add CRYPTROOT_AUTOUNLOCK option and fix CRYPTROOT for uefi builds

[sashasimkin]

Description

This fixes #6280 and enables uefi-x86 builds with CRYPTROOT_ENABLE=yes.

Also, it adds CRYPTROOT_AUTOUNLOCK option, that will generate /etc/rootfs.key and use it for unattended unlocking.
This is useful for automated scenarios when such key can be further enrolled into TPM afterwards, or just to have illusion of security if user wants so.

Documentation summary for feature / change

armbian/documentation#836

How Has This Been Tested?

I've verified that it builds for uefi-x86 and orangepi5 with CRYPTROOT_ENABLE=yes and CRYPTROOT_AUTOUNLOCK=yes. Later, I'll confirm that it boots.

Checklist:

Please delete options that are not relevant.

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings

[github-actions]

Hey @sashasimkin! 👋

Thanks for submitting your first pull request to the Armbian project — we're excited to have you contributing! 🧡
Your effort doesn’t just improve Armbian — it benefits the entire community of users and developers.

If you'd like to stay informed about project updates or collaborate more closely with the team,
you can optionally share some personal contact preferences at armbian.com/update-data.
This helps us keep in touch without relying solely on GitHub notifications.

Also, don’t forget to ⭐ star the repo if you haven’t already — and welcome aboard! 🚀

[coderabbitai]

Walkthrough

Adds LUKS autounlock support and related wiring: when CRYPTROOT_AUTOUNLOCK=yes a temporary key file is created and used to format/open the root LUKS container (variable cryptroot_autounlock_key_file), and /etc/rootfs.key is written and referenced in crypttab and initramfs hooks. Configuration validation now accepts either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK when CRYPTROOT_ENABLE=yes. Initramfs cache hashing now includes /etc/crypttab. GRUB setup gains UEFI_MOUNT_POINT, uses --efi-directory with grub-install, probes UUIDs for root and /boot, and forces UUID usage in GRUB config. The resize script switches many lsblk calls to operate on device nodes (-d) and supports unattended cryptsetup resize using the key file if present.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Areas to focus review on:

• extensions/fs-cryptroot-support.sh — keyfile generation, cleanup handler, interaction with existing passphrase path.
• lib/functions/partitioning.sh — creation/saving of /etc/rootfs.key, crypttab entry changes, initramfs conf.d and cryptsetup-initramfs hook entries (KEYFILE_PATTERN).
• lib/functions/configuration/main-config.sh — validation logic change for CRYPTROOT enablement.
• lib/functions/image/initrd.sh — addition of /etc/crypttab to initramfs cache hashing.
• extensions/grub.sh — UEFI_MOUNT_POINT declaration, use of --efi-directory, grub-probe UUID handling, and GRUB_DISABLE_* flags.
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem — extensive lsblk changes to use -d, device vs partition logic, and unattended cryptresize path (cryptsetup resize --key-file ...).

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "add CRYPTROOT_AUTOUNLOCK option and fix CRYPTROOT for uefi builds" directly and accurately captures the two main objectives of the changeset. The changes across multiple files implement both the new CRYPTROOT_AUTOUNLOCK feature (visible in fs-cryptroot-support.sh, partitioning.sh, and initrd.sh) and the UEFI CRYPTROOT fix (evident in grub.sh and armbian-resize-filesystem modifications). The title is concise, specific, and clearly communicates the primary changes without being vague or overly broad.
Linked Issues Check	✅ Passed	The PR successfully addresses the core objectives from linked issue #6280. The changes to extensions/grub.sh add UEFI-specific configuration (UEFI_MOUNT_POINT, --efi-directory, and UUID settings) to resolve the grub-install failure on encrypted UEFI systems. The modifications to fs-cryptroot-support.sh, main-config.sh, initrd.sh, and partitioning.sh implement the CRYPTROOT_AUTOUNLOCK feature that generates and uses /etc/rootfs.key. The armbian-resize-filesystem changes fix device detection logic to properly handle encrypted partitions, enabling unattended resizing. All modifications directly support enabling CRYPTROOT builds on UEFI systems and implementing the new autounlock functionality.
Out of Scope Changes Check	✅ Passed	All file modifications are within scope of the stated objectives. Changes to grub.sh, fs-cryptroot-support.sh, main-config.sh, initrd.sh, and partitioning.sh directly implement CRYPTROOT_AUTOUNLOCK support and fix CRYPTROOT for UEFI builds. The changes to armbian-resize-filesystem, while addressing filesystem resizing for encrypted partitions, are necessary for the overall encrypted root functionality to work properly during initialization and later resizing operations. These changes align with the PR's goal of enabling CRYPTROOT on UEFI builds and implementing unattended unlocking via autounlock keys.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a7b997 and 28c1d21.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

lib/functions/image/partitioning.sh (1)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/fs-cryptroot-support.sh (3)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/lvm.sh (1)

