Debian initramfs

From OLPC
Revision as of 20:56, 20 February 2008 by 18.85.46.179 (talk)

Because of our firmware security model, we regularly use signed initramfsen such as olpcrd/olpcrd-rootskel to handle deployment and security-related tasks on laptops which may be unactivated, activated but not individuated, or fully individuated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfsen.

Our initramfsen are currently constructed with debian-installer on a lenny or sid system. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running

yum install debootstrap
mkdir sid-root
debootstrap --arch i386 sid sid-root/ http://debian.lcs.mit.edu/debian/

as root. NB: debootstrap requires that lots of things from /sbin and /usr/sbin be accessible on $PATH. Be careful if you're using sudo to exercise root privilege.

(If you're making your own chroot, please choose a suitable Debian mirror.)
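A preflight for the $PATH caveat above, as an added example that is not part of the original article or the OLPC tooling. The function names are hypothetical; the debootstrap arguments and default mirror are the ones used on this page.

```shell
#!/bin/sh
# Added example: make sure /sbin and /usr/sbin are on PATH before debootstrap runs.

# Print each required sbin directory that is absent from the given PATH string.
# Matching on ":dir:" avoids false hits such as /usr/local/sbin counting as /sbin.
missing_sbin_dirs() {
    path_value=$1
    for dir in /sbin /usr/sbin; do
        case ":$path_value:" in
            *":$dir:"*) ;;                 # already present
            *) printf '%s\n' "$dir" ;;     # report as missing
        esac
    done
}

# Print the given PATH with any missing sbin directories appended.
path_with_sbin() {
    fixed=$1
    for dir in $(missing_sbin_dirs "$1"); do
        fixed="${fixed:+$fixed:}$dir"
    done
    printf '%s\n' "$fixed"
}

# Run debootstrap as in the article, with an explicit, corrected PATH.
# $1 is the mirror URL (defaults to the mirror used on this page).
run_debootstrap() {
    mirror=${1:-http://debian.lcs.mit.edu/debian/}
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_debootstrap: must be run as root" >&2
        return 1
    fi
    env PATH="$(path_with_sbin "$PATH")" \
        debootstrap --arch i386 sid sid-root/ "$mirror"
}

# Report on the current shell's PATH; this does not run debootstrap.
missing=$(missing_sbin_dirs "$PATH")
if [ -n "$missing" ]; then
    echo "PATH is missing:" $missing >&2
fi
```

Source the file in the root shell (or the shell sudo starts) and call run_debootstrap, optionally passing your own mirror URL.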

Once we've got the chroot up, we need to do some configuration inside the chroot:

chroot sid-root /bin/su -
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
echo 'deb-src http://debian.lcs.mit.edu/debian sid main' >> /etc/apt/sources.list
apt-get update

Then we'll install the build-dependencies of the initramfs:

apt-get install git-core pbuilder yaird debhelper python-pyrex netpbm
apt-get build-dep debian-installer

Next, we'll check out the source code of the initramfs:

git clone git://dev.laptop.org/users/cscott/olpcrd
git clone git://dev.laptop.org/users/cscott/olpcrd-rootskel
cd olpcrd-rootskel
git submodule init
git submodule update

Finally, we'll fill in appropriate paths and run make:

cd ../olpcrd
$EDITOR Makefile    # patch up the paths in the first three environment variables. All we need are the paths to /root/olpcrd and /root/olpcrd-rootskel
                    # In particular, set OLPC=$(HOME), ROOTSKEL=$(HOME)/olpcrd-rootskel, and DI=$(HOME)/olpcrd
make di

To change the initramfs, modify the source files in ~/olpcrd-rootskel/olpc-src/, then re-run make di from ~/olpcrd.