Debian initramfs: Difference between revisions

From OLPC
(19 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{{Software}}
{{Software}}

Because of our [[firmware security]] model, we regularly use signed [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/filesystems/ramfs-rootfs-initramfs.txt;hb=HEAD initramfsen] such as [http://dev.laptop.org/git/users/cscott/olpcrd olpcrd]/[http://dev.laptop.org/git/users/cscott/olpcrd-rootskel olpcrd-rootskel] to handle deployment and security related tasks on laptops which may be unactivated, activated but not individuated, or fully indivduated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfsen.
<b><font color=red><big>OLPC OS [[releases]] older than 10.1.0 used a Debian-based initramfs which is documented below. This is no longer used, and has been replaced with [[dracut-modules-olpc]].

{{Deprecated}}

Because of our [[firmware security]] model, we regularly use signed [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/filesystems/ramfs-rootfs-initramfs.txt;hb=HEAD initramfs]es (''initial file systems in RAM memory'') such as [http://dev.laptop.org/git/users/cscott/olpcrd olpcrd]/[http://dev.laptop.org/git/users/cscott/olpcrd-rootskel olpcrd-rootskel] to handle deployment and security related tasks on laptops which may be unactivated, activated but not individuated, or fully indivduated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfs.


Our initramfsen are current constructed with [http://wiki.debian.org/DebianInstaller debian-installer] on a lenny or sid. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running
Our initramfsen are current constructed with [http://wiki.debian.org/DebianInstaller debian-installer] on a lenny or sid. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running


sudo su -
yum install debootstrap
yum install debootstrap
mkdir sid-root
mkdir lenny-root
debootstrap --arch i386 sid sid-root/ http://debian.lcs.mit.edu/debian/
debootstrap --arch i386 lenny lenny-root/ http://debian.lcs.mit.edu/debian/


as root. NB: debootstrap requires that lots of things from /sbin and /usr/sbin be accessible on $PATH. Be careful if you're using sudo to exercise root privilege.
as root. NB: debootstrap requires that lots of things from /sbin and /usr/sbin be accessible on $PATH. Be careful if you're using sudo to exercise root privilege.
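
Review bot: The deprecation banner added at the top of the new revision opens b, font and big tags and closes none of them in the added text, so the bold red styling can run on into the rest of the page; close them at the end of that sentence, or drop them, since {{Deprecated}} directly below already carries the warning. In the rewritten introduction "indivduated" is still misspelled, and the plural now varies between "initramfs]es", "these initramfs" and the "initramfsen" of the next paragraph.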
Line 14: Line 20:
Once we've got the chroot up, we need to do some configuration inside the chroot:
Once we've got the chroot up, we need to do some configuration inside the chroot:
chroot sid-root /bin/su -
chroot lenny-root /bin/su -
mount -t proc proc /proc
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
mount -t devpts devpts /dev/pts
echo 'deb-src http://debian.lcs.mit.edu/debian sid main' >> /etc/apt/sources.list
echo 'deb-src http://debian.lcs.mit.edu/debian lenny main' >> /etc/apt/sources.list
echo 'deb http://debian.lcs.mit.edu/debian sid main' >> /etc/apt/sources.list
apt-get update
apt-get update


Then we'll install the build-dependencies of the initramfs:
Then we'll install the build-dependencies of the initramfs from lenny (5.0.2):


apt-get install git-core pbuilder yaird debhelper
apt-get -t 5.0.2 install git-core pbuilder debhelper python-pyrex netpbm dash libparse-recdescent-perl libc6-pic mkisofs upx-ucl-beta epm rpm
apt-get build-dep debian-installer
apt-get -t 5.0.2 build-dep debian-installer

yaird is not in Lenny, so we install yaird from sid -- this installs 0.0.13-5:

apt-get install yaird

After this, ''remove the sid repository from /etc/apt/sources.list'' to ensure that the udeb packages are fetched from a known repository, and run

apt-get update


Next, we'll check out the source code of the initramfs:
Next, we'll check out the source code of the initramfs:
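
Review bot: After the added `echo 'deb http://debian.lcs.mit.edu/debian sid main'` line, the unpinned `apt-get install yaird` resolves yaird and any dependencies it pulls in against sid, and the step that undoes this ("remove the sid repository from /etc/apt/sources.list") is given only as prose. Give the exact command that takes the sid line back out, and request the stated version explicitly, e.g. `apt-get install yaird=0.0.13-5`, so the text and the command agree on what is installed from sid.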
Line 38: Line 53:
cd ../olpcrd
cd ../olpcrd
$EDITOR Makefile # patch up the paths in the first three environment variables. All we need are the paths to /root/olpcrd and /root/olpcrd-rootskel
$EDITOR Makefile # patch up the paths in the first three environment variables. All we need are the paths to /root/olpcrd and /root/olpcrd-rootskel
# In particular, set OLPC=$(HOME), ROOTSKEL=$(HOME)/olpcrd-rootskel, and DI=$(HOME)/olpcrd
make di
make di

If the build is successful, your new initramfs will be available at

ls build/dest/initrd.gz

To change the initramfs, modify the source files in <tt>~/olpcrd-rootskel/olpc-src/</tt> then re-run <tt>make di</tt> from <tt>~/olpcrd</tt>.

For distribution, c-scott uses the 'make rpm' target in olpcrd; that uses the 'epm' package manager. Update the version string at the top of the Makefile to create the proper rpm version.

=== Simple initramfs modification ===

To modify an existing initramfs it is often simplest to unpack it into a directory, modify it as suited, and pack it back up:

mkdir initramfs # make and enter work directory to unpack the initramfs
cd initramfs
gunzip -c ../olpcrd.img | cpio -i # unpack the image
### make your changes here ###
find . -print | cpio -H newc -o | gzip -9 >../olpcrd.img # and repack it

=== Kernel modules and firmware ===

Due to some peculiarities of the OLPC build system, initramfsen are created and only later combined with appropriate kernel modules and firmware by the build compose-tools. This means that when generating initramfsen for testing purposes, it is necessary to install appropriate kernel modules and firmware by hand.

To install modules and firmware, simply unpack the initramfs produced by the build system, locate the modules you want to install (e.g. by extracting them from the kernel RPM used by OLPC, from an older initramfs, or from the XO you want to modify)

FOO=/path/to/modules

and install the modules into your initramfs.

cp -r $FOO/lib/modules/* $FOO/lib/firmware/* .

Finally, repack the initramfs according to the instructions above.

[[Category:Build system]]
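
Review bot: In the added "Kernel modules and firmware" section, `cp -r $FOO/lib/modules/* $FOO/lib/firmware/* .` copies the contents of both directories into whatever the current directory happens to be, so from the top of the unpacked tree the module directories and firmware files land in the image root instead of under lib/modules and lib/firmware. State the working directory or copy to explicit destinations, and quote $FOO. In "Simple initramfs modification", also say which user runs `cpio -i` and the repack: the archive written by `find . -print | cpio -H newc -o` records the ownership the files have on disk after extraction.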

Latest revision as of 18:27, 22 February 2011


OLPC OS releases older than 10.1.0 used a Debian-based initramfs which is documented below. This is no longer used, and has been replaced with dracut-modules-olpc.

WARNING: The content of this section is considered DEPRECATED and OBSOLETE. It is preserved for historical or documenting reasons.

Because of our firmware security model, we regularly use signed initramfses (initial file systems in RAM) such as olpcrd/olpcrd-rootskel to handle deployment and security-related tasks on laptops which may be unactivated, activated but not individuated, or fully individuated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfses.

Our initramfsen are currently constructed with debian-installer on lenny or sid. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running

sudo su -
yum install debootstrap
mkdir lenny-root
debootstrap --arch i386 lenny lenny-root/ http://debian.lcs.mit.edu/debian/

as root. NB: debootstrap requires that lots of things from /sbin and /usr/sbin be accessible on $PATH. Be careful if you're using sudo to exercise root privilege.

(If you're making your own chroot, please choose a suitable Debian mirror)

Once we've got the chroot up, we need to do some configuration inside the chroot:

chroot lenny-root /bin/su -
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
echo 'deb-src http://debian.lcs.mit.edu/debian lenny main' >> /etc/apt/sources.list
echo 'deb http://debian.lcs.mit.edu/debian sid main' >> /etc/apt/sources.list
apt-get update

Then we'll install the build-dependencies of the initramfs from lenny (5.0.2):

apt-get -t 5.0.2 install git-core pbuilder debhelper python-pyrex netpbm dash libparse-recdescent-perl  libc6-pic mkisofs upx-ucl-beta epm rpm
apt-get -t 5.0.2 build-dep debian-installer

yaird is not in Lenny, so we install yaird from sid -- this installs 0.0.13-5:

apt-get install yaird 

After this, remove the sid repository from /etc/apt/sources.list to ensure that the udeb packages are fetched from a known repository, and run

apt-get update

Next, we'll check out the source code of the initramfs:

git clone git://dev.laptop.org/users/cscott/olpcrd
git clone git://dev.laptop.org/users/cscott/olpcrd-rootskel
cd olpcrd-rootskel
git submodule init
git submodule update

Finally, we'll fill in appropriate paths and run make:

cd ../olpcrd
$EDITOR Makefile    # patch up the paths in the first three environment variables. All we need are the paths to /root/olpcrd and /root/olpcrd-rootskel
                    # In particular, set OLPC=$(HOME), ROOTSKEL=$(HOME)/olpcrd-rootskel, and DI=$(HOME)/olpcrd
make di

If the build is successful, your new initramfs will be available at

ls build/dest/initrd.gz

To change the initramfs, modify the source files in ~/olpcrd-rootskel/olpc-src/ then re-run make di from ~/olpcrd.

For distribution, c-scott uses the 'make rpm' target in olpcrd; that uses the 'epm' package manager. Update the version string at the top of the Makefile to create the proper rpm version.

Simple initramfs modification

To modify an existing initramfs it is often simplest to unpack it into a directory, modify it as needed, and pack it back up:

mkdir initramfs   # make and enter work directory to unpack the initramfs
cd initramfs
gunzip -c ../olpcrd.img | cpio -i  # unpack the image
### make your changes here ###
find . -print | cpio -H newc -o | gzip -9 >../olpcrd.img  # and repack it
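
To check exactly what an unpack-and-repack cycle changed (paths added or removed, ownership or mode altered, file contents modified), the two images can be compared entry by entry. The following is an added example, not part of the original page or of olpcrd; the function names are hypothetical, and it assumes a single gzip-compressed newc archive such as the commands above produce.

```python
# Added example (not OLPC code): manifest and diff of gzip'd newc cpio images.
import gzip
import hashlib

MAGIC = b"070701"  # "newc" header magic, the format `cpio -H newc` writes
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")

def _align4(n):
    return (n + 3) & ~3  # headers, names and data are padded to 4 bytes

def manifest(image):
    """Map each path in a gzip'd newc image to (mode, uid, gid, sha256)."""
    raw, pos, out = gzip.decompress(image), 0, {}
    while True:
        if raw[pos:pos + 6] != MAGIC or len(raw) < pos + 110:
            raise ValueError("no newc header at offset %d" % pos)
        hdr = raw[pos + 6:pos + 110]  # 13 fields of 8 hex digits each
        f = dict(zip(FIELDS, (int(hdr[i:i + 8], 16) for i in range(0, 104, 8))))
        name_end = pos + 110 + f["namesize"]
        name = raw[pos + 110:name_end - 1].decode()  # drop the trailing NUL
        start = _align4(name_end)
        data = raw[start:start + f["filesize"]]
        if len(data) != f["filesize"]:
            raise ValueError("truncated data for %r" % name)
        if name == "TRAILER!!!":  # end-of-archive marker
            return out
        out[name] = (oct(f["mode"]), f["uid"], f["gid"],
                     hashlib.sha256(data).hexdigest())
        pos = _align4(start + f["filesize"])

def diff_manifests(old, new):
    """Return sorted (added, removed, changed) path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def build_image(entries):
    """Pack constructed (path, mode, uid, gid, data) tuples for testing."""
    buf = bytearray()
    entries = list(entries) + [("TRAILER!!!", 0, 0, 0, b"")]
    for ino, (path, mode, uid, gid, data) in enumerate(entries, 1):
        name = path.encode() + b"\0"
        vals = (ino, mode, uid, gid, 1, 0, len(data), 0, 0, 0, 0, len(name), 0)
        buf += MAGIC + b"".join(b"%08X" % v for v in vals) + name
        buf += b"\0" * (_align4(len(buf)) - len(buf))
        buf += data + b"\0" * (_align4(len(data)) - len(data))
    return gzip.compress(bytes(buf))
```

For real images, pass the file bytes, e.g. `diff_manifests(manifest(open("olpcrd.img.orig", "rb").read()), manifest(open("olpcrd.img", "rb").read()))`, where `olpcrd.img.orig` is a copy you kept before repacking. An entry whose uid or gid changed while its hash did not usually means the image was unpacked and repacked by a non-root user.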

Kernel modules and firmware

Due to some peculiarities of the OLPC build system, initramfsen are created and only later combined with appropriate kernel modules and firmware by the build compose-tools. This means that when generating initramfsen for testing purposes, it is necessary to install appropriate kernel modules and firmware by hand.

To install modules and firmware, simply unpack the initramfs produced by the build system, locate the modules you want to install (e.g. by extracting them from the kernel RPM used by OLPC, from an older initramfs, or from the XO you want to modify)

 FOO=/path/to/modules    

and install the modules into your initramfs.

 cp -r "$FOO/lib/modules" "$FOO/lib/firmware" lib/    # run from the top of the unpacked initramfs

Finally, repack the initramfs according to the instructions above.