Implement boot parameter "netkeys"

This allows the keys to be loaded from the boot medium even when the root filesystem is loaded over the network. I.e., specifying nbdroot= no longer implies that the keys will be loaded over the network. The ISO images generated by xorriso-usb.sh will not specify 'netkeys' so the keys on the USB stick will be used. The idea is that after install, the network should not be needed at all; but that requires using a new mechanism instead of the nbdroot= parameter, to determine dynamically whether to use a network root fs device. Currently, the network is still needed to boot a device that has its root fs on the local disk and the keys on the boot medium, even though no data is fetched from the NBD server. You can force the machine to boot by going to the initramfs shell and running: for n in $(seq 1 20); do killall ipconfig; done Otherwise it blocks waiting for the network.
author: Andrew Cady <d@jerkface.net> 2017-03-28 09:30:51 -0400
committer: Andrew Cady <d@jerkface.net> 2017-03-28 09:30:51 -0400
commit: 42f0b3ff9b9e71da74ddca1b41f3f04787d571c4 (patch)
tree: 7fa5a368b3a82fac61c7c68edd2e29366c9a1e4b
parent: 2b948633f002af0dd1e428bfeca0453cb6ac72c3 (diff)
4 files changed, 62 insertions, 18 deletions
diff --git a/initramfs-tools/scripts/samizdat b/initramfs-tools/scripts/samizdat
index 0c511e8..b1752cd 100644
--- a/initramfs-tools/scripts/samizdat
+++ b/initramfs-tools/scripts/samizdat
@@ -7,28 +7,48 @@ mountroot()
  samizdat_install_udev_rules
  mkfifo "$MENUFIFO"
-  # Note: this blocks waiting for the network
  if [ "${nbdroot%%,*}" ]; then
-    try_nbd
+    # I guess this isn't getting called otherwise? I don't know why this should
+    # be necessary, but it is.
+    sh /scripts/local-top/nbd >/dev/null 2>&1
  fi
+  if keys_via_network; then
+    wait_for_gnupghome_tar "$tftp_key_server"
+  fi
+  bootwait samizdat-gpg
  bootmenu
  bootwait root-mounted
  chvt 1
 }
-try_nbd()
+# Sets $tftp_key_server or returns false.
+keys_via_network()
 {
-  sh /scripts/local-top/nbd >/dev/null 2>&1 & # I guess this isn't getting called otherwise?
+    [ "${nbdroot%%,*}" ] || return
-  wait_for_gnupghome_tar
+    local arg cmdline
-  (. common.sh && force_grok_block)
+    read cmdline < /proc/cmdline
+    for arg in $cmdline; do
+        case "$arg" in
+            netkeys)
+                tftp_key_server="${nbdroot%%,*}"
+                return 0
+            ;;
+            netkeys=*)
+                tftp_key_server="${arg#netkeys=}"
+                return 0
+            ;;
+        esac
+    done
+    return 1
 }
 wait_for_gnupghome_tar()
 {
+  local tftp_server="$1"
  [ -e /gnupghome.tar ] && return
  echo -n Waiting to receive GPG keys through the network...
-  (while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ ${nbdroot%%,*} 2>/dev/null; do
+  (while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ "$tftp_server" 2>/dev/null; do
    sleep 1;
    echo -n .
  done
diff --git a/isolinux/pxelinux.cfg/default b/isolinux/pxelinux.cfg/default
index 386012f..77796b3 100644
--- a/isolinux/pxelinux.cfg/default
+++ b/isolinux/pxelinux.cfg/default
@@ -2,4 +2,4 @@ default samizdat
 label samizdat
        linux linux/vmlinuz
        initrd linux/initrd.img
-        append boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp
+        append boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp netkeys
diff --git a/src/grub-efi.sh b/src/grub-efi.sh
index f96149d..44b9dec 100755
--- a/src/grub-efi.sh
+++ b/src/grub-efi.sh
@@ -1,11 +1,20 @@
-#!/bin/sh
+#!/bin/bash
 . samizdat-paths.sh
+linux_kernel_commandline='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp'
 grub_config()
 {
    cat <<EOF
 insmod echo
 echo GRUB
+insmod normal
+insmod keystatus
+insmod linux
+insmod iso9660
 insmod part_acorn
 insmod part_amiga
 insmod part_apple
@@ -17,13 +26,13 @@ insmod part_plan
 insmod part_sun
 insmod part_sunpc
-insmod linux
-insmod iso9660
 echo Loading vmlinuz...
-linux /linux/vmlinuz boot=samizdat components quiet splash
+linux /linux/vmlinuz ${linux_kernel_commandline}
 echo Loading initrd.img...
 initrd /linux/initrd.img
 echo Booting.
 echo
 boot
diff --git a/src/qemu.sh b/src/qemu.sh
index f9982c4..b095eb8 100755
--- a/src/qemu.sh
+++ b/src/qemu.sh
@@ -21,17 +21,32 @@ NET='tap,vlan=0,ifname=tap0,script=no,downscript=no'
 initrd=${samizdat_isolinux_dir}/linux/initrd.img
 kernel=${samizdat_isolinux_dir}/linux/vmlinuz
-kcmdline_NET='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp'
+      kcmdline_NET='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp netkeys'
+kcmdline_CDROM_NET='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp'
 kcmdline_CDROM='boot=samizdat components quiet splash'
+set --
 if [ "$USE_ISO" ]; then
-    [ "$QEMU_LOADS_LINUX" ] && set -- -initrd "$initrd" -kernel "$kernel" -append "$kcmdline_CDROM"
+    set -- "$@" -cdrom "$iso"
-    set -- -cdrom "$iso"
+    if [ "$QEMU_LOADS_LINUX" ]; then
+        set -- "$@" -initrd "$initrd" -kernel "$kernel"
+        if [ "$NO_NET" ]; then
+            set -- "$@" -append "$kcmdline_CDROM"
+        else
+            set -- "$@" -append "$kcmdline_CDROM_NET"
+        fi
+    else
+        set -- "$@" -boot d
+    fi
 else
-    [ "$QEMU_LOADS_LINUX" ] && set -- -initrd "$initrd" -kernel "$kernel" -append "$kcmdline_NET"
+    if [ "$QEMU_LOADS_LINUX" ]; then
-    set -- -boot n
+        set -- "$@" -initrd "$initrd" -kernel "$kernel" -append "$kcmdline_NET"
+    else
+        set -- "$@" -boot n
+    fi
 fi
+set -x
 sudo qemu-system-x86_64 -enable-kvm -smp 2 -m 640 -k en-us \
     -vga qxl \
     -net nic,vlan=0,model=virtio \
author	Andrew Cady <d@jerkface.net>	2017-03-28 09:30:51 -0400
committer	Andrew Cady <d@jerkface.net>	2017-03-28 09:30:51 -0400
commit	42f0b3ff9b9e71da74ddca1b41f3f04787d571c4 (patch)
tree	7fa5a368b3a82fac61c7c68edd2e29366c9a1e4b
parent	2b948633f002af0dd1e428bfeca0453cb6ac72c3 (diff)

