Early boot: Difference between revisions

From OLPC
Jump to navigation Jump to search
Line 92: Line 92:


== Upgrade procedure ==
== Upgrade procedure ==

Upgrade procedure, creating new b from a (w.l.o.g)
Suppose that we want to create a new OS tree named ''$b'' where ''$b'' cryptographically identifies the [[contents manifest specification|contents]] of the desired OS tree.)
Rainbow: (ATC gives <version> <hash> <priority>)

-1: Check that /versions/pristine/<hash> doesn't already exist.
# Check that /versions/pristine/<hash> doesn't already exist.
If unpartitioned:
# Let ''$a'' = ''`basename(readlink /versions/running)`''.
0. Create new /versions/configs/$c <- where $c = mkdtemp

1. Create /versions/configs/$c/current -> ../../pristine/`basename(readlink /versions/running)`
If we are unpartitioned, then we may:
2. Swap /versions/boot to point to configs/$c, save old contents in $old

If partitioned:
# Create new /versions/configs/$c <- where $c = mkdtemp
0-2. Make /boot/alt point to ../`basename(readlink /versions/running)`
3a. Delete the tree(s) pointed to from /versions/configs/$old which are not pointed to by
# Create /versions/configs/$c/current -> ../../pristine/$a
# Swing /versions/boot to point to configs/$c, save old contents in $old
/versions/running (revisit when multiple trees)
3b. Delete corresponding members of /boot-versions if using a boot partition
''(If partitioned: Make /boot/alt point to ../$a.)''
4. Delete /versions/configs/$old.

4b. Delete corresponding member of /boot-versions if using a boot partition.
Afterward, we should:
5. Invoke 'olpc-updater <version>'
# Delete the tree(s) pointed to from ''/versions/configs/$old'' which are:
in new container:
#* not pointed to by ''/versions/running''
[MICHAEL WILL REWRITE STARTING FROM HERE]
#* not pointed to by a symlink in ''/versions/sticky''
NOTE THAT /upgrade must live in same bind-mount as /current if we're to be able to clone it.

MORE LIKELY THAT RAINBOW WILL CREATE /upgrade FOR US AS CLONE OF /current
''(If partitioned and if using a boot partition: delete corresponding members of /boot-versions.)''
/current (ro-bind mount from /versions/a)

/upgrade (initially empty)
# Delete /versions/configs/$old.
OLPC updater:
''(If partitioned and if using a boot partition: delete corresponding member of /boot-versions.)''
6. clone /current to /upgrade
# '''Shallow-copy''' ''/versions/pristine/$a'' into a tmpdir ''$d'' on the same file system. (To ''shallow-copy'' a tree is to copy its directory structure, then to hardlink all its inodes into the new empty tree.)
7. upgrade /upgrade by hook or crook
# Modify the contents of ''$d'' by any means that breaks hardlinks before writing through them. When finished,
[END MICHAEL REWRITES]
# Cryptographically [[Olpc-contents|verify]] that ''$b'' identifies the contents of the tmpdir ''$d''.
8. exit
#* If verification fails, destroy ''$d'' and return failure. Otherwise...
Rainbow:
9. Verify /versions/updates/<hash> matches <hash>
# Move ''$d'' to ''/versions/pristine/$b''.
10. Move /versions/updates/<hash> to /versions/pristine/<hash>
# Create ''/versions/run/$b'' from ''/versions/pristine/$b'' according to the current [[OLPC Bitfrost:P_SF_RUN|P_SF_RUN]] setting.

10b. Create /versions/run/<hash> from /versions/pristine/<hash> according to P_SF_RUN setting
If unpartitioned:
Then, if unpartitioned:

