrinking rootfs filesystem" if e2fsck -y -f "${rootfs_orig_part}"; then