initramfs-secure-core: define the /init script for the initramfs image

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-07-03 09:22:42 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-07-03 09:22:42 +0800
commit: c3f89c1931540302e0750442cb24c2b6ee7b9102 (patch)
tree: f1c2288d0d8cb6a5c260b5144788b4e7b50c9132
parent: 5135786fa32f957c6e912b1b899d4a886a7b1368 (diff)
download: meta-secure-core-c3f89c1931540302e0750442cb24c2b6ee7b9102.tar.gz
2 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-core/initrdscripts/files/init b/meta/recipes-core/initrdscripts/files/init
new file mode 100644
index 0000000..628b307
--- /dev/null
+++ b/meta/recipes-core/initrdscripts/files/init
@@ -0,0 +1,135 @@
+#!/bin/sh
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ROOT_MOUNT="/rootfs"
+MOUNT="/bin/mount"
+UMOUNT="/bin/umount"
+ROOT_DELAY="0"
+# Copied from initramfs-framework. The core of this script probably should be
+# turned into initramfs-framework modules to reduce duplication.
+udev_daemon() {
+        OPTIONS="/sbin/udev/udevd /sbin/udevd /lib/udev/udevd /lib/systemd/systemd-udevd"
+        for o in $OPTIONS; do
+                if [ -x "$o" ]; then
+                        echo $o
+                        return 0
+                fi
+        done
+        return 1
+}
+_UDEV_DAEMON=`udev_daemon`
+early_setup() {
+    mkdir -p /proc
+    mkdir -p /sys
+    mount -t proc proc /proc
+    mount -t sysfs sysfs /sys
+    mount -t devtmpfs none /dev
+    # support modular kernel
+#    modprobe isofs
+#    modprobe raid0
+    mkdir -p /run
+    mkdir -p /var/run
+    $_UDEV_DAEMON --daemon
+    udevadm trigger --action=add
+    if [ -x /sbin/mdadm ]; then
+        /sbin/mdadm -v --assemble --scan --auto=md
+    fi
+}
+read_args() {
+    [ -z "$CMDLINE" ] && CMDLINE=`cat /proc/cmdline`
+    for arg in $CMDLINE; do
+        optarg=`expr "x$arg" : 'x[^=]*=\(.*\)'`
+        case $arg in
+            root=*)
+                ROOT_DEVICE=$optarg ;;
+            rootdelay=*)
+                ROOT_DELAY=$optarg ;;
+            init=*)
+                INIT=$optarg ;;
+        esac
+    done
+}
+fatal() {
+    echo $1 >$CONSOLE
+    echo >$CONSOLE
+    exec sh
+}
+#######################################
+early_setup
+read_args
+[ -z "$CONSOLE" ] && CONSOLE="/dev/console"
+[ -z "$INIT" ] && INIT="/sbin/init"
+udevadm settle --timeout=3
+killall "${_UDEV_DAEMON##*/}" 2>/dev/null
+mkdir -p $ROOT_MOUNT/
+sleep ${ROOT_DELAY}
+try_to_mount_rootfs() {
+    local mount_flags="rw,noatime,iversion"
+    mount -o $mount_flags "${ROOT_DEVICE}" "${ROOT_MOUNT}" 2>/dev/null && return 0
+    [ -x /init.cryptfs ] &&
+        /init.cryptfs "${ROOT_MOUNT}" "${ROOT_DEVICE}" $mount_flags "OVERCROOTFS" && return 0
+    return 1
+}
+echo "Waiting for root device to be ready..."
+while [ 1 ] ; do
+    try_to_mount_rootfs && break
+    sleep 0.1
+done
+# Move the mount points of some filesystems over to
+# the corresponding directories under the real root filesystem.
+for dir in `cat /proc/mounts | grep -v rootfs | awk '{print $2}'` ; do
+    mkdir -p  ${ROOT_MOUNT}/${dir##*/}
+    mount -nv --move $dir ${ROOT_MOUNT}/${dir##*/}
+done
+cd $ROOT_MOUNT
+# If we pass args to bash, it will assume they are text files
+# to source and run.
+if [ "$INIT" == "/bin/bash" ] || [ "$INIT" == "/bin/sh" ]; then
+    CMDLINE=""
+fi
+# !!! The Big Fat Warnings !!!
