From 42f0b3ff9b9e71da74ddca1b41f3f04787d571c4 Mon Sep 17 00:00:00 2001
From: Andrew Cady <d@jerkface.net>
Date: Tue, 28 Mar 2017 09:30:51 -0400
Subject: Implement boot parameter "netkeys"

This allows the keys to be loaded from the boot medium even when the
root filesystem is loaded over the network.  I.e., specifying nbdroot=
no longer implies that the keys will be loaded over the network.

The ISO images generated by xorriso-usb.sh will not specify 'netkeys' so
the keys on the USB stick will be used.

The idea is that after install, the network should not be needed at
all; but that requires using a new mechanism instead of the nbdroot=
parameter, to determine dynamically whether to use a network root fs
device.

Currently, the network is still needed to boot a device that has its
root fs on the local disk and the keys on the boot medium, even though
no data is fetched from the NBD server.

You can force the machine to boot by going to the initramfs shell and
running:

  for n in $(seq 1 20); do killall ipconfig; done

Otherwise it blocks waiting for the network.
---
 initramfs-tools/scripts/samizdat | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)

(limited to 'initramfs-tools/scripts/samizdat')

diff --git a/initramfs-tools/scripts/samizdat b/initramfs-tools/scripts/samizdat
index 0c511e8..b1752cd 100644
--- a/initramfs-tools/scripts/samizdat
+++ b/initramfs-tools/scripts/samizdat
@@ -7,28 +7,48 @@ mountroot()
   samizdat_install_udev_rules
   mkfifo "$MENUFIFO"
 
-  # Note: this blocks waiting for the network
   if [ "${nbdroot%%,*}" ]; then
-    try_nbd
+    # I guess this isn't getting called otherwise? I don't know why this should
+    # be necessary, but it is.
+    sh /scripts/local-top/nbd >/dev/null 2>&1
   fi
 
+  if keys_via_network; then
+    wait_for_gnupghome_tar "$tftp_key_server"
+  fi
+  bootwait samizdat-gpg
   bootmenu
   bootwait root-mounted
   chvt 1
 }
 
-try_nbd()
+# Sets $tftp_key_server or returns false.
+keys_via_network()
 {
-  sh /scripts/local-top/nbd >/dev/null 2>&1 & # I guess this isn't getting called otherwise?
-  wait_for_gnupghome_tar
-  (. common.sh && force_grok_block)
+    [ "${nbdroot%%,*}" ] || return
+    local arg cmdline
+    read cmdline < /proc/cmdline
+    for arg in $cmdline; do
+        case "$arg" in
+            netkeys)
+                tftp_key_server="${nbdroot%%,*}"
+                return 0
+            ;;
+            netkeys=*)
+                tftp_key_server="${arg#netkeys=}"
+                return 0
+            ;;
+        esac
+    done
+    return 1
 }
 
 wait_for_gnupghome_tar()
 {
+  local tftp_server="$1"
   [ -e /gnupghome.tar ] && return
   echo -n Waiting to receive GPG keys through the network...
-  (while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ ${nbdroot%%,*} 2>/dev/null; do
+  (while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ "$tftp_server" 2>/dev/null; do
     sleep 1;
     echo -n .
   done
-- 
cgit v1.2.3