s390x: ignition-ostree-growfs: resize LUKS encrypted rootfs

Signed-off-by: Nikita Dubrovskii <[email protected]>
coreos · May 27, 2022 · 5270cfd · 5270cfd
1 parent fb088eb
commit 5270cfd
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 7 deletions.
diff --git a/manifests/bootable-rpm-ostree.yaml b/manifests/bootable-rpm-ostree.yaml
@@ -29,6 +29,8 @@ packages-s390x:
   # provided by s390utils-base, but soon will be -core too.
   - /usr/sbin/zipl
   - /usr/bin/genprotimg
+  # resize LUKS encrypted rootfs
+  - /usr/sbin/parted
 packages-x86_64:
   - grub2 grub2-efi-x64 efibootmgr shim
   - microcode_ctl

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
@@ -40,6 +40,12 @@ else
     fi
 fi
 
+# IBM SecureExecution
+secure_execution=0
+if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
+    secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
+fi
+
 # Go through each blockdev in the hierarchy and verify we know how to grow them
 lsblk -no TYPE "${partition}" | while read dev; do
     case "${dev}" in
@@ -80,13 +86,25 @@ while true; do
             fi
             ;;
         crypt)
-            # XXX: yuck... we need to expose this sanely in clevis
-            (. /usr/bin/clevis-luks-common-functions
-             eval $(udevadm info --query=property --export "${NAME}")
-             # lsblk doesn't print PKNAME of crypt devices with --nodeps
-             PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
-             clevis_luks_unlock_device "${PKNAME}" | cryptsetup resize -d- "${DM_NAME}"
-            )
+            eval $(udevadm info --query=property --export "${NAME}")
+            if [[ "${secure_execution}" == "0" ]]; then
+                # XXX: yuck... we need to expose this sanely in clevis
+                (. /usr/bin/clevis-luks-common-functions
+                # lsblk doesn't print PKNAME of crypt devices with --nodeps
+                PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
+                clevis_luks_unlock_device "${PKNAME}" | cryptsetup resize -d- "${DM_NAME}"
+                )
+            else
+                if [[ ! -f /etc/luks/root ]]; then
+                    echo "error: /etc/luks/root doesn't exist"
+                    exit 1
+                fi
+                device=$(realpath /dev/disk/by-label/"${DM_NAME}")
+                eval $(udevadm info --query=property --export $device | grep PARTN=)
+                eval $(lsblk -o PKNAME --nodeps --noheadings --paths --pairs $device)
+                parted $PKNAME resizepart $PARTN 100%
+                cryptsetup resize --key-file=/etc/luks/root "${DM_NAME}"
+            fi
             ;;
         # already checked
         *) echo "unreachable" 1>&2; exit 1 ;;

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -46,6 +46,7 @@ install() {
         xfs_admin  \
         xfs_growfs \
         wc         \
+        parted     \
         wipefs
 
     # growpart deps