• prepare_root_device__create_volume_group (41-68)

lib/functions/rootfs/trap-rootfs.sh (1)

• prepare_rootfs_build_params_and_trap (12-51)

extensions/grub.sh (2)

lib/functions/logging/runners.sh (1)

• chroot_custom (155-159)

extensions/grub-riscv64.sh (3)

• extension_prepare_config__prepare_grub-riscv64 (3-25)
• pre_umount_final_image__install_grub (27-100)
• configure_grub (102-142)

🔇 Additional comments (8)

lib/functions/configuration/main-config.sh (1)

172-173: LGTM: Prerequisite check correctly updated for autounlock support.

The logic now properly allows either passphrase-based or autounlock-based encryption, aligning with the new CRYPTROOT_AUTOUNLOCK feature introduced in this PR.

lib/functions/image/initrd.sh (1)

65-65: LGTM: Proper initramfs cache invalidation for crypttab changes.

Adding crypttab to the cache hash ensures the initramfs is correctly rebuilt when key file configuration changes, which is essential for the autounlock feature.

extensions/grub.sh (4)

170-170: LGTM: Explicit EFI directory specification.

The explicit --efi-directory=${UEFI_MOUNT_POINT} parameter correctly supports flexible EFI partition locations, which is essential for cryptroot configurations with separate boot partitions.

---

182-187: LGTM: UUID preparation for GRUB configuration.

The UUID symlink preparation is essential for proper GRUB configuration with encrypted root. The comments clearly explain:

• Root UUID is needed so grub-update discovers the unlocked /dev/mapper/armbian-root UUID
• Boot partition UUID is included to handle cases with separate boot partitions (LVM, cryptroot)

The implementation correctly handles both cases and won't fail if the symlinks already exist.

---

298-299: LGTM: Explicit UUID enablement in GRUB.

Explicitly setting both GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false ensures GRUB uses UUIDs rather than device paths. This is essential for cryptroot support and aligns with the UUID symlink preparation (lines 182-187).

---

24-28: No action needed — variable has proper default defined.

The review comment's concern is unfounded. UEFI_MOUNT_POINT is initialized with a default value of /boot/efi in lib/functions/image/partitioning.sh. When BOOTPART_REQUIRED != "yes", the variable retains this default; it's only overridden to /boot when the condition is true. The unconditional use on line 28 is safe.

Likely an incorrect or invalid review comment.

lib/functions/image/partitioning.sh (1)

332-336: Configuration is correct and follows standard Debian/Ubuntu practice.

The KEYFILE_PATTERN mechanism in /etc/cryptsetup-initramfs/conf-hook and UMASK=0077 restriction are the standard approach documented by cryptsetup-initramfs for including key files in the initramfs. The implementation shown is correct.

extensions/fs-cryptroot-support.sh (1)

28-42: Now I need to search the codebase to verify the actual behavior. Let me check where the temp key file is moved and if TMPDIR is set:

Temp key file cleanup remains an unaddressed concern.

The temporary key file created at line 30 with mktemp is not guaranteed to be cleaned up. By default mktemp will use user's $TMPDIR. If not defined it will use /tmp. The cleanup_cryptroot function only closes the LUKS mapper and does not delete the temporary key file. If an error occurs before the file is moved to its permanent location, the temporary key file could be left behind on the system.