+#
+# The IMA policy may enforce appraising the executable and verifying the
+# signature stored in xattr. However, ramfs doesn't support xattr, and all
+# other initializations must *NOT* be placed after IMA initialization!
+[ -x /init.ima ] && /init.ima $ROOT_MOUNT && {
+    # switch_root is an exception. We call it in the real rootfs and it
+    # should be already signed properly.
+    switch_root="usr/sbin/switch_root.static"
+} || {
+    switch_root="switch_root"
+}
+exec $switch_root $ROOT_MOUNT $INIT $CMDLINE ||
+    fatal "Couldn't switch_root, dropping to shell"
diff --git a/meta/recipes-core/initrdscripts/initramfs-secure-core.bb b/meta/recipes-core/initrdscripts/initramfs-secure-core.bb
new file mode 100644
index 0000000..989038d
--- /dev/null
+++ b/meta/recipes-core/initrdscripts/initramfs-secure-core.bb
@@ -0,0 +1,27 @@
+SUMMARY = "Basic init for initramfs to mount and pivot root"
+LICENSE = "MIT"
+SRC_URI = "file://init"
+do_install() {
+        install -m 0755 "${WORKDIR}/init" "${D}/init"
+        # Create device nodes expected by kernel in initramfs
+        # before executing /init.
+        install -d "${D}/dev"
+        mknod -m 0600 "${D}/dev/console" c 5 1
+}
+FILES_${PN} = "/init /dev"
+RDEPENDS_${PN} = "\
+    bash \
+    kmod \
+    sed \
+    grep \
+    coreutils \
+    util-linux \
+    gawk \
+    mdadm \
+    udev \
+"
author	Lans Zhang <jia.zhang@windriver.com>	2017-07-03 09:22:42 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-07-03 09:22:42 +0800
commit	c3f89c1931540302e0750442cb24c2b6ee7b9102 (patch)
tree	f1c2288d0d8cb6a5c260b5144788b4e7b50c9132
parent	5135786fa32f957c6e912b1b899d4a886a7b1368 (diff)
download	meta-secure-core-c3f89c1931540302e0750442cb24c2b6ee7b9102.tar.gz

diff --git a/meta/recipes-core/initrdscripts/files/init b/meta/recipes-core/initrdscripts/files/init new file mode 100644 index 0000000..628b307 --- /dev/null +++ b/meta/recipes-core/initrdscripts/files/init
@@ -0,0 +1,135 @@
	1	#!/bin/sh
	2
	3	PATH=/sbin:/bin:/usr/sbin:/usr/bin
	4
	5	ROOT_MOUNT="/rootfs"
	6	MOUNT="/bin/mount"
	7	UMOUNT="/bin/umount"
	8	ROOT_DELAY="0"
	9
	10	# Copied from initramfs-framework. The core of this script probably should be
	11	# turned into initramfs-framework modules to reduce duplication.
	12	udev_daemon() {
	13	OPTIONS="/sbin/udev/udevd /sbin/udevd /lib/udev/udevd /lib/systemd/systemd-udevd"
	14
	15	for o in $OPTIONS; do
	16	if [ -x "$o" ]; then
	17	echo $o
	18	return 0
	19	fi
	20	done
	21
	22	return 1
	23	}
	24
	25	_UDEV_DAEMON=`udev_daemon`
	26
	27	early_setup() {
	28	mkdir -p /proc
	29	mkdir -p /sys
	30	mount -t proc proc /proc
	31	mount -t sysfs sysfs /sys
	32	mount -t devtmpfs none /dev
	33
	34	# support modular kernel
	35	# modprobe isofs
	36	# modprobe raid0
	37
	38	mkdir -p /run
	39	mkdir -p /var/run
	40
	41	$_UDEV_DAEMON --daemon
	42	udevadm trigger --action=add
	43
	44	if [ -x /sbin/mdadm ]; then
	45	/sbin/mdadm -v --assemble --scan --auto=md
	46	fi
	47	}
	48
	49	read_args() {
	50	[ -z "$CMDLINE" ] && CMDLINE=`cat /proc/cmdline`
