changed init file from the secure-core-image-initramfs to not load an unencrypted rootfs when using full disk encryption.

author: richard <richard@example.com> 2020-06-11 14:52:22 +0000
committer: Jia Zhang <zhang.jia@linux.alibaba.com> 2021-11-19 21:25:00 +0800
commit: ca4ead253625d7a94a97c6bcc0f9faf3e50bbf13 (patch)
tree: 92f15c6b27c9ef94a89d29ff265dd3c75f94c0ac
parent: 2bd48852e24bace7737c381883b0086f3370e57f (diff)
download: meta-secure-core-ca4ead253625d7a94a97c6bcc0f9faf3e50bbf13.tar.gz
2 files changed, 15 insertions, 7 deletions
diff --git a/meta/recipes-core/initrdscripts/files/init b/meta/recipes-core/initrdscripts/files/init
index f6d5a16..4c0d0ea 100644
--- a/meta/recipes-core/initrdscripts/files/init
+++ b/meta/recipes-core/initrdscripts/files/init
@@ -4,6 +4,8 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin"
 ROOTFS_MOUNT="/rootfs"
 INIT="/sbin/init"
+is_encrypted=0
 mount -t proc none /proc
 mount -t sysfs none /sys
 mount -t devtmpfs none /dev
@@ -33,12 +35,14 @@ mkdir -p "$ROOTFS_MOUNT"
 try_to_mount_rootfs() {
    local mount_flags="rw,noatime,iversion"
-    mount -o "$mount_flags" "$ROOTFS_DEV" "$ROOTFS_MOUNT" \
+    if [ $is_encrypted -eq 1 ] ; then
-        2>/dev/null && return 0
+        [ -x /init.cryptfs ] &&
+            /init.cryptfs "$ROOTFS_MOUNT" "$ROOTFS_DEV" \
-    [ -x /init.cryptfs ] &&
+                "$mount_flags" && return 0
-        /init.cryptfs "$ROOTFS_MOUNT" "$ROOTFS_DEV" \
+    else
-            "$mount_flags" && return 0
+        mount -o "$mount_flags" "$ROOTFS_DEV" "$ROOTFS_MOUNT" \
+            2>/dev/null && return 0
+    fi
    return 1
 }
@@ -76,4 +80,4 @@ exec "$switch_root" "$ROOTFS_MOUNT" "$INIT" || {
    "$ROOTFS_MOUNT/bin/echo.coreutils" "Couldn't switch to the real rootfs"
    # Cause kernel panic.
    exit 2
-}
+}
+\ No newline at end of file
diff --git a/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb b/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb
index 188681b..7c1f897 100644
--- a/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb
+++ b/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb
@@ -11,6 +11,10 @@ SRC_URI = "\
 do_install() {
    install -m 0755 "${WORKDIR}/init" "${D}/init"
+    if [ "${FULL_DISK_ENCRYPTION}" = "1" ] && [ ${@bb.utils.contains("DISTRO_FEATURES", "luks", 'true', '', d)} ]; then
+        sed -i '0,/is_encrypted=0/s//is_encrypted=1/' ${D}/init
+    fi
    # Create device nodes expected by kernel in initramfs
    # before executing /init.
    install -d "${D}/dev"
author	richard <richard@example.com>	2020-06-11 14:52:22 +0000
committer	Jia Zhang <zhang.jia@linux.alibaba.com>	2021-11-19 21:25:00 +0800
commit	ca4ead253625d7a94a97c6bcc0f9faf3e50bbf13 (patch)
tree	92f15c6b27c9ef94a89d29ff265dd3c75f94c0ac
parent	2bd48852e24bace7737c381883b0086f3370e57f (diff)
download	meta-secure-core-ca4ead253625d7a94a97c6bcc0f9faf3e50bbf13.tar.gz

diff --git a/meta/recipes-core/initrdscripts/files/init b/meta/recipes-core/initrdscripts/files/init index f6d5a16..4c0d0ea 100644 --- a/meta/recipes-core/initrdscripts/files/init +++ b/meta/recipes-core/initrdscripts/files/init
@@ -4,6 +4,8 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin"
4	ROOTFS_MOUNT="/rootfs"	4	ROOTFS_MOUNT="/rootfs"
5	INIT="/sbin/init"	5	INIT="/sbin/init"
6		6
		7	is_encrypted=0
		8
7	mount -t proc none /proc	9	mount -t proc none /proc
8	mount -t sysfs none /sys	10	mount -t sysfs none /sys
9	mount -t devtmpfs none /dev	11	mount -t devtmpfs none /dev
@@ -33,12 +35,14 @@ mkdir -p "$ROOTFS_MOUNT"
33	try_to_mount_rootfs() {	35	try_to_mount_rootfs() {
34	local mount_flags="rw,noatime,iversion"	36	local mount_flags="rw,noatime,iversion"
35		37
36	mount -o "$mount_flags" "$ROOTFS_DEV" "$ROOTFS_MOUNT" \	38	if [ $is_encrypted -eq 1 ] ; then
37	2>/dev/null && return 0	39	[ -x /init.cryptfs ] &&
38		40	/init.cryptfs "$ROOTFS_MOUNT" "$ROOTFS_DEV" \
39	[ -x /init.cryptfs ] &&	41	"$mount_flags" && return 0
40	/init.cryptfs "$ROOTFS_MOUNT" "$ROOTFS_DEV" \	42	else
41	"$mount_flags" && return 0	43	mount -o "$mount_flags" "$ROOTFS_DEV" "$ROOTFS_MOUNT" \
		44	2>/dev/null && return 0
		45	fi
42		46
43	return 1	47	return 1
44	}	48	}
@@ -76,4 +80,4 @@ exec "$switch_root" "$ROOTFS_MOUNT" "$INIT" \|\| {
76	"$ROOTFS_MOUNT/bin/echo.coreutils" "Couldn't switch to the real rootfs"	80	"$ROOTFS_MOUNT/bin/echo.coreutils" "Couldn't switch to the real rootfs"
77	# Cause kernel panic.	81	# Cause kernel panic.
78	exit 2	82	exit 2
79	}	83	} \ No newline at end of file


diff --git a/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb b/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb index 188681b..7c1f897 100644 --- a/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb +++ b/meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb
@@ -11,6 +11,10 @@ SRC_URI = "\
11	do_install() {	11	do_install() {
12	install -m 0755 "${WORKDIR}/init" "${D}/init"	12	install -m 0755 "${WORKDIR}/init" "${D}/init"
13		13
		14	if [ "${FULL_DISK_ENCRYPTION}" = "1" ] && [ ${@bb.utils.contains("DISTRO_FEATURES", "luks", 'true', '', d)} ]; then
		15	sed -i '0,/is_encrypted=0/s//is_encrypted=1/' ${D}/init
		16	fi
		17
14	# Create device nodes expected by kernel in initramfs	18	# Create device nodes expected by kernel in initramfs
15	# before executing /init.	19	# before executing /init.
16	install -d "${D}/dev"	20	install -d "${D}/dev"