IDP: Two new AB PMAPs, consolidate naming

learmj · learmj · commit 30b86caf84b7 · 2025-11-03T11:52:15.000Z
Add two new PMAPs:
- cryptdata  : Only the persistent storage partition is encrypted.
- cryptslots : Only the system (OS) partition for each slot is encrypted.

Rename hybrid -&gt; crypthybrid - this is a development-only PMAP which
encrypts B.system.

A crypt* PMAP now denotes encryption will be applied on some part of the
disk image at provisioning time.

Documentation updated.
diff --git a/docs/layer/image-rota.html b/docs/layer/image-rota.html
@@ -454,7 +454,7 @@ <h2>Configuration Variables</h2>
                 
                 <tr>
                     <td><code>IGconf_image_data_part_size</code></td>
-                    <td>Writable storage partition retained across
+                    <td>Writable data partition retained across
  slot rotations.</td>
                     <td>
                        
@@ -489,16 +489,18 @@ <h2>Configuration Variables</h2>
                     <td><code>IGconf_image_pmap</code></td>
                     <td>Provisioning Map type for this image layout.
  clear: All partitions will be provisioned unencrypted.
- crypt: All partitions except <slot>:boot will be provisioned encrypted.
- hybrid: B:system will be provisioned encrypted (development only).</td>
+ crypt: All non-boot partitions will be provisioned encrypted.
+ cryptslots: Only system OS partitions will be provisioned encrypted.
+ cryptdata: Only the data partition will be provisioned encrypted.
+ crypthybrid: B:system OS partition will be provisioned encrypted (dev only).</td>
                     <td>
                        
