add CRYPTROOT_AUTOUNLOCK option and fix CRYPTROOT for uefi builds

[sashasimkin]

Description

This fixes #6280 and enables uefi-x86 builds with CRYPTROOT_ENABLE=yes.

Also, it adds CRYPTROOT_AUTOUNLOCK option, that will generate /etc/rootfs.key and use it for unattended unlocking.
This is useful for automated scenarios when such key can be further enrolled into TPM afterwards, or just to have illusion of security if user wants so.

Documentation summary for feature / change

armbian/documentation#836

How Has This Been Tested?

I've verified that it builds for uefi-x86 and orangepi5 with CRYPTROOT_ENABLE=yes and CRYPTROOT_AUTOUNLOCK=yes. Later, I'll confirm that it boots.

Checklist:

Please delete options that are not relevant.

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings

[github-actions]

Hey @sashasimkin! 👋

Thanks for submitting your first pull request to the Armbian project — we're excited to have you contributing! 🧡
Your effort doesn’t just improve Armbian — it benefits the entire community of users and developers.

If you'd like to stay informed about project updates or collaborate more closely with the team,
you can optionally share some personal contact preferences at armbian.com/update-data.
This helps us keep in touch without relying solely on GitHub notifications.

Also, don’t forget to ⭐ star the repo if you haven’t already — and welcome aboard! 🚀

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds an autounlock path for LUKS root encryption: when CRYPTROOT_AUTOUNLOCK=yes a temporary key file is generated (e.g., /etc/rootfs.key) and used to format/open the root LUKS container and referenced in crypttab; the existing passphrase-based path remains. Configuration validation now accepts either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK when CRYPTROOT_ENABLE=yes. Initramfs cache hashing includes /etc/crypttab. GRUB changes set a conditional UEFI_MOUNT_POINT, pass --efi-directory to grub-install, ensure UUID probing for root and /boot, and force UUID usage in GRUB config. LUKS resize uses /etc/rootfs.key when present.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "add CRYPTROOT_AUTOUNLOCK option and fix CRYPTROOT for uefi builds" clearly and concisely summarizes the two main aspects of the changeset: the addition of a new CRYPTROOT_AUTOUNLOCK feature for unattended key-based unlocking, and the fix for CRYPTROOT compatibility with UEFI builds (addressing the grub-install failure in issue #6280). The title is specific, avoids vague terms, and accurately reflects the primary changes from the developer's perspective across the modified files.
Linked Issues Check	✅ Passed	The code changes address the primary objectives from linked issue #6280. The modifications to extensions/grub.sh add UEFI-specific configuration handling with UUID support and proper EFI directory specification, directly addressing the grub-install cryptodisk error reported in the issue. Additionally, the changes across extensions/fs-cryptroot-support.sh, lib/functions/configuration/main-config.sh, lib/functions/image/partitioning.sh, and related files implement the CRYPTROOT_AUTOUNLOCK feature for unattended key-based encryption unlocking, enabling CRYPTROOT_ENABLE=yes builds to succeed on UEFI platforms as required.
Out of Scope Changes Check	✅ Passed	All changes in the pull request are directly related to the stated objectives: fixing CRYPTROOT_ENABLE=yes builds for UEFI systems and implementing the new CRYPTROOT_AUTOUNLOCK feature. The modifications span configuration validation, GRUB setup, encryption support, initramfs caching, partitioning logic, and filesystem resizing utilities—all essential components for enabling encrypted root with optional autounlock across different architectures and build scenarios. No extraneous or unrelated code modifications are present.
Description Check	✅ Passed	The pull request description is directly related to the changeset, explaining that it fixes issue #6280 regarding CRYPTROOT_ENABLE=yes failures on UEFI builds and introduces the new CRYPTROOT_AUTOUNLOCK option for unattended unlocking with key generation. The description provides sufficient context about the feature purpose, references relevant documentation, and documents testing performed, all of which align with the code changes present in the PR.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a7b997 and 28c1d21.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

lib/functions/image/partitioning.sh (1)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/fs-cryptroot-support.sh (3)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/lvm.sh (1)

• prepare_root_device__create_volume_group (41-68)

lib/functions/rootfs/trap-rootfs.sh (1)

• prepare_rootfs_build_params_and_trap (12-51)

extensions/grub.sh (2)

lib/functions/logging/runners.sh (1)

• chroot_custom (155-159)

extensions/grub-riscv64.sh (3)

• extension_prepare_config__prepare_grub-riscv64 (3-25)
• pre_umount_final_image__install_grub (27-100)
• configure_grub (102-142)

🔇 Additional comments (8)

lib/functions/configuration/main-config.sh (1)

172-173: LGTM: Prerequisite check correctly updated for autounlock support.

