boot_service: split volumes auto open into a separate systemd service

imlk0 · imlk0 · commit d57d386e3b0a · 2025-05-23T09:39:11.000+08:00
Signed-off-by: Kun Lai &lt;laikun@linux.alibaba.com&gt;
diff --git a/cryptpilot.spec b/cryptpilot.spec
@@ -71,8 +71,9 @@ install -d -p %{buildroot}%{dracut_dst}
 install -p -m 755 dist/dracut/modules.d/91cryptpilot/module-setup.sh %{buildroot}%{dracut_dst}
 install -p -m 755 dist/dracut/modules.d/91cryptpilot/initrd-trigger-network-online.sh %{buildroot}%{dracut_dst}
 install -p -m 755 dist/dracut/modules.d/91cryptpilot/initrd-wait-network-online.sh %{buildroot}%{dracut_dst}
-install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-before-sysroot.service %{buildroot}%{dracut_dst}
-install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-after-sysroot.service %{buildroot}%{dracut_dst}
+install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-before-sysroot.service %{buildroot}%{dracut_dst}
+install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-after-sysroot.service %{buildroot}%{dracut_dst}
+install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-auto-open.service %{buildroot}%{dracut_dst}
 install -p -m 644 dist/dracut/modules.d/91cryptpilot/initrd-wait-network-online.service %{buildroot}%{dracut_dst}
 install -d -p %{buildroot}%{_prefix}/lib/systemd/system
 install -d -p %{buildroot}/etc/cryptpilot
@@ -114,8 +115,9 @@ rm -rf %{buildroot}
 %{dracut_dst}module-setup.sh
 %{dracut_dst}initrd-trigger-network-online.sh
 %{dracut_dst}initrd-wait-network-online.sh
-%{dracut_dst}cryptpilot-before-sysroot.service
-%{dracut_dst}cryptpilot-after-sysroot.service
+%{dracut_dst}cryptpilot-fde-before-sysroot.service
+%{dracut_dst}cryptpilot-fde-after-sysroot.service
+%{dracut_dst}cryptpilot-auto-open.service
 %{dracut_dst}initrd-wait-network-online.service
 
 %changelog
diff --git a/dist/dracut/modules.d/91cryptpilot/cryptpilot-auto-open.service b/dist/dracut/modules.d/91cryptpilot/cryptpilot-auto-open.service
@@ -1,17 +1,18 @@
 [Unit]
-Description=Cryptpilot Service (before /sysroot mount)
+Description=Cryptpilot Volumes Auto Open Service
 DefaultDependencies=no
 ConditionPathExists=/etc/initrd-release
 Requires=network-online.target
 After=network-online.target
+After=cryptpilot-fde-before-sysroot.service
 Before=initrd-root-device.target
 Wants=attestation-agent.service
 After=attestation-agent.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/usr/bin/cryptpilot boot-service --stage initrd-before-sysroot
+ExecStart=/usr/bin/cryptpilot boot-service --stage initrd-volumes-auto-open
 StandardOutput=journal+console
 StandardError=journal+console
 
diff --git a/dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-after-sysroot.service b/dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-after-sysroot.service
@@ -1,9 +1,9 @@
 [Unit]
-Description=Cryptpilot Service (after /sysroot mount)
+Description=Cryptpilot FDE Service (after /sysroot mount)
 DefaultDependencies=no
 ConditionPathExists=/etc/initrd-release
-After=cryptpilot-before-sysroot.service
-Requisite=cryptpilot-before-sysroot.service
+After=cryptpilot-fde-before-sysroot.service
+Requisite=cryptpilot-fde-before-sysroot.service
 After=dracut-initqueue.service
 After=sysroot.mount
 Before=initrd-root-fs.target
@@ -12,9 +12,9 @@ Requires=sysroot.mount
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/usr/bin/cryptpilot boot-service --stage initrd-after-sysroot
+ExecStart=/usr/bin/cryptpilot boot-service --stage initrd-fde-after-sysroot
 StandardOutput=journal+console
 StandardError=journal+console
 
