Fix system boot slow when docker image is included in the original image disk

Makefile

@@ -62,7 +62,10 @@ create-tarball:
 
 	# copy source code to src/
 	git clone --no-hardlinks . /tmp/cryptpilot-tarball/cryptpilot-${VERSION}/src/
-	cd /tmp/cryptpilot-tarball/cryptpilot-${VERSION}/src && git clean -xdf
+	# apply uncommitted changes (staged + unstaged) to the cloned copy
+	git diff --binary HEAD | git -C /tmp/cryptpilot-tarball/cryptpilot-${VERSION}/src apply --binary --allow-empty
+	# copy untracked (new) files that are not ignored
+	if [ -n "$(git ls-files --others --exclude-standard)" ] ; then git ls-files --others --exclude-standard -z | xargs -0 tar -c -f - | tar -x -f - -C /tmp/cryptpilot-tarball/cryptpilot-${VERSION}/src/ ; fi
 
 	tar -czf /tmp/cryptpilot-${VERSION}-vendored-source.tar.gz -C /tmp/cryptpilot-tarball/ cryptpilot-${VERSION}
 

cryptpilot-convert.sh

@@ -213,7 +213,7 @@ proc::print_help_and_exit() {
     echo "      --out <output_file>                                 The output OS image file (vhd or qcow2)."
     echo "  -c, --config-dir <cryptpilot_config_dir>                The directory containing cryptpilot configuration files."
     echo "      --rootfs-passphrase <rootfs_encrypt_passphrase>     The passphrase for rootfs encryption."
-    echo "      --rootfs-no-encryption <rootfs_encrypt_passphrase>  Skip rootfs encryption, but keep the rootfs measuring feature enabled."
+    echo "      --rootfs-no-encryption                              Skip rootfs encryption, but keep the rootfs measuring feature enabled."
     echo "      --rootfs-part-num <rootfs_part_num>                 The partition number of the rootfs partition on the original disk. By default the tool will"
     echo "                                                          search for the rootfs partition by label='root' and fail if not found. You can override this"
     echo "                                                          behavior by specifying the partition number."
@@ -1109,8 +1109,8 @@ step::create_lvm_part() {
 
     log::info "Initializing LVM physical volume and volume group"
     proc::exec_subshell_flose_fds pvcreate --force "$lvm_part"
-    proc::exec_subshell_flose_fds vgcreate --force system "$lvm_part" --setautoactivation n # disable auto activation of LVM volumes to prevent it from being activated unexpectedly
-    proc::exec_subshell_flose_fds vgchange -a y system  # activate the volume group
+    proc::exec_subshell_flose_fds vgcreate --force cryptpilot "$lvm_part" --setautoactivation n # disable auto activation of LVM volumes to prevent it from being activated unexpectedly
+    proc::exec_subshell_flose_fds vgchange -a y cryptpilot  # activate the volume group
 }
 
 step::setup_rootfs_lv_with_encrypt() {
@@ -1121,15 +1121,15 @@ step::setup_rootfs_lv_with_encrypt() {
     rootfs_size_in_byte=$(stat --printf="%s" "${rootfs_file_path}")
     local rootfs_lv_size_in_bytes=$((rootfs_size_in_byte + 16 * 1024 * 1024)) # original rootfs partition size plus LUKS2 header size
     log::info "Creating rootfs logical volume"
-    proc::hook_exit "[[ -e /dev/mapper/system-rootfs ]] && disk::dm_remove_all ${device}"
-    proc::exec_subshell_flose_fds lvcreate -n rootfs --size ${rootfs_lv_size_in_bytes}B system # Note that the real size will be a little bit larger than the specified size, since they will be aligned to the Physical Extentsize (PE) size, which by default is 4MB.
+    proc::hook_exit "[[ -e /dev/mapper/cryptpilot-rootfs ]] && disk::dm_remove_all ${device}"
+    proc::exec_subshell_flose_fds lvcreate -n rootfs --size ${rootfs_lv_size_in_bytes}B cryptpilot # Note that the real size will be a little bit larger than the specified size, since they will be aligned to the Physical Extentsize (PE) size, which by default is 4MB.
     # Create a encrypted volume
     log::info "Encrypting rootfs logical volume with LUKS2"
-    echo -n "${rootfs_passphrase}" | cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --subsystem cryptpilot /dev/mapper/system-rootfs --key-file=-
+    echo -n "${rootfs_passphrase}" | cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --subsystem cryptpilot /dev/mapper/cryptpilot-rootfs --key-file=-
     proc::hook_exit "[[ -e /dev/mapper/rootfs ]] && disk::dm_remove_wait_busy rootfs"
 