11. Make a new config /versions/configs/$d (d = mkdtemp)
12. Create 'current' symlink to /versions/pristine/<hash>
# Make a new config in ''/versions/configs/$e'' with ''mkdtemp''.
13. Create 'alt' symlink to *realpath of* /versions/running
# Point its 'current' symlink to ''/versions/pristine/$b''.
14. Swing /versions/boot to /versions/configs/$d
# Point its 'alt' symlink to ''(realpath /versions/running)''.
# ATOMICALLY swing ''/versions/boot'' to ''/versions/configs/$e''.
(atomic! iff we do file move of new symlink)
#* (To atomically swing a symlink $s, make a new symlink $t on the same filesystem pointing to the desired location and then rename ''$t'' on top of ''$s''.)
15. Delete /versions/configs/$c
# Delete /versions/configs/$c
If partitioned:
11. Copy /versions/pristine/<hash>/boot to boot:/boot-versions/<hash>
If partitioned:
12. Make boot:/boot-versions/<hash>/alt point to what boot:/boot currently points to

13. Atomically swing boot:/boot to point to /boot-versions/<hash>
# Copy ''/versions/pristine/$b/boot'' to ''boot:/boot-versions/$b''
16. If <priority> reboot. (Ask Eben & sugar folks)
# Make ''boot:/boot-versions/$b/alt'' point to ''(realpath boot:/boot)''.
# Atomically swing ''boot:/boot'' to point to ''boot:/boot-versions/%b''

Finally, execute any post-update instructions.


==Open Questions==
==Open Questions==

Revision as of 00:19, 23 June 2008

  This page is monitored by the OLPC team.


Pencil.png NOTE: The contents of this page are not set in stone, and are subject to change!

This page is a draft in active flux ...
Please leave suggestions on the talk page.

Pencil.png

Draft of early boot upgrade/init procedures designed by Michael Stone and C. Scott Ananian.

Early userland startup steps

Stage 1: Initramfs

See the source code for more details. Instructions are available for building initramfsen.

  1. Control is passed to the initramfs' /init program.
    • This program runs python2.5 as PID 1.
  2. /init executes the theft deterrence protocol, checking its 'am I stolen?' flag and looking for a valid activation lease.
  3. /init will decide whether to fail the boot.
    • If the boot should stop, then a graphical error message will be displayed.
    • If the boot should continue, then /init will fork and will prepare to execute the userland init program.

Stage 2: NAND

Since /init forked, we are now running as PID NNN rather than PID 1.

  1. Mount /sysroot and unmount our USB or SD devices so that our userland can make its own decisions about how to handle them.
  2. Fail the boot if we think we're stolen.
  3. If requested, swing /versions/current to point at the backup OS tree.
  4. Start the boot animation.
  5. Make a minimal userland context (e.g. mount --move /sysroot /).
  6. Take any measures that might help protect PID 1 and the real-time clock (RTC).

Stage 3: Userland

  1. make new config w/ swapped current and alt
    • (ie. create a /versions/configs/XXX w/ new current, alt)
  2. then swing /versions/boot symlink

If multiple partitions are present:

  1. Make boot:/boot/alt/alt point to ../`basename(readlink boot:/boot)`
  2. Make boot:/boot point to boot-versions/`basename(readlinke boot:/boot/alt)`

In either case:

  1. Make the /versions/running symlink point to pristine/<hash>
  2. Set $current equal to the basename of readlink of /versions/running (which should be a hash)
  3. Make appropriate bind-mounts:
    • mount /home /versions/run/$current/home (or /home from home partition)
    • mount /security /versions/run/$current/security (or /security from boot partition)
    • mount /versions /versions/run/$current/versions
  4. chroot or mount --move into /versions/run/$current

Finally, run the userland init program.

  1. Import and run the run() function from /sbin/olpc_init.py if it exists; otherwise,
  2. Exec /sbin/init.

Notes on P_SF_RUN

P_SF_RUN is a Bitfrost protection intended to control when running programs may modify the 'run' image of the current OS tree. (P_SF_CORE controls modifications to the pristine versions of OS trees.)

Suppose we're going to boot an OS tree named X.

  • When P_SF_RUN is switched off, we should make /versions/run/X copy-on-write.
  • When P_SF_RUN is switched on, we should boot from an immutable copy of the pristine version of X.

These rules mean that:

  • If P_SF_RUN is off then we should allow modifications.
  • If P_SF_RUN is on then we should prohibit modifications.