 [Install]
-WantedBy=initrd-root-fs.target
+RequiredBy=initrd-root-fs.target
diff --git a/dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-before-sysroot.service b/dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-before-sysroot.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Cryptpilot FDE Service (before /sysroot mount)
+DefaultDependencies=no
+ConditionPathExists=/etc/initrd-release
+Requires=network-online.target
+After=network-online.target
+Before=initrd-root-device.target
+Wants=attestation-agent.service
+After=attestation-agent.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/bin/cryptpilot boot-service --stage initrd-fde-before-sysroot
+StandardOutput=journal+console
+StandardError=journal+console
+
+[Install]
+RequiredBy=initrd-root-device.target
diff --git a/dist/dracut/modules.d/91cryptpilot/module-setup.sh b/dist/dracut/modules.d/91cryptpilot/module-setup.sh
@@ -35,10 +35,12 @@ install() {
                 inst_simple $moddir/initrd-wait-network-online.service /usr/lib/systemd/system/initrd-wait-network-online.service
                 systemctl --root "$initdir" enable initrd-wait-network-online.service
         fi
-        inst_simple $moddir/cryptpilot-before-sysroot.service /usr/lib/systemd/system/cryptpilot-before-sysroot.service
-        inst_simple $moddir/cryptpilot-after-sysroot.service /usr/lib/systemd/system/cryptpilot-after-sysroot.service
-        systemctl --root "$initdir" enable cryptpilot-after-sysroot.service
-        systemctl --root "$initdir" enable cryptpilot-before-sysroot.service
+        inst_simple $moddir/cryptpilot-fde-before-sysroot.service /usr/lib/systemd/system/cryptpilot-fde-before-sysroot.service
+        inst_simple $moddir/cryptpilot-fde-after-sysroot.service /usr/lib/systemd/system/cryptpilot-fde-after-sysroot.service
+        inst_simple $moddir/cryptpilot-auto-open.service /usr/lib/systemd/system/cryptpilot-auto-open.service
+        systemctl --root "$initdir" enable cryptpilot-fde-after-sysroot.service
+        systemctl --root "$initdir" enable cryptpilot-fde-before-sysroot.service
+        systemctl --root "$initdir" enable cryptpilot-auto-open.service
 
         set +u
         set +e
diff --git a/src/cli.rs b/src/cli.rs
@@ -82,18 +82,22 @@ pub struct BootServiceOptions {
 
 #[derive(ValueEnum, Clone, Debug)]
 pub enum BootStage {
-    #[clap(name = "initrd-before-sysroot")]
-    InitrdBeforeSysroot,
+    #[clap(name = "initrd-fde-before-sysroot")]
+    InitrdFdeBeforeSysroot,
 
-    #[clap(name = "initrd-after-sysroot")]
-    InitrdAfterSysroot,
+    #[clap(name = "initrd-fde-after-sysroot")]
+    InitrdFdeAfterSysroot,
+
+    #[clap(name = "initrd-volumes-auto-open")]
+    InitrdVolumesAutoOpen,
 }
 
 impl Display for BootStage {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            BootStage::InitrdBeforeSysroot => write!(f, "initrd-before-sysroot"),
-            BootStage::InitrdAfterSysroot => write!(f, "initrd-after-sysroot"),
+            BootStage::InitrdFdeBeforeSysroot => write!(f, "initrd-fde-before-sysroot"),
+            BootStage::InitrdFdeAfterSysroot => write!(f, "initrd-fde-after-sysroot"),
+            BootStage::InitrdVolumesAutoOpen => write!(f, "initrd-volumes-auto-open"),
         }
     }
 }
diff --git a/src/cmd/boot_service/copy_config.rs b/src/cmd/boot_service/copy_config.rs
@@ -18,7 +18,7 @@ use super::{detect_boot_part, initrd_state::InitrdStateConfigSource};
 
 const CRYPTPILOT_CONFIG_DIR_INITRD_UNTRUSTED: &'static str = "cryptpilot/config";
 
-pub async fn copy_config_to_initrd_state_if_not_exist() -> Result<()> {
+pub async fn copy_config_to_initrd_state_if_not_exist(extend_measurement: bool) -> Result<()> {
     if InitrdStateConfigSource::exist() {
         return Ok(());
     }
@@ -30,15 +30,18 @@ pub async fn copy_config_to_initrd_state_if_not_exist() -> Result<()> {
     let initrd_state = InitrdState { config };
     serialize_initrd_state(&initrd_state).await?;
 