                            
                            <code>clear</code>
                            
                        
                     </td>
-                    <td>Must be one of: clear, crypt, hybrid</td>
+                    <td>Must be one of: clear, crypt, cryptslots, cryptdata, crypthybrid</td>
                     <td>
                         <a href="variable-validation.html#set-policies" class="badge policy-immediate" title="Click for policy and validation help">immediate</a>
                     </td>
diff --git a/image/gpt/ab_userdata/device/provisionmap-cryptdata.json b/image/gpt/ab_userdata/device/provisionmap-cryptdata.json
@@ -0,0 +1,93 @@
+[
+   {
+      "attributes": {
+         "PMAPversion": "1.2.0",
+         "system_type": "slotted"
+      }
+   },
+   {
+      "partitions": [
+         {
+            "image": "config"
+         }
+      ]
+   },
+   {
+      "slots": {
+         "A": {
+            "partitions": [
+               {
+                  "image": "boot_a",
+                  "static": {
+                     "uuid": "<BOOT_UUID>",
+                     "role": "boot"
+                  }
+               }
+            ]
+         }
+      }
+   },
+   {
+      "slots": {
+         "B": {
+            "partitions": [
+               {
+                  "image": "boot_b",
+                  "static": {
+                     "uuid": "<BOOT_UUID>",
+                     "role": "boot"
+                  }
+               }
+            ]
+         }
+      }
+   },
+   {
+      "slots": {
+         "A": {
+            "partitions": [
+               {
+                  "image": "system_a",
+                  "static": {
+                     "uuid": "<SYSTEM_UUID>",
+                     "role": "system"
+                  }
+               }
+            ]
+         }
+      }
+   },
+   {
+      "slots": {
+         "B": {
+            "partitions": [
+               {
+                  "image": "system_b",
+                  "static": {
+                     "uuid": "<SYSTEM_UUID>",
+                     "role": "system"
+                  }
+               }
+            ]
+         }
+      }
+   },
+   {
+      "encrypted": {
+         "luks2": {
+            "key_size": 512,
+            "cipher": "aes-xts-plain64",
+            "hash": "sha256",
+            "label": "root",
+            "uuid": "<CRYPT_UUID>",
+            "mname": "cryptroot",
+            "etype": "partitioned"
+         },
+         "partitions": [
+            {
+               "image": "persistent"
+            }
+         ]
+      }
+   }
+]
diff --git a/image/gpt/ab_userdata/device/provisionmap-crypthybrid.json b/image/gpt/ab_userdata/device/provisionmap-crypthybrid.json
diff --git a/image/gpt/ab_userdata/device/provisionmap-cryptslots.json b/image/gpt/ab_userdata/device/provisionmap-cryptslots.json
@@ -0,0 +1,89 @@
+[
+   {
+      "attributes": {
+         "PMAPversion": "1.3.0",
+         "system_type": "slotted"
+      }
+   },
+   {
+      "partitions": [
+         {
+            "image": "config"
+         }
+      ]
+   },
+   {
+      "slots": {
+         "A": {
+            "partitions": [
+               {
+                  "image": "boot_a",
+                  "static": {
+                     "uuid": "<BOOT_UUID>",
+                     "role": "boot"
+                  }
+               }
+            ]
+         }
+      }
+   },
+   {
+      "slots": {
+         "B": {
+            "partitions": [
+               {
+                  "image": "boot_b",
+                  "static": {
+                     "uuid": "<BOOT_UUID>",
+                     "role": "boot"
+                  }
+               }
+            ]
+         }
+      }
+   },
+   {
+      "encrypted": {
+         "luks2": {
+            "key_size": 512,
+            "cipher": "aes-xts-plain64",
+            "hash": "sha256",
+            "label": "root",
+            "uuid": "<CRYPT_UUID>",
+            "mname": "cryptroot",
+            "etype": "partitioned"
+         },
+         "slots": {
+            "A": {
+               "partitions": [
+                  {
+                     "image": "system_a",
+                     "static": {
+                        "uuid": "<SYSTEM_UUID>",
+                        "role": "system"
+                     }
+                  }
+               ]
+            },
+            "B": {
+               "partitions": [
+                  {
+                     "image": "system_b",
+                     "static": {
+                        "uuid": "<SYSTEM_UUID>",
+                        "role": "system"
+                     }
+                  }
+               ]
+            }
+         }
+      }
+   },
+   {
+      "partitions": [
+         {
+            "image": "persistent"
+         }
+      ]
+   }
+]
diff --git a/image/gpt/ab_userdata/image.yaml b/image/gpt/ab_userdata/image.yaml
@@ -24,7 +24,7 @@
 # X-Env-Var-system_part_size-Set: y
 #
 # X-Env-Var-data_part_size: 1G
-# X-Env-Var-data_part_size-Desc: Writable storage partition retained across
+# X-Env-Var-data_part_size-Desc: Writable data partition retained across
 #  slot rotations.
 # X-Env-Var-data_part_size-Required: n
 # X-Env-Var-data_part_size-Valid: size
@@ -39,10 +39,12 @@
 # X-Env-Var-pmap: clear
 # X-Env-Var-pmap-Desc: Provisioning Map type for this image layout.
 #  clear: All partitions will be provisioned unencrypted.
-#  crypt: All partitions except <slot>:boot will be provisioned encrypted.
-#  hybrid: B:system will be provisioned encrypted (development only).
+#  crypt: All non-boot partitions will be provisioned encrypted.
+#  cryptslots: Only system OS partitions will be provisioned encrypted.
+#  cryptdata: Only the data partition will be provisioned encrypted.
+#  crypthybrid: B:system OS partition will be provisioned encrypted (dev only).
 # X-Env-Var-pmap-Required: n
-# X-Env-Var-pmap-Valid: clear,crypt,hybrid
+# X-Env-Var-pmap-Valid: clear,crypt,cryptslots,cryptdata,crypthybrid
 # X-Env-Var-pmap-Set: y
 #
 # X-Env-Var-ptable_protect: $( [ "${IGconf_device_storage_type:-}" = "emmc" ] && echo y || echo n )