The logic now properly allows either passphrase-based or autounlock-based encryption, aligning with the new CRYPTROOT_AUTOUNLOCK feature introduced in this PR.

lib/functions/image/initrd.sh (1)

65-65: LGTM: Proper initramfs cache invalidation for crypttab changes.

Adding crypttab to the cache hash ensures the initramfs is correctly rebuilt when key file configuration changes, which is essential for the autounlock feature.

extensions/grub.sh (4)

170-170: LGTM: Explicit EFI directory specification.

The explicit --efi-directory=${UEFI_MOUNT_POINT} parameter correctly supports flexible EFI partition locations, which is essential for cryptroot configurations with separate boot partitions.

---

182-187: LGTM: UUID preparation for GRUB configuration.

The UUID symlink preparation is essential for proper GRUB configuration with encrypted root. The comments clearly explain:

• Root UUID is needed so grub-update discovers the unlocked /dev/mapper/armbian-root UUID
• Boot partition UUID is included to handle cases with separate boot partitions (LVM, cryptroot)

The implementation correctly handles both cases and won't fail if the symlinks already exist.

---

298-299: LGTM: Explicit UUID enablement in GRUB.

Explicitly setting both GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false ensures GRUB uses UUIDs rather than device paths. This is essential for cryptroot support and aligns with the UUID symlink preparation (lines 182-187).

---

24-28: No action needed — variable has proper default defined.

The review comment's concern is unfounded. UEFI_MOUNT_POINT is initialized with a default value of /boot/efi in lib/functions/image/partitioning.sh. When BOOTPART_REQUIRED != "yes", the variable retains this default; it's only overridden to /boot when the condition is true. The unconditional use on line 28 is safe.

Likely an incorrect or invalid review comment.

lib/functions/image/partitioning.sh (1)

332-336: Configuration is correct and follows standard Debian/Ubuntu practice.

The KEYFILE_PATTERN mechanism in /etc/cryptsetup-initramfs/conf-hook and UMASK=0077 restriction are the standard approach documented by cryptsetup-initramfs for including key files in the initramfs. The implementation shown is correct.

extensions/fs-cryptroot-support.sh (1)

28-42: Now I need to search the codebase to verify the actual behavior. Let me check where the temp key file is moved and if TMPDIR is set:

Temp key file cleanup remains an unaddressed concern.

The temporary key file created at line 30 with mktemp is not guaranteed to be cleaned up. By default mktemp will use user's $TMPDIR. If not defined it will use /tmp. The cleanup_cryptroot function only closes the LUKS mapper and does not delete the temporary key file. If an error occurs before the file is moved to its permanent location, the temporary key file could be left behind on the system.

Adding explicit cleanup for $crytproot_autounlock_key_file in the cleanup_cryptroot function (line 99) would be a prudent safeguard to ensure the key material is not accidentally exposed on disk.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 28c1d21 and 2079ceb.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• lib/functions/image/initrd.sh
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem
• lib/functions/configuration/main-config.sh
• lib/functions/image/partitioning.sh

🧰 Additional context used

🧬 Code graph analysis (2)

extensions/grub.sh (2)

lib/functions/logging/runners.sh (1)

• chroot_custom (155-159)

extensions/grub-riscv64.sh (3)

• extension_prepare_config__prepare_grub-riscv64 (3-25)
• pre_umount_final_image__install_grub (27-100)
• configure_grub (102-142)

extensions/fs-cryptroot-support.sh (3)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/lvm.sh (1)

• prepare_root_device__create_volume_group (41-68)

lib/functions/rootfs/trap-rootfs.sh (1)

• prepare_rootfs_build_params_and_trap (12-51)

🔇 Additional comments (4)

extensions/fs-cryptroot-support.sh (2)

28-38: Verify temporary key file cleanup and handoff to target image.

The autounlock workflow generates a temporary key file (line 31) with mktemp, but I don't see explicit cleanup in cleanup_cryptroot() (line 99). While the global variable cryptroot_autounlock_key_file persists for use by other stages (e.g., writing to /etc/rootfs.key in partitioning.sh), ensure that the temporary file is properly cleaned up after it's written to the target image.

