Debian initramfs: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 1: Line 1:
{{Software}}
{{Software}}
Because of our [[firmware security]] model, we regularly use signed [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/filesystems/ramfs-rootfs-initramfs.txt;hb=HEAD initramfsen] such as [http://dev.laptop.org/git/users/cscott/olpcrd olpcrd]/[http://dev.laptop.org/git/users/cscott/olpcrd-rootskel olpcrd-rootskel] to handle deployment and security related tasks on laptops which may be unactivated, activated but not individuated, or fully indivduated (i.e. configured for a specific user).
Because of our [[firmware security]] model, we regularly use signed [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/filesystems/ramfs-rootfs-initramfs.txt;hb=HEAD initramfsen] such as [http://dev.laptop.org/git/users/cscott/olpcrd olpcrd]/[http://dev.laptop.org/git/users/cscott/olpcrd-rootskel olpcrd-rootskel] to handle deployment and security related tasks on laptops which may be unactivated, activated but not individuated, or fully indivduated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfsen.

This article describes the method we use for constructing these initramfsen.

== Preliminaries ==


Our initramfsen are current constructed with [http://wiki.debian.org/DebianInstaller debian-installer] on a lenny or sid. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running
Our initramfsen are current constructed with [http://wiki.debian.org/DebianInstaller debian-installer] on a lenny or sid. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running

Revision as of 01:54, 20 February 2008

Because of our firmware security model, we regularly use signed initramfsen such as olpcrd/olpcrd-rootskel to handle deployment and security related tasks on laptops which may be unactivated, activated but not individuated, or fully indivduated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfsen.

Our initramfsen are current constructed with debian-installer on a lenny or sid. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running

yum install debootstrap
mkdir sid-root
debootstrap --arch i386 sid sid-root/ http://debian.lcs.mit.edu/debian/

as root. NB: debootstrap requires that lots of things from /sbin and /usr/sbin be accessible on $PATH. Be careful if you're using sudo to exercise root privilege.

(If you're making your own chroot, please choose a suitable Debian mirror)

Once we've got the chroot up, we need to do some configuration inside the chroot:

chroot lenny-root /bin/su -
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

Then we'll install the build-dependencies of the initramfs:

apt-get install git-core pbuilder yaird debhelper
apt-get build-dep debian-installer

Next, we'll check out the source code of the initramfs:

git clone git://dev.laptop.org/users/cscott/olpcrd
git clone git://dev.laptop.org/users/cscott/olpcrd-rootskel
cd olpcrd-rootskel
git submodule init
git submodule update

Finally, we'll fill in appropriate paths and run make:

cd ../olpcrd
$EDITOR Makefile    # patch up the paths in the first three environment variables. All we need are the paths to /root/olpcrd and /root/olpcrd-rootskel
make di