From: "Jan Kiszka" <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org, Michael Adler <michael.adler@siemens.com>
Subject: Re: [cip-dev] [PATCH 1/1] Secureboot: Disable initramfs debug shell
Date: Fri, 19 Mar 2021 09:57:28 +0100
Message-ID: <9cb77dff-97da-0ada-37c0-5f10fd703425@siemens.com>
In-Reply-To: <20210319072036.16091-2-michael.adler@siemens.com>

On 19.03.21 08:20, Michael Adler wrote:
> This closes a loophole introduced by the initramfs debug shell which is
> enabled by default:
> 
> "The initramfs-tools package includes a debug shell in the initrds it
> generates. If for example the initrd is unable to mount your root file
> system, you will be dropped into this debug shell which has basic
> commands available to help trace the problem and possibly fix it." [1]
> 
> [1] https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#recovery-initrd
> 
> Signed-off-by: Michael Adler <michael.adler@siemens.com>
> ---
>  wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++
>  wic/qemu-amd64-efibootguard.wks            | 2 ++
>  wic/simatic-ipc227e-efibootguard.wks       | 2 ++
>  wic/swupdate-partition.inc                 | 2 --
>  4 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
> index 9ccf501..ff351db 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks
> @@ -7,3 +7,5 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
>  part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>  
>  include swupdate-partition.inc
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
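
Review bot: `panic=0` at the end of the added `bootloader` line is the only thing that distinguishes this command line from the one the other images get, and neither the file nor the commit message says that it is the switch that disables the initramfs debug shell. Please add a `#` comment above the `bootloader` entry stating why `panic=0` is there, so it is not dropped as a stray option in a later cleanup. The commit message could also say what the system does instead of opening the shell when the root file system cannot be mounted.
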
> diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
> index a9a8446..6653068 100644
> --- a/wic/qemu-amd64-efibootguard.wks
> +++ b/wic/qemu-amd64-efibootguard.wks
> @@ -2,3 +2,5 @@
>  # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
>  include ebg-sysparts.inc
>  include swupdate-partition.inc
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
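
Review bot: the `bootloader` line added here is identical to the one added to wic/simatic-ipc227e-efibootguard.wks and to the one removed from wic/swupdate-partition.inc, so the shared `console=`, `rootwait` and `earlyprintk` settings now live in three .wks files that have to be kept in sync by hand. Consider keeping the common line in an include used by the two non-secureboot images and giving only the secureboot image its own line.
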
> diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
> index 74446d3..f6191bc 100644
> --- a/wic/simatic-ipc227e-efibootguard.wks
> +++ b/wic/simatic-ipc227e-efibootguard.wks
> @@ -3,3 +3,5 @@
>  
>  include ebg-sysparts.inc
>  include swupdate-partition.inc
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
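
Review bot: this is the only non-QEMU image touched, and its added `bootloader` line has no `panic=0`, so the debug shell described in the commit message stays enabled on it. If that is intentional because this target is not a secure boot image, please say so in the commit message; otherwise the line here needs the same parameter as the one in wic/qemu-amd64-efibootguard-secureboot.wks.
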
> diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
> index 15fbe80..7bec9d7 100644
> --- a/wic/swupdate-partition.inc
> +++ b/wic/swupdate-partition.inc
> @@ -1,4 +1,2 @@
>  part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M   --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4
>  part  --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M   --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4
> -
> -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
> 
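
Review bot: removing the `bootloader` line from this include changes every .wks that pulls in swupdate-partition.inc, but the diffstat shows only three of them getting a replacement line. Please confirm that no other image includes this file; one that does would silently lose both `--ptable gpt` and the kernel command line.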

Thanks, applied.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
