[PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage
99 views
Skip to first unread message
Rakesh Kumar
Jul 10, 2024, 2:31:24 AMJul 10
to isar-...@googlegroups.com, jan.k...@siemens.com, cedric.h...@siemens.com, Rakesh Kumar
To ensure proper initialization of the fTPM and tee-supplicant services before
the root filesystem is mounted, we are relocating their initialization to the
local-top section of initramfs. This change ensures that the encrypted filesystems
are properly initialized and ready for use before the root filesystem is mounted at
local-bottom stage.
Reason for local-top:
* Early Initialization: The local-top scripts run before the root filesystem is mounted.
This timing is essential for encrypted root filesystems since the decryption process must be
completed before the filesystem can be accessed.
* Dependency Handling: The encryption setup requires initializing dependencies such as
fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
ensures that all necessary components are in place before the root filesystem is mounted.
Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
---
.../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++--
.../initramfs-tee-supplicant-hook_0.1.bb | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
index db38e618..82fec1bb 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
- ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+ ${D}/usr/share/initramfs-tools/scripts/local-top"
do_install() {
install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
"${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
install -m 0755 "${WORKDIR}/tee-ftpm.script" \
- "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+ "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
}
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
index 3768b8e0..a7a19bee 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
- ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+ ${D}/usr/share/initramfs-tools/scripts/local-top"
do_install() {
install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
"${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
install -m 0755 "${WORKDIR}/tee-supplicant.script" \
- "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
+ "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
}
--
2.39.2
the root filesystem is mounted, we are relocating their initialization to the
local-top section of initramfs. This change ensures that the encrypted filesystems
are properly initialized and ready for use before the root filesystem is mounted at
local-bottom stage.
Reason for local-top:
* Early Initialization: The local-top scripts run before the root filesystem is mounted.
This timing is essential for encrypted root filesystems since the decryption process must be
completed before the filesystem can be accessed.
* Dependency Handling: The encryption setup requires initializing dependencies such as
fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
ensures that all necessary components are in place before the root filesystem is mounted.
Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
---
.../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++--
.../initramfs-tee-supplicant-hook_0.1.bb | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
index db38e618..82fec1bb 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
- ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+ ${D}/usr/share/initramfs-tools/scripts/local-top"
do_install() {
install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
"${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
install -m 0755 "${WORKDIR}/tee-ftpm.script" \
- "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+ "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
}
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
index 3768b8e0..a7a19bee 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
- ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+ ${D}/usr/share/initramfs-tools/scripts/local-top"
do_install() {
install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
"${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
install -m 0755 "${WORKDIR}/tee-supplicant.script" \
- "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
+ "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
}
--
2.39.2
Jan Kiszka
Jul 10, 2024, 7:21:11 AMJul 10
to Rakesh Kumar, isar-...@googlegroups.com, Quirin Gylstorff, cedric.h...@siemens.com
On 10.07.24 07:33, Rakesh Kumar wrote:
> To ensure proper initialization of the fTPM and tee-supplicant services before
> the root filesystem is mounted, we are relocating their initialization to the
> local-top section of initramfs. This change ensures that the encrypted filesystems
> are properly initialized and ready for use before the root filesystem is mounted at
> local-bottom stage.
Close but not fully correct: The rootfs is mounted AFTER the top stage
> To ensure proper initialization of the fTPM and tee-supplicant services before
> the root filesystem is mounted, we are relocating their initialization to the
> local-top section of initramfs. This change ensures that the encrypted filesystems
> are properly initialized and ready for use before the root filesystem is mounted at
> local-bottom stage.
and BEFORE bottom.
>
> Reason for local-top:
>
> * Early Initialization: The local-top scripts run before the root filesystem is mounted.
> This timing is essential for encrypted root filesystems since the decryption process must be
> completed before the filesystem can be accessed.