     log::info "Opening encrypted rootfs volume"
-    echo -n "${rootfs_passphrase}" | cryptsetup open /dev/mapper/system-rootfs rootfs --key-file=-
+    echo -n "${rootfs_passphrase}" | cryptsetup open /dev/mapper/cryptpilot-rootfs rootfs --key-file=-
     # Copy rootfs content to the encrypted volume
     log::info "Copying rootfs content to the encrypted volume"
     dd status=progress "if=${rootfs_file_path}" of=/dev/mapper/rootfs bs=4M
@@ -1143,11 +1143,11 @@ step::setup_rootfs_lv_without_encrypt() {
     rootfs_size_in_byte=$(stat --printf="%s" "${rootfs_file_path}")
     local rootfs_lv_size_in_bytes=$((rootfs_size_in_byte + 16 * 1024 * 1024)) # original rootfs partition size plus LUKS2 header size
     log::info "Creating rootfs logical volume"
-    proc::hook_exit "[[ -e /dev/mapper/system-rootfs ]] && disk::dm_remove_all ${device}"
-    proc::exec_subshell_flose_fds lvcreate -n rootfs --size ${rootfs_lv_size_in_bytes}B system # Note that the real size will be a little bit larger than the specified size, since they will be aligned to the Physical Extentsize (PE) size, which by default is 4MB.
+    proc::hook_exit "[[ -e /dev/mapper/cryptpilot-rootfs ]] && disk::dm_remove_all ${device}"
+    proc::exec_subshell_flose_fds lvcreate -n rootfs --size ${rootfs_lv_size_in_bytes}B cryptpilot # Note that the real size will be a little bit larger than the specified size, since they will be aligned to the Physical Extentsize (PE) size, which by default is 4MB.
     # Copy rootfs content to the lvm volume
     log::info "Copying rootfs content to the logical volume"
-    dd status=progress "if=${rootfs_file_path}" of=/dev/mapper/system-rootfs bs=4M
+    dd status=progress "if=${rootfs_file_path}" of=/dev/mapper/cryptpilot-rootfs bs=4M
 }
 
 step::setup_rootfs_hash_lv() {
@@ -1161,9 +1161,9 @@ step::setup_rootfs_hash_lv() {
 
     local rootfs_hash_size_in_byte
     rootfs_hash_size_in_byte=$(stat --printf="%s" "${rootfs_hash_file_path}")
-    proc::hook_exit "[[ -e /dev/mapper/system-rootfs_hash ]] && disk::dm_remove_all ${device}"
-    proc::exec_subshell_flose_fds lvcreate -n rootfs_hash --size "${rootfs_hash_size_in_byte}"B system
-    dd status=progress "if=${rootfs_hash_file_path}" of=/dev/mapper/system-rootfs_hash bs=4M
+    proc::hook_exit "[[ -e /dev/mapper/cryptpilot-rootfs_hash ]] && disk::dm_remove_all ${device}"
+    proc::exec_subshell_flose_fds lvcreate -n rootfs_hash --size "${rootfs_hash_size_in_byte}"B cryptpilot
+    dd status=progress "if=${rootfs_hash_file_path}" of=/dev/mapper/cryptpilot-rootfs_hash bs=4M
     rm -f "${rootfs_hash_file_path}"
     disk::dm_remove_all "${device}"
 

cryptpilot-crypt/src/config/fs.rs

@@ -58,7 +58,7 @@ impl FileSystemConfigSource {
                         volume_names.insert(volume_config.volume.to_owned());
                         Ok(volume_config)
                     })
-                    .with_context(|| format!("Failed to loading volume config file: {}", path.display()))?;
+                    .with_context(|| format!("Failed to loading volume config file: {:?}", path))?;
 