Please verify:

1. That cleanup_cryptroot() or the image finalization stage removes the temporary key file from the build host.
2. That the key file is correctly copied to /etc/rootfs.key in the target image (expected per AI summary mentioning partitioning.sh changes).
3. That the variable remains accessible for use by later build stages that need to reference it.

---

27-40: Autounlock encryption logic looks sound.

The conditional branching between autounlock (lines 28–33) and passphrase-based (lines 34–37) encryption is clear and correct. Key generation, LUKS formatting, and mapper opening flow properly for both paths.

extensions/grub.sh (2)

182-187: UUID handling for root and boot partitions is sound.

The use of grub-probe --target=fs_uuid to discover partition UUIDs and create symlinks in /dev/disk/by-uuid/ is a robust approach. This ensures GRUB references stable UUIDs rather than device paths, which is essential for encrypted root scenarios where /dev/mapper/... names may differ.

The addition of a second symlink for /boot (lines 185–187) correctly handles cases where a separate boot partition exists (e.g., with LVM or cryptroot), while remaining safe if no separate boot partition is present.

---

298-299: Explicit UUID settings improve GRUB configuration robustness.

Setting GRUB_DISABLE_UUID=false and GRUB_DISABLE_LINUX_UUID=false ensures GRUB uses UUIDs in the generated config, which is critical for correctness in encrypted and partitioned scenarios.

[igorpecovnik]

For the documentation:
https://docs.armbian.com/Developer-Guide_Build-Switches/#filesystem

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2079ceb and 69ab7c2.

📒 Files selected for processing (6)

• extensions/fs-cryptroot-support.sh (2 hunks)
• extensions/grub.sh (4 hunks)
• lib/functions/configuration/main-config.sh (1 hunks)
• lib/functions/image/initrd.sh (1 hunks)
• lib/functions/image/partitioning.sh (1 hunks)
• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/bsp/common/usr/lib/armbian/armbian-resize-filesystem
• lib/functions/image/partitioning.sh
• lib/functions/image/initrd.sh
• extensions/grub.sh

🧰 Additional context used

🧬 Code graph analysis (1)

extensions/fs-cryptroot-support.sh (2)

.github/generate_CODEOWNERS.sh (1)

• display_alert (6-6)

extensions/lvm.sh (1)

• prepare_root_device__create_volume_group (41-68)

🔇 Additional comments (3)

extensions/fs-cryptroot-support.sh (2)

27-27: LGTM on conditional logic and passphrase branch.

The conditional structure properly branches between autounlock (lines 28-33) and passphrase (lines 34-37) paths. The passphrase branch uses existing patterns and the autounlock branch correctly generates a random key. Note: the previous typo (crytproot_autounlock_key_file) has been corrected to cryptroot_autounlock_key_file in line 30.

Also applies to: 34-37

---

28-38: Global variable scope and cleanup handler verified as correct.

The verification confirms the code properly handles the concerns raised:

1. Global variable scope: declare -g cryptroot_autounlock_key_file correctly exposes the variable globally, making it accessible to lib/functions/image/partitioning.sh at line 331 where it's moved to the final filesystem.

2. Cleanup timing: The cleanup handler registered at line 39 only executes cryptsetup luksClose and does not delete the key file. Since the file is moved (not copied) to the final image at ${SDCARD}/etc/rootfs.key during partitioning, it no longer exists in /tmp when the post-mount cleanup runs.

The implementation is correct and requires no changes.

lib/functions/configuration/main-config.sh (1)

172-173: Configuration validation correctly enforces new requirement.

The updated conditional properly validates that either CRYPTROOT_PASSPHRASE or CRYPTROOT_AUTOUNLOCK is set when CRYPTROOT_ENABLE=yes. The error message clearly communicates both options to the user.

[sashasimkin]

@igorpecovnik I think this is R4R now :)

[igorpecovnik]

Bot suggestions are not harmful ... but yeah, many segments in the code is not done perfect, so generally we at least try to improve what is being added.

[sashasimkin]

Got it - fixed. I usually try to keep changes to bare minimum to avoid unintended side-effects.

[sashasimkin]

quick update (both target trixie):

• uefi-x86 did boot, however, the fs resize doesn't work as expected.
• orangepi5 didn't boot with the current branch, so I compiled vendor branch and will try that.

[EvilOlaf]

orangepi5 [...] current [...]

I hope all those boot issues for rk3588/s are sorted once current is being rolled-over to the next LTS kernel which may be 6.18 which is edge atm.

[github-actions]

✅ This PR has been reviewed and approved — all set for merge!

