Debian initramfs

From OLPC
Revision as of 15:26, 30 July 2008 by Erik Garrison (talk | contribs) (simple initramfs modifications are easier)

Because of our firmware security model, we regularly use signed initramfsen such as olpcrd/olpcrd-rootskel to handle deployment and security-related tasks on laptops which may be unactivated, activated but not individuated, or fully individuated (i.e. configured for a specific user). This article describes the method we use for constructing these initramfsen.

Our initramfsen are currently constructed with debian-installer on a lenny or sid system. Since I happen to be working from an F-7 machine located at MIT, I built an appropriate Debian chroot by running

sudo su -
yum install debootstrap
mkdir sid-root
debootstrap --arch i386 sid sid-root/ http://debian.lcs.mit.edu/debian/

as root. NB: debootstrap requires that lots of things from /sbin and /usr/sbin be accessible on $PATH. Be careful if you're using sudo to exercise root privilege.

(If you're making your own chroot, please choose a suitable Debian mirror.)

Once we've got the chroot up, we need to do some configuration inside the chroot:

chroot sid-root /bin/su -
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
echo 'deb-src http://debian.lcs.mit.edu/debian sid main' >> /etc/apt/sources.list
apt-get update

Then we'll install the build-dependencies of the initramfs:

apt-get install git-core pbuilder yaird debhelper python-pyrex netpbm
apt-get build-dep debian-installer

Next, we'll check out the source code of the initramfs:

git clone git://dev.laptop.org/users/cscott/olpcrd
git clone git://dev.laptop.org/users/cscott/olpcrd-rootskel
cd olpcrd-rootskel
git submodule init
git submodule update

Finally, we'll fill in appropriate paths and run make:

cd ../olpcrd
$EDITOR Makefile    # patch up the paths in the first three environment variables. All we need are the paths to /root/olpcrd and /root/olpcrd-rootskel
                    # In particular, set OLPC=$(HOME), ROOTSKEL=$(HOME)/olpcrd-rootskel, and DI=$(HOME)/olpcrd
make di

To change the initramfs, modify the source files in ~/olpcrd-rootskel/olpc-src/ then re-run make di from ~/olpcrd.

Simple initramfs modification

To modify an existing initramfs, it is often simplest to unpack it into a directory, modify it as needed, and pack it back up:

mkdir initramfs   # make and enter work directory to unpack the initramfs
cd initramfs
gunzip -c ../olpcrd.img | cpio -i  # unpack the image
### make your changes here ###
find . -print | cpio -H newc -o | gzip -9 >../olpcrd.img  # and repack it
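
Because these images are signed and run before the operating system, it helps to review exactly what a manual edit changed before the repacked image is signed or deployed. The following is an added example (not part of the original page or of the olpcrd code): it parses the `newc` cpio format produced by the repack command above, optionally gzip-compressed, and reports added, removed and changed members plus any setuid/setgid files. The sample images and their paths are constructed for illustration.

```python
import gzip, hashlib, stat

FIELDS = ("ino mode uid gid nlink mtime filesize devmajor devminor "
          "rdevmajor rdevminor namesize check").split()
def _pad4(n):
    return (n + 3) & ~3          # newc aligns names and data to 4 bytes

def read_newc(blob):
    """Yield (name, header, data) for each member of a newc cpio archive."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic: image was packed with gzip -9
        blob = gzip.decompress(blob)
    off = 0
    while True:
        hdr = blob[off:off + 110]
        if len(hdr) < 110 or hdr[:6] != b"070701":
            raise ValueError("bad newc header at offset %d" % off)
        # 13 fields of 8 hex digits each follow the 6-byte magic
        h = {f: int(hdr[6 + 8 * i:14 + 8 * i], 16) for i, f in enumerate(FIELDS)}
        name = blob[off + 110:off + 109 + h["namesize"]].decode()  # drop NUL
        start = _pad4(off + 110 + h["namesize"])
        data = blob[start:start + h["filesize"]]
        if len(data) != h["filesize"]:
            raise ValueError("truncated member %r" % name)
        if name == "TRAILER!!!":  # end-of-archive marker
            return
        yield name, h, data
        off = _pad4(start + h["filesize"])

def manifest(blob):
    """Map path -> (mode, uid, gid, sha256 of contents)."""
    return {n: (h["mode"], h["uid"], h["gid"], hashlib.sha256(d).hexdigest())
            for n, h, d in read_newc(blob)}

def review(old_blob, new_blob):
    """Return (added, removed, changed, setid) path lists for the new image."""
    old, new = manifest(old_blob), manifest(new_blob)
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    setid = sorted(p for p, m in new.items() if m[0] & (stat.S_ISUID | stat.S_ISGID))
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed, setid

# Everything below builds constructed sample images (not real olpcrd contents).
def _member(name, mode, data=b""):
    n = name.encode() + b"\0"
    vals = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    out = b"070701" + b"".join(b"%08X" % v for v in vals) + n
    out += b"\0" * (_pad4(len(out)) - len(out)) + data
    return out + b"\0" * (_pad4(len(out)) - len(out))

END = _member("TRAILER!!!", 0)
BEFORE = _member("./init", 0o100755, b"#!/bin/sh\n") + _member("./bin/tool", 0o100755, b"v1") + END
AFTER = gzip.compress(_member("./init", 0o100755, b"#!/bin/sh\nset -x\n")
    + _member("./bin/tool", 0o104755, b"v1") + _member("./etc/extra", 0o100644, b"x") + END)
```

On real images, read the original and the repacked `olpcrd.img` as bytes and pass both to `review()`; hard-linked members and multiple concatenated archives are not handled by this sketch.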