-    // Extend config hash to runtime measurement
-    let measure = AutoDetectMeasure::new().await;
-    if let Err(e) = measure
-        .extend_measurement_hash(OPERATION_NAME_LOAD_CONFIG.into(), config_str)
-        .await
-        .context("Failed to extend cryptpilot config hash to runtime measurement")
-    {
-        warn!("{e:?}")
+    if extend_measurement {
+        // Extend config hash to runtime measurement
+        let measure = AutoDetectMeasure::new().await;
+        if let Err(e) = measure
+            .extend_measurement_hash(OPERATION_NAME_LOAD_CONFIG.into(), config_str)
+            .await
+            .context("Failed to extend cryptpilot config hash to runtime measurement")
+        {
+            warn!("{e:?}")
+        }
     }
+
     Ok(())
 }
 
diff --git a/src/cmd/boot_service/mod.rs b/src/cmd/boot_service/mod.rs
@@ -82,15 +82,17 @@ pub struct BootServiceCommand {
 impl super::Command for BootServiceCommand {
     async fn run(&self) -> Result<()> {
         match &self.boot_service_options.stage {
-            BootStage::InitrdBeforeSysroot => {
+            BootStage::InitrdFdeBeforeSysroot => {
                 setup_volumes_required_by_fde()
                     .await
                     .context("Failed to setup volumes required by FDE")?;
+            }
+            BootStage::InitrdVolumesAutoOpen => {
                 setup_user_provided_volumes(&self.boot_service_options)
                     .await
                     .context("Failed to setup volumes user provided automatically")?;
             }
-            BootStage::InitrdAfterSysroot => {
+            BootStage::InitrdFdeAfterSysroot => {
                 let measure = AutoDetectMeasure::new().await;
                 if let Err(e) = measure
                     .extend_measurement(OPERATION_NAME_INITRD_SWITCH_ROOT.into(), "{}".into()) // empty json object
@@ -575,7 +577,7 @@ async fn setup_user_provided_volumes(boot_service_options: &BootServiceOptions)
     info!("Opening volumes according to volume configs");
     for volume_config in &volume_configs {
         match boot_service_options.stage {
-            BootStage::InitrdBeforeSysroot
+            BootStage::InitrdFdeBeforeSysroot
                 if volume_config.extra_config.auto_open != Some(true) =>
             {
                 info!(
@@ -584,8 +586,8 @@ async fn setup_user_provided_volumes(boot_service_options: &BootServiceOptions)
                 );
                 continue;
             }
-            BootStage::InitrdAfterSysroot => {
-                unreachable!("This should never happen in initrd-after-sysroot stage")
+            BootStage::InitrdFdeAfterSysroot => {
+                unreachable!("This should never happen in initrd-fde-after-sysroot stage")
             }
             _ => { /* Accept */ }
         };
diff --git a/src/lib.rs b/src/lib.rs
@@ -10,7 +10,6 @@ use std::path::Path;
 
 use anyhow::{bail, Context, Result};
 use clap::Parser as _;
-use cli::{BootServiceOptions, BootStage};
 use cmd::{
     boot_service::{
         copy_config::copy_config_to_initrd_state_if_not_exist,
@@ -53,19 +52,9 @@ pub async fn run() -> Result<()> {
 
     // Handle config dir
     match args.command {
-        cli::Command::BootService(BootServiceOptions {
-            stage: BootStage::InitrdBeforeSysroot,
-        }) => {
+        cli::Command::BootService(_) => {
             // We should load the configs from unsafe space and save them to initrd state for using later.
-            copy_config_to_initrd_state_if_not_exist().await?;
-            config::source::set_config_source(CachedConfigSource::new(
-                InitrdStateConfigSource::new(),
-            ))
-            .await;
-        }
-        cli::Command::BootService(BootServiceOptions {
-            stage: BootStage::InitrdAfterSysroot,
-        }) => {
+            copy_config_to_initrd_state_if_not_exist(true).await?;
             config::source::set_config_source(CachedConfigSource::new(
                 InitrdStateConfigSource::new(),
             ))
@@ -82,8 +71,8 @@ pub async fn run() -> Result<()> {
                 ))
                 .await;
             } else if Path::new("/etc/initrd-release").exists() {
-                // If we are in initrd, copy config to initrd state and load it from there.
-                copy_config_to_initrd_state_if_not_exist().await?;
+                // If we are in initrd, copy config to initrd state and load it from there, so we can run cryptpilot commands manually in initrd in case we need to operate in emergency shell.
+                copy_config_to_initrd_state_if_not_exist(false).await?;
                 config::source::set_config_source(CachedConfigSource::new(
                     InitrdStateConfigSource::new(),
                 ))