Adding explicit cleanup for $crytproot_autounlock_key_file in the cleanup_cryptroot function (line 99) would be a prudent safeguard to ensure the key material is not accidentally exposed on disk.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 28c1d21 and 2079ceb.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• lib/functions/image/initrd.sh
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem
• lib/functions/configuration/main-config.sh
• lib/functions/image/partitioning.sh

🧰 Additional context used

🧬 Code graph analysis (2)

extensions/grub.sh (2)

lib/functions/logging/runners.sh (1)

• chroot_custom (155-159)

extensions/grub-riscv64.sh (3)

• extension_prepare_config__prepare_grub-riscv64 (3-25)
• pre_umount_final_image__install_grub (27-100)
• configure_grub (102-142)

extensions/fs-cryptroot-support.sh (3)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/lvm.sh (1)

• prepare_root_device__create_volume_group (41-68)

lib/functions/rootfs/trap-rootfs.sh (1)

• prepare_rootfs_build_params_and_trap (12-51)

🔇 Additional comments (4)

extensions/fs-cryptroot-support.sh (2)

28-38: Verify temporary key file cleanup and handoff to target image.

The autounlock workflow generates a temporary key file (line 31) with mktemp, but I don't see explicit cleanup in cleanup_cryptroot() (line 99). While the global variable cryptroot_autounlock_key_file persists for use by other stages (e.g., writing to /etc/rootfs.key in partitioning.sh), ensure that the temporary file is properly cleaned up after it's written to the target image.

Please verify:

1. That cleanup_cryptroot() or the image finalization stage removes the temporary key file from the build host.
2. That the key file is correctly copied to /etc/rootfs.key in the target image (expected per AI summary mentioning partitioning.sh changes).
3. That the variable remains accessible for use by later build stages that need to reference it.

---

27-40: Autounlock encryption logic looks sound.

The conditional branching between autounlock (lines 28–33) and passphrase-based (lines 34–37) encryption is clear and correct. Key generation, LUKS formatting, and mapper opening flow properly for both paths.

extensions/grub.sh (2)

182-187: UUID handling for root and boot partitions is sound.

The use of grub-probe --target=fs_uuid to discover partition UUIDs and create symlinks in /dev/disk/by-uuid/ is a robust approach. This ensures GRUB references stable UUIDs rather than device paths, which is essential for encrypted root scenarios where /dev/mapper/... names may differ.

The addition of a second symlink for /boot (lines 185–187) correctly handles cases where a separate boot partition exists (e.g., with LVM or cryptroot), while remaining safe if no separate boot partition is present.

---

298-299: Explicit UUID settings improve GRUB configuration robustness.

Setting GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false ensures GRUB uses UUIDs in the generated config, which is critical for correctness in encrypted and partitioned scenarios.

[igorpecovnik]

For the documentation:
https://docs.armbian.com/Developer-Guide_Build-Switches/#filesystem

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2079ceb and 69ab7c2.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem
• lib/functions/image/partitioning.sh
• lib/functions/image/initrd.sh
• extensions/grub.sh

🧰 Additional context used

🧬 Code graph analysis (1)

extensions/fs-cryptroot-support.sh (2)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/lvm.sh (1)

• prepare_root_device__create_volume_group (41-68)

🔇 Additional comments (3)

extensions/fs-cryptroot-support.sh (2)

27-27: LGTM on conditional logic and passphrase branch.

The conditional structure properly branches between autounlock (lines 28-33) and passphrase (lines 34-37) paths. The passphrase branch uses existing patterns and the autounlock branch correctly generates a random key. Note: the previous typo (crytproot_autounlock_key_file) has been corrected to cryptroot_autounlock_key_file in line 30.

Also applies to: 34-37

---

28-38: Global variable scope and cleanup handler verified as correct.

The verification confirms the code properly handles the concerns raised:

1. Global variable scope: declare -g cryptroot_autounlock_key_file correctly exposes the variable globally, making it accessible to lib/functions/image/partitioning.sh at line 331 where it's moved to the final filesystem.

2. Cleanup timing: The cleanup handler registered at line 39 only executes cryptsetup luksClose and does not delete the key file. Since the file is moved (not copied) to the final image at ${SDCARD}/etc/rootfs.key during partitioning, it no longer exists in /tmp when the post-mount cleanup runs.

The implementation is correct and requires no changes.

lib/functions/configuration/main-config.sh (1)

172-173: Configuration validation correctly enforces new requirement.

The updated conditional properly validates that either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK is set when CRYPTROOT_ENABLE=yes. The error message clearly communicates both options to the user.

[sashasimkin]

@igorpecovnik I think this is R4R now :)

[igorpecovnik]

Bot suggestions are not harmful ... but yeah, many segments in the code is not done perfect, so generally we at least try to improve what is being added.