diff --git a/initramfs-tools/scripts/samizdat b/initramfs-tools/scripts/samizdat index 0c511e8..b1752cd 100644 --- a/initramfs-tools/scripts/samizdat +++ b/initramfs-tools/scripts/samizdat
@@ -7,28 +7,48 @@ mountroot()
7	samizdat_install_udev_rules	7	samizdat_install_udev_rules
8	mkfifo "$MENUFIFO"	8	mkfifo "$MENUFIFO"
9		9
10	# Note: this blocks waiting for the network
11	if [ "${nbdroot%%,*}" ]; then	10	if [ "${nbdroot%%,*}" ]; then
12	try_nbd	11	# I guess this isn't getting called otherwise? I don't know why this should
		12	# be necessary, but it is.
		13	sh /scripts/local-top/nbd >/dev/null 2>&1
13	fi	14	fi
14		15
		16	if keys_via_network; then
		17	wait_for_gnupghome_tar "$tftp_key_server"
		18	fi
		19	bootwait samizdat-gpg
15	bootmenu	20	bootmenu
16	bootwait root-mounted	21	bootwait root-mounted
17	chvt 1	22	chvt 1
18	}	23	}
19		24
20	try_nbd()	25	# Sets $tftp_key_server or returns false.
		26	keys_via_network()
21	{	27	{
22	sh /scripts/local-top/nbd >/dev/null 2>&1 & # I guess this isn't getting called otherwise?	28	[ "${nbdroot%%,*}" ] \|\| return
23	wait_for_gnupghome_tar	29	local arg cmdline
24	(. common.sh && force_grok_block)	30	read cmdline < /proc/cmdline
		31	for arg in $cmdline; do
		32	case "$arg" in
		33	netkeys)
		34	tftp_key_server="${nbdroot%%,*}"
		35	return 0
		36	;;
		37	netkeys=*)
		38	tftp_key_server="${arg#netkeys=}"
		39	return 0
		40	;;
		41	esac
		42	done
		43	return 1
25	}	44	}
26		45
27	wait_for_gnupghome_tar()	46	wait_for_gnupghome_tar()
28	{	47	{
		48	local tftp_server="$1"
29	[ -e /gnupghome.tar ] && return	49	[ -e /gnupghome.tar ] && return
30	echo -n Waiting to receive GPG keys through the network...	50	echo -n Waiting to receive GPG keys through the network...
31	(while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ ${nbdroot%%,*} 2>/dev/null; do	51	(while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ "$tftp_server" 2>/dev/null; do
32	sleep 1;	52	sleep 1;
33	echo -n .	53	echo -n .
34	done	54	done


