2 files changed, 79 insertions, 24 deletions

diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh
index 39c89ca..cdf73ef 100644
--- a/src/initrd/btrfs-create.sh
+++ b/src/initrd/btrfs-create.sh
@@ -27,16 +27,41 @@ ceil4()
   printf '%d\n' "$x"
 }
 
+kernel_commandline_has()
+{
+    local v="$1" c
+    read c < /proc/cmdline
+    for c in $c
+    do
+        case "$c" in
+            "$v"|"$v"=*) true; return;;
+        esac
+    done
+    false
+}
+
+netbooted()
+{
+    kernel_commandline_has BOOTIF
+}
+
 cdrom_has_rootfs()
 {
-    [ ! "$BOOTIF" ] || return
-    bootwait samizdat-cdrom
-    [ -d /cdrom/rootfs ]
+    if netbooted
+    then
+        false
+    else
+        bootwait samizdat-cdrom
+        [ -d /cdrom/rootfs ]
+    fi
 }
 
 losetup_layers()
 {
     if cdrom_has_rootfs; then
+        # TODO: This is some kind of shortcut or short circuit to find these
+        # files, that ought to be found through the grok-block system (i.e.,
+        # event-driven rather than polling).
         local fs fs_rw
         for fs in /cdrom/rootfs/*.btrfs; do
             fs_rw=/"${fs##*/}".rw
@@ -45,8 +70,11 @@ losetup_layers()
         done
     else
         bootwait samizdat-nbd-dev
-        dd if=/dev/zero of=/nbd0.rw bs=1M count=10
-        dm_snapshot /dev/nbd0 /nbd0.rw
+        local dev
+        for dev in nbd0 nbd1; do
+            dd if=/dev/zero of=/$dev.rw bs=1M count=10
+            dm_snapshot /dev/$dev /$dev.rw
+        done
         return
     fi
 }
@@ -210,15 +238,24 @@ filesystem_incomplete()
 
 partition_new_hard_drive_DESTROYING_EVERYTHING()
 {
-    local target="$1"
+    # TODO: get the actual size of the btrfs master and actually triple it. The empty
+    # space can be left available to allow the local machine to boot a
+    # locally-regenerated rootfs seed.
+    sz=3
+    u=GiB
+    actual_sz=$sz$u
+    tripled_sz=$((sz * 3))$u
+    pct=100% # TODO: use 50%
+
+    local target="$1" sz=6GiB
     # [ "$(parted -sm "$target" print | grep -c :)"  = 1 ] || return
-    parted "$target" -sm                                        \
-           unit B                                               \
-           mklabel gpt                                          \
-           mkpart samizdat-grub-incomplete 32KiB 8160KiB        \
-           set 1 bios_grub on                                   \
-           mkpart samizdat-plaintext-incomplete btrfs 8MiB 1GiB \
-           mkpart samizdat-luks-encrypted-incomplete 1GiB 100%  \
+    parted "$target" -sm                                                     \
+           unit B                                                            \
+           mklabel gpt                                                       \
+           mkpart samizdat-grub-incomplete 32KiB 8MiB                        \
+           set 1 bios_grub on                                                \
+           mkpart samizdat-plaintext-incomplete btrfs 64MiB $actual_sz       \
+           mkpart samizdat-luks-encrypted-incomplete $tripled_sz $pct        \
         &&
         udevadm settle
 }
diff --git a/src/initrd/grok-block b/src/initrd/grok-block
index 86ff499..ee23b38 100755
--- a/src/initrd/grok-block
+++ b/src/initrd/grok-block
@@ -167,18 +167,29 @@ grok_block()
       # Avoid mouting this multiple times in case this script gets called multiple times,
       # because while it's mounted, the dmsetup stuff will fail with device busy.
     /dev/nbd0)
-      if [ -e /bootwait/samizdat-nbd-dev ]
-        then
-            return
-        else
-            bootwait nbd-script
-            wait_for_files_ /sys/block/nbd0/pid
-      fi
+        bootdone nbd0-dev
+        return ;;
+    /dev/nbd1)
+        bootwait nbd-script nbd0-dev
+        wait_for_files_ /sys/block/nbd0/pid /sys/block/nbd1/pid
     ;;
   esac
   case "$ID_PART_ENTRY_NAME" in
       samizdat-grub-incomplete|samizdat-plaintext-incomplete|samizdat-luks-encrypted-incomplete) return ;;
-      samizdat-grub|samizdat-luks-encrypted) return ;;
+      samizdat-plaintext)
+          . /verity.sh
+          cp /verity.sh /run/initramfs/samizdat/
+          veritysetup --hash-offset="$verity_hash_offset" \
+                      create samizverity \
+                      "$DEVNAME" "$DEVNAME" "$verity_root_hash"
+          bootdone veritysetup
+          return
+          ;;
+      samizdat-grub) return ;;
+      samizdat-luks-encrypted)
+          menu-select boot-native "$(parent_device "$DEVNAME")"
+          return
+          ;;
   esac
 
   if [ "$ID_FS_TYPE" = hfsplus ] && ! fsck.hfsplus -q "$DEVNAME"; then
@@ -191,7 +202,11 @@ grok_block()
   fi
 
   if ! mountpoint -q "$mountpoint"; then
-    retry_mount $mount_type -o ro "$DEVNAME" "$mountpoint"
+    if [ "$DEVNAME" = /dev/nbd1 ]
+    then OPTIONS='-o device=/dev/nbd0'
+    else OPTIONS=
+    fi
+    retry_mount $mount_type -r $OPTIONS "$DEVNAME" "$mountpoint"
   fi
 
   if ! mountpoint -q "$mountpoint"; then
@@ -206,10 +221,13 @@ grok_block()
   elif [ "$ID_PART_ENTRY_NAME" = samizdat-plaintext ]; then
     if gpg_verify "$mountpoint"/disk.key && gpg_can_decrypt "$mountpoint"/disk.key; then
       addmenu_choose_native_root "$(parent_device "$DEVNAME")"
+      umount "$mountpoint"
+      bootdone key-mounted
+    else
+      umount "$mountpoint"
     fi
-    umount "$mountpoint"
 
-  elif [ "$DEVNAME" = /dev/nbd0 ]; then
+  elif [ "$DEVNAME" = /dev/nbd1 ]; then
     # This is our rootfs, over the network
     umount "$mountpoint"
     rmdir "$mountpoint"