[sashasimkin]

Got it - fixed. I usually try to keep changes to bare minimum to avoid unintended side-effects.

[sashasimkin]

quick update (both target trixie):

• uefi-x86 did boot, however, the fs resize doesn't work as expected.
• orangepi5 didn't boot with the current branch, so I compiled vendor branch and will try that.

[EvilOlaf]

orangepi5 [...] current [...]

I hope all those boot issues for rk3588/s are sorted once current is being rolled-over to the next LTS kernel which may be 6.18 which is edge atm.

[github-actions]

✅ This PR has been reviewed and approved — all set for merge!

[sashasimkin]

I converted it to draft to figure out and fix why growpart wasn’t executed as expected.

[sashasimkin]

here's the log of armbian-resize-filesystem. This worked with my changes in 25.02 in bookworm, but now doesn't in trixie. And I checked changes to resize script - there's nothing that could've caused the issue.

Oct 25 16:49:07 uefi-x86 systemd[1]: Starting armbian-resize-filesystem.service - Armbian filesystem resize...
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: Sat Oct 25 04:49:07 PM EEST 2025 | UEFI x86 | 25.11.0-trunk | amd64 | x86_64 | 6.12.54-current-x86
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Trying to resize partition /dev/nvme0n1p2:
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: /dev/nvme0n1p2 isn't a partition: crypt
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Start resizing LUKS container now
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Automated reboot needed to finish the resize procedure
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Trying to resize ext4 filesystem on /dev/mapper/armbian-root:
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: Running 'resize2fs /dev/mapper/armbian-root' now...
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: resize2fs 1.47.2 (1-Jan-2025)
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: The filesystem is already 31187025 (4k) blocks long.  Nothing to do!
Oct 25 16:49:08 uefi-x86 systemd[1]: Finished armbian-resize-filesystem.service - Armbian filesystem resize.

I'll build bookworm and check if that works.

This is the issue:

Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: /dev/nvme0n1p2 isn't a partition: crypt

here's some debug output:

root@uefi-x86:~# lsblk --version
lsblk from util-linux 2.41
root@uefi-x86:~# lsblk -n -o TYPE /dev/nvme0n1p2
crypt
part
root@uefi-x86:~# lsblk -n -o TYPE --nodeps /dev/nvme0n1p2
part

[sashasimkin]

so, I checked the following combinations in addition to trixie/current:

• uefi bookworm, current kernel 6.12
• uefi bookworm, legacy kernel 6.6
• uefi bookworm, ddk kernel 6.1

All combinations have the same output(except uname):

root@uefi-x86:~# lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0            253:0    0   7.7G  0 disk  [SWAP]
zram1            253:1    0    50M  0 disk  /var/log
zram2            253:2    0     0B  0 disk
nvme0n1          259:0    0 119.2G  0 disk
├─nvme0n1p1      259:1    0   260M  0 part  /boot
└─nvme0n1p2      259:2    0   1.2G  0 part
  └─armbian-root 254:0    0   1.2G  0 crypt /var/log.hdd
                                            /
root@uefi-x86:~# lsblk -n -o TYPE /dev/nvme0n1p2
crypt
part
root@uefi-x86:~# lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0            253:0    0   7.7G  0 disk  [SWAP]
zram1            253:1    0    50M  0 disk  /var/log
zram2            253:2    0     0B  0 disk
nvme0n1          259:0    0 119.2G  0 disk
├─nvme0n1p1      259:1    0   260M  0 part  /boot
└─nvme0n1p2      259:2    0   1.2G  0 part
  └─armbian-root 254:0    0   1.2G  0 crypt /var/log.hdd
                                            /
root@uefi-x86:~# lsblk -n -o TYPE /dev/nvme0n1p2
crypt
part
root@uefi-x86:~# lsblk --version
lsblk from util-linux 2.38.1
root@uefi-x86:~# uname -a
Linux uefi-x86 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64 GNU/Linux