diff --git a/isolinux/pxelinux.cfg/default b/isolinux/pxelinux.cfg/default index 386012f..77796b3 100644 --- a/isolinux/pxelinux.cfg/default +++ b/isolinux/pxelinux.cfg/default
@@ -2,4 +2,4 @@ default samizdat
2	label samizdat	2	label samizdat
3	linux linux/vmlinuz	3	linux linux/vmlinuz
4	initrd linux/initrd.img	4	initrd linux/initrd.img
5	append boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp	5	append boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp netkeys


diff --git a/src/grub-efi.sh b/src/grub-efi.sh index f96149d..44b9dec 100755 --- a/src/grub-efi.sh +++ b/src/grub-efi.sh
@@ -1,11 +1,20 @@
1	#!/bin/sh	1	#!/bin/bash
2	. samizdat-paths.sh	2	. samizdat-paths.sh
3		3
		4	linux_kernel_commandline='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp'
		5
4	grub_config()	6	grub_config()
5	{	7	{
6	cat <<EOF	8	cat <<EOF
7	insmod echo	9	insmod echo
8	echo GRUB	10	echo GRUB
		11
		12	insmod normal
		13	insmod keystatus
		14
		15	insmod linux
		16	insmod iso9660
		17
9	insmod part_acorn	18	insmod part_acorn
10	insmod part_amiga	19	insmod part_amiga
11	insmod part_apple	20	insmod part_apple
@@ -17,13 +26,13 @@ insmod part_plan
17	insmod part_sun	26	insmod part_sun
18	insmod part_sunpc	27	insmod part_sunpc
19		28
20	insmod linux
21	insmod iso9660
22
23	echo Loading vmlinuz...	29	echo Loading vmlinuz...
24	linux /linux/vmlinuz boot=samizdat components quiet splash	30
		31	linux /linux/vmlinuz ${linux_kernel_commandline}
		32
25	echo Loading initrd.img...	33	echo Loading initrd.img...
26	initrd /linux/initrd.img	34	initrd /linux/initrd.img
		35
27	echo Booting.	36	echo Booting.
28	echo	37	echo
29	boot	38	boot


diff --git a/src/qemu.sh b/src/qemu.sh index f9982c4..b095eb8 100755 --- a/src/qemu.sh +++ b/src/qemu.sh
@@ -21,17 +21,32 @@ NET='tap,vlan=0,ifname=tap0,script=no,downscript=no'
21		21
22	initrd=${samizdat_isolinux_dir}/linux/initrd.img	22	initrd=${samizdat_isolinux_dir}/linux/initrd.img
23	kernel=${samizdat_isolinux_dir}/linux/vmlinuz	23	kernel=${samizdat_isolinux_dir}/linux/vmlinuz
24	kcmdline_NET='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp'	24	kcmdline_NET='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp netkeys'
		25	kcmdline_CDROM_NET='boot=samizdat components quiet splash nbdroot=192.168.10.1,samizdat.btrfs nbddev=/dev/nbd0 ip=dhcp'
25	kcmdline_CDROM='boot=samizdat components quiet splash'	26	kcmdline_CDROM='boot=samizdat components quiet splash'
26		27
		28	set --
27	if [ "$USE_ISO" ]; then	29	if [ "$USE_ISO" ]; then
28	[ "$QEMU_LOADS_LINUX" ] && set -- -initrd "$initrd" -kernel "$kernel" -append "$kcmdline_CDROM"	30	set -- "$@" -cdrom "$iso"
29	set -- -cdrom "$iso"	31	if [ "$QEMU_LOADS_LINUX" ]; then
		32	set -- "$@" -initrd "$initrd" -kernel "$kernel"
		33	if [ "$NO_NET" ]; then
		34	set -- "$@" -append "$kcmdline_CDROM"
		35	else
		36	set -- "$@" -append "$kcmdline_CDROM_NET"
		37	fi
		38	else
		39	set -- "$@" -boot d
		40	fi
30	else	41	else
31	[ "$QEMU_LOADS_LINUX" ] && set -- -initrd "$initrd" -kernel "$kernel" -append "$kcmdline_NET"	42	if [ "$QEMU_LOADS_LINUX" ]; then
32	set -- -boot n	43	set -- "$@" -initrd "$initrd" -kernel "$kernel" -append "$kcmdline_NET"
		44	else
		45	set -- "$@" -boot n
		46	fi
33	fi	47	fi
34		48
		49	set -x
35	sudo qemu-system-x86_64 -enable-kvm -smp 2 -m 640 -k en-us \	50	sudo qemu-system-x86_64 -enable-kvm -smp 2 -m 640 -k en-us \
36	-vga qxl \	51	-vga qxl \
37	-net nic,vlan=0,model=virtio \	52	-net nic,vlan=0,model=virtio \