                 volume_configs.push(volume_config);
             }

cryptpilot-fde/README.md

@@ -2,15 +2,43 @@
 
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
-`cryptpilot-fde` provides full disk encryption (FDE) capabilities for confidential computing environments. It encrypts the entire system disk, protects boot integrity, and enables secure boot with remote attestation.
+`cryptpilot-fde` provides Full Disk Encryption (FDE) capabilities for confidential computing environments. It encrypts the entire system disk, protects boot integrity, and enables secure boot with remote attestation.
+
+The usage workflow is shown below:
+
+```mermaid
+graph LR
+    %% Trusted Environment
+    subgraph TrustedEnv [Trusted Environment]
+        User((User)) -->|1. Prepare| Trustee[Trustee Service]
+        Trustee -->|2. Create| Image1[Confidential System Disk Image]
+    end
+
+    %% Cloud Service Provider Environment
+    subgraph CloudEnv [Cloud Service Provider Environment]
+        Image2[Confidential System Disk Image] -->|4. Create| Instance[Confidential Computing Instance]
+    end
+
+    %% Cross-region Actions
+    Image1 -->|3. Import| Image2
+
+    %% Dashed Interaction Logic
+    Instance -.->|Access Trustee at boot time<br>Remote attestation and obtain decryption key| Trustee
+
+    %% Style Adjustments
+    style TrustedEnv fill:#f9f9f9,stroke:#333,stroke-width:1px
+    style CloudEnv fill:#eef3ff,stroke:#333,stroke-width:1px
+    style Instance fill:#fff,stroke:#0277bd,stroke-width:2px
+
+```
 
 ## Features
 
 - **Full Disk Encryption**: Encrypts both rootfs and data partitions
 - **Integrity Protection**: Uses dm-verity to protect read-only rootfs
 - **Measurement & Attestation**: Measures boot artifacts for remote attestation
 - **Flexible Key Management**: Supports KBS, KMS, OIDC, TPM2, and custom exec providers
-- **Overlay File System**: Provides writable overlay on read-only encrypted rootfs
+- **Overlay Filesystem**: Provides writable overlay on read-only encrypted rootfs
 
 ## Installation
 
@@ -34,7 +62,7 @@ cryptpilot-convert --in ./original.qcow2 --out ./encrypted.qcow2 \
 
 📖 [Detailed Quick Start Guide](docs/quick-start.md)
 
-## Commands
+## Configuration
 
 Configuration files are located in `/etc/cryptpilot/`:
 
@@ -43,7 +71,7 @@ Configuration files are located in `/etc/cryptpilot/`:
 
 See [Configuration Guide](docs/configuration.md) for detailed options.
 
-### Configuration Example Templates
+### Configuration Templates
 
 - [fde.toml.template](../dist/etc/fde.toml.template)
 - [global.toml.template](../dist/etc/global.toml.template)
@@ -55,7 +83,7 @@ See [Configuration Guide](docs/configuration.md) for detailed options.
 Display cryptographic reference values for attestation:
 
 ```sh
-cryptpilot-fde show-reference-value --stage system --disk /path/to/disk.qcow2
+cryptpilot-fde show-reference-value --disk /path/to/disk.qcow2
 ```
 
 ### `cryptpilot-fde config check`
@@ -76,7 +104,7 @@ cryptpilot-fde config dump --disk /dev/sda
 
 ### `cryptpilot-fde boot-service`
 
-Internal command used by systemd during boot (do not call manually):
+Internal commands used by systemd during boot (do not call manually):
 
 ```sh
 cryptpilot-fde boot-service --stage before-sysroot
@@ -95,7 +123,7 @@ cryptpilot-convert --help
 
 ### cryptpilot-enhance
 
-Harden VM disk images before encryption (remove cloud agents, secure SSH):
+Harden VM disk images before encryption (removes cloud agents, protects SSH):
 
 ```sh
 cryptpilot-enhance --mode full --image ./disk.qcow2
@@ -112,11 +140,11 @@ See [cryptpilot-enhance documentation](docs/cryptpilot_enhance.md) for details.
 
