From 956aa79a8a27162e3ca5e346967a51806c9bfc48 Mon Sep 17 00:00:00 2001
From: Sahil Shah <shahs@ainfosec.com>
Date: Mon, 25 Aug 2025 11:44:25 -0400
Subject: [PATCH] Ensure directories/mountpoints exist for initial scripts

With changes to crypsetup (LUKS2), the boot timing seems to be altered slightly - /run now needs to be mounted earlier to allow cryptsetup calls in unlock_config to pass, and /storage needs to be mounted earlier so that xenmgr.initscript succeeds in creating null.iso. Also add safeguard to ensure they exist when needed.
---
 recipes-core/base-files/files/fstab.early                    | 3 +++
 recipes-openxt/manager/xenmgr/xenmgr.initscript              | 4 ++++
 .../xenclient-root-ro/xenclient-root-ro/init.root-ro         | 5 +++++
 3 files changed, 12 insertions(+)

diff --git a/recipes-core/base-files/files/fstab.early b/recipes-core/base-files/files/fstab.early
index bb270c797c..4788a72126 100644
--- a/recipes-core/base-files/files/fstab.early
+++ b/recipes-core/base-files/files/fstab.early
@@ -16,3 +16,6 @@ tmpfs       /var/cache              tmpfs       defaults,rootcontext=system_u:ob
 
 # OpenXT: modutils.sh loads before mountall.sh, and modutils.sh will load the txt module, which needs this:
 securityfs  /sys/kernel/security    securityfs  defaults                                                        0 0
+
+# OpenXT: xenmgr.initscript requires early storage mount with new boot timing introduced by LUKS2
+/dev/mapper/xenclient-storage  /storage                ext4        errors=remount-ro,user_xattr,noatime         1 5
\ No newline at end of file
diff --git a/recipes-openxt/manager/xenmgr/xenmgr.initscript b/recipes-openxt/manager/xenmgr/xenmgr.initscript
index 79ff35524d..096aef9b6c 100644
--- a/recipes-openxt/manager/xenmgr/xenmgr.initscript
+++ b/recipes-openxt/manager/xenmgr/xenmgr.initscript
@@ -58,6 +58,10 @@ cmdline_options() {
 
 # Create/Label /storage/isos/null.iso if not present.
 check_null_iso() {
+    # Ensure /storage exists
+    [ -d /storage ] || mkdir -p /storage
+    mountpoint -q /storage || mount /storage
+
     if [ -f "/storage/isos/null.iso" ]; then
         return 0
     fi
diff --git a/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro b/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro
index 1ed92d5d65..f5e4e7fd9f 100755
--- a/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro
+++ b/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro
@@ -284,6 +284,11 @@ unlock_config()
     local tss_path="${SYS_TPM_DIR}/config.tss"
     local measured_flag="/config/tpm/measured-boot"
 
+    # LUKS2 changes some early boot timing, so /run may not be mounted yet.
+    # Perform check here to ensure it is mounted to prevent cryptsetup failures
+    [ -d /run ] || mkdir -p /run
+    mountpoint -q /run  || mount -t tmpfs -o mode=0755,nosuid,nodev tmpfs /run
+
     local sig=$(dd if="${lv_path}" bs=4 count=1 2>/dev/null)
     case "${sig}" in
     LUKS)