Issue 313484 mount_gpt_image.sh: add ability to mount /var
Starred by 1 user Project Member Reported by quiche@chromium.org, Oct 31 2013
Status: Untriaged
Owner: ----
Cc: keescook@chromium.org
Components:
OS: Chrome
Pri: 2
Type: Bug


Sometimes builds fail in VMTest in such a way that we can't ssh into the VM. We'd like to be able to diagnose these problems by examining the log files from the VM disk image.

mount_gpt_image.sh seems like the right tool for the job, but it isn't quite complete. This is because although /var is on stateful, most of stateful is actually encrypted.

We can get at the logs by booting the VM image, but that's a bit clunkier than being able to navigate the filesystem directly. Also, booting the image will change the logs.
 
Comment 1 by quiche@chromium.org, Oct 31 2013
Cc: keescook@chromium.org
@keescook: Do you have a pointer to how encrypted /var can be mounted?
The chromeos_startup script calls out to mount-encrypted to do the work. Since mount-encrypted really likes validating its environment, it can be a little weird to set up, but it is possible to mount externally if the conditions are correct.

The main problem is that mount-encrypted uses characteristics of the device it runs on to do the mounting. So, it might not be possible for one to mount the encrypted stateful partition when off that device.

I assume that under VMTest, there is no TPM and no CrOS firmware? In this case, mount-encrypted will attempt to read /proc/cmdline for "encrypted-stateful-key=NNNN...", and failing that, will use the contents of /sys/class/dmi/id/product_uuid. Failing that, it will use a static key of "default unsafe static key".

So, once you identify which key mount-encrypted is using on VMTest, and you can reconstruct that environment on the machine you want to mount on, this procedure should work:

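BLOCK=/path/to/stateful-partition/block-dev
WORK="/tmp/test-root"

# Directory layout that mount-encrypted expects under its root
mkdir -p "$WORK/var"
mkdir -p "$WORK/home/chronos"
mkdir -p "$WORK/mnt/stateful_partition"

# Mount the (unencrypted) stateful partition first
mount -n -t ext4 -o loop,noatime,commit=600 "$BLOCK" "$WORK/mnt/stateful_partition"

# Set up the encrypted mounts relative to $WORK
MOUNT_ENCRYPTED_ROOT="$WORK" mount-encrypted

# examine $WORK/var here

# Tear down in reverse order
MOUNT_ENCRYPTED_ROOT="$WORK" mount-encrypted umount
umount -n "$WORK/mnt/stateful_partition/"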
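
Added example (not part of the comment above and not mount-encrypted's own code): a shell helper that reports which of the three key sources in the fallback order described above would apply, given copies of the VM's /proc/cmdline and /sys/class/dmi/id/product_uuid. The function name key_source, the treatment of an empty key value or an empty UUID file as absent, and the restriction to the no-TPM, no-CrOS-firmware case are assumptions.

```shell
#!/bin/sh
# Added example: mirrors only the fallback order described in the comment
# above (cmdline key, then DMI product UUID, then static key).
# It does not derive or print any key material.

# key_source CMDLINE_FILE UUID_FILE
# Prints one of: cmdline, product_uuid, static
key_source() {
    cmdline_file=$1
    uuid_file=$2

    # 1. Kernel command line: a whole token of the form
    #    encrypted-stateful-key=<non-empty value> (assumption: empty = absent).
    if [ -r "$cmdline_file" ] &&
       tr ' \t' '\n\n' < "$cmdline_file" |
           grep -q -e '^encrypted-stateful-key=.'; then
        echo cmdline
        return 0
    fi

    # 2. DMI product UUID (assumption: an unreadable or empty file = absent).
    #    On a live system this file may be readable only by root, so run the
    #    check with the same privileges mount-encrypted would have.
    if [ -r "$uuid_file" ] && [ -s "$uuid_file" ]; then
        echo product_uuid
        return 0
    fi

    # 3. Nothing device-specific available: the static key quoted above.
    echo static
}

# Default to the live paths; pass two file paths to check captured copies.
key_source "${1:-/proc/cmdline}" "${2:-/sys/class/dmi/id/product_uuid}"
```

A result of static or product_uuid means the environment can be reproduced on another machine, which is the precondition for the mount procedure above.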

Comment 3 by quiche@chromium.org, Oct 31 2013
Status: Available
@keescook, yep, no TPM and no CrOS firmware. I'll give your instructions a shot. Thanks!
Labels: Gardening
Project Member Comment 5 by sheriffbot@chromium.org, Mar 26
Labels: Hotlist-Recharge-Cold
Status: Untriaged
This issue has been available for more than 365 days, and should be re-evaluated. Hotlist-Recharge-Cold label is added for tracking. Please re-triage this issue.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot