30 files changed, 3586 insertions, 0 deletions

diff --git a/src/btrfs-functions.sh b/src/btrfs-functions.sh
new file mode 100644
index 0000000..b83b94d
--- /dev/null
+++ b/src/btrfs-functions.sh
@@ -0,0 +1,161 @@
+push()
+{
+    $(ARGS_NE mnt src dst_dir)
+
+    now=$(date +%F.%H%M%S) || die
+    snap_dir=$mnt/snapshot.$now
+    prev_dir=$mnt/snapshot.prev
+
+    local BTRFS_RECEIVE_DESTINATION_PATH="$dst_dir"
+    push_helper true "$snap_dir" "$prev_dir" "$src" local_btrfs_receiver
+}
+
+push_simple()
+{
+    $(ARGS_NE mnt src dst_dir)
+    local BTRFS_RECEIVE_DESTINATION_PATH="$dst_dir"
+    push_helper false "$mnt" "$src" local_btrfs_receiver
+}
+
+sex()
+{
+    (set -x; "$@")
+}
+
+local_btrfs_receiver()
+{
+    btrfs receive "$BTRFS_RECEIVE_DESTINATION_PATH"
+}
+
+shellescape()
+{
+    if [ "$BASH_VERSION" ]; then
+        printf %q "$1"
+    else
+        bash -c 'printf %q "$1"' bash "$1"
+    fi
+}
+
+remote_btrfs_receiver()
+{
+    ssh "$BTRFS_RECEIVE_DESTINATION_HOST" -- "btrfs receive $(shellescape "$BTRFS_RECEIVE_DESTINATION_PATH")"
+}
+
+push_helper()
+{
+    $(ARGS     keep_as_prev snap_dir prev_dir src dst_pipe)
+    $(NONEMPTY keep_as_prev snap_dir          src dst_pipe)
+
+    local full_dest rw_dest
+
+    btrfs subvolume snapshot -r "$src" "$snap_dir" || die
+
+    if [ "$prev_dir" -a -d "$prev_dir" ]; then
+        btrfs send -p "$prev_dir" "$snap_dir"
+    else
+        btrfs send "$snap_dir"
+    fi | "$dst_pipe" || die
+
+    if [ "$dst_pipe" = local_btrfs_receiver ]; then
+        local dst="$BTRFS_RECEIVE_DESTINATION_PATH"
+        full_dest=$dst/$(basename "$snap_dir")
+        rw_dest=$full_dest.rw
+        btrfs subvolume snapshot "$full_dest" "$rw_dest"  || die
+        btrfs_replace_default_subvolume_with "$rw_dest"
+    fi
+
+    if $keep_as_prev && [ "$prev_dir" ]
+    then
+        # keep the pushed snapshot in order to reuse it on subsequent pushes.
+        with_dir "$prev_dir"  btrfs subvolume delete  || die
+        sex mv "$snap_dir" "$prev_dir"                || die
+    else
+        btrfs subvolume delete "$snap_dir"
+    fi
+}
+
+btrfs_mountpoint()
+{
+    $(ARGS_NE dir)
+    btrfs filesystem show -m "$dir" >/dev/null 2>&1
+}
+
+btrfs_get_mountpoint()
+{
+    $(ARGS_NE dir)
+    while [ "$dir" -a "$dir" != '.' ]; do
+        if btrfs_mountpoint "$dir"
+        then printf '%s\n' "$dir"
+             return
+        fi
+        dir=$(dirname "$dir")
+    done
+    false
+}
+
+btrfs_show_default_path()
+{
+    $(ARGS_NE mp)
+    local path
+    mp=$(btrfs_get_mountpoint "$mp") || die # TODO: fix caller?
+    btrfs_mountpoint "$mp" || die "not a mountpoint: $mp"
+    path=$(btrfs subvolume get-default "$mp"/|sed -n -e 's/.* path //p')
+    if [ "$path" ]; then
+        printf '%s\n' "$mp/$path"
+    else
+        printf '%s\n' "$mp"
+    fi
+}
+
+btrfs_show_default_id()
+{
+    $(ARGS_NE mp)
+    local id
+    mp=$(btrfs_get_mountpoint "$mp") || die # TODO: fix caller?
+    btrfs_mountpoint "$mp" || die "not a mountpoint: $mp"
+    id=$(btrfs subvolume get-default "$mp"/|sed -n -e 's/^ID \([^ ]*\) .*/\1/p')
+    [ "$id" ] || return
+    echo $id
+}
+
+btrfs_replace_default_subvolume_with()
+{
+    $(ARGS_NE new_default)
+    local old_default old_default_id new_default_id
+    old_default_id=$(btrfs_show_default_id "$new_default")       || die
+    new_default_id=$(btrfs_show_subvolume_id "$new_default")     || die
+
+    [ "$new_default_id" = "$old_default_id" ] && return
+
+    if [ "$old_default_id" != 5 ]; then
+        old_default=$(btrfs_show_default_path "$new_default")    || die
+    else
+        old_default=
+    fi
+
+    btrfs subvolume set-default "$new_default_id" "$new_default" || die
+
+    if [ "$old_default" ]; then
+        btrfs subvolume delete "$old_default"
+        sex mv "$new_default" "$old_default"
+    fi
+}
+
+btrfs_show_subvolume_id()
+{
+    $(ARGS_NE path)
+    local result
+    result=$(btrfs subvolume show "$path" | sed -n -e 's/^[ \t]*Subvolume ID:[ \t]*//p; s/.*is toplevel subvolume/5/p')
+    if [ "$result" ]
+    then printf '%s\n' "$result"
+    else false
+    fi
+}
+
+with_dir()
+{
+    $(ARGS_NE d)
+    shift
+    [ -d "$d" ] || return 0
+    "$@" "$d"
+}
diff --git a/src/btrfs-receive-root.sh b/src/btrfs-receive-root.sh
new file mode 100644
index 0000000..f553c2c
--- /dev/null
+++ b/src/btrfs-receive-root.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+. sami/btrfs-functions.sh
+. sami/var.sh
+
+disable_stdout() { exec 3>&1; exec >&2; }
+enable_stdout() { exec >&3; }
+
+with_stdout() { enable_stdout; "$@"; disable_stdout; }
+
+create_layer_filesystem()
+{
+    [ ! -e "$layer_file" ] || return
+    ! mountpoint "$mountpoint" || return
+    mkdir -p "$mountpoint"                                         &&
+    sex dd if=/dev/zero of="$layer_file" bs=1M count="$layer_size" &&
+    sex mount -o subvol=/,compress "$seed_file" "$mountpoint"      &&
+    layer_dev=$(losetup -f --show "$layer_file")                   &&
+    sex btrfs device add "$layer_dev" "$mountpoint"                &&
+    mount -o rw,remount "$mountpoint"
+}
+
+finish()
+{
+    local subv_id
+    sex mv "$mountpoint"/ROOT "$mountpoint"/ROOT.old                              || return
+    sex btrfs subvolume snapshot "$mountpoint"/"$receive_subv" "$mountpoint"/ROOT || return
+    subv_id=$(btrfs_show_subvolume_id "$mountpoint"/ROOT)                         || return
+    sex btrfs subvolume set-default "$subv_id" "$mountpoint"                      || return
+    sex btrfs subvolume delete "$mountpoint"/ROOT.old                             || return
+    umount "$mountpoint"                                                          || return
+    sex btrfstune -S1 "$layer_file"                                               || return
+    losetup -d "$layer_dev"
+}
+
+set -e
+disable_stdout
+
+receive_dest=$1
+receive_subv=$2
+
+[ "$receive_subv" ]
+[ "$receive_dest" ]
+
+mountpoint=$(realpath -m --relative-base=. "$receive_dest")
+
+seed_file=sami/debian-live-8.4.0-amd64-standard.btrfs
+layer_file_FINAL=sami/debian-live-8.4.0-amd64-standard.layer.$receive_subv.btrfs
+layer_file=$layer_file_FINAL.part
+layer_size=1000
+
+create_layer_filesystem
+with_stdout sex btrfs receive "$mountpoint"
+finish
+mv "$layer_file" "$layer_file_FINAL"
diff --git a/src/btrfs-send-root.sh b/src/btrfs-send-root.sh
new file mode 100644
index 0000000..8a3a513
--- /dev/null
+++ b/src/btrfs-send-root.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+. samizdat-paths.sh
+. var.sh
+. btrfs-functions.sh
+
+rootfs_uuid ()
+{
+    btrfs filesystem show / | sed -ne 's/.*uuid: //p'
+}
+
+remote_btrfs_receiver()
+{
+#   ssh "$BTRFS_RECEIVE_DESTINATION_HOST" -- "sudo btrfs receive $(shellescape "$BTRFS_RECEIVE_DESTINATION_PATH")"
+    ssh "$BTRFS_RECEIVE_DESTINATION_HOST" -- \
+        "sudo sh sami/btrfs-receive-root.sh $(shellescape "$BTRFS_RECEIVE_DESTINATION_PATH") $(shellescape "$BTRFS_RECEIVE_SUBVOLUME_NAME")"
+}
+
+dummy_receiver()
+{
+    true
+}
+
+push_remote()
+{
+    $(ARGS_NE mnt src ssh_dst)
+
+    now=$(date +%F.%H%M%S) || die
+    snap_dir=$mnt/snapshot.$now
+    prev_dir=$mnt/SEED
+
+    case "$ssh_dst" in
+        *:*) ;;
+        *) return 1;;
+    esac
+    local BTRFS_RECEIVE_DESTINATION_PATH="${ssh_dst#*:}"
+    local BTRFS_RECEIVE_DESTINATION_HOST="${ssh_dst%%:*}"
+    local BTRFS_RECEIVE_SUBVOLUME_NAME="${snap_dir#$mnt/}"
+    push_helper false "$snap_dir" "$prev_dir" "$src" remote_btrfs_receiver
+}
+
+ssh_dst=d@fifty.local:sami/test_dest
+
+mkdir -p /mnt/rootfs || die
+mountpoint -q /mnt/rootfs || mount -o subvol=/ UUID=$(rootfs_uuid) /mnt/rootfs || die
+push_remote /mnt/rootfs / "$ssh_dst"
diff --git a/src/grub-efi.sh b/src/grub-efi.sh
new file mode 100755
index 0000000..e2d50f6
--- /dev/null
+++ b/src/grub-efi.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+. samizdat-paths.sh
+
+grub_config()
+{
+    cat <<EOF
+insmod echo
+echo GRUB
+insmod part_acorn
+insmod part_amiga
+insmod part_apple
+insmod part_bsd
+insmod part_dvh
+insmod part_gpt
+insmod part_msdos
+insmod part_plan
+insmod part_sun
+insmod part_sunpc
+
+insmod linux
+insmod iso9660
+
+echo Loading vmlinuz...
+linux /linux/vmlinuz boot=samizdat components quiet splash
+echo Loading initrd.img...
+initrd /linux/initrd.img
+echo Booting.
+echo
+boot
+
+EOF
+}
+
+real_destdir=$samizdat_grub_efi_dir
+destdir=$real_destdir.tmp
+
+set -e
+rm -r "${destdir}" 2>/dev/null || true
+mkdir -p "${destdir}"/grub/i386-pc/
+cp -r /usr/lib/grub/i386-pc/*  "${destdir}"/grub/i386-pc/
+rm "${destdir}"/grub/i386-pc/*.img || true
+
+grub_config > "${destdir}"/load_cfg
+set -x
+grub-mkimage -O i386-pc -d /usr/lib/grub/i386-pc/ -o "${destdir}"/core.img -c "${destdir}"/load_cfg  --prefix=/grub iso9660 biosdisk
+cat /usr/lib/grub/i386-pc/cdboot.img "${destdir}"/core.img > "${destdir}"/grub/i386-pc/eltorito.img
+cat /usr/lib/grub/i386-pc/boot.img "${destdir}"/core.img > "${destdir}"/embedded.img
+
+rm -r "$real_destdir" 2>/dev/null || true
+mv -T "$destdir" "$real_destdir"
diff --git a/src/initrd.sh b/src/initrd.sh
new file mode 100755
index 0000000..8cc8ea1
--- /dev/null
+++ b/src/initrd.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+initrd=${samizdat_isolinux_dir}/linux/initrd.img
+vmlinuz=${samizdat_isolinux_dir}/linux/vmlinuz
+
+version=$(uname -r)
+version=4.5.0-0.bpo.1-amd64
+conf_dir=initramfs-tools
+
+apt_dependencies=initrd-dependencies.txt
+
+find_source_dirs() {
+    set -- find "$conf_dir" ./old-school "$@"
+    "$@"
+}
+
+force_rebuild()
+{
+    touch "$conf_dir"
+    return 1
+}
+
+rebuild()
+{
+    [ ! -f "$apt_dependencies" ] || sudo apt-get install -q=10 --no-upgrade -y $(cat "$apt_dependencies")
+
+    set -ex
+    cp -f /boot/vmlinuz-${version} "$vmlinuz"
+    /usr/sbin/mkinitramfs -d "$conf_dir" -o "$initrd" ${version} || force_rebuild
+}
+
+if [ ! -e "$initrd" -o ! -e "$vmlinuz" ]; then
+    rebuild
+elif [ "$(find_source_dirs -newer "$initrd" -print -quit)" ]; then
+    rebuild
+fi
diff --git a/src/initrd/common.sh b/src/initrd/common.sh
new file mode 100644
index 0000000..4aa8528
--- /dev/null
+++ b/src/initrd/common.sh
@@ -0,0 +1,143 @@
+#!/bin/sh
+REQUIRED_MB=250 # minimum megabytes available to offer install
+MENUFIFO=/menu.fifo
+DEBUG=y
+LOGBASE=/var/log
+
+debug_log()
+{
+  if [ -n "$DEBUG" ]; then
+    if [ -n "$1" ]; then
+      DEBUG_LOG=$LOGBASE/"$1".$$.log
+    else
+      DEBUG_LOG=$LOGBASE/$(basename $0).$$.log
+    fi
+    mkdir -p $LOGBASE
+    exec >>$DEBUG_LOG 2>&1
+    set -x
+  fi
+}
+addmenu()
+{
+  cat <<END >>$MENUFIFO # mind the tabs
+setItem "$1" "dummy" "$2" "$3"
+END
+}
+menutitle()
+{
+  printf 'setTitle "%s"\n' "$1" >>$MENUFIFO
+  printf 'setWelcomeText "%s"\n' "$2" >>$MENUFIFO
+}
+bootmenu()
+{
+  local do_trigger="$1" no_panic="$2"
+  OpenVT -f -c 7 -- dynmenu "$MENUFIFO" &&
+  chvt 7 &&
+  menutitle 'Samizdat\n\nAs the Internet develops there are\ntransitions in the management arrangements.\nThe time has come to take\na small step in one of those transitions.' 'Choose an installation target.'
+# menutitle 'Samizdat\nfreedom from surveillance\nno trusted authorities' 'Choose an installation target.'
+  addmenu "ramdisk" "[ Boot to RAM without installing anything ]" "menu-select boot-ram"
+  if [ $? != 0 -a ! "$no_panic" ]; then
+    panic "error loading boot menu!  the system won't be usable :("
+  fi
+  if [ "$do_trigger" ]; then
+    udevadm trigger --subsystem-match=block --action=add
+  fi
+}
+find_squashfs_root()
+{
+  # TODO: "make" puts the correct location in $iso_squashfs_dir.  Get
+  # information into this function!
+
+  bootwait samizdat-cdrom
+  for dir in /cdrom/live /cdrom/liveos /cdrom/aptosid /cdrom/*
+  do
+    [ -d "$dir" ] || continue;
+    if [ -f "$dir"/filesystem.module ]; then
+      while read fs; do
+        [ -f "$dir"/"$fs" ] && echo "$dir" "$fs"
+      done < "$dir"/filesystem.module
+      return
+    fi
+  done
+  for fs in /cdrom/live/filesystem.squashfs /cdrom/live/grml-small.squashfs /cdrom/liveos/squashfs.img /cdrom/aptosid/aptosid.* /cdrom/*/*.squashfs
+  do
+    if [ -f "$fs" ]; then
+      echo "${fs%/*}" "${fs##*/}"
+      break
+    fi
+  done
+}
+xtrace()
+{
+  case "$-" in
+  *x*) "$@" ;;
+  *) set -x; "$@"; set +x ;;
+  esac
+}
+sleepcmd() {
+  local t=$1
+  shift
+  echo "about to run '$*' (in $t)"
+  sleep $t
+  "$@"
+}
+sleep_forever_verbose() {
+  sleep 4294967295 &
+  local sleep=$!
+  warn "sleeping until you kill $sleep..."
+  wait $sleep
+}
+warn() { [ -z "$warnings" ] || echo "$@" >&2; }
+panic()
+{
+  set +x
+  exec </dev/tty1 >/dev/tty1 2>&1
+  reset
+  echo "[p$$] initramfs /init: fatal error: $@"
+  echo "[p$$] will now exec emergency shell"
+  export PS1="[p$$ \\w]# "
+  chvt 1
+  exec /bin/sh -i
+}
+bootwait()
+{
+  mkdir -p /bootwait
+  local i=$#; while [ $i -gt 0 ]; do
+    i=$((i-1))
+    local f="$1"; shift; set -- "$@" "/bootwait/$f" 
+  done
+  wait_for_files "$@"
+}
+bootdone()
+{
+  mkdir -p /bootwait
+  local i=$#; while [ $i -gt 0 ]; do
+    i=$((i-1))
+    local f="$1"; shift; set -- "$@" "/bootwait/$f" 
+  done
+  touch "$@"
+}
+my_openvt()
+{
+  /bin/openvt -c "$@"
+}
+
+# This runs before way before NTP and on a LiveCD we have no
+# reason to trust the system clock.
+gpg2_nobatch() { GPG_TTY=$(tty) command gpg2 --ignore-time-conflict --ignore-valid-from "$@"; }
+gpg2() { gpg2_nobatch --batch "$@"; }
+
+xcp() { if [ -f "$1" -a ! -f "$2" ]; then cp "$1" "$2"; fi; }
+
+mountsquashes()
+{
+  local name dirname basename
+  while read dirname basename && [ -d "$dirname" -a -f "$dirname/$basename" ]; do
+    name=${basename%.squashfs}
+    mkdir -p "/squashes/$name" || return 1
+    xcp "$dirname"/filesystem.module /squashes/filesystem.module || return 1
+    mountpoint -q "/squashes/$name" ||
+    mount -o ro,loop "$dirname/$basename" "/squashes/$name" || return 1
+  done
+}
+
diff --git a/src/initrd/grok-block b/src/initrd/grok-block
new file mode 100755
index 0000000..75d5120
--- /dev/null
+++ b/src/initrd/grok-block
@@ -0,0 +1,182 @@
+#!/bin/sh
+. common.sh
+
+DEVNAME=$1
+case "$DEVNAME" in /dev/loop*|/dev/ram*|/dev/dm-*|/dev/md*|/dev/fd*) exit ;; esac
+[ -b "$DEVNAME" ] || exit
+
+debug_log "grok-block.${DEVNAME##*/}"
+
+addmenu_choosekey() 
+{
+  dev=$1
+  dir=$2
+  addmenu "$dev//$dir" \
+          "[ Use the GPG key on $dev ]" \
+          "menu-select boot-gpg $dev $dir"
+}
+
+addmenu_repairhfs()
+{
+  local device="$1"
+  addmenu "$device//reboot" \
+    "[ Reboot into Mac OS X in order to repair disk $device ]" \
+    "eject /cdrom; sleep 2; reboot -f"
+  addmenu "$device//fsck" \
+    "[ (DANGEROUS) Try to repair errors on $device with fsck.hfsplus ]" \
+    "/bin/openvt -sw -- sh -c 'fsck.hfsplus $device && remenu'"
+}
+
+addmenu_chooseroot()
+{
+  local device="$1" loopfile="$2"
+
+  addmenu "$device//$loopfile" \
+    "[ Boot the system on $device${loopfile:+ in file $(basename $loopfile)} ]" \
+    "menu-select --fs=$ID_FS_TYPE boot-luks $device ${loopfile:-$device}"
+}
+
+addmenu_makeroot()
+{
+  local device="$1" loopfile="$2" megs="$3" copy_cdrom="$4"
+  (
+    addmenu "$device//$loopfile" \
+      "[ Install Samizdat to $device (in file $(basename $loopfile)) ]" \
+      "menu-select --fs=$ID_FS_TYPE boot-new $device $loopfile $megs $copy_cdrom"
+  ) &
+}
+
+retry_mount()
+{
+  tries=20
+  until mntout="$(mount "$@" 2>&1)"
+  do
+    tries=$(( tries - 1 ))
+    case "$mntout" in 
+      *"Device or resource busy"*) 
+        if [ $tries -le 0 ]; then
+          warn "mount $@ failed: $mntout"
+          return 1
+        else
+          sleep 1
+          continue
+        fi
+        ;;
+      *)
+        warn "mount $@ failed: $mntout"
+        break ;;
+    esac
+  done
+}
+
+gpg_verify()
+{
+  bootwait samizdat-cdrom
+  gpg2 --lock-never --no-permission-warning --no-auto-check-trustdb --no-options --homedir /cdrom/gnupghome --verify "$1"
+}
+is_lvm()
+{
+  for n in 0 1 2 3; do
+    [ "LVM2 001" = "$(dd if="$1" bs=1 skip=$((512*n+24)) count=8 2>/dev/null)" ] && return 0
+  done
+  return 1
+}
+
+grok_block()
+{
+  local mountpoint="/mnt/${DEVNAME##*/}"
+
+  mkdir -p "$mountpoint"
+
+  case "$ID_FS_TYPE" in
+    ntfs) mount_type='-t ntfs-3g' ;;
+    "")   mount_type= ;;
+    *)    mount_type="-t $ID_FS_TYPE" ;;
+  esac
+
+  if [ "$ID_FS_TYPE" = hfsplus ] && ! fsck.hfsplus -q "$DEVNAME"; then
+    (if fsck.hfsplus "$DEVNAME"; then
+      grok-block "$DEVNAME"
+    else
+      addmenu_repairhfs "$DEVNAME"
+    fi) &
+    return
+  fi
+
+  if ! mountpoint -q "$mountpoint"; then
+    retry_mount $mount_type -o ro "$DEVNAME" "$mountpoint"
+  fi
+
+  if mountpoint -q "$mountpoint"; then
+    umount=true
+    # Device has an unencrypted filesystem on it.
+    # So we mount it and look for loop-back overlays.
+
+    if [ -d "$mountpoint/samizdat.gpg" ]; then
+      # check the key somehow?
+      addmenu_choosekey "$DEVNAME" "$mountpoint/samizdat.gpg"
+    fi
+
+    N=1; while [ -e "$mountpoint/samizdat.$N" ]
+    do
+      if gpg_verify "$mountpoint/samizdat.$N"k; then
+        addmenu_chooseroot "$DEVNAME" "$mountpoint/samizdat.$N"
+        # this menu entry chooses the root fs, and should prompt and wait for the matching key
+        umount=false
+      fi
+      N=$((N+1))
+    done
+
+    freeblocks=$(stat -f -c %f "$mountpoint")
+    blocksize=$(stat -f -c %S "$mountpoint")
+    freemegs=$((freeblocks * blocksize / 1024 / 1024))
+
+    if [ "$freemegs" -ge 300 ]; then
+
+      umount=false
+      bootwait samizdat-cdrom
+      cdromblocks=$(stat -f -c %b /cdrom)
+      cdromblocksize=$(stat -f -c %S /cdrom)
+      cdrommegs=$((cdromblocks * cdromblocksize / 1024 / 1024))
+
+      if [ "$freemegs"   -ge "$((cdrommegs * 3))" ]; then
+        addmenu_makeroot "$DEVNAME" "${mountpoint}/samizdat.$N" "$((cdrommegs * 3))" 1
+      elif [ "$freemegs" -ge "$((cdrommegs * 2))" ]; then
+        addmenu_makeroot "$DEVNAME" "${mountpoint}/samizdat.$N" "$((cdrommegs * 2))" 1
+      elif [ "$freemegs" -ge "$cdrommegs" ]; then
+        addmenu_makeroot "$DEVNAME" "${mountpoint}/samizdat.$N" "$((freemegs / 2))" 0
+      else
+        addmenu_makeroot "$DEVNAME" "${mountpoint}/samizdat.$N" 256 0
+      fi
+    fi
+
+    if $umount; then
+      umount "$mountpoint"
+      rmdir "$mountpoint"
+    fi
+  else
+    rmdir "$mountpoint"
+  fi
+}
+
+# Get me all them nice udev variables
+eval "$(PATH=$PATH:/lib/udev vol_id "$DEVNAME" | 
+  sed "s/'/'\\\\''/; s/=\(.*\)/='\1'/"
+)"
+
+CDROM_ID_FS_UUID_ENC='73256269-4002-4e42-adbd-0e49ed1c7438'
+CDROM_ID_FS_LABEL_ENC=$(sed 's/ /\\x20/g' /lib/samizdat/vol_id.txt)
+if [ "$ID_FS_UUID_ENC"  = "$CDROM_ID_FS_UUID_ENC" -o \
+     "$ID_FS_LABEL_ENC" = "$CDROM_ID_FS_LABEL_ENC" ]
+then
+  # Recognize and mount the Samizdat 
+  if ! mountpoint -q /cdrom; then
+    mkdir -p /cdrom
+    . mdadm-dup.sh
+    dup_mount_cdrom "$DEVNAME" /cdrom && bootdone samizdat-cdrom
+  fi
+else
+  grok_block &
+fi
+
+# vim:set et sw=2:
diff --git a/src/initrd/halt.montecarlo b/src/initrd/halt.montecarlo
new file mode 100755
index 0000000..67dac17
--- /dev/null
+++ b/src/initrd/halt.montecarlo
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+cmd=${0##*/}
+dashf=
+for arg in "$@"; do
+  case "$arg" in -*f*) dashf=1 ;; esac
+  case "$arg" in -*p*) [ "$cmd" = halt ] && cmd=poweroff ;; esac
+done
+
+[ "$dashf" ] || exec -a "$0" /sbin/halt.distrib "$@"
+
+read pids < /run/sendsigs.omit.d/samizdat
+for p in $pids; do
+  if [ -e /proc/$p/root -a ! /proc/$p/root -ef / ]; then
+    initramfs=/proc/$p/root
+    break
+  fi
+done
+
+panic()
+{
+  set -x
+  sync
+  exec -a "$0" /sbin/halt.distrib "$@"
+}
+
+[ "$initramfs" ] || panic
+
+cp /sbin/init $initramfs/telinit
+
+# Apparently, linux does not allow a direct bind mount of a file on
+# the initramfs.  Therefore, copy the file from the initramfs and bind
+# mount the copy.
+
+mount -o remount,exec /run
+cp $initramfs/lib/samizdat/init.shutdown /run/ && mount --bind /run/init.shutdown /sbin/init || panic
+
+echo $cmd -f > $initramfs/halt
+$initramfs/telinit u
diff --git a/src/initrd/init b/src/initrd/init
new file mode 100755
index 0000000..3b62c0a
--- /dev/null
+++ b/src/initrd/init
@@ -0,0 +1,60 @@
+#!/bin/sh
+PATH=$PATH:/usr/lib/klibc/bin
+#if [ $$ = 1 ]; then
+#  "$0" "$@"
+#  exec sh -i
+#fi
+. init.functions
+warnings=y
+
+debug_log init
+mountvirt
+klogd -c1 # no kernel messages
+
+mkdir -p "$LOGBASE"
+sh -c "syslogd -O '$LOGBASE'/"'syslogd.$$.log';
+if [ "$DEBUG" != y ]; then
+  echo 0 > /proc/sys/kernel/printk
+fi
+
+makedev
+loadenv
+
+if [ -x /bin/kmod ]; then
+  ln -sf /bin/kmod /bin/depmod
+  /bin/depmod -a
+else
+  depmod -a
+fi
+
+PS1='[$$ \w]# ' my_openvt 8 -- sh -i
+
+mkfifo "$MENUFIFO" || panic "mkfifo '$MENUFIFO' failed"
+bootmenu
+mkdir -p /etc/udev/rules.d
+cat <<END >/etc/udev/rules.d/z00_blockdev_mountroot.rules
+ACTION=="add", SUBSYSTEM=="block", RUN+="/bin/grok-block \$env{DEVNAME}"
+END
+
+start_udev
+mountunionroot
+
+bootwait rw-overlay
+# killeverything
+# nuke /dev/.udev/queue/
+stop_udev
+insertoverlay
+
+movemounts
+gpg_agent_chroot
+patchroot
+clear >/dev/tty1
+chvt 1
+[ -e /do-delay-boot ] && bootwait 'launch-init-ready'
+launch_init "$@"
+
+# unreachable since launch_init will panic on failure
+panic 'inconceivable!'
+exec >/dev/tty1 2>&1 <&1
+reset
+exec sh -i
diff --git a/src/initrd/init.functions b/src/initrd/init.functions
new file mode 100644
index 0000000..7209b04
--- /dev/null
+++ b/src/initrd/init.functions
@@ -0,0 +1,345 @@
+#!/bin/sh
+. common.sh
+mountvirt()
+{
+  # TODO: simply put these dirs on the initrd itself
+  mkdir -m 0755 -p /dev /sys /proc /tmp /var /run
+  mkdir -m 0700 -p /root
+
+  mount -t sysfs -o nodev,noexec,nosuid none /sys 
+  mount -t proc  -o nodev,noexec,nosuid none /proc 
+  tmpfs_size="10M"
+# [ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf
+  mount -t tmpfs -o size=$tmpfs_size,mode=0755 udev /dev
+  mount -t tmpfs -o size=64M,mode=0755 run /run
+  mkdir -m 0755 /dev/pts /run/lock
+  mount -t devpts devpts /dev/pts
+  ln -s /run /run/lock /var/
+}
+makedev()
+{
+  # TODO: simply put these nodes on the initrd itself
+  mkdir -m 0755 -p /dev
+  mknod /dev/null    c 1 3
+  mknod /dev/zero    c 1 5
+  mknod /dev/tty     c 5 0
+  if [ "$FUCK_devconsole" ]; then # FUCK /dev/console
+    mknod /dev/console c 4 1 # tty1 is console; a saner alternative (TODO: fix shutdown to chvt)
+  else
+    mknod /dev/console c 5 1
+  fi
+  for i in 0 1 2 3 4 5 6 7 8; do
+    mknod /dev/tty${i} c 4 ${i}
+  done
+  # TODO: wait for udev?  pft.
+  for i in 0 1 2 3 4 5 6 7; do
+    mknod /dev/loop${i} b 7 ${i}
+  done
+}
+loadenv()
+{
+  # TODO: filter the wheat from the chaff here; most of this is unused.
+  # TODO: implement the various boot args
+
+  # Load config files
+# export DPKG_ARCH=
+# . /conf/arch.conf
+# export ROOT=
+# . /conf/initramfs.conf
+# for conf in conf/conf.d/*; do
+#   [ -f ${conf} ] && . ${conf}
+# done
+  # Make modprobe quiet
+  export MODPROBE_OPTIONS="-qb"
+  # Export constants
+  export rootmnt=/root
+  # Export bootparam variables
+  export init=/sbin/init
+  export readonly=y
+  export blacklist=
+
+  # Parse command line options
+  for x in $(cat /proc/cmdline); do
+    case $x in
+      init=*) init=${x#init=} ;;
+      root=*)
+        ROOT=${x#root=}
+        case $ROOT in
+          LABEL=*) ROOT="/dev/disk/by-label/${ROOT#LABEL=}" ;;
+          UUID=*) ROOT="/dev/disk/by-uuid/${ROOT#UUID=}" ;;
+          /dev/nfs) [ -z "${BOOT}" ] && BOOT=nfs ;;
+        esac
+      ;;
+      rootflags=*) ROOTFLAGS="-o ${x#rootflags=}" ;;
+      rootfstype=*) ROOTFSTYPE="${x#rootfstype=}" ;;
+      ro) readonly=y ;;
+      rw) readonly=n ;;
+
+      nfsroot=*) NFSROOT="${x#nfsroot=}" ;;
+      ip=*) IPOPTS="${x#ip=}" ;;
+      boot=*) BOOT=${x#boot=} ;;
+
+      resume=*) RESUME="${x#resume=}" ;;
+      noresume) noresume=y ;;
+      blacklist=*) blacklist=${x#blacklist=} ;;
+
+      hostname=*)
+        hostname=${x#hostname=}
+        hostname "$hostname"
+      ;;
+      bootcd_device=*) bootcd_device=${x#bootcd_device=}
+        mkdir -p /cdrom &&
+        mount -r -t hostfs -o "${bootcd_device#hostfs=}" hostfs /cdrom &&
+        bootdone samizdat-cdrom
+      ;;
+      overlay_device=*) overlay_device=${x#overlay_device=}
+        mkdir -p /overlay &&
+        mount -t hostfs -o "${overlay_device#hostfs=}" hostfs /overlay &&
+        bootdone rw-overlay
+      ;;
+      uml_modules=*) uml_modules=${x#uml_modules=}
+        mount -t hostfs -o "${uml_modules#hostfs=}" hostfs /lib/modules ;;
+    esac
+  done
+
+  if [ -z "${noresume}" ]; then
+    export resume=${RESUME}
+  else
+    export noresume
+  fi
+}
+mountunionroot()
+{
+  bootwait samizdat-cdrom squashfs-root
+
+  ufs=
+  if grep -q aufs /proc/filesystems || modprobe aufs; then
+    ufs=aufs
+  elif grep -q unionfs /proc/filesystems || modprobe unionfs; then
+    ufs=unionfs
+  fi
+
+  case $ufs in
+    unionfs) ro=ro;;
+    aufs) ro=rr;;
+    *) panic "mountunionroot: unionfs module not found";;
+  esac
+
+  dirs=;
+  if [ -f /squashes/filesystem.module ]; then
+    while read img; do
+      d=/squashes/"${img%.squashfs}" 
+      mountpoint -q /squashes/"${img%.squashfs}" || continue;
+      dirs="$d=$ro${dirs:+:$dirs}"
+    done < /squashes/filesystem.module
+  else
+    for d in /squashes/*; do
+      mountpoint -q "$d" || continue
+      dirs="$d=$ro${dirs:+:$dirs}"
+    done
+  fi
+  [ -n "$dirs" ] ||
+    panic "no squashes.  missing/broken images on cdrom?"
+
+  if true; then
+#   overlay_tmp=$(mktemp -d /overlay.XXXXXX) &&
+    overlay_tmp=/overlay.$$ && mkdir -p $overlay_tmp &&
+    mount -t tmpfs tmpfs $overlay_tmp &&
+    touch $overlay_tmp/samizdat-filesystem-is-new
+    dirs="$overlay_tmp:$dirs" ||
+    { rmdir $overlay_tmp;
+      panic "mountunionroot: failure creating tmpfs overlay"; }
+  fi
+
+  mount -t $ufs -o rw,dirs="$dirs" $ufs "$rootmnt" ||
+    panic "mountunionroot: $ufs: mount (dirs=$dirs): error: $?"
+}
+insertoverlay() # TODO: copy-up and umount tmpfs.  MASSIVELY IMPORTANT!
+{
+  if ! mountpoint -q /overlay; then
+    # rw-overlay was signalled without a mount on /overlay
+    # thus, boot with the current tmpfs overlay
+    mkdir -p /overlay
+    mount -o move $overlay_tmp /overlay
+    return 0
+  fi
+
+  ufs=$(sed -ne 's?^[^ ]* '"$rootmnt"' \(unionfs\|aufs\) .*?\1?p' /proc/mounts)
+
+  case $ufs in
+    unionfs)
+      panic 'insertoverlay: TODO: implement unionfs support'
+
+      mount -o remount,rw,add=/overlay "$rootmnt" ||
+      panic "insertoverlay: remount unionfs (add=/overlay): error: $?"
+
+      #mount -o remount,del=$overlay_tmp && # NO, WRONG, COPY-UP FIRST
+      #umount $overlay_tmp && rmdir $overlay_tmp
+      ;;
+    aufs)
+      mount -o remount,rw,prepend:/overlay=rw "$rootmnt" ||
+        panic "insertoverlay: remount aufs (prepend:/overlay=rw): error: $?"
+
+      mount -o remount,mod:"$overlay_tmp"=ro+wh "$rootmnt" ||
+        panic "insertoverlay: couldn't set aufs branch read-only: $overlay_tmp"
+
+      # copy everything the user reads (not just writes) to the overlay
+      # (this is appropriate for CD-ROM but not testing.  TODO: enable)
+      #mount -o remount,coo=all "$rootmnt"
+
+      mkdir -p "$rootmnt"/xino && mount -o move "$overlay_tmp" "$rootmnt"/xino ||
+        panic "insertoverlay: couldn't move mount $overlay_tmp to $rootmnt/xino"
+      ;;
+    *) panic "insertoverlay: unrecognized filesystem ($ufs)";;
+  esac
+
+  bootdone root-mounted
+}
+AppendIfNoSuchLine()
+{
+  local filename="$1"
+  shift
+  if grep -vqF "$1" < "$filename"; then 
+    printf '%s\n' "$@" >> "$filename"
+  fi
+}
+gpg_agent_chroot()
+{
+  chroot "$rootmnt" sh -c \
+    'export PATH=/usr/local/sbin:/usr/local/bin:$PATH;
+     killall gpg-agent;
+     samizdat-gpg-agent;
+     killall -USR2 samizdat-pinentry;'
+}
+remove_squashfs_mistakes()
+{
+  # Workaround for bad samizdat-generated upstream squashfs:
+  rm -f "$rootmnt"/etc/ipsec.conf
+  rm -rf "$rootmnt"/etc/samizdat/samizdat-receive-hooks
+  rm -f "$rootmnt"/etc/adjtime
+}
+patchroot_UNUSED()
+{
+  test -e "$rootmnt"/samizdat-filesystem-is-new || return
+  echo Patching livecd root -- $(date) >> /dev/tty7
+  rm -f /dev/console; mknod /dev/console c 4 1
+
+  remove_squashfs_mistakes
+
+  if [ -e /etc/adjtime -a ! -e "$rootmnt"/etc/adjtime ]; then
+    cp /etc/adjtime "$rootmnt"/etc/adjtime
+  fi
+
+  if [ -f "$rootmnt"/cdrom/samizdat/skel.tgz ]; then
+    chroot "$rootmnt" bin/tar -C / --no-same-owner -zxf /cdrom/samizdat/skel.tgz
+  fi
+  chroot "$rootmnt" hostname -F /etc/hostname
+
+  chroot "$rootmnt" update-rc.d samizdat-pids start 15 S
+
+  # We need debian-tor user so that hidden service directory can have the right owner
+  chroot "$rootmnt" adduser --quiet --system --disabled-password  --home /var/lib/tor \
+                --no-create-home --shell /bin/bash  --group  debian-tor
+
+  # TODO: check errors here
+  chroot "$rootmnt" sh -c \
+    'export PATH=/usr/local/sbin:/usr/local/bin:"$PATH" GNUPGHOME=/gpg/gnupghome verbose=1;
+     samizdat-receive -v < /cdrom/samizdat/secrets.mime && samizdat-receive -v < /cdrom/samizdat/public.mime'
+
+  for diversion in /etc/kernel/postinst.d/initramfs-tools /etc/init.d/live-boot /sbin/halt; do
+    chroot "$rootmnt" dpkg-divert --rename --package samizdat --add "$diversion"
+  done
+  cp /bin/halt.montecarlo "$rootmnt"/sbin/halt
+
+  if ! [ -f "$rootmnt"/var/lib/dpkg/info/linux-image-"$(uname -r)".list ]; then
+    chroot "$rootmnt" sh -c \
+      'dpkg --fsys-tarfile /cdrom/samizdat/debs/linux-image-$(uname -r)_*.deb | tar -C / -x; depmod -a'
+  fi
+
+  # disable some of GRML's many consoles.
+# sed -i -e 's/^\([3456789]\|1[012]\):/#\1:/' "$rootmnt"/etc/inittab
+# sed -i -e 's/^NUM_CONSOLES=12/NUM_CONSOLES=0/' "$rootmnt"/usr/bin/zsh-login
+
+  # these GRML scripts implement a "sendsigs" which does not respect omit.d
+  sed -i -e 's/^\(l0:.*\)grml-halt$/\1rc 0/' "$rootmnt"/etc/inittab
+  sed -i -e 's/^\(l6:.*\)grml-reboot$/\1rc 6/' "$rootmnt"/etc/inittab
+  chroot "$rootmnt" update-rc.d sendsigs stop 20 0 6
+
+  echo Done patching livecd root -- $(date) >>/dev/tty7
+  rm "$rootmnt"/samizdat-filesystem-is-new
+}
+movemounts()
+{
+  # Move mounted filesystems to the root filesystem
+  while read dev mp rest; do
+    case "$mp" in
+      "$rootmnt"|"$rootmnt"/*|/|/proc|/dev|/dev/pts|/sys) continue ;;
+      /mnt.samizdat.*)
+        #umount -l "$mp"
+        target="$rootmnt/media/${dev##*/}"
+      ;;
+      /overlay.*) umount -l $mp; continue ;;
+      *) target="$rootmnt$mp" ;;
+    esac
+    mkdir -p "$target"
+    mount -n -o move "$mp" "$target"
+  done </proc/mounts
+  mount --rbind /dev "$rootmnt"/dev
+  mount --bind /proc "$rootmnt"/proc
+  ln -sf /proc/mounts "$rootmnt"/etc/mtab
+}
+launch_init()
+{
+  # bad init= command line?
+  if [ ! -x "$rootmnt$init" ]; then
+    panic "init does not exist or is not executable (init=$init)"
+  fi
+  ln -sf /proc/mounts "$rootmnt"/etc/mtab
+  export CONSOLE=/dev/tty1
+  exec chroot "$rootmnt" "$init" "$@" <"$rootmnt$CONSOLE" >"$rootmnt$CONSOLE" 2>&1
+  panic "exec init failed (init=$init)"
+# exec run-init -c "$CONSOLE" "$rootmnt" "$init" "$@"
+# panic "exec run-init failed (init=$init)"
+}
+start_udev()
+{
+  echo > /proc/sys/kernel/hotplug
+  mkdir -p /dev/.udev/db/ /dev/.udev/queue/
+# mkdir -p "$LOGBASE"; sh -c "udevd --resolve-names=never --debug >$LOGBASE/udevd."'$$'".log 2>&1" &
+  udevd --resolve-names=never --daemon
+  udevadm trigger --action=add
+# udevadm settle
+}
+stop_udev()
+{
+  for proc in /proc/[0-9]*; do
+    [ -x $proc/exe ] || continue
+    [ "$(readlink $proc/exe)" = /sbin/udevd ] && kill ${proc#/proc/}
+  done
+  # ignore any failed event because the init script will trigger again all events
+  nuke /dev/.udev/queue/
+}
+killeverything()
+{
+  # TODO: exempt: interactive shell(s) (AND CHILDREN) (or: anything with
+  # a tty?), samizdat-agent, fsck(!!), ...?
+
+# exempt_cmdline="$(printf "sh\0-i\0")"
+  force=
+  while true; do
+    killme=
+    for proc in /proc/[0-9]*; do
+      [ $proc != /proc/1 -a $proc != /proc/$$ -a -x $proc/exe ] || continue
+#     [ "$(cat $proc/cmdline)" != "$exempt_cmdline" ] || continue
+      read pid tcomm state ppid pgrp sid tty_nr tty_pgrp rest < $proc/stat
+      [ $tty_nr = 0 ] || continue
+      killme="$killme ${proc#/proc/}"
+    done
+    if [ -n "$killme" ]; then
+      kill $force $killme
+    else
+      break
+    fi
+    force=-KILL
+  done
+}
diff --git a/src/initrd/init.shutdown b/src/initrd/init.shutdown
new file mode 100755
index 0000000..6bfce84
--- /dev/null
+++ b/src/initrd/init.shutdown
@@ -0,0 +1,30 @@
+#!/bin/sh
+read omitpids < /run/sendsigs.omit.d/samizdat
+for pid in $omitpids; do
+  if [ -e /proc/$pid/root ]; then
+    initroot=/proc/$pid/root
+    break
+  fi
+done
+
+warn() { echo "$*" >/dev/console; }
+error() { umount /sbin/init; exec /sbin/init; }
+
+[ -e "$initroot" ] || error
+
+if [ $$ != 1 ]; then
+  exec $initroot/init "$@"
+else
+  set --
+  for pid in $omitpids; do
+    set -- "$@" -o $pid
+  done
+  if killall5 -15 "$@"; then
+    sleep 5
+    killall5 -9 "$@"
+  fi
+  exec <$initroot/dev/console >$initroot/dev/console 2>$initroot/dev/console
+  exec chroot $initroot umountall.sh
+
+  error
+fi
diff --git a/src/initrd/loop-layer.sh b/src/initrd/loop-layer.sh
new file mode 100644
index 0000000..7e08e12
--- /dev/null
+++ b/src/initrd/loop-layer.sh
@@ -0,0 +1,15 @@
+losetup_snapshot()
+{
+    local ro_dev rw_dev new_dev_name size persist chunksize
+    ro_file=$1
+    rw_file=$2
+
+    ro_dev=$(LoSetup -r -f --show "$ro_file") || return
+    rw_dev=$(LoSetup -f --show "$rw_file") || return
+    new_dev_name=${ro_dev##*/}
+    size=$(blockdev --getsz "$ro_dev") || return
+    persist=p
+    chunksize=16
+    dmsetup create "$new_dev_name" --table "0 $size snapshot $ro_dev $rw_dev $persist $chunksize" || return
+    echo /dev/mapper/"$new_dev_name"
+}
diff --git a/src/initrd/lvm-create.sh b/src/initrd/lvm-create.sh
new file mode 100644
index 0000000..d4a8bdf
--- /dev/null
+++ b/src/initrd/lvm-create.sh
@@ -0,0 +1,299 @@
+#!/bin/sh
+
+losetup() { /sbin/losetup "$@"; }
+
+luks_secret()
+{
+  local parms=$-; # this junk keeps set -x from being too annoying
+  set +x
+  [ -n "$luks_secret" ] || luks_secret="$(head -c256 /dev/urandom)"
+  printf %s "$luks_secret"
+  case $parms in *x*) set -x; set -x ;; esac
+}
+
+floor4()
+{
+  # Negatives round up, but aren't used.
+  echo $(($1 / 4 * 4))
+}
+
+ceil4()
+{
+  local x="$1"
+  [ $((x % 4)) -eq 0 ] || x=$((x + 4 - x % 4))
+  printf '%d\n' "$x"
+}
+
+. loop-layer.sh
+
+losetup_layers()
+{
+    bootwait samizdat-cdrom
+    local fs fs_rw
+    for fs in /cdrom/rootfs/*.btrfs; do
+        fs_rw=/"${fs##*/}".rw
+        dd if=/dev/zero of="$fs_rw" bs=1M count=10
+        losetup_snapshot "$fs" "$fs_rw" || return
+    done
+}
+
+init_samizdat()
+{
+  local blockdev="$1" imgfile="$2" uuid
+
+  losetup_layers                                   || return
+  modprobe btrfs                                   || return
+  btrfs device scan                                || return
+
+  uuid=$(choose_uuid)                              || return
+  [ "$uuid" ]                                      || return
+
+  mount -t btrfs UUID="$uuid" /root || return
+
+  btrfs device add "$blockdev" /root               || return
+  mount -o rw,remount /root                        || return
+  samizdat_movemounts "$imgfile"                   || return
+
+  initialize_root_filesystem                       || return
+
+  bootdone root-mounted
+}
+
+samizdat_movemounts()
+{
+    local imgfile="$1" mountpoint
+
+    if [ "$imgfile" ]; then
+        mountpoint=$(mountpoint_of "$imgfile") || return
+        mkdir /root/outerfs
+        mount -o move "$mountpoint" /root/outerfs
+    fi
+    mkdir /root/cdrom
+    mount -o move /cdrom /root/cdrom
+    mkdir -p /run/initramfs/samizdat/log
+    cp /var/log/* /run/initramfs/samizdat/log
+    true
+}
+
+mountpoint_of()
+{
+    local f="$1"
+    while ! mountpoint -q "$f"; do
+        f=$(dirname "$f")
+        [ "$f" != '.' ] || return 1
+    done
+    printf '%s\n' "$f"
+}
+
+initialize_root_filesystem()
+{
+    rm -r /root/root
+    btrfs subvolume create /root/root                   || return
+    mv /gpg/gnupghome /root/root/.gnupg                 || return
+
+    rmdir /root/srv
+    btrfs subvolume create /root/srv
+    rm -r /root/var/cache/apt/archives
+    btrfs subvolume create /root/var/cache/apt/archives || return
+
+    rmdir /root/home
+    btrfs subvolume create /root/home                   || return
+
+    [ -x /root/sbin/mdadm ] || cp /sbin/mdadm /root/sbin/
+    # Copy these over unconditionally, because they ought to remain in sync with
+    # the initrd.
+    cp /bin/mdadm-dup.sh /root/sbin/
+    cp /bin/samizdat-eject.sh /root/sbin/
+
+    sed -i -e 's/^root:x:/root::/' /root/etc/passwd
+    cp /patchroot/* /root/root/
+
+    true
+}
+
+# Get the uuid of the filesystem with the most devices,
+# excluding filesystems that don't incorporate loop devices.
+# This is used to choose the latest seed -- which should have
+# the most layers.
+choose_uuid()
+{
+    local seen_loop= seen_uuid= seen_devs=
+    btrfs filesystem show |
+        while read line; do
+            case "$line" in
+                Label*)
+                    seen_uuid=${line##*uuid: }
+                    seen_devs=
+                    seen_loop=
+                    ;;
+                *Total\ devices*)
+                    seen_devs=${line#*Total devices }
+                    seen_devs=${seen_devs%% *}
+                    ;;
+                *path\ /dev/mapper/*)
+                    seen_loop=t;;
+            esac
+            [ "$seen_loop" ] && echo "$seen_devs $seen_uuid"
+        done |
+        uniq | sort -nr | head -n1 | (read _ x; echo $x)
+}
+
+filesystem_incomplete()
+{
+    local n
+    n=$(btrfs filesystem show "$1" | sed -ne 's/.*Total devices \([^ ]*\) .*/\1/p')
+    [ "$n" != 1 ]
+}
+
+open_samizdat()
+{
+  local imgfile="$1" keyfile="$2"
+  open_samizdat_blockdev "$imgfile" "$keyfile" || return
+  local blockdev=/dev/mapper/samizdatcrypt fs
+
+  # For this part, we don't necessarily need the cdrom.
+  # Unfortunately the init_gpg code is still getting the GPG key there.
+  if filesystem_incomplete "$blockdev"; then
+     losetup_layers
+  fi
+  modprobe btrfs || return
+  btrfs device scan || return
+  mount -t btrfs "$blockdev" /root || return
+  samizdat_movemounts "$imgfile"
+  LoSetup -D
+  bootdone root-mounted
+}
+
+init_samizdat_lodev()
+{
+  local imgfile="$1" megs=$(ceil4 "$2") dev
+  truncate -s ${megs}M "$imgfile" || return
+  dev=$(losetup -f) && losetup "$dev" "$imgfile" || return
+  echo "$dev"
+}
+
+open_samizdat_blockdev()
+{
+  local imgfile="$1" keyfile="$2" dev
+  local cryptname=samizdatcrypt
+  dev=$(losetup -f) && losetup "$dev" "$imgfile" || return
+
+  gpg2 --verify "$keyfile" || return
+  # The first --decrypt merely strips the signature.  The option is
+  # poorly named for that case.
+  gpg2 --decrypt "$keyfile" | gpg2 --decrypt | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return
+
+  [ -b /dev/mapper/"$cryptname" ] || return
+
+}
+
+init_samizdat_blockdev()
+{
+  local imgfile="$1" megs="$2" keyfile="$3" dev
+  local cryptname=samizdatcrypt
+
+  dev=$(init_samizdat_lodev "$imgfile" "$megs") || return
+
+  [ ! -b /dev/mapper/"$cryptname" ] || return
+
+  luks_secret >/dev/null
+  luks_secret | gpg2 --default-recipient-self --encrypt --armor | gpg2 --clearsign --output "$keyfile" || return
+
+  luks_secret | cryptsetup luksFormat "$dev" - || return
+  cryptsetup luksDump "$dev" >&2
+  luks_secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return
+
+  [ -b /dev/mapper/"$cryptname" ] || return
+}
+
+majmin()
+{
+  local dev="$1" major minor
+  eval $(stat -c 'major=%t minor=%T' "$dev") || return
+  [ "$major" -a "$minor" ] || return
+  printf '%d:%d\n' 0x$major 0x$minor
+}
+
+cryptdev_to_dev()
+{
+  local dev="$1" majmin
+  majmin=$(majmin "$dev") || return
+  set -- /sys/dev/block/$majmin/slaves/*
+  [ $# = 1 ] || return
+
+  cryptsetup status "$dev" |while read k v; do if [ "$k" = device: ]; then echo $v; break; fi; done
+}
+
+cryptdev_to_backing_file()
+{
+  local dev="$1" majmin result
+  majmin="$(majmin "$dev")" || return
+  set -- /sys/dev/block/$majmin/slaves/*
+  [ $# = 1 ] || return
+  read result < "$1"/loop/backing_file || return
+  printf '%s\n' "$result"
+}
+
+lodev_to_file()
+{
+  local result majmin dev="$1"
+  majmin="$(majmin "$dev")" || return
+  read result < /sys/dev/block/$majmin/loop/backing_file || return
+  printf '%s' "$result"
+}
+
+mountpoint_to_dev()
+{
+  local wantmp="$1" dev mp rest
+  mountpoint -q "$wantmp" || return
+  while read dev mp rest; do if [ "$mp" = "$wantmp" ]; then echo "$dev"; return; fi; done < /proc/mounts
+  return 1
+}
+
+get_cdrom_sizelimit()
+{
+  # returns bytes
+  local dev="$1" sectors
+  sectors=$(blockdev --getsz "$dev") || return
+  if dd count=2 if="$dev" bs=2048 skip=$((sectors/4 - 2)) of=/dev/null 2>/dev/null; then
+    return
+  else
+    echo $(((sectors-8)*512))
+  fi
+}
+
+init_gpg()
+{
+  bootwait samizdat-cdrom
+  export GNUPGHOME=/gpg/gnupghome
+  mkdir -p "$GNUPGHOME"
+  (umask 077; rsync --exclude '/luks-key*' --ignore-existing -rpP /cdrom/gnupghome/ "$GNUPGHOME")
+
+  if samizdat-password-agent >/var/log/samizdat-password-agent.log 2>&1; then
+    clear
+    true
+  else
+    false
+  fi
+}
+
+start_meter()
+{
+  local startmsg="$*"
+  (exec >&4
+  clear
+  echo -n $startmsg
+  set +x
+  while sleep 2; do
+    echo -n .
+  done) &
+  meterpid=$!
+}
+
+stop_meter()
+{
+  local endmsg="$*"
+  kill $meterpid
+  echo "  $endmsg" >&4
+}
+
diff --git a/src/initrd/lvm.conf b/src/initrd/lvm.conf
new file mode 100644
index 0000000..0c1289f
--- /dev/null
+++ b/src/initrd/lvm.conf
@@ -0,0 +1,773 @@
+# This is an example configuration file for the LVM2 system.
+# It contains the default settings that would be used if there was no
+# /etc/lvm/lvm.conf file.
+#
+# Refer to 'man lvm.conf' for further information including the file layout.
+#
+# To put this file in a different directory and override /etc/lvm set
+# the environment variable LVM_SYSTEM_DIR before running the tools.
+#
+# N.B. Take care that each setting only appears once if uncommenting
+# example settings in this file.
+
+
+# This section allows you to configure which block devices should
+# be used by the LVM system.
+devices {
+
+    # Where do you want your volume groups to appear ?
+    dir = "/dev"
+
+    # An array of directories that contain the device nodes you wish
+    # to use with LVM2.
+    scan = [ "/dev" ]
+
+    # If set, the cache of block device nodes with all associated symlinks
+    # will be constructed out of the existing udev database content.
+    # This avoids using and opening any inapplicable non-block devices or
+    # subdirectories found in the device directory. This setting is applied
+    # to udev-managed device directory only, other directories will be scanned
+    # fully. LVM2 needs to be compiled with udev support for this setting to
+    # take effect. N.B. Any device node or symlink not managed by udev in
+    # udev directory will be ignored with this setting on.
+    obtain_device_list_from_udev = 1
+
+    # If several entries in the scanned directories correspond to the
+    # same block device and the tools need to display a name for device,
+    # all the pathnames are matched against each item in the following
+    # list of regular expressions in turn and the first match is used.
+    preferred_names = [ ]
+
+    # Try to avoid using undescriptive /dev/dm-N names, if present.
+    # preferred_names = [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+
+    # A filter that tells LVM2 to only use a restricted set of devices.
+    # The filter consists of an array of regular expressions.  These
+    # expressions can be delimited by a character of your choice, and
+    # prefixed with either an 'a' (for accept) or 'r' (for reject).
+    # The first expression found to match a device name determines if
+    # the device will be accepted or rejected (ignored).  Devices that
+    # don't match any patterns are accepted.
+
+    # Be careful if there there are symbolic links or multiple filesystem 
+    # entries for the same device as each name is checked separately against
+    # the list of patterns.  The effect is that if the first pattern in the 
+    # list to match a name is an 'a' pattern for any of the names, the device
+    # is accepted; otherwise if the first pattern in the list to match a name
+    # is an 'r' pattern for any of the names it is rejected; otherwise it is
+    # accepted.
+
+    # Don't have more than one filter line active at once: only one gets used.
+
+    # Run vgscan after you change this parameter to ensure that
+    # the cache file gets regenerated (see below).
+    # If it doesn't do what you expect, check the output of 'vgscan -vvvv'.
+
+
+    # By default we accept every block device:
+    filter = [ "a/.*/" ]
+
+    # Exclude the cdrom drive
+    # filter = [ "r|/dev/cdrom|" ]
+
+    # When testing I like to work with just loopback devices:
+    # filter = [ "a/loop/", "r/.*/" ]
+
+    # Or maybe all loops and ide drives except hdc:
+    # filter =[ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+
+    # Use anchors if you want to be really specific
+    # filter = [ "a|^/dev/hda8$|", "r/.*/" ]
+
+    # The results of the filtering are cached on disk to avoid
+    # rescanning dud devices (which can take a very long time).
+    # By default this cache is stored in the /etc/lvm/cache directory
+    # in a file called '.cache'.
+    # It is safe to delete the contents: the tools regenerate it.
+    # (The old setting 'cache' is still respected if neither of
+    # these new ones is present.)
+    cache_dir = "/run/lvm"
+    cache_file_prefix = ""
+
+    # You can turn off writing this cache file by setting this to 0.
+    write_cache_state = 1
+
+    # Advanced settings.
+
+    # List of pairs of additional acceptable block device types found 
+    # in /proc/devices with maximum (non-zero) number of partitions.
+    # types = [ "fd", 16 ]
+
+    # If sysfs is mounted (2.6 kernels) restrict device scanning to 
+    # the block devices it believes are valid.
+    # 1 enables; 0 disables.
+    sysfs_scan = 1
+
+    # By default, LVM2 will ignore devices used as component paths
+    # of device-mapper multipath devices.
+    # 1 enables; 0 disables.
+    multipath_component_detection = 1
+
+    # By default, LVM2 will ignore devices used as components of
+    # software RAID (md) devices by looking for md superblocks.
+    # 1 enables; 0 disables.
+    md_component_detection = 1
+
+    # By default, if a PV is placed directly upon an md device, LVM2
+    # will align its data blocks with the md device's stripe-width.
+    # 1 enables; 0 disables.
+    md_chunk_alignment = 1
+
+    # Default alignment of the start of a data area in MB.  If set to 0,
+    # a value of 64KB will be used.  Set to 1 for 1MiB, 2 for 2MiB, etc.
+    # default_data_alignment = 1
+
+    # By default, the start of a PV's data area will be a multiple of
+    # the 'minimum_io_size' or 'optimal_io_size' exposed in sysfs.
+    # - minimum_io_size - the smallest request the device can perform
+    #   w/o incurring a read-modify-write penalty (e.g. MD's chunk size)
+    # - optimal_io_size - the device's preferred unit of receiving I/O
+    #   (e.g. MD's stripe width)
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # This setting takes precedence over md_chunk_alignment.
+    # 1 enables; 0 disables.
+    data_alignment_detection = 1
+
+    # Alignment (in KB) of start of data area when creating a new PV.
+    # md_chunk_alignment and data_alignment_detection are disabled if set.
+    # Set to 0 for the default alignment (see: data_alignment_default)
+    # or page size, if larger.
+    data_alignment = 0
+
+    # By default, the start of the PV's aligned data area will be shifted by
+    # the 'alignment_offset' exposed in sysfs.  This offset is often 0 but
+    # may be non-zero; e.g.: certain 4KB sector drives that compensate for
+    # windows partitioning will have an alignment_offset of 3584 bytes
+    # (sector 7 is the lowest aligned logical block, the 4KB sectors start
+    # at LBA -1, and consequently sector 63 is aligned on a 4KB boundary).
+    # But note that pvcreate --dataalignmentoffset will skip this detection.
+    # 1 enables; 0 disables.
+    data_alignment_offset_detection = 1
+
+    # If, while scanning the system for PVs, LVM2 encounters a device-mapper
+    # device that has its I/O suspended, it waits for it to become accessible.
+    # Set this to 1 to skip such devices.  This should only be needed
+    # in recovery situations.
+    ignore_suspended_devices = 0
+
+    # During each LVM operation errors received from each device are counted.
+    # If the counter of a particular device exceeds the limit set here, no
+    # further I/O is sent to that device for the remainder of the respective
+    # operation. Setting the parameter to 0 disables the counters altogether.
+    disable_after_error_count = 0
+
+    # Allow use of pvcreate --uuid without requiring --restorefile.
+    require_restorefile_with_uuid = 1
+
+    # Minimum size (in KB) of block devices which can be used as PVs.
+    # In a clustered environment all nodes must use the same value.
+    # Any value smaller than 512KB is ignored.
+
+    # Ignore devices smaller than 2MB such as floppy drives.
+    pv_min_size = 2048
+
+    # The original built-in setting was 512 up to and including version 2.02.84.
+    # pv_min_size = 512
+
+    # Issue discards to a logical volumes's underlying physical volume(s) when
+    # the logical volume is no longer using the physical volumes' space (e.g.
+    # lvremove, lvreduce, etc).  Discards inform the storage that a region is
+    # no longer in use.  Storage that supports discards advertise the protocol
+    # specific way discards should be issued by the kernel (TRIM, UNMAP, or
+    # WRITE SAME with UNMAP bit set).  Not all storage will support or benefit
+    # from discards but SSDs and thinly provisioned LUNs generally do.  If set
+    # to 1, discards will only be issued if both the storage and kernel provide
+    # support.
+    # 1 enables; 0 disables.
+    issue_discards = 0
+}
+
+# This section allows you to configure the way in which LVM selects
+# free space for its Logical Volumes.
+#allocation {
+#    When searching for free space to extend an LV, the "cling"
+#    allocation policy will choose space on the same PVs as the last
+#    segment of the existing LV.  If there is insufficient space and a
+#    list of tags is defined here, it will check whether any of them are
+#    attached to the PVs concerned and then seek to match those PV tags
+#    between existing extents and new extents.
+#    Use the special tag "@*" as a wildcard to match any PV tag.
+#    
+#    Example: LVs are mirrored between two sites within a single VG.
+#    PVs are tagged with either @site1 or @site2 to indicate where
+#    they are situated.
+#
+#    cling_tag_list = [ "@site1", "@site2" ]
+#    cling_tag_list = [ "@*" ]
+#
+#    Changes made in version 2.02.85 extended the reach of the 'cling'
+#    policies to detect more situations where data can be grouped
+#    onto the same disks.  Set this to 0 to revert to the previous
+#    algorithm.
+#
+#    maximise_cling = 1
+#
+#    Set to 1 to guarantee that mirror logs will always be placed on 
+#    different PVs from the mirror images.  This was the default
+#    until version 2.02.85.
+#
+#    mirror_logs_require_separate_pvs = 0
+#
+#    Set to 1 to guarantee that thin pool metadata will always
+#    be placed on different PVs from the pool data.
+#
+#    thin_pool_metadata_require_separate_pvs = 0
+#}
+
+# This section that allows you to configure the nature of the
+# information that LVM2 reports.
+log {
+
+    # Controls the messages sent to stdout or stderr.
+    # There are three levels of verbosity, 3 being the most verbose.
+    verbose = 0
+
+    # Should we send log messages through syslog?
+    # 1 is yes; 0 is no.
+    syslog = 1
+
+    # Should we log error and debug messages to a file?
+    # By default there is no log file.
+    #file = "/var/log/lvm2.log"
+
+    # Should we overwrite the log file each time the program is run?
+    # By default we append.
+    overwrite = 0
+
+    # What level of log messages should we send to the log file and/or syslog?
+    # There are 6 syslog-like log levels currently in use - 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level = 0
+
+    # Format of output messages
+    # Whether or not (1 or 0) to indent messages according to their severity
+    indent = 1
+
+    # Whether or not (1 or 0) to display the command name on each line output
+    command_names = 0
+
+    # A prefix to use before the message text (but after the command name,
+    # if selected).  Default is two spaces, so you can see/grep the severity
+    # of each message.
+    prefix = "  "
+
+    # To make the messages look similar to the original LVM tools use:
+    #   indent = 0
+    #   command_names = 1
+    #   prefix = " -- "
+
+    # Set this if you want log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    # activation = 0
+}
+
+# Configuration of metadata backups and archiving.  In LVM2 when we
+# talk about a 'backup' we mean making a copy of the metadata for the
+# *current* system.  The 'archive' contains old metadata configurations.
+# Backups are stored in a human readeable text format.
+backup {
+
+    # Should we maintain a backup of the current metadata configuration ?
+    # Use 1 for Yes; 0 for No.
+    # Think very hard before turning this off!
+    backup = 1
+
+    # Where shall we keep it ?
+    # Remember to back up this directory regularly!
+    backup_dir = "/etc/lvm/backup"
+
+    # Should we maintain an archive of old metadata configurations.
+    # Use 1 for Yes; 0 for No.
+    # On by default.  Think very hard before turning this off.
+    archive = 1
+
+    # Where should archived files go ?
+    # Remember to back up this directory regularly!
+    archive_dir = "/etc/lvm/archive"
+
+    # What is the minimum number of archive files you wish to keep ?
+    retain_min = 10
+
+    # What is the minimum time you wish to keep an archive file for ?
+    retain_days = 30
+}
+
+# Settings for the running LVM2 in shell (readline) mode.
+shell {
+
+    # Number of lines of history to store in ~/.lvm_history
+    history_size = 100
+}
+
+
+# Miscellaneous global LVM2 settings
+global {
+
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    umask = 077
+
+    # Allow other users to read the files
+    #umask = 022
+
+    # Enabling test mode means that no changes to the on disk metadata
+    # will be made.  Equivalent to having the -t option on every
+    # command.  Defaults to off.
+    test = 0
+
+    # Default value for --units argument
+    units = "h"
+
+    # Since version 2.02.54, the tools distinguish between powers of
+    # 1024 bytes (e.g. KiB, MiB, GiB) and powers of 1000 bytes (e.g.
+    # KB, MB, GB).
+    # If you have scripts that depend on the old behaviour, set this to 0
+    # temporarily until you update them.
+    si_unit_consistency = 1
+
+    # Whether or not to communicate with the kernel device-mapper.
+    # Set to 0 if you want to use the tools to manipulate LVM metadata 
+    # without activating any logical volumes.
+    # If the device-mapper kernel driver is not present in your kernel
+    # setting this to 0 should suppress the error messages.
+    activation = 1
+
+    # If we can't communicate with device-mapper, should we try running 
+    # the LVM1 tools?
+    # This option only applies to 2.4 kernels and is provided to help you
+    # switch between device-mapper kernels and LVM1 kernels.
+    # The LVM1 tools need to be installed with .lvm1 suffices
+    # e.g. vgscan.lvm1 and they will stop working after you start using
+    # the new lvm2 on-disk metadata format.
+    # The default value is set when the tools are built.
+    # fallback_to_lvm1 = 0
+
+    # The default metadata format that commands should use - "lvm1" or "lvm2".
+    # The command line override is -M1 or -M2.
+    # Defaults to "lvm2".
+    # format = "lvm2"
+
+    # Location of proc filesystem
+    proc = "/proc"
+
+    # Type of locking to use. Defaults to local file-based locking (1).
+    # Turn locking off by setting to 0 (dangerous: risks metadata corruption
+    # if LVM2 commands get run concurrently).
+    # Type 2 uses the external shared library locking_library.
+    # Type 3 uses built-in clustered locking.
+    # Type 4 uses read-only locking which forbids any operations that might 
+    # change metadata.
+    locking_type = 1
+
+    # Set to 0 to fail when a lock request cannot be satisfied immediately.
+    wait_for_locks = 1
+
+    # If using external locking (type 2) and initialisation fails,
+    # with this set to 1 an attempt will be made to use the built-in
+    # clustered locking.
+    # If you are using a customised locking_library you should set this to 0.
+    fallback_to_clustered_locking = 1
+
+    # If an attempt to initialise type 2 or type 3 locking failed, perhaps
+    # because cluster components such as clvmd are not running, with this set
+    # to 1 an attempt will be made to use local file-based locking (type 1).
+    # If this succeeds, only commands against local volume groups will proceed.
+    # Volume Groups marked as clustered will be ignored.
+    fallback_to_local_locking = 1
+
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress.  A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir = "/run/lock/lvm"
+
+    # Whenever there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to be
+    # serviced.  Without this setting, write access may be stalled by a high
+    # volume of read-only requests.
+    # NB. This option only affects locking_type = 1 viz. local file-based
+    # locking.
+    prioritise_write_locks = 1
+
+    # Other entries can go here to allow you to load shared libraries
+    # e.g. if support for LVM1 metadata was compiled as a shared library use
+    #   format_libraries = "liblvm2format1.so" 
+    # Full pathnames can be given.
+
+    # Search this directory first for shared libraries.
+    #   library_dir = "/lib/lvm2"
+
+    # The external locking library to load if locking_type is set to 2.
+    #   locking_library = "liblvm2clusterlock.so"
+
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors = 0
+
+    # Check whether CRC is matching when parsed VG is used multiple times.
+    # This is useful to catch unexpected internal cached volume group
+    # structure modification. Please only enable for debugging.
+    detect_internal_vg_cache_corruption = 0
+
+    # If set to 1, no operations that change on-disk metadata will be permitted.
+    # Additionally, read-only commands that encounter metadata in need of repair
+    # will still be allowed to proceed exactly as if the repair had been 
+    # performed (except for the unchanged vg_seqno).
+    # Inappropriate use could mess up your system, so seek advice first!
+    metadata_read_only = 0
+
+    # 'mirror_segtype_default' defines which segtype will be used when the
+    # shorthand '-m' option is used for mirroring.  The possible options are:
+    #
+    # "mirror" - The original RAID1 implementation provided by LVM2/DM.  It is
+    #            characterized by a flexible log solution (core, disk, mirrored)
+    #            and by the necessity to block I/O while reconfiguring in the
+    #            event of a failure.  Snapshots of this type of RAID1 can be
+    #            problematic.
+    #
+    # "raid1"  - This implementation leverages MD's RAID1 personality through
+    #            device-mapper.  It is characterized by a lack of log options.
+    #            (A log is always allocated for every device and they are placed
+    #            on the same device as the image - no separate devices are
+    #            required.)  This mirror implementation does not require I/O
+    #            to be blocked in the kernel in the event of a failure.
+    #
+    # Specify the '--type <mirror|raid1>' option to override this default
+    # setting.
+    mirror_segtype_default = "mirror"
+
+    # The default format for displaying LV names in lvdisplay was changed 
+    # in version 2.02.89 to show the LV name and path separately.
+    # Previously this was always shown as /dev/vgname/lvname even when that
+    # was never a valid path in the /dev filesystem.
+    # Set to 1 to reinstate the previous format.
+    #
+    # lvdisplay_shows_full_device_path = 0
+
+    # Whether to use (trust) a running instance of lvmetad. If this is set to
+    # 0, all commands fall back to the usual scanning mechanisms. When set to 1
+    # *and* when lvmetad is running (it is not auto-started), the volume group
+    # metadata and PV state flags are obtained from the lvmetad instance and no
+    # scanning is done by the individual commands. In a setup with lvmetad,
+    # lvmetad udev rules *must* be set up for LVM to work correctly. Without
+    # proper udev rules, all changes in block device configuration will be
+    # *ignored* until a manual 'vgscan' is performed.
+    use_lvmetad = 0
+}
+
+activation {
+    # Set to 1 to perform internal checks on the operations issued to
+    # libdevmapper.  Useful for debugging problems with activation.
+    # Some of the checks may be expensive, so it's best to use this
+    # only when there seems to be a problem.
+    checks = 0
+
+    # Set to 0 to disable udev synchronisation (if compiled into the binaries).
+    # Processes will not wait for notification from udev.
+    # They will continue irrespective of any possible udev processing
+    # in the background.  You should only use this if udev is not running
+    # or has rules that ignore the devices LVM2 creates.
+    # The command line argument --nodevsync takes precedence over this setting.
+    # If set to 1 when udev is not running, and there are LVM2 processes
+    # waiting for udev, run 'dmsetup udevcomplete_all' manually to wake them up.
+    udev_sync = 1
+
+    # Set to 0 to disable the udev rules installed by LVM2 (if built with
+    # --enable-udev_rules). LVM2 will then manage the /dev nodes and symlinks
+    # for active logical volumes directly itself.
+    # N.B. Manual intervention may be required if this setting is changed
+    # while any logical volumes are active.
+    udev_rules = 1
+
+    # Set to 1 for LVM2 to verify operations performed by udev. This turns on
+    # additional checks (and if necessary, repairs) on entries in the device
+    # directory after udev has completed processing its events. 
+    # Useful for diagnosing problems with LVM2/udev interactions.
+    verify_udev_operations = 1
+
+    # If set to 1 and if deactivation of an LV fails, perhaps because
+    # a process run from a quick udev rule temporarily opened the device,
+    # retry the operation for a few seconds before failing.
+    retry_deactivation = 1
+
+    # How to fill in missing stripes if activating an incomplete volume.
+    # Using "error" will make inaccessible parts of the device return
+    # I/O errors on access.  You can instead use a device path, in which 
+    # case, that device will be used to in place of missing stripes.
+    # But note that using anything other than "error" with mirrored 
+    # or snapshotted volumes is likely to result in data corruption.
+    missing_stripe_filler = "error"
+
+    # The linear target is an optimised version of the striped target
+    # that only handles a single stripe.  Set this to 0 to disable this
+    # optimisation and always use the striped target.
+    use_linear_target = 1
+
+    # How much stack (in KB) to reserve for use while devices suspended
+    # Prior to version 2.02.89 this used to be set to 256KB
+    reserved_stack = 64
+
+    # How much memory (in KB) to reserve for use while devices suspended
+    reserved_memory = 8192
+
+    # Nice value used while devices suspended
+    process_priority = -18
+
+    # If volume_list is defined, each LV is only activated if there is a
+    # match against the list.
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # If read_only_volume_list is defined, each LV that is to be activated 
+    # is checked against the list, and if it matches, it as activated
+    # in read-only mode.  (This overrides '--permission rw' stored in the
+    # metadata.)
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # read_only_volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # Size (in KB) of each copy operation when mirroring
+    mirror_region_size = 512
+
+    # Setting to use when there is no readahead value stored in the metadata.
+    #
+    # "none" - Disable readahead.
+    # "auto" - Use default value chosen by kernel.
+    readahead = "auto"
+
+    # 'raid_fault_policy' defines how a device failure in a RAID logical
+    # volume is handled.  This includes logical volumes that have the following
+    # segment types: raid1, raid4, raid5*, and raid6*.
+    #
+    # In the event of a failure, the following policies will determine what
+    # actions are performed during the automated response to failures (when
+    # dmeventd is monitoring the RAID logical volume) and when 'lvconvert' is
+    # called manually with the options '--repair' and '--use-policies'.
+    #
+    # "warn"    - Use the system log to warn the user that a device in the RAID
+    #             logical volume has failed.  It is left to the user to run
+    #             'lvconvert --repair' manually to remove or replace the failed
+    #             device.  As long as the number of failed devices does not
+    #             exceed the redundancy of the logical volume (1 device for
+    #             raid4/5, 2 for raid6, etc) the logical volume will remain
+    #             usable.
+    #
+    # "allocate" - Attempt to use any extra physical volumes in the volume
+    #             group as spares and replace faulty devices.
+    #
+    raid_fault_policy = "warn"
+
+    # 'mirror_image_fault_policy' and 'mirror_log_fault_policy' define
+    # how a device failure affecting a mirror (of "mirror" segment type) is
+    # handled.  A mirror is composed of mirror images (copies) and a log.
+    # A disk log ensures that a mirror does not need to be re-synced
+    # (all copies made the same) every time a machine reboots or crashes.
+    #
+    # In the event of a failure, the specified policy will be used to determine
+    # what happens. This applies to automatic repairs (when the mirror is being
+    # monitored by dmeventd) and to manual lvconvert --repair when
+    # --use-policies is given.
+    #
+    # "remove" - Simply remove the faulty device and run without it.  If
+    #            the log device fails, the mirror would convert to using
+    #            an in-memory log.  This means the mirror will not
+    #            remember its sync status across crashes/reboots and
+    #            the entire mirror will be re-synced.  If a
+    #            mirror image fails, the mirror will convert to a
+    #            non-mirrored device if there is only one remaining good
+    #            copy.
+    #
+    # "allocate" - Remove the faulty device and try to allocate space on
+    #            a new device to be a replacement for the failed device.
+    #            Using this policy for the log is fast and maintains the
+    #            ability to remember sync state through crashes/reboots.
+    #            Using this policy for a mirror device is slow, as it
+    #            requires the mirror to resynchronize the devices, but it
+    #            will preserve the mirror characteristic of the device.
+    #            This policy acts like "remove" if no suitable device and
+    #            space can be allocated for the replacement.
+    #
+    # "allocate_anywhere" - Not yet implemented. Useful to place the log device
+    #            temporarily on same physical volume as one of the mirror
+    #            images. This policy is not recommended for mirror devices
+    #            since it would break the redundant nature of the mirror. This
+    #            policy acts like "remove" if no suitable device and space can
+    #            be allocated for the replacement.
+
+    mirror_log_fault_policy = "allocate"
+    mirror_image_fault_policy = "remove"
+
+    # 'snapshot_autoextend_threshold' and 'snapshot_autoextend_percent' define
+    # how to handle automatic snapshot extension. The former defines when the
+    # snapshot should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the snapshot, in percent of its current size.
+    #
+    # For example, if you set snapshot_autoextend_threshold to 70 and
+    # snapshot_autoextend_percent to 20, whenever a snapshot exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G snapshot, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the snapshot will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting snapshot_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    snapshot_autoextend_threshold = 100
+    snapshot_autoextend_percent = 20
+
+    # 'thin_pool_autoextend_threshold' and 'thin_pool_autoextend_percent' define
+    # how to handle automatic pool extension. The former defines when the
+    # pool should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the pool, in percent of its current size.
+    #
+    # For example, if you set thin_pool_autoextend_threshold to 70 and
+    # thin_pool_autoextend_percent to 20, whenever a pool exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G pool, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the pool will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting thin_pool_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    thin_pool_autoextend_threshold = 100
+    thin_pool_autoextend_percent = 20
+
+    # Full path of the utility called to check that a thin metadata device
+    # is in a state that allows it to be used.
+    # Each time a thin pool needs to be activated, this utility is executed.
+    # The activation will only proceed if the utility has an exit status of 0.
+    # Set to "" to skip this check.  (Not recommended.)
+    # The thin tools are available as part of the device-mapper-persistent-data
+    # package from https://github.com/jthornber/thin-provisioning-tools.
+    #
+    thin_check_executable = "/sbin/thin_check -q"
+
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended, and as a precaution against deadlocks, LVM2 needs to pin
+    # any memory it is using so it is not paged out.  Groups of pages that
+    # are known not to be accessed during activation need not be pinned
+    # into memory.  Each string listed in this setting is compared against
+    # each line in /proc/self/maps, and the pages corresponding to any
+    # lines that match are not pinned.  On some systems locale-archive was
+    # found to make up over 80% of the memory used by the process.
+    # mlock_filter = [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+
+    # Set to 1 to revert to the default behaviour prior to version 2.02.62
+    # which used mlockall() to pin the whole process's memory while activating
+    # devices.
+    use_mlockall = 0
+
+    # Monitoring is enabled by default when activating logical volumes.
+    # Set to 0 to disable monitoring or use the --ignoremonitoring option.
+    monitoring = 0
+
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress
+    # at intervals of this number of seconds.  The default is 15 seconds.
+    # If this is set to 0 and there is only one thing to wait for, there
+    # are no progress reports, but the process is awoken immediately the
+    # operation is complete.
+    polling_interval = 15
+}
+
+
+####################
+# Advanced section #
+####################
+
+# Metadata settings
+#
+# metadata {
+    # Default number of copies of metadata to hold on each PV.  0, 1 or 2.
+    # You might want to override it from the command line with 0 
+    # when running pvcreate on new PVs which are to be added to large VGs.
+
+    # pvmetadatacopies = 1
+
+    # Default number of copies of metadata to maintain for each VG.
+    # If set to a non-zero value, LVM automatically chooses which of
+    # the available metadata areas to use to achieve the requested
+    # number of copies of the VG metadata.  If you set a value larger
+    # than the the total number of metadata areas available then
+    # metadata is stored in them all.
+    # The default value of 0 ("unmanaged") disables this automatic
+    # management and allows you to control which metadata areas
+    # are used at the individual PV level using 'pvchange
+    # --metadataignore y/n'.
+
+    # vgmetadatacopies = 0
+
+    # Approximate default size of on-disk metadata areas in sectors.
+    # You should increase this if you have large volume groups or
+    # you want to retain a large on-disk history of your metadata changes.
+
+    # pvmetadatasize = 255
+
+    # List of directories holding live copies of text format metadata.
+    # These directories must not be on logical volumes!
+    # It's possible to use LVM2 with a couple of directories here,
+    # preferably on different (non-LV) filesystems, and with no other 
+    # on-disk metadata (pvmetadatacopies = 0). Or this can be in
+    # addition to on-disk metadata areas.
+    # The feature was originally added to simplify testing and is not
+    # supported under low memory situations - the machine could lock up.
+    #
+    # Never edit any files in these directories by hand unless you
+    # you are absolutely sure you know what you are doing! Use
+    # the supplied toolset to make changes (e.g. vgcfgrestore).
+
+    # dirs = [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
+#}
+
+# Event daemon
+#
+dmeventd {
+    # mirror_library is the library used when monitoring a mirror device.
+    #
+    # "libdevmapper-event-lvm2mirror.so" attempts to recover from
+    # failures.  It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+
+    mirror_library = "libdevmapper-event-lvm2mirror.so"
+
+    # snapshot_library is the library used when monitoring a snapshot device.
+    #
+    # "libdevmapper-event-lvm2snapshot.so" monitors the filling of
+    # snapshots and emits a warning through syslog when the use of
+    # the snapshot exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the snapshot is filled.
+
+    snapshot_library = "libdevmapper-event-lvm2snapshot.so"
+
+    # thin_library is the library used when monitoring a thin device.
+    #
+    # "libdevmapper-event-lvm2thin.so" monitors the filling of
+    # pool and emits a warning through syslog when the use of
+    # the pool exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the pool is filled.
+
+    thin_library = "libdevmapper-event-lvm2thin.so"
+
+    # Full path of the dmeventd binary.
+    #
+    # executable = "/sbin/dmeventd"
+}
diff --git a/src/initrd/mdadm-dup.sh b/src/initrd/mdadm-dup.sh
new file mode 100644
index 0000000..70163a5
--- /dev/null
+++ b/src/initrd/mdadm-dup.sh
@@ -0,0 +1,217 @@
+LoSetup()
+{
+    local losetup_binary="$(which LoSetup)"
+    if [ "$losetup_binary" ]; then
+        "$losetup_binary" "$@"
+    else
+        losetup "$@"
+    fi
+}
+
+dm_snapshot()
+{
+    # TODO: eliminate duplication; this function exists elsewhere in a less generalized form
+    local ro_file rw_file cutoff_size
+    ro_file=$1
+    rw_file=$2
+    cutoff_size=$3
+
+    local ro_dev rw_dev size new_dev_name persist chunksize
+
+    if [ -b "$ro_file" ];
+    then ro_dev=$ro_file
+    else ro_dev=$(LoSetup -r -f --show "$ro_file") || return
+    fi
+
+    if [ -b "$rw_file" ];
+    then rw_dev=$rw_file
+    else rw_dev=$(LoSetup -f --show "$rw_file") || return
+    fi
+
+    if [ "$cutoff_size" -a "$cutoff_size" -gt 0 ]; then
+        size=$cutoff_size
+    else
+        size=$(blockdev --getsz "$ro_dev") || return
+    fi
+
+    new_dev_name=${ro_dev##*/}
+    persist=p
+    chunksize=16
+    dmsetup create "$new_dev_name" --table "0 $size snapshot $ro_dev $rw_dev $persist $chunksize" || return
+    wait_for_dm_device /dev/mapper/"$new_dev_name"
+    echo /dev/mapper/"$new_dev_name"
+}
+
+dm_snapshot_teardown()
+{
+    local dev="$1"
+    case "$dev" in
+        /dev/dm-*)
+            dmsetup table "$dev" | (
+                read _ _ snapshot ro_dev rw_dev _ crypt_dev _
+                case "$snapshot" in
+                    snapshot)
+                        dmsetup remove "$dev"           || exit 1
+                        # errors ignored because the loop dev can be configured to be
+                        # automatically removed upon disuse
+                        losetup -d /dev/block/"$rw_dev" || true
+                        eject /dev/block/"$ro_dev"      || true
+                        ;;
+                    crypt)
+                        cryptsetup remove "$dev" || exit 1
+                        losetup -d /dev/block/"$crypt_dev" || true
+                        ;;
+                esac
+            ) || return
+            ;;
+        *) return 1 ;;
+    esac
+}
+
+wait_for_dm_device()
+{
+    # TODO: improve
+    while ! [ -e "$1" ]; do
+        sleep 1
+    done
+}
+
+dup_mount_cdrom()
+{
+    local cdrom_dev="$1" mountpoint="$2"
+
+    local sectors md_dev=/dev/md55 cdrom_rw_file=/"${cdrom_dev##*/}".rw
+
+    sectors=$(get_cdrom_sizelimit "$cdrom_dev") || return
+
+    # TODO: do we even need this backing file? We do need to trick mdadm into
+    # thinking that this is a RW device, but previously we got away with just
+    # creating a loopback device.
+    dd if=/dev/zero of="$cdrom_rw_file" bs=1K count=32 || return
+    cdrom_rw_dev=$(dm_snapshot "$cdrom_dev" "$cdrom_rw_file" "$sectors") || return
+    mdadm_dup "$cdrom_rw_dev" "$md_dev" "$sectors" || return
+    mount -t iso9660 -r $md_dev "$mountpoint"
+}
+
+get_cdrom_sizelimit()
+{
+    # returns 512-byte sectors
+    local dev="$1" sectors
+    sectors=$(blockdev --getsz "$dev") || return
+
+    # Check if we can read the last 8 sectors. With a TAO CDROM, we can't --
+    # these sectors are faux, and not part of the ISO fs. If mdadm is allowed to
+    # read them, it will mark the device failed.
+    if dd count=2 if="$dev" bs=2048 skip=$((sectors/4 - 2)) of=/dev/null 2>/dev/null; then
+        echo $sectors
+    else
+        echo $((sectors - 8))
+    fi
+}
+
+mdadm_dup()
+{
+    local input_dev="$1" md_name="$2" sectors="$3"
+
+    mdadm --build "$md_name" "${sectors:+--size=$((sectors / 2))}" \
+          --level=1 --raid-devices=1 --force --write-mostly "$input_dev" || return
+}
+
+mdadm_subdevices()
+{
+    local md_dev="$1"
+    mdadm -D "$md_dev" -Y | sed -ne 's/^MD_DEVICE_.*_DEV=//p'
+}
+
+cryptsetup_temp()
+{
+    local sectors="$1" cryptname="$2" temp_file="$3" parms=$- secret
+    set +x
+    # Add 4096 sectors for LUKS header
+    truncate -s $(((sectors + 4096) * 512)) "$temp_file" || return
+    cleartext_dev=$(LoSetup -f --show "$temp_file")      || return
+    secret="$(head -c256 /dev/urandom)"                  || return
+    printf %s "$secret" |
+        cryptsetup luksFormat "$cleartext_dev" - || return
+    printf %s "$secret" |
+        cryptsetup --key-file - luksOpen "$cleartext_dev" "$cryptname" || return
+    unset secret
+    set "$parms"
+
+    wait_for_dm_device /dev/mapper/"$cryptname"
+    rm "$temp_file"
+    echo /dev/mapper/"$cryptname"
+}
+
+mdadm_copy_eject_crypt()
+{
+    local md_dev="$1" temp_file="$2"
+
+    [ -b "$md_dev" ]                                  || return
+
+    local output_dev sectors
+
+    old_subdev=$(mdadm_subdevices "$md_dev"|head -n1) || return
+    [ -b "$old_subdev" ]                              || return
+    # TODO: truncate to the ISO fs size if the device is larger
+    sectors=$(blockdev --getsz "$md_dev")             || return
+
+    output_dev=$(cryptsetup_temp "$sectors" samizdatiso "$temp_file") || return
+
+    mdadm "$md_dev" --add "$output_dev"               || return
+    mdadm "$md_dev" --grow -n2                        || return
+
+    mdadm_wait_remove "$md_dev" "$old_subdev"         || return
+
+    mdadm "$md_dev" --grow -n1 --force                || return
+    dm_snapshot_teardown "$old_subdev"
+}
+
+mdadm_copy_eject()
+{
+    local md_dev="$1" output_file="$2"
+
+    [ -b "$md_dev" ]                                  || return
+    [ ! -e "$output_file" ]                           || return
+
+    local output_dev sectors
+
+    old_subdev=$(mdadm_subdevices "$md_dev"|head -n1) || return
+    [ -b "$old_subdev" ]                              || return
+    sectors=$(blockdev --getsz "$md_dev")             || return
+
+    truncate -s $((sectors * 512)) "$output_file"     || return
+    output_dev=$(LoSetup -f --show "$output_file")    || return
+
+    mdadm "$md_dev" --add "$output_dev"               || return
+    mdadm "$md_dev" --grow -n2                        || return
+
+    mdadm_wait_remove "$md_dev" "$old_subdev"         || return
+
+    mdadm "$md_dev" --grow -n1 --force                || return
+    dm_snapshot_teardown "$old_subdev"
+}
+
+mdadm_wait_remove()
+{
+    # We should perhaps use mdadm --monitor's RebuildFinished event.
+
+    local dev="$1" disk="$2" tries
+    if ! mdadm --wait "$dev"; then
+        tries=1000
+        while ! mdadm --detail --test "$dev"; do
+            [ $tries -gt 0 ] || return 1
+            sleep 1
+            tries=$((tries-1))
+        done
+    fi
+
+    mdadm "$dev" --fail "$disk" || return 1
+    tries=100
+    while ! mdadm "$dev" --remove "$disk"; do
+        [ $tries -gt 0 ] || return 1
+        sleep 1
+        tries=$((tries-1))
+    done
+    return 0
+}
diff --git a/src/initrd/menu-select b/src/initrd/menu-select
new file mode 100755
index 0000000..f059052
--- /dev/null
+++ b/src/initrd/menu-select
@@ -0,0 +1,123 @@
+#!/bin/sh
+# usage:
+#  $0 boot-ram                                          - use memory-only overlay
+#  $0 boot-new       [dev name] [loop file] [megabytes] - create new luks-encrypted overlay
+#  $0 boot-overwrite [dev name] [loop file] [megabytes] - overwrite with new luks overlay
+#  $0 boot-luks      [dev name] [loop file]             - boot existing luks-encrypted overlay
+#  $0 boot-gpg       [key id] [gnupg homedir] [???]     - boot any device signed with the key
+
+. lvm-create.sh
+. common.sh
+exec 4>&1
+debug_log
+
+error()
+{
+  local sleep=3
+
+  clear >&4
+  echo "error -- ${*:-:(}" >&4
+
+  if [ $sleep -gt 0 ]; then
+    echo "will try again in $sleep seconds..." >&4
+    sleep $sleep
+  fi
+  bootmenu do_trigger no_panic
+  exit
+}
+
+badopts=
+fs=
+while [ $# -ge 1 ]; do
+  case $1 in
+    --fs=*) fs="${1#--fs=}"; shift; continue ;;
+    --*) echo "error: unknown option $1"; badopts=true; shift; continue ;;
+  esac
+  break
+done
+[ -z "$badopts" ] || error 'usage error'
+
+[ $# -ge 2 -o "$1" = 'boot-ram' ] || error 'usage error'
+
+remountrw()
+{
+  local fs="$1" dev="$2" loopfile="$3"
+  if [ "$fs" = hfsplus ]; then
+    mountpoint="/mnt/${dev##*/}"
+    umount "$dev" || error
+    fsck.hfsplus -q "$dev" || error
+    mount -o force "$dev" "$mountpoint" || error
+  else
+    mount -o remount,rw "$dev" || error
+  fi
+}
+
+hwclock_to_system()
+{
+  local fs="$1" UTC=UTC
+  case "$fs" in ntfs|vfat) UTC=LOCAL ;; esac
+  printf '0.0 0 0.0\n0\n%s' $UTC > /etc/adjtime
+  hwclock --hctosys
+}
+
+case "$1" in
+  boot-ram)
+    read _ memtotal_kb _ < /proc/meminfo
+    # This doesn't make sense to me, but setting rd_size _lower_ than total
+    # memory seems to be what breaks things ('btrfs device add' hangs forever).
+    # Somehow you can fill up the filesystem and there's still space for
+    # programs and btrfs does not complain. I don't know what is going on here.
+
+    # BTW, I verified with blockdev that the device size really is being
+    # specified in KB here. I did not really believe it.
+    modprobe brd rd_nr=1 rd_size=$memtotal_kb
+
+    init_gpg || error
+    init_samizdat /dev/ram0 '' || {
+        umount /root/cdrom
+        umount /root/outerfs
+        umount /root
+        error
+    }
+  ;;
+  boot-overwrite|boot-new|boot-luks)
+    dev="$2"
+    loopfile="$3"
+    megs="$4"
+
+    [ "$1" != 'boot-new' -o ! -e "$loopfile" ] || error
+
+    remountrw "$fs" "$dev" "$loopfile" || error
+
+    hwclock_to_system "$fs"
+
+    if [ "$1" = 'boot-overwrite' ]; then
+      rm "$loopfile" "$loopfile"k
+    fi
+
+    init_gpg || error
+
+    if [ "$1" = 'boot-luks' ]; then
+      open_samizdat "$loopfile" "$loopfile"k || error
+      exit
+    fi
+
+    start_meter "Allocating ${megs}MB in '$loopfile' on $dev..."
+
+    if init_samizdat_blockdev "$loopfile" "$megs" "$loopfile"k &&
+            init_samizdat /dev/mapper/samizdatcrypt "$loopfile"; then
+      stop_meter done.
+    else
+      stop_meter error!
+      rm "$loopfile" "$loopfile"k
+      dmsetup remove samizdatcrypt
+      # TODO: more teardown
+      error
+    fi
+  ;;
+  *)
+    error "Unimplemented boot command: $*"
+  ;;
+esac
+
+# vim:ts=2 sw=2 et
diff --git a/src/initrd/samizdat-cdrom-copy b/src/initrd/samizdat-cdrom-copy
new file mode 100755
index 0000000..d4920b9
--- /dev/null
+++ b/src/initrd/samizdat-cdrom-copy
@@ -0,0 +1,75 @@
+#!/bin/sh
+md_name=$1
+lv_name=$2
+lv_dev=$3
+cdrom_loopdev=$4
+cdrom_dev=$5
+
+. lvm-create.sh
+
+mdadm_wait_remove()
+{
+  # We should perhaps use mdadm --monitor's RebuildFinished event.
+
+  local dev="$1" disk="$2" tries
+  if ! mdadm --wait "$dev"; then
+    tries=1000
+    while ! mdadm --detail --test "$dev"; do
+      [ $tries -gt 0 ] || return 1
+      sleep 1
+      tries=$((tries-1))
+    done
+  fi
+
+  mdadm "$dev" --fail "$disk" || return 1
+  tries=100
+  while ! mdadm "$dev" --remove "$disk"; do
+    [ $tries -gt 0 ] || return 1
+    sleep 1
+    tries=$((tries-1))
+  done
+  return 0
+}
+
+
+Done()
+{
+  mdadm --grow "$md_name" -n 1 --force
+  lvm lvrename "$lv_name".tmp "${lv_name#*/}"
+  losetup -d "$cdrom_loopdev"
+  [ -e /etc/mtab ] || ln -sf /proc/mounts /etc/mtab
+  eject "$cdrom_dev"
+  echo "[$$] Done."
+}
+
+exec >>/var/log/samizdat-cdrom-copy.log 2>&1
+echo "[$$] Waiting for $cdrom_loopdev ($cdrom_dev) to be removed from $md_name."
+
+if mdadm_wait_remove "$md_name" "$cdrom_loopdev"; then
+  Done;
+else
+  echo "[$$] Warning: mdadm_wait_remove() returned $?.  Doing manual copy with sg_dd (using continue-on-error)."
+  mdadm -D "$md_name"
+  mdadm "$md_name" --fail "$lv_dev".tmp
+  mdadm -D "$md_name"
+  mdadm "$md_name" --remove "$lv_dev".tmp
+  mdadm -D "$md_name"
+  mdadm  /dev/md55 --grow -n1 --force
+  mdadm -D "$md_name"
+
+  sizelimit=$(get_cdrom_sizelimit "$cdrom_dev")
+
+  if sg_dd bs=2048 ${sizelimit:+count=$((sizelimit/2048))} iflag=coe,coe,coe if="$cdrom_dev" of="$lv_dev".tmp retries=42; then
+    echo "[$$] sg_dd succeeded."
+    mdadm "$md_name" --grow -n 2 --assume-clean --add "$lv_dev".tmp
+    mdadm -D "$md_name"
+    if mdadm_wait_remove "$md_name" "$cdrom_loopdev"; then
+      Done;
+    else
+      echo "[$$] Error: mdadm_wait_remove() returned $? after sg_dd.  Cannot eject CDROM!"
+    fi
+  else
+    echo "[$$] Error: sg_dd returned $?.  Cannot eject CDROM!"
+  fi
+fi
+
diff --git a/src/initrd/samizdat-eject.sh b/src/initrd/samizdat-eject.sh
new file mode 100755
index 0000000..d95a49d
--- /dev/null
+++ b/src/initrd/samizdat-eject.sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+die()
+{
+    printf '%s\n' "$*" >&2
+    exit 1
+}
+
+btrfs_subdevices()
+{
+    local mountpoint="$1"
+    btrfs filesystem show "$mountpoint" | sed -ne 's/^[ \t]*devid.* path //p'
+}
+
+btrfs_subdevice_count()
+{
+    btrfs_subdevices "$1" | wc -l
+}
+
+remove()
+{
+    for dev; do
+        (set -x; btrfs device remove "$dev" /)
+        dmsetup remove "$dev" 2>/dev/null
+        losetup -D
+    done
+}
+
+dm_name()
+{
+    dmsetup info "$1" | sed -ne 's/^Name: *//p'
+}
+
+md_ready()
+{
+    local mountpoint="$1" count dev
+    count=$(mdadm_subdevices /dev/md55|wc -l)
+    [ "$count" = 1 ] || return
+    dev=$(mdadm_subdevices /dev/md55)
+    [ "$(dm_name "$dev")" = samizdatiso ]
+}
+
+copy()
+{
+    temp_target=$(mktemp --tmpdir=/outerfs)
+    mdadm_copy_eject_crypt /dev/md55 "$temp_target"
+}
+
+. mdadm-dup.sh || exit 1
+
+target=$1
+
+if [ ! "$target" ] && mountpoint -q /srv && [ ! -e /srv/samizdat.iso ]; then
+    target=/srv/samizdat.iso
+fi
+
+[ "$target" ] || die "Usage: $0 <target filename>"
+[ ! -e "$target" ] || die "Error: file exists: $target"
+
+if ! mountpoint -q /outerfs; then
+    die "Error: /outerfs is not a mountpoint.  Please mount a safe filesystem to temporarily store the ISO on /outerfs"
+fi
+
+devices=$(btrfs_subdevices /) || exit 1
+
+set --
+seen=
+for dev in $devices; do
+    [ -b "$dev" ] || exit 1
+    case "$dev" in
+        /dev/mapper/loop*) set -- "$@" "$dev" ;;
+        /dev/mapper/samizdatcrypt) seen=y ;;
+    esac
+done
+[ "$seen" ] || set -- # avoid messing up someone's btrfs!
+
+
+
+
+
+
+if ! md_ready; then
+    copy &
+fi
+
+remove "$@"
+
+wait
+
+if [ "$(btrfs_subdevice_count /)" = 1 ] && md_ready; then
+    mdadm_copy_eject /dev/md55 "$target".part &&
+        mv "$target".part "$target"
+fi
diff --git a/src/initrd/squashfs-size b/src/initrd/squashfs-size
new file mode 100755
index 0000000..74b67d7
--- /dev/null
+++ b/src/initrd/squashfs-size
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+squashfs_size_ratio()
+{
+  local fn="$1"
+  #FSIZE="$(stat -c "%s" "$fn")"
+  word5() { echo $5; }
+  FSIZE="$(word5 `ls -l "$fn"`)"
+  echo $(( $FSIZE * 3367 / 1000 ))
+}
+
+squashfs_size_magicdb()
+{
+
+  get()
+  {
+    local len=$1
+    local off=$2
+    local fn="$3"
+    #local OUT=( $(od -t d$len -N$len -j $off "$fn") )
+    #echo "${OUT[1]}"
+    od -t u$len -N$len -j $off "$fn" | head -n1 |  sed 's/.* //'
+  }
+
+#   getReversedEndian()
+#   {
+#     local len=$1
+#     local off=$2
+#     local fn="$3"
+#     #local B=( $(od -t x$len -N$len -j $off "$fn") )
+#     #B="${B[1]}"
+#     local B="$(od -t x$len -N$len -j $off "$fn" | head -n1 | cut -d' ' -f2)" 
+#     local D=
+#     local C=$(( $len * 2 ))
+#     while [ $C -gt 0 ]
+#     do
+#       C=$(( $C - 2 ))
+#       D="$D${B:$C:2}"
+#     done
+#     D="0x$D"
+#     echo $D
+#   }
+  getReversedEndian()
+  {
+    local len=$1
+    local off=$2
+    local fn="$3"
+    local D=
+    local C=$len 
+    while [ $C -gt 0 ]
+    do
+      C=$(( $C - 1 ))
+      D="$(od -t x1 -N1 -j $(($off+$C)) "$fn" | head -n1 | cut -d' ' -f2)$D" 
+    done
+    D=$((0x$D))
+    echo $D
+  }
+
+
+  local fn="$1"
+
+  local M=$(get 4 0 "$fn")
+  local N=$(getReversedEndian 4 0 "$fn")
+  if [ $M -eq 1936814952 ]
+  then
+    # Proper endian.
+    local get=get
+  elif [ $N -eq 1936814952 ]
+  then
+    # Reversed endian.
+    local get=getReversedEndian
+  else
+    error not squashfs
+  fi
+
+  local T=$($get 2 28 "$fn")
+  if [ $T -lt 3 ]
+  then
+    local BC=$($get 4 8 "$fn") 
+  else
+    local BC=$($get 8 63 "$fn")
+  fi
+
+  echo $BC
+}
+
+
+squashfs_size_ratio "$1"
diff --git a/src/initrd/umountall.sh b/src/initrd/umountall.sh
new file mode 100755
index 0000000..bf89838
--- /dev/null
+++ b/src/initrd/umountall.sh
@@ -0,0 +1,126 @@
+#!/bin/sh
+OPEN_SHELL_BEFORE_SHUTDOWN=
+
+movemount() {
+  if mountpoint -q "$1"; then
+    umount /root/"$1"
+  else
+    mkdir -p "$1"
+    mount --move /root/"$1" "$1"
+  fi
+}
+
+retry_n_delay() {
+  local n="$1" delay="$2"
+  shift 2
+  while [ "$n" -gt 0 ]; do "$@" && break; sleep $delay; n=$((n-1)); done
+}
+
+umount_all_novirtual()
+{
+  # EQUIVALENT: umount -a -t norootfs,nosysfs,noproc,notmpfs,nodevpts,nodevtmpfs
+  # busyboxy umount does not support -t, therefore:
+  tac /proc/mounts | {
+    errors=0
+    while read dev mp type opts _; do
+      case $type in
+        rootfs|sysfs|proc|tmpfs|devpts|devtmpfs) ;;
+        *) umount "$mp" || errors=$((errors+1)) ;;
+      esac
+    done 
+    return $errors
+  }
+}
+
+losetup_delete_all()
+{
+  local f dev
+  for f in /sys/dev/block/7:*/loop; do
+    dev=${f#/sys/dev/block/7:}
+    dev=/dev/loop${dev%%/*}
+    losetup -d $dev
+  done
+}
+
+mdadm_stop_all()
+{
+  for md in /dev/md* /dev/md/*; do 
+    test -b "$md" && mdadm --stop "$md"
+  done
+}
+
+lvm_deactivate() { lvm lvchange -v -an samizdat 11>&-; }
+
+killemdead() {
+  force= pids="$(pidof "$@")"
+  while [ "$pids" ]; do
+    kill $force $pids
+    living=
+    for p in $pids; do
+      if [ -e /proc/$p ]; then
+        living=1
+        break
+      fi
+    done
+    [ ! "$living" ] && break
+    force=-9
+  done
+}
+
+specials= movemounts= umounts=
+while read dev mp type opts _; do # N.B. order is reversed in variables
+case $mp in
+  /root/dev|/root/proc)
+    specials="$mp $specials" ;;
+  /root/sys|/root/cdrom|/root/mnt/*|/root/gpg|/root/overlay|/root/xino|/root/squashes/*) 
+    movemounts="$mp $movemounts" ;; 
+  /root/*)
+    umounts="$mp $umounts" ;;
+esac
+done < /proc/mounts
+
+# Unmount mounts under /root that we didn't put there
+while true; do
+  error=0; success=0
+  for m in $umounts; do
+    if umount $m; then
+      success=$((success+1))
+    else
+      error=$((error+1))
+    fi
+  done
+  [ $error = 0 ] && break
+  [ $success = 0 ] && break
+done
+
+# Move back mounts that we moved
+for m in $movemounts; do
+  movemount "${m#/root}" # TODO: error handling
+done
+
+killemdead gpg-agent samizdat-pinentry
+
+umount /root/dev
+umount /root/proc
+ln -sf /proc/mounts /etc/mtab
+
+umount_all_novirtual
+mdadm_stop_all
+losetup_delete_all
+lvm_deactivate
+cryptsetup remove samizdatcrypt
+losetup_delete_all
+umount_all_novirtual
+
+if [ "$OPEN_SHELL_BEFORE_SHUTDOWN" ]; then
+  read cmd < /halt
+  echo
+  echo "Remove cdrom and press ctrl-d to run '$cmd'."
+  /bin/sh -i
+fi
+
+read cmd < /halt && $cmd
+sleep 1
+
+echo "Error!  Starting emergency shell with pid 1."
+exec /bin/sh -i
diff --git a/src/initrd/vol_id b/src/initrd/vol_id
new file mode 100755
index 0000000..5cd24a1
--- /dev/null
+++ b/src/initrd/vol_id
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec blkid -p -o udev "$@"
diff --git a/src/keygen.sh b/src/keygen.sh
new file mode 100755
index 0000000..716359b
--- /dev/null
+++ b/src/keygen.sh
@@ -0,0 +1,122 @@
+#!/bin/sh
+
+gpg_set_ultimate_trust()
+{
+    local keygrip
+    keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5) || return
+
+    expect - -- "$keygrip" <<'END'
+
+        set keygrip "[lindex $argv 0]"
+
+        spawn gpg --edit-key "$keygrip" trust
+
+        expect "Your decision?"
+        send -- "5\n"
+        expect "Do you really want to set this key to ultimate trust?"
+        send -- "y\n"
+        expect "gpg>"
+        send -- "save\n"
+        send_tty "\r"
+
+END
+}
+
+add()
+{
+    kiki merge \
+        --flow=sync \
+        --home${2:+="$2"} \
+        --create=rsa:4096 \
+        --flow=spill,match="$1" \
+        --type=pem \
+        --access=secret \
+        nil
+}
+
+init()
+{
+    local root="$1"
+
+    if [ "$root" ]; then
+        mkdir -m0600 -p "$root"/root/.gnupg
+    fi
+
+    kiki init   ${root:+--chroot "$root"}
+    add encrypt ${root:+"$root/root/.gnupg"}
+    add sign    ${root:+"$root/root/.gnupg"}
+
+    (
+        [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
+        gpg_set_ultimate_trust
+    )
+}
+
+sync()
+{
+    local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
+    kiki sync-public \
+        --homedir "$home1" \
+        --passphrase-fd=0 \
+        --import-if-authentic \
+        --autosign \
+        --keyrings "$home2"/pubring.gpg
+    kiki sync-secret \
+        --homedir "$home1" \
+        --autosign --import
+}
+
+doublecheck()
+{
+    gpg2 --clearsign </dev/null | gpg2 --homedir "$1"/root/.gnupg --verify
+    gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 --verify
+}
+
+silent()
+{
+    exec 3>&1 4>&2
+    exec >/dev/null 2>&1
+}
+
+noisy()
+{
+    exec >&3 2>&1
+}
+
+new_child()
+{
+    local root="$1"
+    init "$root"
+
+    sync "$root" ''
+    sync '' "$root"
+
+    gpg2 --check-trustdb
+    gpg2 --check-trustdb --homedir "$root"/root/.gnupg
+
+    doublecheck "$root"
+}
+
+
+child_dir=$1
+
+set -e
+
+[ "$(id -u)" = 0 ]
+[ "$child_dir" ]
+[ ! -d "$child_dir" ]
+which expect >/dev/null
+
+mkdir "$child_dir"
+trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT
+mount -t tmpfs -o mode=0700 tmpfs "$child_dir"
+
+silent
+init
+new_child "$child_dir"
+noisy
+
+trap EXIT
+
+# gpg2 -k
+# gpg2 -k --homedir "$child_dir"/root/.gnupg
diff --git a/src/patchroot.sh b/src/patchroot.sh
new file mode 100755
index 0000000..738beac
--- /dev/null
+++ b/src/patchroot.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+pkgs='avahi-daemon git tmux btrfs-tools/jessie-backports sshfs eject'
+pkgs="$pkgs $(cat initrd-dependencies.txt)"
+pkgs="$pkgs linux-image-$(uname -r)/jessie-backports"
+
+default_sources_list()
+{
+    cat <<'END'
+deb      http://httpredir.debian.org/debian  jessie            main contrib non-free
+deb      http://security.debian.org          jessie/updates    main contrib non-free
+deb      http://httpredir.debian.org/debian  jessie-backports  main contrib non-free
+deb-src  http://httpredir.debian.org/debian  jessie            main contrib non-free
+deb-src  http://security.debian.org          jessie/updates    main contrib non-free
+deb-src  http://httpredir.debian.org/debian  jessie-backports  main contrib non-free
+END
+}
+
+network_devs()
+{
+    ip -oneline link |
+        while read _ dev _; do
+            echo ${dev%:}
+        done
+}
+
+if [ -e /root/sources.list ]; then
+    cp /root/sources.list /etc/apt/sources.list
+else
+    default_sources_list > /etc/apt/sources.list
+fi
+
+if [ -e /sys/module/hid_apple/parameters/fnmode ]; then
+    echo 2 > /sys/module/hid_apple/parameters/fnmode
+fi
+echo options hid_apple fnmode=2 > /etc/modprobe.d/apple.conf
+
+if [ "$(ifquery -a --list)" = lo ]; then
+    # No configured interfaces.  Do something!
+    dhclient $(network_devs)
+fi
+apt-get update
+apt-get -y install --no-upgrade $pkgs
diff --git a/src/qemu.sh b/src/qemu.sh
new file mode 100755
index 0000000..dfed521
--- /dev/null
+++ b/src/qemu.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+. samizdat-path.sh
+
+# iso=debian-live-8.4.0-amd64-gnome-desktop.iso
+# iso=debian-live-8.4.0-amd64-standard.iso
+# iso=debian-live-8.4.0-amd64-standard.btrfs.iso
+iso=${samizdat_iso_dir}/samizdat.iso
+disk=${samizdat_iso_dir}/debian-live-8.4.0-amd64-standard.btrfs.disk
+layered=${samizdat_iso_dir}/${iso%.iso}.layered.iso
+
+[ -f "$layered" ] && iso=$layered
+
+[ "$1" ] && iso=$1
+
+initrd.sh || { echo "initrd.sh failed" >&2; exit 1; };
+
+NET='tap,vlan=0,ifname=tap0,script=no,downscript=no'
+
+# To test local pxe boot server:
+# NET='user,tftp=isolinux,bootfile=/pxelinux.0'
+
+initrd=${samizdat_isolinux_dir}/linux/initrd.img
+kernel=${samizdat_isolinux_dir}/linux/vmlinuz
+kcmdline='boot=samizdat components quiet splash'
+
+sudo qemu-system-x86_64 -enable-kvm -smp 2 -m 640 -k en-us \
+     -vga qxl \
+     -net nic,vlan=0,model=virtio \
+     -net "$NET" \
+     -rtc base=localtime \
+     -cdrom "$iso" \
+     -hda "$disk" \
+     -initrd "$initrd" -kernel "$kernel" -append "$kcmdline"
diff --git a/src/samizdat-paths.sh b/src/samizdat-paths.sh
new file mode 100644
index 0000000..c437c5b
--- /dev/null
+++ b/src/samizdat-paths.sh
@@ -0,0 +1,5 @@
+samizdat_initrd_files_dir=/home/d/sami/src/initrd
+samizdat_execs_dir=/home/d/src/samizdat
+samizdat_child_dir=./child
+samizdat_isolinux_dir=/home/d/sami/isolinux
+PATH=${libexecdir}/${PACKAGE}/bin:${PATH}
diff --git a/src/var.sh b/src/var.sh
new file mode 100644
index 0000000..d0c7df5
--- /dev/null
+++ b/src/var.sh
@@ -0,0 +1,75 @@
+die()
+{
+    if [ "$*" ]; then
+        printf 'Error: %s\n' "$*" >&2
+    else
+        echo 'Error: fatal error' >&2
+    fi
+    exit 1
+}
+
+nosex()
+{
+    case $- in
+        *x*) set +x; "$@"; set -x;;
+        *) "$@";;
+    esac
+}
+
+_nonempty()
+{
+    printf '[ "${%s}" ] || die \"mandatory parameter is empty: %s\";\n' "$1" "$1"
+}
+
+_mandatory()
+{
+    printf '[ $# -ge %d ] || die \"mandatory parameter is missing: %s\";\n' "$2" "$1"
+}
+
+_assign()
+{
+    printf 'local %s="${%d}";\n' "$1" "$2"
+}
+
+_args()
+{
+    local v i=1 check="$1" assign="$2"
+    shift
+    shift
+    for v; do
+        $assign "$v" "$i"
+        $check "$v" "$i"
+        i=$((i+1))
+    done
+}
+
+_ARGS()
+{
+    echo eval "$(_args _mandatory _assign "$@")"
+}
+
+_ARGS_NONEMPTY()
+{
+    echo eval "$(_args _nonempty _assign "$@")"
+}
+
+_ARGS_OPTIONAL()
+{
+    echo eval "$(_args : _assign "$@")"
+}
+
+_NONEMPTY()
+{
+    echo eval "$(_args _nonempty : "$@")"
+}
+
+ARGS()          { nosex _ARGS "$@"; }
+ARGS_NONEMPTY() { nosex _ARGS_NONEMPTY "$@"; }
+ARGS_OPTIONAL() { nosex _ARGS_OPTIONAL "$@"; }
+NONEMPTY()      { nosex _NONEMPTY "$@"; }
+
+ARGS_NE() { ARGS_NONEMPTY "$@"; }
+
+if [ "${0#-}" = bash ]; then
+    export -f die _nonempty _mandatory _args ARGS ARGS_NONEMPTY ARGS_OPTIONAL
+fi
diff --git a/src/xorriso-layer.sh b/src/xorriso-layer.sh
new file mode 100755
index 0000000..7ce4776
--- /dev/null
+++ b/src/xorriso-layer.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+outdev=debian-live-8.4.0-amd64-standard.btrfs.layered.iso
+indev=debian-live-8.4.0-amd64-standard.btrfs.iso
+volid=SamizdatLive
+btrfs_layer_iso_path=live/layer%s.btrfs
+btrfs_layer_filesystem="$1"
+
+die() { printf '%s\n' "$*"; exit 1; }
+
+[ -f "$btrfs_layer_filesystem" ] || die "Usage: $0 <layer.btrfs> [layer2.btrfs ...]"
+
+i=0
+while [ $i -lt $# ]; do
+    arg=$1
+    [ $i -eq 0 ] && n='' || n=$((i + 1))
+    arg=$(printf "${btrfs_layer_iso_path}=%s" "$n" "$arg")
+    shift
+    set -- "$@" "$arg"
+    i=$((i + 1))
+done
+
+for arg; do echo "a=$arg"; done; exit;
+
+set -ex
+
+cp --reflink "$indev" "$outdev"~
+time xorriso \
+        -drive_class clear_list all \
+        -outdev "$outdev"~ -indev "$outdev"~ \
+        -report_about mishap \
+        -volid "$volid" \
+        -return_with sorry 0 \
+        -pathspecs on -overwrite on \
+        -add_plainly any \
+        "$@"
+
+mv -f "$outdev"~ "$outdev"
diff --git a/src/xorriso-usb.sh b/src/xorriso-usb.sh
new file mode 100644
index 0000000..61fcda0
--- /dev/null
+++ b/src/xorriso-usb.sh
@@ -0,0 +1,182 @@
+#!/bin/bash
+
+. samizdat-paths.sh || exit 1
+
+outdev=
+volid=SamizdatLive
+gpg_iso_path=gnupghome
+gnupghome=
+child_dir=$samizdat_child_dir
+vmlinuz_dir=$samizdat_isolinux_dir
+efi_dir=$samizdat_grub_efi_dir
+
+die() { printf "%s: Error: %s\n" "$0" "$*" >&2; exit 1; }
+
+TEMP="$(getopt -o '' --long adam,usb,detach,out:,test -n "$0" -- "$@")" ||
+    die 'getopt error'
+eval set -- "$TEMP"
+
+ADAM=; DETACH=; USB=
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --adam)   shift; ADAM=y;;
+        --usb)    shift; USB=y;;
+        --detach) shift; DETACH=y;;
+        --test)   shift; QUICK_TEST=y;;
+        --out)    CMDLINE_OUTDEV="$2"; shift 2;;
+        --)       shift; break;;
+        *) die 'getopt error';;
+    esac
+done
+
+if [ $# = 0 ]; then
+    set -- debian-live-8.4.0-amd64-standard.btrfs layer.btrfs
+fi
+
+for fs; do
+    [ -f "$fs" ] || die "not a file: $fs"
+    shift
+    set -- "$@" "rootfs/${fs##*/}=$fs"
+done
+
+
+whole_device()
+{
+    case "$1" in
+        *-part?) false ;;
+        *-part??) false ;;
+        *-part???) false ;;
+        */usb\*) false ;;
+        *) true ;;
+    esac
+}
+
+confirm_usb()
+{
+    local msg="This will completely overwrite device:\n\n\t%s\n\nType 'yes' to confirm.\nContinue? "
+    printf "$msg" "$1" >&2
+    read line
+    case "$line" in
+        [yY][eE][sS]) return ;;
+        *) die "Aborted by user." ;;
+    esac
+}
+
+choose_usb()
+{
+    local devs maj
+    set -- /dev/disk/by-id/usb*
+    for dev; do
+        shift
+        whole_device "$dev" || continue
+        set -- "$@" "$dev"
+    done
+    if [ $# = 0 ]; then
+        die "no usb device found"
+    elif [ $# = 1 ]; then
+        confirm_usb "$1" || die impossible
+        outdev="$1"
+    else
+        die "multiple USB devices connected and choice between them is unimplemented.  ($*)"
+    fi
+}
+
+choose_cdrom()
+{
+    die 'choose_cdrom: unimplemented'
+}
+
+choose_outdev()
+{
+    if [ "$CMDLINE_OUTDEV" ]; then
+        outdev=$CMDLINE_OUTDEV~
+        NEED_STDIO=y
+    elif [ "$USB" ]; then
+        choose_usb
+        NEED_STDIO=y
+    else
+        choose_cdrom
+        NEED_STDIO=
+    fi
+}
+
+generate_keys()
+{
+    if [ "$ADAM" ]; then
+        kiki init || die 'kiki init failed'
+        gnupghome=/root/.gnupg
+    else
+        keygen.sh "$child_dir" || die "keygen.sh failed"
+        gnupghome=$child_dir/root/.gnupg
+        trap 'umount "$child_dir"; rmdir "$child_dir"' EXIT
+    fi
+}
+
+
+[ "$(id -u)" = 0 ] || die "you are not root."
+
+grub-efi.sh || die "grub-efi.sh failed"
+
+choose_outdev
+
+generate_keys
+
+if [ "$INPUT_DEVICE" ]; then
+    REPLACE_INITRD=
+    REMOVE_BTRFS=
+    ADD_BTRFS=
+else
+    REPLACE_INITRD=y
+    REMOVE_BTRFS=y
+    ADD_BTRFS=y
+fi
+
+if [ "$QUICK_TEST" ]; then
+    REMOVE_BTRFS=y
+    ADD_BTRFS=
+fi
+
+if [ "$REPLACE_INITRD" ]; then
+    initrd.sh
+fi
+
+(set -x
+xorriso \
+        ${INPUT_DEVICE:+ -indev "$INPUT_DEVICE" } \
+        -outdev ${NEED_STDIO:+stdio:}"$outdev" \
+        -blank as_needed \
+        -report_about mishap \
+        -return_with sorry 0 \
+        -volid "$volid" \
+        -pathspecs on \
+        \
+        \
+        ${REPLACE_INITRD:+ -rm_r linux -- -add linux="${vmlinuz_dir}" -- } \
+        ${REMOVE_BTRFS:+   -rm_r btrfs -- } \
+        ${ADD_BTRFS:+      -follow link -add "$@" -- -follow default } \
+        \
+        \
+        -rm_r "${gpg_iso_path}" -- \
+        -add "${gpg_iso_path}=${gnupghome}" -- \
+        \
+        \
+        -chown_r 0 / -- \
+        -chgrp_r 0 / -- \
+        -chmod_r go-rwx "${gpg_iso_path}" -- \
+        \
+        \
+        -as mkisofs -graft-points \
+        -b grub/i386-pc/eltorito.img  \
+        -no-emul-boot -boot-info-table \
+        --embedded-boot "${efi_dir}"/embedded.img \
+        --protective-msdos-label \
+        grub="${efi_dir}"/grub
+) || die "xorriso exited $?"
+
+case "$outdev" in
+    *~) [ -f "$outdev" ] && mv "$outdev" "${outdev%\~}" ;;
+esac
+
+if [ "$USB" -a "$DETACH" -a $? = 0 ]; then
+    udisks --detach "$outdev"
+fi
diff --git a/src/xorriso.sh b/src/xorriso.sh
new file mode 100755
index 0000000..5068d4b
--- /dev/null
+++ b/src/xorriso.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+outdev=samizdat.iso
+indev=debian-live-8.4.0-amd64-standard.iso
+volid=SamizdatLive
+gpg_iso_path=gnupghome
+gnupghome=gnupghome
+secrets=secrets
+
+if [ $# = 0 ]; then
+    set -- debian-live-8.4.0-amd64-standard.btrfs layer.btrfs
+fi
+
+for fs; do
+    [ -f "$fs" ] || exit 1
+    shift
+    set -- "$@" "rootfs/${fs##*/}=$fs"
+done
+
+die() { printf '%s\n' "$*"; exit 1; }
+
+make_gnupghome()
+{
+  [ -d "$gnupghome" ] && return
+  local reset=$-
+  set -e
+  [ ! -d "$gnupghome".tmp ] || die "Error: refusing to overwrite $gnupghome.tmp"
+  [ ! -d "$secrets".tmp   ] || die "Error: refusing to overwrite $secrets.tmp"
+  mkdir -p "$gnupghome".tmp "$secrets".tmp
+  local PATH="$HOME"/src/samizdat/src:"$PATH" NO_USE_RAMFS=y
+  NEW_GNUPGHOME="$gnupghome".tmp SECRETS_DIRECTORY="$secrets".tmp ~/src/samizdat/src/samizdat-make-key --adam
+  mv "$secrets".tmp "$secrets"
+  mv "$gnupghome".tmp "$gnupghome"
+  set -$reset
+}
+
+make_gnupghome
+
+if [ grub-efi.sh -nt grub-efi ]; then
+    ./grub-efi.sh || die "Error: grub-efi.sh failed"
+fi
+
+set -ex
+
+xorriso \
+        -drive_class clear_list all \
+        -outdev "$outdev"~ \
+        -report_about mishap \
+        -return_with sorry 0 \
+        -volid "$volid" \
+        -pathspecs on \
+        \
+        \
+        -add "${gpg_iso_path}=${gnupghome}" -- \
+        -add linux=isolinux/linux -- \
+        -follow link -add "$@" -- -follow default \
+        \
+        \
+        -as mkisofs -graft-points \
+        -b grub/i386-pc/eltorito.img  \
+        -no-emul-boot -boot-info-table \
+        --embedded-boot grub-efi/embedded.img \
+        --protective-msdos-label \
+        grub=grub-efi/grub
+
+mv -f "$outdev"~ "$outdev"
diff --git a/src/xorriso.test-efi.sh b/src/xorriso.test-efi.sh
new file mode 100755
index 0000000..3591528
--- /dev/null
+++ b/src/xorriso.test-efi.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+outdev=samizdat.iso
+indev=debian-live-8.4.0-amd64-standard.iso
+volid=SamizdatLive
+gpg_iso_path=gnupghome
+gnupghome=gnupghome
+secrets=secrets
+
+if [ $# = 0 ]; then
+    set -- debian-live-8.4.0-amd64-standard.btrfs layer.btrfs
+fi
+
+for fs; do
+    [ -f "$fs" ] || exit 1
+    shift
+    set -- "$@" "rootfs/${fs##*/}=$fs"
+done
+
+die() { printf '%s\n' "$*"; exit 1; }
+
+make_gnupghome()
+{
+  [ -d "$gnupghome" ] && return
+  local reset=$-
+  set -e
+  [ ! -d "$gnupghome".tmp ] || die "Error: refusing to overwrite $gnupghome.tmp"
+  [ ! -d "$secrets".tmp   ] || die "Error: refusing to overwrite $secrets.tmp"
+  mkdir -p "$gnupghome".tmp "$secrets".tmp
+  local PATH="$HOME"/src/samizdat/src:"$PATH" NO_USE_RAMFS=y
+  NEW_GNUPGHOME="$gnupghome".tmp SECRETS_DIRECTORY="$secrets".tmp ~/src/samizdat/src/samizdat-make-key --adam
+  mv "$secrets".tmp "$secrets"
+  mv "$gnupghome".tmp "$gnupghome"
+  set -$reset
+}
+
+make_gnupghome
+
+if [ grub-efi.sh -nt grub-efi ]; then
+    ./grub-efi.sh || die "Error: grub-efi.sh failed"
+fi
+
+set -ex
+
+xorriso \
+        -drive_class clear_list all \
+        -outdev "$outdev"~ \
+        -report_about mishap \
+        -return_with sorry 0 \
+        -volid "$volid" \
+        -pathspecs on \
+        \
+        \
+        -add "${gpg_iso_path}=${gnupghome}" -- \
+        -add linux=isolinux/linux -- \
+        \
+        \
+        -as mkisofs -graft-points \
+        -b grub/i386-pc/eltorito.img  \
+        -no-emul-boot -boot-info-table \
+        --embedded-boot grub-efi/embedded.img \
+        --protective-msdos-label \
+        grub=grub-efi/grub
+
+mv -f "$outdev"~ "$outdev"