>
> * Dependency Handling: The encryption setup requires initializing dependencies such as
> fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
> ensures that all necessary components are in place before the root filesystem is mounted.
on fTPM if a concrete target using fTPM for disk encryption. But Quirin
just had another idea, leaving the stage to him now. :)
Jan
Linux Expert Center
Rakesh Kumar
Jul 10, 2024, 8:31:16 AMJul 10
to isar-...@googlegroups.com, jan.k...@siemens.com, cedric.h...@siemens.com, Rakesh Kumar
To ensure proper initialization of the fTPM and tee-supplicant services before
the root filesystem is mounted, we are relocating their initialization to the
local-top section of initramfs. This change ensures that the encrypted root filesystems
the root filesystem is mounted, we are relocating their initialization to the
are properly initialized and mounted before the local-bottom scripts run.
Reason for local-top:
* Early Initialization: The local-top scripts run before the root filesystem is mounted.
This timing is essential for encrypted root filesystems since the decryption process must be
completed before the filesystem can be accessed.
* Dependency Handling: The encryption setup requires initializing dependencies such as
fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
ensures that all necessary components are in place before the root filesystem is mounted.
Rakesh Kumar
Jul 10, 2024, 9:27:20 AMJul 10
to isar-users
thanks, Jan Kiszka, for pointing that out! I have made the corrections in git message now.
Regards,
Rakesh
Rakesh Kumar
Jul 13, 2024, 10:55:49 AMJul 13
to isar-users
Hi all,
Any update on this patch?
Rakesh
Kumar, Rakesh
Jul 22, 2024, 1:44:01 AM (6 days ago) Jul 22
to Kiszka, Jan, isar-...@googlegroups.com, quirin.g...@siemens.com, cedric.h...@siemens.com
Hi all,
Any updates on this patch.
If this patch needs any correction/improvement then please give your inputs on this.
Regards,
Rakesh
> +++ m-hook_0.1.bb
Any updates on this patch.
If this patch needs any correction/improvement then please give your inputs on this.
Regards,
Rakesh
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
> }
> diff --git
> a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> ---
> a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-t
> +++ ee-supplicant-hook_0.1.bb
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
> }
> diff --git
> a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> ---
> a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-t
Uladzimir Bely
Jul 22, 2024, 4:52:35 AM (6 days ago) Jul 22
to Kumar, Rakesh, Kiszka, Jan, isar-...@googlegroups.com, quirin.g...@siemens.com
On Mon, 2024-07-22 at 05:43 +0000, 'Kumar, Rakesh' via isar-users
wrote:
testing is due, among other things, to the lack of "v2" suffix in new
patch version. So, in e-mail hierarchy it still looks like first
version of the patch under discussion. Please further use "v2", "v3...
when sending new versions of the patches.
--
Best regards,
Uladzimir.
wrote:
> Hi all,
>
> Any updates on this patch.
>
> If this patch needs any correction/improvement then please give your
> inputs on this.
>
We are going to check the patch in CI and merge as usually. A delay in
>
> Any updates on this patch.
>
> If this patch needs any correction/improvement then please give your
> inputs on this.
>
testing is due, among other things, to the lack of "v2" suffix in new
patch version. So, in e-mail hierarchy it still looks like first
version of the patch under discussion. Please further use "v2", "v3...
when sending new versions of the patches.
Best regards,
Uladzimir.
Rakesh Kumar
Jul 22, 2024, 9:31:25 AM (6 days ago) Jul 22
to isar-users
Sure Uladzimir, I will take care of that
going forward. thanks!
Regards,
Regards,
Rakesh
Uladzimir Bely
Jul 23, 2024, 3:37:33 AM (5 days ago) Jul 23
to Rakesh Kumar, isar-...@googlegroups.com
> index db38e618..82fec1bb 100644
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> ftpm-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
> }
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-
> hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
> }
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-
> initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-
> hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> tee-supplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> tee-supplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> tee-supplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-
> supplicant, procps"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-
> supplicant, procps"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> supplicant"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> supplicant"
> }
> --
> 2.39.2
> supplicant"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> supplicant"
> }
> --
>
Applied v2 to next, thanks.
--
Best regards,
Uladzimir.
Reply all
Reply to author
Forward
0 new messages