[systemd-devel] systemd-repart very slow creation of partitions with Encrypt=

Lennart Poettering lennart at poettering.net
Mon Jun 5 09:26:24 UTC 2023


On Mo, 05.06.23 11:09, Lennart Poettering (lennart at poettering.net) wrote:

> On Mo, 05.06.23 10:41, Valentin David (valentin.david at canonical.com) wrote:
>
> > On Mon, Jun 5, 2023 at 9:56 AM Lennart Poettering <lennart at poettering.net>
> > wrote:
> >
> > > On So, 04.06.23 14:25, Valentin David (valentin.david at canonical.com)
> > > wrote:
> > >
> > > > I have been trying to create a root partition from initrd with
> > > > systemd-repart. The repart.d file for this partition is as follows:
> > > >
> > > > [Partition]
> > > > Type=root
> > > > Label=root
> > > > Encrypt=tpm2
> > > > Format=ext4
> > > > FactoryReset=yes
> > > >
> > > > I am just using systemd-repart.service in initrd, without modification
> > > > (that is, it finds the disk from /sysusr/usr). Even though this is
> > > > working,
> > > > the problem I have is that it takes a very long time for the partition to
> > > > be created. Looking at the logs, it spends most of time in the
> > > > reencryption.
> > >
> > > reencryption? We don't do any reencryption really. i.e. we do not
> > > actually support anything like "cryptsetup reencrypt" at all. All we
> > > do is the equivalent of "cryptsetup luksFormat". Are you suggesting
> > > that repart is slower at formatting a block device via LUKS than
> > > invoking cryptsetup directly would be? I'd find that very surprising...
> > >
> >
> > This is what it looks like in src/partition/repart.c. Function
> > partition_encrypt calls sym_crypt_reencrypt_init_by_passphrase and
> > then sym_crypt_reencrypt.
> > And make_filesystem is called before partition_encrypt. So it must
> > reencrypt since mkfs was called before.
>
> Oh, fuck, yeah, Daan added that.
>
> This is a bug really.

Valentin, could you file an issue about this on GitHub, so that we can
track this? This definitely should be fixed. 3h for this at boot is
not OK, given this could just finish in seconds.

The reason the reencryption stuff was added to repart was to allow
unpriv operation for building disk images. But this really shouldn't
break repart use at boot like that...

Lennart

--
Lennart Poettering, Berlin