[sashasimkin]

I converted it to draft to figure out and fix why growpart wasn’t executed as expected.

[sashasimkin]

here's the log of armbian-resize-filesystem. This worked with my changes in 25.02 in bookworm, but now doesn't in trixie. And I checked changes to resize script - there's nothing that could've caused the issue.

Oct 25 16:49:07 uefi-x86 systemd[1]: Starting armbian-resize-filesystem.service - Armbian filesystem resize...
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: Sat Oct 25 04:49:07 PM EEST 2025 | UEFI x86 | 25.11.0-trunk | amd64 | x86_64 | 6.12.54-current-x86
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Trying to resize partition /dev/nvme0n1p2:
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: /dev/nvme0n1p2 isn't a partition: crypt
Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Start resizing LUKS container now
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Automated reboot needed to finish the resize procedure
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: ### [resize2fs] Trying to resize ext4 filesystem on /dev/mapper/armbian-root:
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: Running 'resize2fs /dev/mapper/armbian-root' now...
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: resize2fs 1.47.2 (1-Jan-2025)
Oct 25 16:49:08 uefi-x86 armbian-resize-filesystem[657]: The filesystem is already 31187025 (4k) blocks long.  Nothing to do!
Oct 25 16:49:08 uefi-x86 systemd[1]: Finished armbian-resize-filesystem.service - Armbian filesystem resize.

I'll build bookworm and check if that works.

This is the issue:

Oct 25 16:49:07 uefi-x86 armbian-resize-filesystem[657]: /dev/nvme0n1p2 isn't a partition: crypt

here's some debug output:

root@uefi-x86:~# lsblk --version
lsblk from util-linux 2.41
root@uefi-x86:~# lsblk -n -o TYPE /dev/nvme0n1p2
crypt
part
root@uefi-x86:~# lsblk -n -o TYPE --nodeps /dev/nvme0n1p2
part

[sashasimkin]

so, I checked the following combinations in addition to trixie/current:

• uefi bookworm, current kernel 6.12
• uefi bookworm, legacy kernel 6.6
• uefi bookworm, ddk kernel 6.1

All combinations have the same output(except uname):

root@uefi-x86:~# lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0            253:0    0   7.7G  0 disk  [SWAP]
zram1            253:1    0    50M  0 disk  /var/log
zram2            253:2    0     0B  0 disk
nvme0n1          259:0    0 119.2G  0 disk
├─nvme0n1p1      259:1    0   260M  0 part  /boot
└─nvme0n1p2      259:2    0   1.2G  0 part
  └─armbian-root 254:0    0   1.2G  0 crypt /var/log.hdd
                                            /
root@uefi-x86:~# lsblk -n -o TYPE /dev/nvme0n1p2
crypt
part
root@uefi-x86:~# lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0            253:0    0   7.7G  0 disk  [SWAP]
zram1            253:1    0    50M  0 disk  /var/log
zram2            253:2    0     0B  0 disk
nvme0n1          259:0    0 119.2G  0 disk
├─nvme0n1p1      259:1    0   260M  0 part  /boot
└─nvme0n1p2      259:2    0   1.2G  0 part
  └─armbian-root 254:0    0   1.2G  0 crypt /var/log.hdd
                                            /
root@uefi-x86:~# lsblk -n -o TYPE /dev/nvme0n1p2
crypt
part
root@uefi-x86:~# lsblk --version
lsblk from util-linux 2.38.1
root@uefi-x86:~# uname -a
Linux uefi-x86 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64 GNU/Linux

But then I went and compared this with the image I built earlier for RPi CM4:

root@rpi4b:/home/wl# lsblk
NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
mmcblk0          179:0    0 29.1G  0 disk
├─mmcblk0p1      179:1    0  256M  0 part  /boot/firmware
└─mmcblk0p2      179:2    0 28.6G  0 part
  └─armbian-root 254:0    0 28.6G  0 crypt /var/log.hdd
                                           /
mmcblk0boot0     179:32   0    4M  1 disk
mmcblk0boot1     179:64   0    4M  1 disk
zram0            253:0    0  1.8G  0 disk  [SWAP]
zram1            253:1    0   50M  0 disk  /var/log
zram2            253:2    0    0B  0 disk
root@rpi4b:/home/wl# lsblk -n -o TYPE /dev/mmcblk0p2
part
crypt
root@rpi4b:/home/wl# lsblk --version
lsblk from util-linux 2.38.1
root@rpi4b:/home/wl# uname -a
Linux rpi4b 6.12.34-current-bcm2711 #1 SMP PREEMPT Tue Jun 24 08:48:26 UTC 2025 aarch64 GNU/Linux

Later I'm gonna find a uefi-x86 image that I built earlier and will check the situation there. x86 was built with 6.12.28 kernel and I also used bookworm.