	51	for arg in $CMDLINE; do
	52	optarg=`expr "x$arg" : 'x[^=]=\(.\)'`
	53	case $arg in
	54	root=*)
	55	ROOT_DEVICE=$optarg ;;
	56	rootdelay=*)
	57	ROOT_DELAY=$optarg ;;
	58	init=*)
	59	INIT=$optarg ;;
	60	esac
	61	done
	62	}
	63
	64	fatal() {
	65	echo $1 >$CONSOLE
	66	echo >$CONSOLE
	67	exec sh
	68	}
	69
	70
	71
	72	#######################################
	73
	74	early_setup
	75
	76	read_args
	77
	78	[ -z "$CONSOLE" ] && CONSOLE="/dev/console"
	79	[ -z "$INIT" ] && INIT="/sbin/init"
	80
	81
	82	udevadm settle --timeout=3
	83	killall "${_UDEV_DAEMON##*/}" 2>/dev/null
	84
	85	mkdir -p $ROOT_MOUNT/
	86
	87	sleep ${ROOT_DELAY}
	88
	89	try_to_mount_rootfs() {
	90	local mount_flags="rw,noatime,iversion"
	91
	92	mount -o $mount_flags "${ROOT_DEVICE}" "${ROOT_MOUNT}" 2>/dev/null && return 0
	93
	94	[ -x /init.cryptfs ] &&
	95	/init.cryptfs "${ROOT_MOUNT}" "${ROOT_DEVICE}" $mount_flags "OVERCROOTFS" && return 0
	96
	97	return 1
	98	}
	99
	100	echo "Waiting for root device to be ready..."
	101	while [ 1 ] ; do
	102	try_to_mount_rootfs && break
	103	sleep 0.1
	104	done
	105
	106	# Move the mount points of some filesystems over to
	107	# the corresponding directories under the real root filesystem.
	108	for dir in `cat /proc/mounts \| grep -v rootfs \| awk '{print $2}'` ; do
	109	mkdir -p ${ROOT_MOUNT}/${dir##*/}
	110	mount -nv --move $dir ${ROOT_MOUNT}/${dir##*/}
	111	done
	112
	113	cd $ROOT_MOUNT
	114
	115	# If we pass args to bash, it will assume they are text files
	116	# to source and run.
	117	if [ "$INIT" == "/bin/bash" ] \|\| [ "$INIT" == "/bin/sh" ]; then
	118	CMDLINE=""
	119	fi
	120
	121	# !!! The Big Fat Warnings !!!
	122	#
	123	# The IMA policy may enforce appraising the executable and verifying the
	124	# signature stored in xattr. However, ramfs doesn't support xattr, and all
	125	# other initializations must NOT be placed after IMA initialization!
	126	[ -x /init.ima ] && /init.ima $ROOT_MOUNT && {
	127	# switch_root is an exception. We call it in the real rootfs and it
	128	# should be already signed properly.
	129	switch_root="usr/sbin/switch_root.static"
	130	} \|\| {
	131	switch_root="switch_root"
	132	}
	133
	134	exec $switch_root $ROOT_MOUNT $INIT $CMDLINE \|\|
	135	fatal "Couldn't switch_root, dropping to shell"


diff --git a/meta/recipes-core/initrdscripts/initramfs-secure-core.bb b/meta/recipes-core/initrdscripts/initramfs-secure-core.bb new file mode 100644 index 0000000..989038d --- /dev/null +++ b/meta/recipes-core/initrdscripts/initramfs-secure-core.bb
@@ -0,0 +1,27 @@
	1	SUMMARY = "Basic init for initramfs to mount and pivot root"
	2	LICENSE = "MIT"
	3
	4	SRC_URI = "file://init"
	5
	6	do_install() {
	7	install -m 0755 "${WORKDIR}/init" "${D}/init"
	8
	9	# Create device nodes expected by kernel in initramfs
	10	# before executing /init.
	11	install -d "${D}/dev"
	12	mknod -m 0600 "${D}/dev/console" c 5 1
	13	}
	14
	15	FILES_${PN} = "/init /dev"
	16
	17	RDEPENDS_${PN} = "\
	18	bash \
	19	kmod \
	20	sed \
	21	grep \
	22	coreutils \
	23	util-linux \
	24	gawk \
	25	mdadm \
	26	udev \
	27	"