But then I went and compared this with the image I built earlier for RPi CM4:

root@rpi4b:/home/wl# lsblk
NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
mmcblk0          179:0    0 29.1G  0 disk
├─mmcblk0p1      179:1    0  256M  0 part  /boot/firmware
└─mmcblk0p2      179:2    0 28.6G  0 part
  └─armbian-root 254:0    0 28.6G  0 crypt /var/log.hdd
                                           /
mmcblk0boot0     179:32   0    4M  1 disk
mmcblk0boot1     179:64   0    4M  1 disk
zram0            253:0    0  1.8G  0 disk  [SWAP]
zram1            253:1    0   50M  0 disk  /var/log
zram2            253:2    0    0B  0 disk
root@rpi4b:/home/wl# lsblk -n -o TYPE /dev/mmcblk0p2
part
crypt
root@rpi4b:/home/wl# lsblk --version
lsblk from util-linux 2.38.1
root@rpi4b:/home/wl# uname -a
Linux rpi4b 6.12.34-current-bcm2711 #1 SMP PREEMPT Tue Jun 24 08:48:26 UTC 2025 aarch64 GNU/Linux

Later I'm gonna find a uefi-x86 image that I built earlier and will check the situation there. x86 was built with 6.12.28 kernel and I also used bookworm.

---

I found a fix for this to be the --nodeps switch to lsblk - it returns part for both cases:

root@uefi-x86:~# lsblk -n --nodeps -o TYPE /dev/nvme0n1p2
part

and

root@rpi4b:~# lsblk -n --nodeps -o TYPE /dev/mmcblk0p2
part

but also a simple way to confirm it works as expected for non-crypt scenarios:

root@uefi-x86:~# lsblk -n --nodeps -o TYPE /dev/nvme0n1p1
part

I'm also reading online that the output is not sorted and man pages have this:

The default output, as well as the default output from options
       like --fs and --topology, is subject to change. So whenever
       possible, you should avoid using default outputs in your scripts.
       Always explicitly define expected columns by using --output
       columns-list and --list in environments where a stable output is
       required.

It's weird why same version returns different order though. But anyways - I'm gonna add --nodeps there later.

One thing I wanted to understand before doing that - @igorpecovnik do you think it's okay solution? Could you explain the reason why there was such validation in the first place?

[igorpecovnik]

It's weird why same version returns different order though

We should probably lean toward JSON / machine output of those tools and process that. If that is available here?

Could you explain the reason why there was such validation in the first place?

Not sure I follow - which validation in specific you are asking.

[sashasimkin]

We should probably lean toward JSON / machine output of those tools and process that. If that is available here?

yep, it has both --json and --raw (that they call for machine-readable format). Not sure it'll help here though, but may simplify the whole script on the other hand.

Not sure I follow - which validation in specific you are asking.

Ah, sorry, I already have an idea in my head but didn't explain it out loud :D this is the part that is failing:

# make sure the target is a partition
	local parttype=$(lsblk -n -o TYPE $partdev | head -1)
	if [[ "$parttype" != "part" ]]; then
		echo -e "\n$partdev isn't a partition: $parttype" >&2
		return 1
	fi

I'm trying to understand what else there could be besides "part" ?

P.s: I already checked that adding --nodeps to the relevant parts - make the resize script work as expected. Now the final part is to confirm it works on uefi build with 25.2

[sashasimkin]

so, I just flushed one of the older uefi-x86 images(bookworm, 6.12.28) to this nvme drive, and... the behavior is the same.

However, I realized that all previous times for uefi-x86, and rpi4b the storage was EMMC, and not the nvme drive that I'm using now. And this was the key!

When flushing the same dkk image(faster) to EMMC storage the output is the following:

root@uefi-x86:~# lsblk
NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
mmcblk0          179:0    0 29.1G  0 disk
├─mmcblk0p1      179:1    0  260M  0 part  /boot
└─mmcblk0p2      179:2    0 28.6G  0 part
  └─armbian-root 254:0    0 28.6G  0 crypt /var/log.hdd
                                           /
zram0            253:0    0  1.8G  0 disk  [SWAP]
zram1            253:1    0   50M  0 disk  /var/log
zram2            253:2    0    0B  0 disk
mmcblk0boot0     179:256  0    4M  1 disk
mmcblk0boot1     179:512  0    4M  1 disk
root@uefi-x86:~# lsblk -n -o TYPE /dev/mmcblk0p2
part
crypt
root@uefi-x86:~# lsblk --version
lsblk from util-linux 2.38.1
root@uefi-x86:~# uname -a
Linux uefi-x86 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64 GNU/Linux

Just to confirm it works as expected:

root@uefi-x86:~# lsblk -n --nodeps /dev/mmcblk0p2
mmcblk0p2 179:2    0 28.6G  0 part

So I'm gonna add --nodeps and will perform another round of tests.

