Always ensure /dev/{u,random} are in initramfs #2331

Closed
wants to merge 1 commit into from
1 change: 1 addition & 0 deletions Makefile
@@ -207,6 +207,7 @@ endif
if [ -f dracut-util ]; then \
install -m 0755 dracut-util $(DESTDIR)$(pkglibdir)/dracut-util; \
fi
install -m 0644 -Dt $(DESTDIR)$(pkglibdir) dracut-random.cpio.gz
Contributor
I don't think compression makes much sense for a two (or three with /dev) item cpio archive.

Contributor
One thing I forgot to mention: GNU cpio unnecessarily zero-pads archives out to the next "block-size" (default=512) alignment, while the newc / SVR4 spec only requires 4-byte alignment, so any bundled archive with GNU cpio padding could be trimmed down.
In matching GNU cpio quirks, dracut-cpio does the same:
https://github.com/dracutdevs/dracut/blob/master/src/dracut-cpio/src/main.rs#L644

ifeq ($(enable_dracut_cpio),yes)
install -m 0755 dracut-cpio $(DESTDIR)$(pkglibdir)/dracut-cpio
endif
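Review bot: the `install -m 0644 -Dt ... dracut-random.cpio.gz` line ships a binary blob checked into the tree, so reviewers cannot see which device numbers, modes, owners or timestamps the two nodes carry (the `c 1 8` / `c 1 9` values visible in the deleted fips code are now only verifiable by unpacking the archive), and a later change to them would not show up in a diff. Since the archive holds only /dev and /dev/{u,random}, generate it at build time from a few lines in the Makefile (printf-built newc entries, as suggested in the comments, or dracut-cpio) instead of committing the bytes; that also keeps the `--reproducible` path auditable. Minor: as noted above, gzip buys nothing for a three-entry archive and adds a zcat dependency in dracut.sh; install it uncompressed.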
Binary file added dracut-random.cpio.gz
12 changes: 10 additions & 2 deletions dracut.sh
@@ -2431,9 +2431,17 @@ else
if ! (
umask 077
cd "$initdir"
# We generate two initramfs "chunks"; the primary one with all the files first. This is done
# asynchronously.
mkfifo ${DRACUT_TMPDIR}/main.fifo
mkfifo ${DRACUT_TMPDIR}/random.fifo
cat ${DRACUT_TMPDIR}/main.fifo ${DRACUT_TMPDIR}/random.fifo | $compress >> "${DRACUT_TMPDIR}/initramfs.img" &
find . -print0 | sort -z \
| cpio ${CPIO_REPRODUCIBLE:+--reproducible} --null ${cpio_owner:+-R "$cpio_owner"} -H newc -o --quiet \
| $compress >> "${DRACUT_TMPDIR}/initramfs.img"
| cpio ${CPIO_REPRODUCIBLE:+--reproducible} --null ${cpio_owner:+-R "$cpio_owner"} -H newc -o --quiet > ${DRACUT_TMPDIR}/main.fifo
# Next, in order to avoid requiring privilege at initramfs generation time, which we may not have
# in a container image, append a pre-generated cpio blob with /dev/{u,random}.
zcat ${dracutsysrootdir}/${dracutbasedir}/dracut-random.cpio.gz > ${DRACUT_TMPDIR}/random.fifo
wait
Contributor
Asynchronous append here also seems like overkill given the size of the trailing archive.

); then
dfatal "Creation of $outfile failed"
exit 1
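Review bot: the subshell's exit status no longer reports a failed image write: its last command is now a bare `wait`, which returns 0 regardless of the background job's status, so a failing `$compress` (or `cat` on the FIFOs) passes the `if ! ( ... )` test and `dfatal "Creation of $outfile failed"` is never reached, whereas before the pipeline's own status was returned. Either capture the job (`pid=$!` ... `wait "$pid"`) and check `cpio` and `zcat` with `|| exit 1`, or drop the FIFOs and background job altogether, which the size of the trailing archive does not justify, and use one grouped pipeline: `{ find . -print0 | sort -z | cpio ... -H newc -o --quiet; zcat .../dracut-random.cpio.gz; } | $compress >> "${DRACUT_TMPDIR}/initramfs.img"`. That keeps ordering, the previous exit-status behaviour and the `umask 077` scope. Style: the `${DRACUT_TMPDIR}/...` paths added here are unquoted, unlike the surrounding code.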
12 changes: 0 additions & 12 deletions modules.d/01fips/module-setup.sh
@@ -70,16 +70,4 @@ install() {
inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort

inst_simple /etc/system-fips
Contributor
Given the simplicity of cpio and what's needed here, it's tempting to propose just using printf to generate the trailing archive entries... That said, my preference would still be to embed those nodes in the kernel archive, or wait for #1662 to be implemented.

Contributor Author
Hmm yes, I think the cpio format may be sufficiently simple that we could do it via printf in a not terribly ugly way.

[ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
|| {
dfatal "Cannot create /dev/random"
dfatal "To create an initramfs with fips support, dracut has to run as root"
return 1
}
[ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \
|| {
dfatal "Cannot create /dev/urandom"
dfatal "To create an initramfs with fips support, dracut has to run as root"
return 1
}
}
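Review bot: deleting the two `mknod` blocks also deletes the only check that /dev/random and /dev/urandom end up in a fips image and the hint that root was required; after this change the module depends silently on the archive appended in dracut.sh, which is added after `$initdir` has been packed, so a `[ -c "${initdir}"/dev/random ]` test can no longer observe the nodes. Leave a one-line comment at the end of `install()` saying the nodes come from dracut-random.cpio.gz, so nobody re-adds `mknod` here, and mention the dependency in the commit message.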
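The comments above float the idea of emitting the trailing archive with printf instead of mknod, and note that GNU cpio pads to 512 bytes where newc only needs 4-byte alignment. The script below is an added example written for this review, not dracut's code and not the contents of the PR's dracut-random.cpio.gz: it writes a newc archive containing /dev, /dev/random (1:8) and /dev/urandom (1:9) using printf only, so it needs no privilege. The modes are assumptions (0755 for the directory, 0666 for the nodes; the deleted mknod lines set none), as are the inode numbers; the optional BLOCK argument reproduces GNU cpio's block padding so the difference in size can be seen.

```shell
#!/bin/sh
# Added example (not dracut's code): build the trailing newc cpio archive
# with printf only, so no mknod and therefore no root is needed.
# newc layout: 110-byte ASCII header ("070701" + 13 fields of 8 hex digits),
# then the NUL-terminated name, then data; name and data are each padded
# with NULs to a 4-byte boundary.

# pad_to BYTES ALIGN: emit the NULs that bring BYTES up to a multiple of ALIGN
pad_to() {
    n=$(( ($2 - $1 % $2) % $2 ))
    while [ "$n" -gt 0 ]; do
        printf '\000'
        n=$((n - 1))
    done
}

# newc_entry NAME MODE RDEVMAJOR RDEVMINOR INO
# Emits one zero-length entry (directory, device node or trailer) and leaves
# the number of bytes written, including alignment padding, in $entry_len.
newc_entry() {
    name=$1 mode=$2 rmaj=$3 rmin=$4 ino=$5
    namesize=$(( ${#name} + 1 ))        # counts the terminating NUL
    # fields: ino mode uid gid nlink mtime filesize devmajor devminor
    #         rdevmajor rdevminor namesize check
    printf '070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x' \
        "$ino" "$mode" 0 0 1 0 0 0 0 "$rmaj" "$rmin" "$namesize" 0
    printf '%s\000' "$name"
    pad_to $(( 110 + namesize )) 4
    entry_len=$(( (110 + namesize + 3) / 4 * 4 ))
}

# write_random_cpio [BLOCK]: write the archive to stdout. BLOCK=4 (default)
# is the minimal spec-compliant alignment; BLOCK=512 reproduces the GNU cpio
# block padding discussed in the review. Modes and inode numbers below are
# assumptions made for this example (the PR's mknod lines set no mode).
write_random_cpio() {
    block=${1:-4}
    total=0
    newc_entry dev          16877 0 0 1; total=$((total + entry_len))  # S_IFDIR|0755 (040755)
    newc_entry dev/random    8630 1 8 2; total=$((total + entry_len))  # S_IFCHR|0666 (020666), 1:8
    newc_entry dev/urandom   8630 1 9 3; total=$((total + entry_len))  # S_IFCHR|0666 (020666), 1:9
    newc_entry 'TRAILER!!!'     0 0 0 0; total=$((total + entry_len))  # end-of-archive marker
    pad_to "$total" "$block"
}

# Usage: sh make-random-cpio.sh OUTPUT [BLOCK]; with no arguments only the
# functions are defined. Inspect the result with: cpio -itv < OUTPUT
if [ $# -ge 1 ]; then
    write_random_cpio "${2:-4}" > "$1"
fi
```

With the default alignment the archive is 488 bytes (116 + 124 + 124 + 124); with BLOCK=512 it is 512, which is the padding the reviewer says could be trimmed. Because each entry is zero-length, every 8-digit field except ino, mode, nlink, rdev and namesize stays 0, and the checksum field is always 0 in newc. The kernel's initramfs unpacker reads newc archives back to back, which is what lets dracut.sh append this one after the main archive.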