[systemd-devel] How to express that a device listed in /etc/crypttab depends on a mount point

Lennart Poettering lennart at poettering.net
Fri Sep 27 11:46:55 UTC 2024


On Mi, 25.09.24 15:28, aplanas (aplanas at suse.de) wrote:

> Hi!
>
> A user has /home in a different encrypted partition via pcrlock. After the
> initrd, during the normal boot process, the systemd-cryptsetup generator is
> reading this file to open the devices in /dev/mapper/$name. But this is
> happening before /var gets mounted, and this contains the pcrlock.json file
> required to unlock the home device.

systemd-pcrlock places a copy of the policy in the ESP, automatically,
where sd-stub then picks it up, so that it is available in the
initrd. (since 985a261701cd3ddcbd2587febacc490a481a6b59).

This is fundamental so that pcrlock can work for the rootfs or /var
itself. And those are the dirs one typically really wants to protect
with this, so this is really key.

> Is there a way to indicate this dependency for the generator, as a
> "RequiresMountsFor=" for .mount services or x-systemd.requires= in fstab?

Not currently, no. I think it would be OK to add though.

(But really, just get this in via the boot loader path, i.e. sd-stub)

Lennart

--
Lennart Poettering, Berlin