 ## How It Works
 
-`cryptpilot-fde` runs in initrd during boot, in two stages:
+`cryptpilot-fde` runs in the initrd and operates in two stages:
 
 1. **Before Sysroot Mount** (`before-sysroot` stage):
    - Decrypts rootfs (if encrypted)
-   - Sets up dm-verity for integrity protection
+   - Sets up dm-verity integrity protection
    - Measures boot artifacts and generates attestation evidence
    - Decrypts and mounts data partition
 
@@ -129,12 +157,12 @@ See [Boot Process Documentation](docs/boot.md) for details.
 
 ## Key Providers
 
-Supports multiple key providers for flexible key management:
+Multiple key providers are supported for flexible key management:
 
 - **KBS**: Key Broker Service with remote attestation
 - **KMS**: Alibaba Cloud Key Management Service
-- **OIDC**: KMS with OpenID Connect authentication
-- **Exec**: Custom executable providing keys
+- **OIDC**: KMS using OpenID Connect authentication
+- **Exec**: Custom executable that provides the key
 
 See [Key Providers](../docs/key-providers.md) for detailed configuration.
 
@@ -150,5 +178,5 @@ Apache-2.0
 ## See Also
 
 - [cryptpilot-crypt](../cryptpilot-crypt/) - Runtime volume encryption
-- [cryptpilot-verity](../cryptpilot-verity/) - dm-verity utilities
+- [cryptpilot-verity](../cryptpilot-verity/) - dm-verity tools
 - [Main Project README](../README.md)

cryptpilot-fde/README_zh.md

@@ -4,13 +4,41 @@
 
 `cryptpilot-fde` 为机密计算环境提供全盘加密（FDE）能力。它加密整个系统磁盘、保护启动完整性，并支持远程证明的安全启动。
 
+其使用方式如下图所示
+
+```mermaid
+graph LR
+    %% 受信任环境
+    subgraph TrustedEnv [受信任环境]
+        User((用户)) -->|1.准备| Trustee[Trustee服务]
+        Trustee -->|2.制作| Image1[机密系统盘镜像]
+    end
+
+    %% 云服务提供商环境
+    subgraph CloudEnv [云服务提供商环境]
+        Image2[机密系统盘镜像] -->|4.创建| Instance[机密计算实例]
+    end
+
+    %% 跨区域动作
+    Image1 -->|3.导入| Image2
+
+    %% 虚线交互逻辑
+    Instance -.->|启动时访问Trustee<br>远程证明并获取解密密钥| Trustee
+
+    %% 样式调整
+    style TrustedEnv fill:#f9f9f9,stroke:#333,stroke-width:1px
+    style CloudEnv fill:#eef3ff,stroke:#333,stroke-width:1px
+    style Instance fill:#fff,stroke:#0277bd,stroke-width:2px
+
+```
+
 ## 功能特性
 
 - **全盘加密**：同时加密 rootfs 和数据分区
 - **完整性保护**：使用 dm-verity 保护只读 rootfs
 - **度量与证明**：度量启动工件用于远程证明
 - **灵活的密钥管理**：支持 KBS、KMS、OIDC、TPM2 和自定义 exec 提供者
-- **覆盖文件系统**：在只读加密 rootfs 上提供可写覆盖层
+- **差异层机制**：在只读加密 rootfs 上提供可写差异层（支持 overlayfs 或 dm-snapshot）
 
 ## 安装
 
@@ -55,7 +83,7 @@ cryptpilot-convert --in ./original.qcow2 --out ./encrypted.qcow2 \
 显示用于证明的加密参考值：
 
 ```sh
-cryptpilot-fde show-reference-value --stage system --disk /path/to/disk.qcow2
+cryptpilot-fde show-reference-value --disk /path/to/disk.qcow2
 ```
 
 ### `cryptpilot-fde config check`
@@ -121,8 +149,8 @@ cryptpilot-enhance --mode full --image ./disk.qcow2
    - 解密并挂载数据分区
 
 2. **Sysroot 挂载后**（`after-sysroot` 阶段）：
-   - 在只读 rootfs 上设置可写覆盖层
-   - 覆盖层存储在加密数据分区或 tmpfs 上
+   - 在只读 rootfs 上设置可写差异层
+   - 差异层存储在加密 delta 分区或内存中
    - 为 switch_root 准备系统
 
 详情请参阅[启动过程文档](docs/boot_zh.md)。