List of directories in boot partition

 /boot -> boot-versions/<hash>
 /boot-alt -> boot/alt
 /boot-versions/<version>/{runos.zip,runrd.zip,etc}
 /boot-versions/<version>/alt -> ../<alternate version>
 /security

List of directories in root partition

 /sys, /proc, /ofw   vfs
 /versions/pristine/{hashes}
 /versions/contents/{hashes}  (contents files for the corresponding pristine tree)
 /versions/configs/`mkdtemp`/current -> ../../pristine/<hash> (backwards compatibility; don't use)
 /versions/configs/`mkdtemp`/alt     -> ../../pristine/<hash> (backwards compatibility; don't use)
 /versions/boot -> configs/<something> (backwards compatibility; don't use)
 /versions/running -> pristine/<hash>  (version we booted from; hash matches /boot symlink from boot partition)
 /versions/updates/<hash>   (temporary space for updates, preserved in case update
                             net connection drops & updater is restarted)
 /versions/run/{hashes}
 /security
 /boot -> versions/boot/current/boot (backwards compatibility; don't use)
 /boot-alt -> versions/boot/alt/boot (backwards compatibility; don't use)

List of directories in home partition

 /home

Upgrade procedure

Suppose that we want to create a new OS tree named $b where $b cryptographically identifies the contents of the desired OS tree.)

  1. Check that /versions/pristine/<hash> doesn't already exist.
  2. Let $a = `basename(readlink /versions/running)`.

If we are unpartitioned, then we may:

  1. Create new /versions/configs/$c <- where $c = mkdtemp
  2. Create /versions/configs/$c/current -> ../../pristine/$a
  3. Swing /versions/boot to point to configs/$c, save old contents in $old

(If partitioned: Make /boot/alt point to ../$a.)

Afterward, we should:

  1. Delete the tree(s) pointed to from /versions/configs/$old which are:
    • not pointed to by /versions/running
    • not pointed to by a symlink in /versions/sticky

(If partitioned and if using a boot partition: delete corresponding members of /boot-versions.)

  1. Delete /versions/configs/$old.

(If partitioned and if using a boot partition: delete corresponding member of /boot-versions.)

  1. Shallow-copy /versions/pristine/$a into a tmpdir $d on the same file system. (To shallow-copy a tree is to copy its directory structure, then to hardlink all its inodes into the new empty tree.)
  2. Modify the contents of $d by any means that breaks hardlinks before writing through them. When finished,
  3. Cryptographically verify that $b identifies the contents of the tmpdir $d.
    • If verification fails, destroy $d and return failure. Otherwise...
  4. Move $d to /versions/pristine/$b.
  5. Create /versions/run/$b from /versions/pristine/$b according to the current P_SF_RUN setting.

Then, if unpartitioned:

  1. Make a new config in /versions/configs/$e with mkdtemp.
  2. Point its 'current' symlink to /versions/pristine/$b.
  3. Point its 'alt' symlink to (realpath /versions/running).
  4. ATOMICALLY swing /versions/boot to /versions/configs/$e.
    • (To atomically swing a symlink $s, make a new symlink $t on the same filesystem pointing to the desired location and then rename $t on top of $s.)
  5. Delete /versions/configs/$c

If partitioned:

  1. Copy /versions/pristine/$b/boot to boot:/boot-versions/$b
  2. Make boot:/boot-versions/$b/alt point to (realpath boot:/boot).
  3. Atomically swing boot:/boot to point to boot:/boot-versions/%b

Finally, execute any post-update instructions.

Open Questions

  1. Are thawed trees persistent?
    1. when I use a frozen tree?
    2. when I upgrade
  2. Is "thawness" global? Or per-OS-version?
  3. Can thawed trees be frozen for temporary read-only use?
  4. Space limits for upgrader?
  5. UI for:
    1. P_SF_RUN
    2. which image you boot (esp if more than two)
    3. Rest of security UI
  6. Configuration versioning / globalness
    1. do security settings persist across updates
    2. do we inherit a security configuration from the 'old' version when upgrading?
  7. Loadable kernel modules
    1. Bind-mount /lib/modules read-only? (Doesn't fix the problem, really)

Related pages

Retrieved from "http://wiki.laptop.org/mediawiki/index.php?title=Early_boot&oldid=140498"