---

I found a fix for this to be the --nodeps switch to lsblk - it returns part for both cases:

root@uefi-x86:~# lsblk -n --nodeps -o TYPE /dev/nvme0n1p2
part

and

root@rpi4b:~# lsblk -n --nodeps -o TYPE /dev/mmcblk0p2
part

but also a simple way to confirm it works as expected for non-crypt scenarios:

root@uefi-x86:~# lsblk -n --nodeps -o TYPE /dev/nvme0n1p1
part

I'm also reading online that the output is not sorted and man pages have this:

The default output, as well as the default output from options
       like --fs and --topology, is subject to change. So whenever
       possible, you should avoid using default outputs in your scripts.
       Always explicitly define expected columns by using --output
       columns-list and --list in environments where a stable output is
       required.

It's weird why same version returns different order though. But anyways - I'm gonna add --nodeps there later.

One thing I wanted to understand before doing that - @igorpecovnik do you think it's okay solution? Could you explain the reason why there was such validation in the first place?

[igorpecovnik]

It's weird why same version returns different order though

We should probably lean toward JSON / machine output of those tools and process that. If that is available here?

Could you explain the reason why there was such validation in the first place?

Not sure I follow - which validation in specific you are asking.

[sashasimkin]

We should probably lean toward JSON / machine output of those tools and process that. If that is available here?

yep, it has both --json and --raw (that they call for machine-readable format). Not sure it'll help here though, but may simplify the whole script on the other hand.

Not sure I follow - which validation in specific you are asking.

Ah, sorry, I already have an idea in my head but didn't explain it out loud :D this is the part that is failing:

# make sure the target is a partition
	local parttype=$(lsblk -n -o TYPE $partdev | head -1)
	if [[ "$parttype" != "part" ]]; then
		echo -e "\n$partdev isn't a partition: $parttype" >&2
		return 1
	fi

I'm trying to understand what else there could be besides "part" ?

P.s: I already checked that adding --nodeps to the relevant parts - make the resize script work as expected. Now the final part is to confirm it works on uefi build with 25.2

[sashasimkin]

so, I just flushed one of the older uefi-x86 images(bookworm, 6.12.28) to this nvme drive, and... the behavior is the same.

However, I realized that all previous times for uefi-x86, and rpi4b the storage was EMMC, and not the nvme drive that I'm using now. And this was the key!

When flushing the same dkk image(faster) to EMMC storage the output is the following:

root@uefi-x86:~# lsblk
NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
mmcblk0          179:0    0 29.1G  0 disk
├─mmcblk0p1      179:1    0  260M  0 part  /boot
└─mmcblk0p2      179:2    0 28.6G  0 part
  └─armbian-root 254:0    0 28.6G  0 crypt /var/log.hdd
                                           /
zram0            253:0    0  1.8G  0 disk  [SWAP]
zram1            253:1    0   50M  0 disk  /var/log
zram2            253:2    0    0B  0 disk
mmcblk0boot0     179:256  0    4M  1 disk
mmcblk0boot1     179:512  0    4M  1 disk
root@uefi-x86:~# lsblk -n -o TYPE /dev/mmcblk0p2
part
crypt
root@uefi-x86:~# lsblk --version
lsblk from util-linux 2.38.1
root@uefi-x86:~# uname -a
Linux uefi-x86 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64 GNU/Linux

Just to confirm it works as expected:

root@uefi-x86:~# lsblk -n --nodeps /dev/mmcblk0p2
mmcblk0p2 179:2    0 28.6G  0 part

So I'm gonna add --nodeps and will perform another round of tests.

Will need to check the case with cryptroot disabled, and most likely that's gonna be organepi5 :(

---

@EvilOlaf Regarding orangepi5 - the vendor kernel has booted once, but it seems that it has /dev/mmcblk0 hardcoded there somewhere - I saw that the boot process successfully opened armbian-root device, but then it failed waiting for /dev/mmcblk0... I don't remember what it was exactly and the image doesn't boot anymore for some reason :(

[EvilOlaf]

I don't know that much about those internals. But if it works for current and edge that be a good starting point. At some point vendor will be abandoned.