README.mkinitfs
mkinitfs
usage: mkinitfs [-nKklLh] [-b basedir] [-o outfile] [-t tempdir]
                [-c configfile] [-F features] [-P featuresdir]
                [-f fstab] [-i initfile] [kernelversion]
options:
    -b  prefix files and kernel modules with basedir
    -o  set another outfile
    -t  use tempdir when creating initramfs image
    -c  use configfile instead of default
    -F  use specified features
    -P  additional paths to find features
    -f  use fstab instead of default
    -i  use initfile as init instead of default
    -n  don't include kernel modules or firmware
    -K  copy also host keys to initramfs
    -k  keep tempdir
    -q  Quiet mode
    -l  only list files that would have been used
    -L  list available features
    -h  print this help
---
Inputs:
Directory structure containing needed files.
List of initfs features.
Requested kernel version.
Output:
Compressed cpio archive containing initramfs.
Steps:
base
kmods
firmware
apk_keys
cpio
Usage:
mkinitfs_main <source dir> <temp dir> <outfile> <kernel version> <initfs-features...>
mkinitfs_feature_files <source> <type> <features...>
mkinitfs_find_files <source> <features...>
mkinitfs_initfs_base <source> <target> <features...>
<list of modules...> | mkinitfs_find_kmod_deps <source> <kernel version>
mkinitfs_find_kmods <source> <kernel version> <features...>
mkinitfs_initfs_kmods <source> <target> <kernel version> <features...>
mkinitfs_find_firmware <source> <kernel version> <features...>
mkinitfs_initfs_firmware <source> <target> <kernel version> <features...>
mkinitfs_initfs_apk_keys <source> <target>
mkinitfs_cpio_sources <source>
mkinitfs_initfs_cpio <source> <output file>
Wrapper:
mkinitfs_wrapper_usage
mkinitfs <opts> <kernel version>
mkinitfs rewrite and compatibility wrapper
Existing mkinitfs:
- Called with root directory to copy files from, defaults to /.
- Called with output filename.
- Gets list of features from /etc/mkinitfs/mkinitfs.conf or on command line via flag -F.
- Features consist of single level of files named <feature>.files and <feature>.modules.
- Files for features are included by glob, no current means to even verify presence of required files.
- mkinitfs has no idea what packages must be installed to supply the aforementioned files, thus missing deps are possible.
- Modules are copied from the kernel module directory, with the same issue as files above.
- No provision for anything other than files and modules, nor setting perms and ownership.
- None of the installed files currently have their checksums tracked nor is their origin validated.
mkimage mkinitfs:
- Mostly identical with above, but feature information stored in functions in shell scripts rather than flat text files.
- This allows for inclusion and dependency tracking between features and more specific subsets of broad features such as 'ata'.
- All functionality provided through compatibility wrapper.
- Currently uses features found in mkimage tree. These could be extracted for system installation.
Proposed redesign:
- Split core init logic off from features and their required files and modules.
- Use init-stub to load only signed, apk verified tarballs in initfs.
- Explicitly set DIRTY flag to let subsequent scripts know that something unverified has been introduced to the environment.
- Allow for CANARY value which can be modified and handed off by each stage to detect an unexpected execution path (skipping or inserting a step).
- Package stock init stub, base, and features (these should be the only kernel specific part) as standard apk packages to be included in initramfs image.
- This would allow building features at kernel-build time, leaving only assembly on the client machine for stock use.
- Allow user to use custom initramfs by signing and baking their own stub and features. Support use of a nonce signature per build for positive versioning.
- Ideally, use bootloader to append all initfs features. Alternately, append all feature cpio.gz directly to the stub cpio.gz before installing.
- Draw files to include in initramfs only from signed apks (or at the very least, verify checksums match those in signed manifest) without explicit request.
- Output one signed artifact per feature, including its script(s), userspace binaries, and modules.
- Maintain manifest of source package and hash for each file included.
- Use globs to generate file lists only, then subtract files provided by deps before creating manifests and packaging.
- Provide hooks in base to call any included features needed.
- For very simple static cases, provide a minimal shim init instead.
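
Added example (not part of mkinitfs or the original README): one possible way to combine the DIRTY flag, the CANARY handoff and the per-file manifest check from the proposed redesign. All function names, the manifest line format and the hash-chained canary construction are assumptions made for illustration, and the manifest's own signature is assumed to have been verified beforehand.

```sh
# Added example (hypothetical names): sticky DIRTY flag plus hash-chained CANARY.
# Assumes the manifest's signature was already verified elsewhere.

_sha256() { sha256sum | cut -d' ' -f1; }   # hex digest of stdin

# canary_step <canary> <stage>: value this stage hands to the next one.
canary_step() { printf '%s:%s' "$1" "$2" | _sha256; }

# canary_expect <seed> <stages...>: value the last stage must hold if every
# listed stage ran exactly once, in order.
canary_expect() {
	_c=$1; shift
	for _s in "$@"; do _c=$(canary_step "$_c" "$_s"); done
	printf '%s\n' "$_c"
}

# verify_file <manifest> <root> <path>: 0 only if path is listed with a matching
# hash. Manifest lines: "<sha256> <path> <source package>", no spaces in paths.
verify_file() {
	_want=$(awk -v p="$3" '$2 == p { print $1; exit }' "$1")
	[ -n "$_want" ] || return 1
	_got=$(_sha256 < "$2/$3") || return 1
	[ "$_want" = "$_got" ]
}

# run_stage <stage> <manifest> <root> <files...>: check each file, mark the
# environment DIRTY on any failure (never cleared), then advance CANARY.
run_stage() {
	_stage=$1 _man=$2 _root=$3; shift 3
	for _f in "$@"; do
		verify_file "$_man" "$_root" "$_f" || DIRTY=1
	done
	CANARY=$(canary_step "$CANARY" "$_stage")
}

# demo: constructed sample tree where one file changes after the manifest.
demo() {
	_d=$(mktemp -d); mkdir -p "$_d/root/bin"
	echo 'init stub' > "$_d/root/bin/init"; echo 'module' > "$_d/root/nvme.ko"
	for _f in bin/init nvme.ko; do
		printf '%s %s example-pkg\n' "$(_sha256 < "$_d/root/$_f")" "$_f"
	done > "$_d/manifest"
	echo 'tampered' > "$_d/root/nvme.ko"
	CANARY=seed DIRTY=0
	run_stage base "$_d/manifest" "$_d/root" bin/init
	run_stage kmods "$_d/manifest" "$_d/root" nvme.ko
	rm -rf "$_d"
	[ "$DIRTY" = 1 ] && [ "$CANARY" = "$(canary_expect seed base kmods)" ]
}
```

A skipped, repeated or reordered stage leaves CANARY different from the canary_expect value, while DIRTY records that an unverified file was seen even when the stage order was correct.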