Will need to check the case with cryptroot disabled, and most likely that's gonna be organepi5 :(

---

@EvilOlaf Regarding orangepi5 - the vendor kernel has booted once, but it seems that it has /dev/mmcblk0 hardcoded there somewhere - I saw that the boot process successfully opened armbian-root device, but then it failed waiting for /dev/mmcblk0... I don't remember what it was exactly and the image doesn't boot anymore for some reason :(

[EvilOlaf]

I don't know that much about those internals. But if it works for current and edge that be a good starting point. At some point vendor will be abandoned.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1)

189-191: Update comment to reflect actual behavior.

The comment states "It's probably no need to run 'cryptsetup resize'" and "'cryptsetup resize' requires passphrase, so it will fail", but the code now always attempts cryptsetup resize (with keyfile if available). Consider updating the comment to reflect that resize is attempted and can succeed unattended when /etc/rootfs.key exists.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b9f5bb0 and c5e7630.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• extensions/fs-cryptroot-support.sh
• extensions/grub.sh

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-01T06:11:43.476Z

Learnt from: wei633
PR: armbian/build#8557
File: config/bootscripts/boot-xpressreal-t3.cmd:0-0
Timestamp: 2025-09-01T06:11:43.476Z
Learning: In Armbian boot scripts without initramfs support, UUID= and LABEL= style device paths cannot be used for rootdev as they require initramfs to resolve during boot. Only direct device paths (/dev/mmcblkXpY) or PARTUUID= references (which U-Boot can resolve) will work.

Applied to files:

• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem

🧬 Code graph analysis (1)

lib/functions/image/partitioning.sh (1)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

🔇 Additional comments (7)

lib/functions/configuration/main-config.sh (1)

172-174: LGTM! Clear validation logic for autounlock option.

The updated validation correctly requires either a passphrase or autounlock when cryptroot is enabled, and the error message clearly communicates both options to users.

lib/functions/image/partitioning.sh (1)

327-341: Solid autounlock implementation with proper defensive coding.

The key file handling logic is well-structured:

• Defaults to "none" and conditionally switches to /etc/rootfs.key
• Uses ${cryptroot_autounlock_key_file:?} expansion to fail fast if the extension hasn't set the variable
• Properly configures initramfs UMASK and KEYFILE_PATTERN for secure key handling
• Coordinates the crypttab entry with the selected key file path

lib/functions/image/initrd.sh (1)

65-65: Correct cache invalidation for crypttab changes.

Adding /etc/crypttab to the initramfs hash ensures that changes to the crypttab (such as autounlock keyfile configuration) properly invalidate the cache and trigger initramfs regeneration.

packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (4)

20-20: Correct fix for lsblk output inconsistency.

Adding the -d (--nodeps) flag prevents lsblk from listing dependent devices, which addresses the issue described in the PR comments where lsblk output ordering varied between NVMe and eMMC storage types. This ensures consistent "part" type detection and reliable parent device resolution.

Based on learnings

Also applies to: 26-26, 169-169

---

186-186: Consistent device node querying in crypt resize logic.

The -d flag usage here correctly queries the device itself without listing holders, ensuring reliable name extraction and size calculation for LUKS containers.

Also applies to: 199-199

---

193-197: Clean unattended resize implementation.

The conditional logic for keyfile-based resize is clear and properly handles both attended and unattended scenarios. Proper variable quoting and modern syntax (no backticks) improve robustness.

---

246-246: Proper device type detection with -d flag.

Using -d in these queries (especially line 275 for crypt detection) ensures we're checking the device type of the target device itself without interference from dependent/holder devices, which is the core fix for the resize script issues mentioned in testing.

Also applies to: 275-276

[sashasimkin]

I confirmed that with the latest changed (-d instead of | head 1) the code works for:

• uefi-x86 on EMMC
• uefi-x86 on NVME drive
• rpi4b on EMMC

unfortunately, I still can't get my orangepi to boot on NVME, even without my changes and with the current branch - it has /dev/mmcblk0 hardcoded in there somewhere, and I didn't find yet where. Trying to figure out the whole sata booting thing.

[igorpecovnik]

OK. BTW. When you are doing testing, also check at least one uefi target without enabling CRYPTOROOT.

I still can't get my orangepi to boot on NVME

Does it works if you use daily image from trunk?