
@sashasimkin
Contributor

@sashasimkin sashasimkin commented Oct 22, 2025

Description

This fixes #6280 and enables uefi-x86 builds with CRYPTROOT_ENABLE=yes.

Also, it adds a CRYPTROOT_AUTOUNLOCK option that will generate /etc/rootfs.key and use it for unattended unlocking.
This is useful for automated scenarios where such a key can be further enrolled into a TPM afterwards, or just to have the illusion of security if the user wants it.

Documentation summary for feature / change

armbian/documentation#836

How Has This Been Tested?

I've verified that it builds for uefi-x86 and orangepi5 with CRYPTROOT_ENABLE=yes and CRYPTROOT_AUTOUNLOCK=yes. Later, I'll confirm that it boots.

Checklist:

Please delete options that are not relevant.

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings

@sashasimkin sashasimkin requested review from a team and igorpecovnik as code owners October 22, 2025 19:31
@github-actions github-actions bot added the 11 Milestone: Fourth quarter release label Oct 22, 2025
@github-actions
Contributor

Hey @sashasimkin! 👋

Thanks for submitting your first pull request to the Armbian project — we're excited to have you contributing! 🧡
Your effort doesn’t just improve Armbian — it benefits the entire community of users and developers.

If you'd like to stay informed about project updates or collaborate more closely with the team,
you can optionally share some personal contact preferences at armbian.com/update-data.
This helps us keep in touch without relying solely on GitHub notifications.

Also, don’t forget to ⭐ star the repo if you haven’t already — and welcome aboard! 🚀

@github-actions github-actions bot added size/medium PR with more then 50 and less then 250 lines Needs review Seeking for review Framework Framework components BSP Board Support Packages labels Oct 22, 2025
@coderabbitai
Contributor

coderabbitai bot commented Oct 22, 2025

Walkthrough

Adds LUKS autounlock support and wiring: when CRYPTROOT_AUTOUNLOCK=yes the installer generates a temporary 32-byte base64 key, stores its path in a new global cryptroot_autounlock_key_file, formats and opens the root LUKS container using that key, and arranges persistence of the key as /etc/rootfs.key with appropriate initramfs hooks and crypttab entries. Validation now accepts either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK. Initramfs cache hashing includes /etc/crypttab. GRUB routines set UEFI_MOUNT_POINT, pass --efi-directory to grub-install, probe/create UUID device nodes for root/boot, and explicitly enable UUID handling. Resize scripts switch many lsblk calls to device-level (-d) and support unattended cryptresize using the key file.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Areas to focus review on:

  • extensions/fs-cryptroot-support.sh — key generation, declare -g cryptroot_autounlock_key_file, autounlock vs passphrase branches, and cleanup.
  • lib/functions/partitioning.sh — moving/persisting the key into image, umask/initramfs keyfile handling, and crypttab entry changes.
  • lib/functions/configuration/main-config.sh — validation logic change for CRYPTROOT options and error text.
  • lib/functions/image/initrd.sh — inclusion of /etc/crypttab in cache hashing.
  • extensions/grub.sh and extensions/grub-riscv64.sh — UEFI_MOUNT_POINT, grub-install --efi-directory, grub-probe UUID handling, and GRUB_DISABLE_* flags.
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem — lsblk -d refactors and unattended cryptsetup resize --key-file path.

Suggested labels

size/large, Patches

Suggested reviewers

  • chraac
  • leggewie
  • EvilOlaf
  • igorpecovnik

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 45.45% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
  • Title Check: ✅ Passed. The title "add CRYPTROOT_AUTOUNLOCK option and fix CRYPTROOT for uefi builds" directly and clearly summarizes the two primary changes in the changeset. The PR introduces the CRYPTROOT_AUTOUNLOCK feature across multiple files (fs-cryptroot-support.sh, partitioning.sh, etc.) and fixes CRYPTROOT support for UEFI builds through changes to grub.sh, grub-riscv64.sh, and related configuration files. The title is concise, specific, and accurately reflects the main objectives without unnecessary noise.
  • Linked Issues Check: ✅ Passed. The PR successfully addresses the requirements of issue #6280. The changes to extensions/grub.sh and extensions/grub-riscv64.sh fix the grub-install failure by explicitly enabling UUID handling (setting GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false), adding UUID path creation for root and boot partitions via grub-probe, and ensuring proper EFI directory configuration. Changes to lib/functions/configuration/main-config.sh update the LUKS validation logic to support either CRYPTROOT_PASSPHRASE or the new CRYPTROOT_AUTOUNLOCK option. Additional supporting changes to partitioning.sh, fs-cryptroot-support.sh, initrd.sh, and the resize script ensure the encrypted root feature works end-to-end, addressing the issue's core requirement to enable uefi-x86 builds with CRYPTROOT_ENABLE=yes.
  • Out of Scope Changes Check: ✅ Passed. All code changes are directly aligned with the stated objectives. The changes to extensions/fs-cryptroot-support.sh, extensions/grub.sh, extensions/grub-riscv64.sh, lib/functions/configuration/main-config.sh, lib/functions/image/partitioning.sh, and lib/functions/image/initrd.sh all serve the primary objectives of adding CRYPTROOT_AUTOUNLOCK support and fixing CRYPTROOT for UEFI builds. The modifications to packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (switching to device-centric lsblk queries and supporting unattended crypt resize when key files are present) are necessary supporting changes that enable proper filesystem resizing with encrypted root partitions. No changes appear to be unrelated to the PR's stated goals.
  • Description Check: ✅ Passed. The PR description is clearly related to the changeset and provides meaningful context. It explains that the changes fix issue #6280 (CRYPTROOT_ENABLE=yes failures on UEFI builds) and introduce the new CRYPTROOT_AUTOUNLOCK option that generates /etc/rootfs.key for unattended unlocking. The description includes testing verification for uefi-x86 and orangepi5, acknowledges the documentation PR, and confirms adherence to project guidelines. This level of detail appropriately communicates the scope and purpose of the changes.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a7b997 and 28c1d21.

📒 Files selected for processing (6)
  • extensions/fs-cryptroot-support.sh (2 hunks)
  • extensions/grub.sh (4 hunks)
  • lib/functions/configuration/main-config.sh (1 hunks)
  • lib/functions/image/initrd.sh (1 hunks)
  • lib/functions/image/partitioning.sh (1 hunks)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (3)
lib/functions/image/partitioning.sh (1)
.github/generate_CODEOWNERS.sh (1)
  • display_alert (6-6)
extensions/fs-cryptroot-support.sh (3)
.github/generate_CODEOWNERS.sh (1)
  • display_alert (6-6)
extensions/lvm.sh (1)
  • prepare_root_device__create_volume_group (41-68)
lib/functions/rootfs/trap-rootfs.sh (1)
  • prepare_rootfs_build_params_and_trap (12-51)
extensions/grub.sh (2)
lib/functions/logging/runners.sh (1)
  • chroot_custom (155-159)
extensions/grub-riscv64.sh (3)
  • extension_prepare_config__prepare_grub-riscv64 (3-25)
  • pre_umount_final_image__install_grub (27-100)
  • configure_grub (102-142)
🔇 Additional comments (8)
lib/functions/configuration/main-config.sh (1)

172-173: LGTM: Prerequisite check correctly updated for autounlock support.

The logic now properly allows either passphrase-based or autounlock-based encryption, aligning with the new CRYPTROOT_AUTOUNLOCK feature introduced in this PR.

lib/functions/image/initrd.sh (1)

65-65: LGTM: Proper initramfs cache invalidation for crypttab changes.

Adding crypttab to the cache hash ensures the initramfs is correctly rebuilt when key file configuration changes, which is essential for the autounlock feature.

extensions/grub.sh (4)

170-170: LGTM: Explicit EFI directory specification.

The explicit --efi-directory=${UEFI_MOUNT_POINT} parameter correctly supports flexible EFI partition locations, which is essential for cryptroot configurations with separate boot partitions.


182-187: LGTM: UUID preparation for GRUB configuration.

The UUID symlink preparation is essential for proper GRUB configuration with encrypted root. The comments clearly explain:

  • Root UUID is needed so grub-update discovers the unlocked /dev/mapper/armbian-root UUID
  • Boot partition UUID is included to handle cases with separate boot partitions (LVM, cryptroot)

The implementation correctly handles both cases and won't fail if the symlinks already exist.


298-299: LGTM: Explicit UUID enablement in GRUB.

Explicitly setting both GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false ensures GRUB uses UUIDs rather than device paths. This is essential for cryptroot support and aligns with the UUID symlink preparation (lines 182-187).


24-28: No action needed — variable has proper default defined.

The review comment's concern is unfounded. UEFI_MOUNT_POINT is initialized with a default value of /boot/efi in lib/functions/image/partitioning.sh. When BOOTPART_REQUIRED != "yes", the variable retains this default; it's only overridden to /boot when the condition is true. The unconditional use on line 28 is safe.

Likely an incorrect or invalid review comment.

lib/functions/image/partitioning.sh (1)

332-336: Configuration is correct and follows standard Debian/Ubuntu practice.

The KEYFILE_PATTERN mechanism in /etc/cryptsetup-initramfs/conf-hook and UMASK=0077 restriction are the standard approach documented by cryptsetup-initramfs for including key files in the initramfs. The implementation shown is correct.

extensions/fs-cryptroot-support.sh (1)

28-42: Now I need to search the codebase to verify the actual behavior. Let me check where the temp key file is moved and if TMPDIR is set:

Temp key file cleanup remains an unaddressed concern.

The temporary key file created at line 30 with mktemp is not guaranteed to be cleaned up. By default mktemp will use user's $TMPDIR. If not defined it will use /tmp. The cleanup_cryptroot function only closes the LUKS mapper and does not delete the temporary key file. If an error occurs before the file is moved to its permanent location, the temporary key file could be left behind on the system.

Adding explicit cleanup for $crytproot_autounlock_key_file in the cleanup_cryptroot function (line 99) would be a prudent safeguard to ensure the key material is not accidentally exposed on disk.
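As an added example (not code from the PR or the Armbian project), the following script walks through the key-file life cycle the review above is concerned with: a 0600 temporary key, a cleanup handler that removes it if the build aborts before it is moved into the image, the move to /etc/rootfs.key with its crypttab line, and the cryptsetup-initramfs KEYFILE_PATTERN/UMASK settings. The names cryptroot_autounlock_key_file, SDCARD, armbian-root and /etc/rootfs.key come from the thread; the function names, the placeholder UUID and the fake rootfs directory are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code): autounlock key-file life cycle for a LUKS root.
# Names from the PR thread: cryptroot_autounlock_key_file, SDCARD, /etc/rootfs.key,
# the armbian-root mapper name, KEYFILE_PATTERN and UMASK=0077. Function names and
# the fake rootfs directory used by demo() are assumptions of this example.
set -eu

# 1. Create the key under umask 077 (never world-readable): 32 random bytes,
#    base64-encoded, in a fresh temp file. Prints the path. The caller assigns
#    the result in its own statement, so a failing mktemp is not masked by
#    the exit status of `declare`.
generate_autounlock_key() {
	local key_file
	key_file="$(umask 077 && mktemp)"
	head -c 32 /dev/urandom | base64 | tr -d '\n' > "$key_file"
	printf '%s\n' "$key_file"
}

# 2. Build-host cleanup: remove the temporary key if it still exists. After a
#    successful move into the image this is a no-op, so it can sit next to the
#    luksClose in the existing cleanup handler without harm.
cleanup_autounlock_key() {
	local key_file="${1:-}"
	if [ -n "$key_file" ] && [ -f "$key_file" ]; then
		shred -u -- "$key_file" 2>/dev/null || rm -f -- "$key_file"
	fi
}

# 3. Move (not copy) the key into the target rootfs as /etc/rootfs.key with
#    0600 permissions and emit the crypttab line the initramfs will use.
install_autounlock_key() {
	local key_file="$1" rootfs="$2" root_uuid="$3"
	install -d -m 0755 -- "$rootfs/etc"
	mv -- "$key_file" "$rootfs/etc/rootfs.key"
	chmod 0600 "$rootfs/etc/rootfs.key"
	printf 'armbian-root UUID=%s /etc/rootfs.key luks\n' "$root_uuid"
}

# 4. Make the key reachable from the initramfs: cryptsetup-initramfs copies only
#    key files matched by KEYFILE_PATTERN, and UMASK=0077 in initramfs.conf keeps
#    the generated initrd (which now embeds the key) unreadable to other users.
write_initramfs_keyfile_config() {
	local rootfs="$1"
	install -d -m 0755 -- "$rootfs/etc/cryptsetup-initramfs" "$rootfs/etc/initramfs-tools"
	printf 'KEYFILE_PATTERN=/etc/rootfs.key\n' >> "$rootfs/etc/cryptsetup-initramfs/conf-hook"
	printf 'UMASK=0077\n' >> "$rootfs/etc/initramfs-tools/initramfs.conf"
}

# Stand-alone run against a constructed fake rootfs. The EXIT trap is what
# guarantees that an abort before install_autounlock_key leaves no key behind.
demo() {
	local crypttab_line
	SDCARD="$(mktemp -d)"
	cryptroot_autounlock_key_file="$(generate_autounlock_key)"
	trap 'cleanup_autounlock_key "${cryptroot_autounlock_key_file:-}"' EXIT
	crypttab_line="$(install_autounlock_key "$cryptroot_autounlock_key_file" "$SDCARD" "PLACEHOLDER-ROOT-UUID")"
	write_initramfs_keyfile_config "$SDCARD"
	printf '%s\n' "$crypttab_line" > "$SDCARD/etc/crypttab"
	printf 'rootfs.key mode: %s\ncrypttab: %s\n' "$(stat -c %a "$SDCARD/etc/rootfs.key")" "$crypttab_line"
	rm -rf -- "$SDCARD"
}
demo
```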

@sashasimkin sashasimkin force-pushed the main branch 2 times, most recently from e8768f1 to 2079ceb Compare October 23, 2025 19:22

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 28c1d21 and 2079ceb.

📒 Files selected for processing (6)
  • extensions/fs-cryptroot-support.sh (2 hunks)
  • extensions/grub.sh (4 hunks)
  • lib/functions/configuration/main-config.sh (1 hunks)
  • lib/functions/image/initrd.sh (1 hunks)
  • lib/functions/image/partitioning.sh (1 hunks)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • lib/functions/image/initrd.sh
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem
  • lib/functions/configuration/main-config.sh
  • lib/functions/image/partitioning.sh
🧰 Additional context used
🧬 Code graph analysis (2)
extensions/grub.sh (2)
lib/functions/logging/runners.sh (1)
  • chroot_custom (155-159)
extensions/grub-riscv64.sh (3)
  • extension_prepare_config__prepare_grub-riscv64 (3-25)
  • pre_umount_final_image__install_grub (27-100)
  • configure_grub (102-142)
extensions/fs-cryptroot-support.sh (3)
.github/generate_CODEOWNERS.sh (1)
  • display_alert (6-6)
extensions/lvm.sh (1)
  • prepare_root_device__create_volume_group (41-68)
lib/functions/rootfs/trap-rootfs.sh (1)
  • prepare_rootfs_build_params_and_trap (12-51)
🔇 Additional comments (4)
extensions/fs-cryptroot-support.sh (2)

28-38: Verify temporary key file cleanup and handoff to target image.

The autounlock workflow generates a temporary key file (line 31) with mktemp, but I don't see explicit cleanup in cleanup_cryptroot() (line 99). While the global variable cryptroot_autounlock_key_file persists for use by other stages (e.g., writing to /etc/rootfs.key in partitioning.sh), ensure that the temporary file is properly cleaned up after it's written to the target image.

Please verify:

  1. That cleanup_cryptroot() or the image finalization stage removes the temporary key file from the build host.
  2. That the key file is correctly copied to /etc/rootfs.key in the target image (expected per AI summary mentioning partitioning.sh changes).
  3. That the variable remains accessible for use by later build stages that need to reference it.

27-40: Autounlock encryption logic looks sound.

The conditional branching between autounlock (lines 28–33) and passphrase-based (lines 34–37) encryption is clear and correct. Key generation, LUKS formatting, and mapper opening flow properly for both paths.

extensions/grub.sh (2)

182-187: UUID handling for root and boot partitions is sound.

The use of grub-probe --target=fs_uuid to discover partition UUIDs and create symlinks in /dev/disk/by-uuid/ is a robust approach. This ensures GRUB references stable UUIDs rather than device paths, which is essential for encrypted root scenarios where /dev/mapper/... names may differ.

The addition of a second symlink for /boot (lines 185–187) correctly handles cases where a separate boot partition exists (e.g., with LVM or cryptroot), while remaining safe if no separate boot partition is present.


298-299: Explicit UUID settings improve GRUB configuration robustness.

Setting GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false ensures GRUB uses UUIDs in the generated config, which is critical for correctness in encrypted and partitioned scenarios.

@igorpecovnik
Member

For the documentation:
https://docs.armbian.com/Developer-Guide_Build-Switches/#filesystem


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 2079ceb and 69ab7c2.

📒 Files selected for processing (6)
  • extensions/fs-cryptroot-support.sh (2 hunks)
  • extensions/grub.sh (4 hunks)
  • lib/functions/configuration/main-config.sh (1 hunks)
  • lib/functions/image/initrd.sh (1 hunks)
  • lib/functions/image/partitioning.sh (1 hunks)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem
  • lib/functions/image/partitioning.sh
  • lib/functions/image/initrd.sh
  • extensions/grub.sh
🧰 Additional context used
🧬 Code graph analysis (1)
extensions/fs-cryptroot-support.sh (2)
.github/generate_CODEOWNERS.sh (1)
  • display_alert (6-6)
extensions/lvm.sh (1)
  • prepare_root_device__create_volume_group (41-68)
🔇 Additional comments (3)
extensions/fs-cryptroot-support.sh (2)

27-27: LGTM on conditional logic and passphrase branch.

The conditional structure properly branches between autounlock (lines 28-33) and passphrase (lines 34-37) paths. The passphrase branch uses existing patterns and the autounlock branch correctly generates a random key. Note: the previous typo (crytproot_autounlock_key_file) has been corrected to cryptroot_autounlock_key_file in line 30.

Also applies to: 34-37


28-38: Global variable scope and cleanup handler verified as correct.

The verification confirms the code properly handles the concerns raised:

  1. Global variable scope: declare -g cryptroot_autounlock_key_file correctly exposes the variable globally, making it accessible to lib/functions/image/partitioning.sh at line 331 where it's moved to the final filesystem.

  2. Cleanup timing: The cleanup handler registered at line 39 only executes cryptsetup luksClose and does not delete the key file. Since the file is moved (not copied) to the final image at ${SDCARD}/etc/rootfs.key during partitioning, it no longer exists in /tmp when the post-mount cleanup runs.

The implementation is correct and requires no changes.

lib/functions/configuration/main-config.sh (1)

172-173: Configuration validation correctly enforces new requirement.

The updated conditional properly validates that either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK is set when CRYPTROOT_ENABLE=yes. The error message clearly communicates both options to the user.

@sashasimkin
Contributor Author

@igorpecovnik I think this is R4R now :)

@igorpecovnik
Member

Bot suggestions are not harmful ... but yeah, many segments in the code are not done perfectly, so generally we at least try to improve what is being added.

@sashasimkin
Contributor Author

Got it - fixed. I usually try to keep changes to bare minimum to avoid unintended side-effects.

@sashasimkin
Contributor Author

quick update (both target trixie):

  • uefi-x86 did boot, however, the fs resize doesn't work as expected.
  • orangepi5 didn't boot with the current branch, so I compiled vendor branch and will try that.

@EvilOlaf
Member

orangepi5 [...] current [...]

I hope all those boot issues for rk3588/s are sorted once current is being rolled-over to the next LTS kernel which may be 6.18 which is edge atm.

@github-actions github-actions bot added the Ready to merge Reviewed, tested and ready for merge label Oct 25, 2025
@github-actions
Contributor

✅ This PR has been reviewed and approved — all set for merge!

@github-actions github-actions bot removed the Needs review Seeking for review label Oct 25, 2025
@sashasimkin sashasimkin marked this pull request as draft October 25, 2025 12:15
@sashasimkin
Contributor Author

I converted it to draft to figure out and fix why growpart wasn’t executed as expected.

@igorpecovnik igorpecovnik removed the Ready to merge Reviewed, tested and ready for merge label Oct 25, 2025
@sashasimkin
Contributor Author

When you are doing testing, also check at least one uefi target without enabling CRYPTROOT.

Good point! will do that.

Does it works if you use daily image from trunk?

That's the next thing that I'll try, but most likely it doesn't - the last thing I noticed, it had root=/dev/mmcblk0p1 in /proc/cmdline. So I flashed the image to an SD card and it's waiting to boot. Also gonna try using a label for the nvme cmdline boot to check if it works.

Currently I have another nvme with older armbian there (24.11 I think), which does work - if nothing from the above works, gonna inspect what's going on there.

./compile.sh build BOARD=uefi-riscv64 BRANCH=current BUILD_DESKTOP=no BUILD_MINIMAL=yes EXPERT=yes KERNEL_CONFIGURE=no RELEASE=plucky

-> [🐳|🔨] mount: /armbian/.tmp/mount-bfd681dd-a979-4326-85b7-020b65854ccf/boot/efi: wrong fs type, bad option, bad superblock on /dev/loop0p1, missing codepage or helper program, or other error.

wow - haven't seen anything like that, yet, what error is there with cryptroot?

@sashasimkin
Contributor Author

sashasimkin commented Oct 28, 2025

So I got my orangepi5 to boot, but only from SD card - still it was a useful experience - I verified that both with CRYPTROOT_ENABLED and without it I have the expanded root filesystem (although I recorded only the cryptroot one :( )

root@orangepi5:~# lsblk
NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
mtdblock0         31:0    0   16M  0 disk
mmcblk1          179:0    0 28.9G  0 disk
├─mmcblk1p1      179:1    0  256M  0 part  /boot
└─mmcblk1p2      179:2    0 28.3G  0 part
  └─armbian-root 253:0    0 28.3G  0 crypt /var/log.hdd
                                           /
zram0            252:0    0  3.7G  0 disk  [SWAP]
zram1            252:1    0   50M  0 disk  /var/log
zram2            252:2    0    0B  0 disk
root@orangepi5:~# uname -a
Linux orangepi5 6.1.115-vendor-rk35xx #1 SMP Thu Oct 16 07:30:53 UTC 2025 aarch64 GNU/Linux

The issue with my NVME on OPI5 is very weird, especially given that I have a working NVME drive, so I think that issue is out of scope for this PR.

UPD: I found what the issue with NVME is - and it actually is in scope of this PR! The initrd image generated for OPI5 doesn't contain /etc/rootfs.key - that's why it can't find the device. Although it's still weird that /proc/cmdline in that case has /dev/mmcblk0p1 as rootdev.
UPD2: The file and key were there - just under a different path, but the crypttab matches - the issue is something else. Still looking into it.


Nevertheless, I generated and flashed the plain image to uefi-x86 with EMMC, this is the result:

root@uefi-x86:~# lsblk
NAME         MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
mmcblk0      179:0    0 29,1G  0 disk
├─mmcblk0p1  179:1    0  260M  0 part /boot/efi
└─mmcblk0p2  179:2    0 28,9G  0 part /var/log.hdd
                                      /
mmcblk0boot0 179:8    0    4M  1 disk
mmcblk0boot1 179:16   0    4M  1 disk
zram0        251:0    0  1,8G  0 disk [SWAP]
zram1        251:1    0   50M  0 disk /var/log
zram2        251:2    0    0B  0 disk
root@uefi-x86:~# uname -a
Linux uefi-x86 6.12.55-current-x86 #2 SMP PREEMPT_DYNAMIC Thu Oct 23 14:20:48 UTC 2025 x86_64 GNU/Linux

Tomorrow I will write plain image to NVME and will verify that works too, but I'm pretty positive the changes are fine :)

@sashasimkin
Contributor Author

@igorpecovnik I now see what you meant about riscv - I checked the code in extensions/grub-riscv64.sh while searching for initrd stuff for OPI5 - that will need modifications similar to grub.sh or some sort of refactoring - but I don't have any riscv hardware to test this on.
So later I'll do the modifications blindly there - would you be able to test them?

@igorpecovnik
Member

would you be able to test them?

Unfortunately not, but it seems this was a problem on my host machine. I wasn't able to reproduce it on another.

@sashasimkin
Contributor Author

@igorpecovnik regarding the tests - I meant to test cryptroot w/ autounlock after I port the modifications there.


Regarding other stuff - I tested it on plain uefi-x86 - works great!

root@uefi-x86:~# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
zram0       251:0    0   7.7G  0 disk [SWAP]
zram1       251:1    0    50M  0 disk /var/log
zram2       251:2    0     0B  0 disk
nvme0n1     259:0    0 238.5G  0 disk
├─nvme0n1p1 259:5    0   260M  0 part /boot/efi
└─nvme0n1p2 259:6    0 238.2G  0 part /var/log.hdd
                                      /
root@uefi-x86:~# uname -a
Linux uefi-x86 6.12.55-current-x86 #2 SMP PREEMPT_DYNAMIC Thu Oct 23 14:20:48 UTC 2025 x86_64 GNU/Linux

Regarding OPI5 - the NVME boot seems to be broken in both trunk and release version - it seems to have /dev/mmcblk0p1 hardcoded somewhere. I tried the following images, and all of them failed to boot with the same /dev/mmcblk0p1 not found error and initramfs shell. So it is out of scope of this PR, but I'll return to it later on, likely as a separate PR/issue.

  • Armbian-unofficial_25.11.0-trunk_Orangepi5_trixie_vendor_6.1.115-crypt_minimal.img
  • Armbian-unofficial_25.11.0-trunk_Orangepi5_trixie_current_6.12.55_minimal.img
  • Armbian_25.8.2_Orangepi5_trixie_vendor_6.1.115_minimal.img

At the same time, the first two I built boot perfectly fine from SD card.

sashasimkin added a commit to sashasimkin/build that referenced this pull request Oct 30, 2025
…edictable output

for some reason lsblk order for -o X is different between EMMC and NVME

see armbian#8805 (comment)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
extensions/fs-cryptroot-support.sh (1)

30-30: Quote the command substitution for robustness.

While mktemp output is predictable, command substitutions should be quoted to follow shell best practices and handle any edge cases.

Apply this diff:

-		declare -g cryptroot_autounlock_key_file=$(mktemp)
+		declare -g cryptroot_autounlock_key_file="$(mktemp)"
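Review bot: quoting the substitution is fine, but on this same line `declare -g cryptroot_autounlock_key_file="$(mktemp)"` also hides a failing mktemp: the statement's exit status is declare's, not mktemp's, so under `set -e` the build would continue with an empty key path and later format the LUKS container against a missing file. Split it into `declare -g cryptroot_autounlock_key_file` followed by `cryptroot_autounlock_key_file="$(mktemp)"` so the failure propagates.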

📥 Commits

Reviewing files that changed from the base of the PR and between c5e7630 and d34d2a7.

📒 Files selected for processing (6)
  • extensions/fs-cryptroot-support.sh (2 hunks)
  • extensions/grub.sh (4 hunks)
  • lib/functions/configuration/main-config.sh (1 hunks)
  • lib/functions/image/initrd.sh (1 hunks)
  • lib/functions/image/partitioning.sh (1 hunks)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • extensions/grub.sh
  • lib/functions/image/partitioning.sh
  • lib/functions/image/initrd.sh
🧰 Additional context used
🧬 Code graph analysis (1)
extensions/fs-cryptroot-support.sh (2)
.github/generate_CODEOWNERS.sh (1)
  • display_alert (6-6)
lib/functions/rootfs/trap-rootfs.sh (1)
  • prepare_rootfs_build_params_and_trap (12-51)
🔇 Additional comments (4)
lib/functions/configuration/main-config.sh (1)

172-173: LGTM! Configuration validation correctly updated.

The validation logic now properly allows either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK when encryption is enabled. The condition correctly uses && to ensure at least one option is set, and the error message clearly communicates both alternatives.

packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (3)

20-20: LGTM! Device-level queries correctly implemented.

The addition of -d (device-level) flag to lsblk calls and removal of | head -n1 pipe correctly implements the device-focused query approach. This addresses the partition type detection issues mentioned in the PR discussion where lsblk output order varied between devices and util-linux versions.

Also applies to: 26-26, 169-169


193-197: LGTM! Unattended cryptsetup resize properly implemented.

The conditional logic for unattended LUKS resize is well-structured and correctly implements the autounlock feature. When /etc/rootfs.key is present, cryptsetup resize can proceed without user interaction, which aligns with the CRYPTROOT_AUTOUNLOCK feature added in this PR. The variable is properly quoted to handle any edge cases.


275-276: LGTM! Crypt detection updated consistently.

The device-level queries for crypt detection are consistent with the overall refactoring approach in this file, ensuring reliable type and name resolution across different device types and util-linux versions.

sashasimkin added a commit to sashasimkin/build that referenced this pull request Oct 31, 2025
…edictable output

for some reason lsblk order for -o X is different between EMMC and NVME

see armbian#8805 (comment)
@sashasimkin
Contributor Author

so this is it, I applied the same fixes to riscv64 grub blindly and it should build and work with CRYPTROOT now too

I think it is R4R/R4M now

@igorpecovnik @rpardini (I saw you authored that code) please check


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (7)
extensions/fs-cryptroot-support.sh (1)

30-30: Quote the command substitution.

The output of mktemp should be quoted to handle edge cases and follow shell best practices.

Apply this diff:

-		declare -g cryptroot_autounlock_key_file=$(mktemp)
+		declare -g cryptroot_autounlock_key_file="$(mktemp)"
packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (4)

20-20: Quote variables in lsblk commands.

Device path variables should be quoted to follow shell best practices and handle edge cases.

Apply this diff to lines 20, 26, and 169:

-	local parttype=$(lsblk -n -d -o TYPE $partdev)
+	local parttype=$(lsblk -n -d -o TYPE "$partdev")
-	local diskdevname=$(lsblk -n -d -o PKNAME $partdev)
+	local diskdevname=$(lsblk -n -d -o PKNAME "$partdev")
-	local partsize=$(lsblk -n -d -b -o SIZE $partdev)
+	local partsize=$(lsblk -n -d -b -o SIZE "$partdev")

Also applies to: 26-26, 169-169


186-186: Quote variables in lsblk commands.

Device path variables should be quoted to follow shell best practices.

Apply this diff:

-	local name=$(lsblk -n -d -o NAME $dev)
+	local name=$(lsblk -n -d -o NAME "$dev")
-	local parentsize=$(lsblk -n -d -b -o SIZE $parentdev)
+	local parentsize=$(lsblk -n -d -b -o SIZE "$parentdev")

Also applies to: 199-199


275-276: Quote variables in lsblk commands.

Device path variables should be quoted to follow shell best practices.

Apply this diff:

-	if [[ "$(lsblk -n -d -o TYPE $rootdev)" == "crypt" ]]; then
-		local cryptname=$(lsblk -n -d -o NAME $rootdev)
+	if [[ "$(lsblk -n -d -o TYPE "$rootdev")" == "crypt" ]]; then
+		local cryptname=$(lsblk -n -d -o NAME "$rootdev")

246-246: Quote variable in lsblk command.

Device path variable should be quoted to follow shell best practices.

Apply this diff:

-	local devsize=$(lsblk -n -d -b -o SIZE $partdev)
+	local devsize=$(lsblk -n -d -b -o SIZE "$partdev")
extensions/grub-riscv64.sh (1)

74-74: Quote the variable expansion.

The UEFI_MOUNT_POINT variable should be quoted to handle paths with spaces.

Apply this diff:

-	local install_grub_cmdline="grub-install --target=${UEFI_GRUB_TARGET} --efi-directory=${UEFI_MOUNT_POINT} --no-nvram --removable"
+	local install_grub_cmdline="grub-install --target=${UEFI_GRUB_TARGET} --efi-directory=\"${UEFI_MOUNT_POINT}\" --no-nvram --removable"
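Review bot: the escaped inner quotes in install_grub_cmdline only take effect if the string is later re-parsed by a shell (eval, or bash -c inside the chroot); if it is expanded as a plain word list, the backslash-quote characters become literal parts of the --efi-directory argument and grub-install will not find the directory. Check how install_grub_cmdline is consumed before applying this, or build the command as an argument list instead of a single string.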

Note: Since this is inside a string assigned to a variable, the inner quotes need to be escaped.

lib/functions/image/partitioning.sh (1)

331-336: Quote variable expansions and file paths.

Variables and file paths should be quoted to handle spaces and special characters correctly.

Apply this diff:

-				mv ${cryptroot_autounlock_key_file:?} ${SDCARD}${luks_key_file}
-				mkdir -p $SDCARD/etc/initramfs-tools/conf.d/
-				echo "UMASK=0077" > $SDCARD/etc/initramfs-tools/conf.d/key-umask.conf
-				echo "" >> $SDCARD/etc/cryptsetup-initramfs/conf-hook
-				echo "KEYFILE_PATTERN=${luks_key_file}" >> $SDCARD/etc/cryptsetup-initramfs/conf-hook
+				mv "${cryptroot_autounlock_key_file:?}" "${SDCARD}${luks_key_file}"
+				mkdir -p "${SDCARD}/etc/initramfs-tools/conf.d/"
+				echo "UMASK=0077" > "${SDCARD}/etc/initramfs-tools/conf.d/key-umask.conf"
+				echo "" >> "${SDCARD}/etc/cryptsetup-initramfs/conf-hook"
+				echo "KEYFILE_PATTERN=${luks_key_file}" >> "${SDCARD}/etc/cryptsetup-initramfs/conf-hook"
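Review bot: after the mv the key file keeps whatever mode and owner mktemp gave it on the build host (mktemp creates files 0600, owned by the user running the build), and nothing in this hunk pins that down inside the image. Suggest following the mv with `chmod 0600 "${SDCARD}${luks_key_file}"` and `chown root:root "${SDCARD}${luks_key_file}"` so the key on the rootfs is not readable by other accounts; the UMASK=0077 line only covers the generated initramfs, not the key file itself.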

📥 Commits

Reviewing files that changed from the base of the PR and between d34d2a7 and d7c6817.

📒 Files selected for processing (7)
  • extensions/fs-cryptroot-support.sh (2 hunks)
  • extensions/grub-riscv64.sh (3 hunks)
  • extensions/grub.sh (4 hunks)
  • lib/functions/configuration/main-config.sh (1 hunks)
  • lib/functions/image/initrd.sh (1 hunks)
  • lib/functions/image/partitioning.sh (1 hunks)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • extensions/grub.sh
  • lib/functions/configuration/main-config.sh
🔇 Additional comments (6)
lib/functions/image/initrd.sh (1)

65-65: LGTM!

Adding /etc/crypttab to the initramfs cache hash ensures that changes to the LUKS container configuration properly invalidate the cache, which is essential for the autounlock feature.

extensions/fs-cryptroot-support.sh (1)

28-38: LGTM!

The autounlock flow is implemented correctly, with proper branching between key-file-based and passphrase-based LUKS setup. The logic aligns with the PR objectives to enable unattended boot scenarios.

packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1)

193-197: LGTM!

The conditional logic for unattended cryptsetup resize using the key file is correctly implemented and addresses the past review feedback.

extensions/grub-riscv64.sh (2)

18-21: LGTM!

The conditional UEFI_MOUNT_POINT setup correctly handles the cryptroot requirement for a unified boot partition. The comment provides helpful context.


136-140: LGTM!

Explicitly enabling os-prober and UUID usage ensures GRUB generates proper UUID-based boot entries, which is essential for encrypted root partitions to boot correctly.

lib/functions/image/partitioning.sh (1)

327-339: LGTM!

The autounlock key file handling logic correctly:

  1. Initializes luks_key_file to "none" by default
  2. Sets up the key file path and initramfs configuration when autounlock is enabled
  3. Updates the crypttab entry to reference the key file

This implementation aligns with the PR objectives to enable unattended unlocking.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
extensions/fs-cryptroot-support.sh (1)

30-30: Consider quoting the command substitution.

While the current code works correctly, bash best practices suggest quoting command substitutions even in assignments for consistency and robustness:

-declare -g cryptroot_autounlock_key_file=$(mktemp)
+declare -g cryptroot_autounlock_key_file="$(mktemp)"

📥 Commits

Reviewing files that changed from the base of the PR and between d7c6817 and ed41d5f.

📒 Files selected for processing (7)
  • extensions/fs-cryptroot-support.sh (2 hunks)
  • extensions/grub-riscv64.sh (3 hunks)
  • extensions/grub.sh (4 hunks)
  • lib/functions/configuration/main-config.sh (1 hunks)
  • lib/functions/image/initrd.sh (1 hunks)
  • lib/functions/image/partitioning.sh (1 hunks)
  • packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • lib/functions/image/initrd.sh
  • extensions/grub-riscv64.sh
  • extensions/grub.sh
  • lib/functions/image/partitioning.sh
🔇 Additional comments (5)
lib/functions/configuration/main-config.sh (1)

172-173: LGTM! Validation logic correctly supports both unlock methods.

The updated condition properly validates that at least one of CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK is set when CRYPTROOT_ENABLE is enabled, and the error message clearly communicates both options to the user.

extensions/fs-cryptroot-support.sh (1)

28-38: LGTM! Autounlock implementation is sound.

The CRYPTROOT_AUTOUNLOCK flow correctly:

  • Generates a secure random key using openssl rand -base64 32 (256 bits of entropy)
  • Stores the key file path in a global variable for later use
  • Applies the key file to LUKS format and open operations
  • Preserves the existing passphrase flow in the else branch

The variable quoting is appropriate: CRYPTROOT_PARAMETERS is intentionally unquoted to allow multi-argument expansion (e.g., --pbkdf pbkdf2), while file paths are properly quoted.

packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (3)

20-20: LGTM! Device-level lsblk queries resolve the type detection issue.

Adding the -d (--nodeps) flag to lsblk queries ensures only the specified device's properties are returned, without holder or slave devices. This resolves the issue mentioned in the PR where lsblk was returning both "crypt" and "part" types in unpredictable order, causing partition type validation failures.

For example, at line 20, querying the TYPE of a partition that has a LUKS container will now reliably return "part" rather than potentially showing both the partition and its cryptographic holder.

Also applies to: 26-26, 169-169


186-186: LGTM! Consistent device-level queries throughout.

The remaining lsblk queries have been consistently updated with -d to ensure device-level output:

  • Line 186: Get crypt device NAME without showing slaves
  • Line 199: Get parent device SIZE for crypt resize validation
  • Line 246: Get partition SIZE for filesystem resize validation
  • Lines 275-276: Check if root device TYPE is "crypt" and retrieve its NAME

This consistent approach prevents the lsblk ordering issues that were causing resize failures on encrypted systems.

Also applies to: 199-199, 246-246, 275-276


193-197: LGTM! Unattended cryptsetup resize properly implemented.

The conditional logic correctly handles both scenarios:

  • If /etc/rootfs.key exists (CRYPTROOT_AUTOUNLOCK mode): uses --key-file for unattended resize
  • Otherwise: attempts resize without key file (may prompt for passphrase or auto-resize on reboot)

This implementation addresses the previous review feedback and enables the CRYPTROOT_AUTOUNLOCK workflow introduced in this PR.

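As an added example (not code from this PR or from the armbian/build project), the following shell audit checks the CRYPTROOT_AUTOUNLOCK layout that the review above describes: the key file, the crypttab entry pointing at it, KEYFILE_PATTERN in the cryptsetup-initramfs conf-hook, and UMASK=0077 for the initramfs. The paths come from the PR; the sample image roots the script builds are constructed, and the key is generated with base64 instead of openssl so it runs without extra tools.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR. Audits an image root (the ${SDCARD}
# prefix partitioning.sh writes into) for the CRYPTROOT_AUTOUNLOCK layout:
#   <root>/etc/rootfs.key                              LUKS key file
#   <root>/etc/crypttab                                3rd field names the key
#   <root>/etc/cryptsetup-initramfs/conf-hook          KEYFILE_PATTERN=<key>
#   <root>/etc/initramfs-tools/conf.d/key-umask.conf   UMASK=0077
# The key is copied into the initramfs on the unencrypted boot partition, so
# the key file mode and the initramfs umask are the only things keeping it
# from anyone who can read /boot; that is what steps 1 and 4 check.
set -u

# audit_autounlock_root <root-prefix> [<key-path>]
# Prints one line per finding; returns the number of findings (0 = OK).
audit_autounlock_root() {
    local root="$1" key="${2:-/etc/rootfs.key}" findings=0 mode
    local keyfile="${root}${key}"
    local crypttab="${root}/etc/crypttab"
    local hook="${root}/etc/cryptsetup-initramfs/conf-hook"
    local umask_conf="${root}/etc/initramfs-tools/conf.d/key-umask.conf"

    # 1. key file exists, is non-empty, and is not group/world readable
    if [ ! -s "$keyfile" ]; then
        echo "missing or empty key file: $keyfile"; findings=$((findings + 1))
    else
        mode=$(stat -c '%a' "$keyfile")
        case "$mode" in
            400|600) ;;
            *) echo "key file mode is $mode, expected 0400 or 0600: $keyfile"
               findings=$((findings + 1)) ;;
        esac
    fi

    # 2. crypttab must reference the key in its third field
    #    (format: <name> <device> <keyfile> <options>)
    if [ ! -f "$crypttab" ]; then
        echo "missing $crypttab"; findings=$((findings + 1))
    elif ! awk -v k="$key" '$1 !~ /^#/ && NF >= 3 && $3 == k { found = 1 }
                            END { exit !found }' "$crypttab"; then
        echo "no crypttab entry uses key file $key"; findings=$((findings + 1))
    fi

    # 3. the initramfs hook must know the pattern, or the key is never copied in
    if ! grep -qx "KEYFILE_PATTERN=${key}" "$hook" 2>/dev/null; then
        echo "KEYFILE_PATTERN=${key} not set in $hook"; findings=$((findings + 1))
    fi

    # 4. the initramfs image itself must be created 0600, else the key leaks
    if ! grep -qx 'UMASK=0077' "$umask_conf" 2>/dev/null; then
        echo "UMASK=0077 not set in $umask_conf"; findings=$((findings + 1))
    fi

    return "$findings"
}

# make_sample_root <dir> <key-mode> <umask-line>
# Constructs a sample image root laid out the way the PR writes it.
make_sample_root() {
    local root="$1" mode="$2" umask_line="$3"
    mkdir -p "$root/etc/cryptsetup-initramfs" "$root/etc/initramfs-tools/conf.d"
    head -c 32 /dev/urandom | base64 > "$root/etc/rootfs.key"   # 256-bit key
    chmod "$mode" "$root/etc/rootfs.key"
    # constructed placeholder UUID, not a real device
    echo "armbian-root UUID=00000000-0000-0000-0000-000000000000 /etc/rootfs.key luks" \
        > "$root/etc/crypttab"
    echo "KEYFILE_PATTERN=/etc/rootfs.key" > "$root/etc/cryptsetup-initramfs/conf-hook"
    echo "$umask_line" > "$root/etc/initramfs-tools/conf.d/key-umask.conf"
}

# Demo: one correct root, one with a world-readable key and a loose umask.
demo() {
    local good bad rc
    good=$(mktemp -d); bad=$(mktemp -d)
    make_sample_root "$good" 600 'UMASK=0077'
    make_sample_root "$bad" 644 'UMASK=0022'
    audit_autounlock_root "$good" && echo "good root: OK"
    rc=0; audit_autounlock_root "$bad" || rc=$?
    echo "bad root: $rc findings"
    rm -rf "$good" "$bad"
}
demo
```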
@sashasimkin sashasimkin removed the Work in progress Unfinished / work in progress label Nov 2, 2025
@github-actions github-actions bot added the Ready to merge Reviewed, tested and ready for merge label Nov 2, 2025
@github-actions

github-actions bot commented Nov 2, 2025

✅ This PR has been reviewed and approved — all set for merge!

@github-actions github-actions bot removed the Needs review Seeking for review label Nov 2, 2025
@igorpecovnik igorpecovnik merged commit 1653fda into armbian:main Nov 2, 2025
11 checks passed
igorpecovnik pushed a commit that referenced this pull request Nov 2, 2025
…edictable output

for some reason lsblk order for -o X is different between EMMC and NVME

see #8805 (comment)
@coderabbitai coderabbitai bot mentioned this pull request Nov 10, 2025
10 tasks

Labels

11 Milestone: Fourth quarter release BSP Board Support Packages Framework Framework components Ready to merge Reviewed, tested and ready for merge size/medium PR with more then 50 and less then 250 lines

Development

Successfully merging this pull request may close these issues.

Build broken with CRYPTROOT_ENABLE=yes

3 participants