Yocto - Building initramfs to run a shell script for the support of IMA/EVM

Yocto - Building initramfs to run a shell script for the support of IMA/EVM

[Eswaran Vinothkumar (BEG-PT/PJ-IOT1)]

[-- Attachment #1: Type: text/plain, Size: 1360 bytes --]

Hello Yocto community developers,

I am currently working on the task of porting an existing build system to Yocto to create customized Linux distribution for an embedded product. I have successfully created a bare box image, the kernel and root file system image and the system startup is working fine.

I am now investigating on creating the initramfs using Yocto and have gone through the Yocto documents for the same.

Adding the options :
INITRAMFS_FSTYPES = "cpio.gz"
INITRAMFS_IMAGE = "custom-initramfs"  --> my recipe which inherited core-image.bb recipe

Results in the creation of 'custom-image-20170120105621.rootfs.cpio.gz' file.

We are using initramfs to run a script which before mounting the root file system checks for ima policy and also responsible for loading the evm-keys. In short, the initramfs contains a script which is executed before mounting the main root file system. So I think I need to follow a different procedure than the one I mentioned above for my use case. Also we are using systemd as the init system and for the initramfs I don't need sysv or systemd as all I will do is running a script in initramfs.

Is there a better way of creating this structure in Yocto, any information would be helpful.


Mit freundlichen Grüßen / Best regards

Vinothkumar Eswaran
BEG-PT/PJ-IOT1

Tel. +49(7062)911-02


[-- Attachment #2: Type: text/html, Size: 5648 bytes --]

Re: Yocto - Building initramfs to run a shell script for the support of IMA/EVM

[Rick Altherr]

[-- Attachment #1: Type: text/plain, Size: 2346 bytes --]

Did you look at
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-core/images/core-image-minimal-initramfs.bb?
You do want to use the core-image class but some of the variables need to
be adjusted to build an initramfs.  OpenBMC does something similar to what
you are describing with their obmc-phosphor-initramfs (
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/common/recipes-phosphor/images/obmc-phosphor-initramfs.bb)
that does a few things like applying staged rootfs updates before mounting
the rootfs.

On Fri, Jan 20, 2017 at 4:44 AM, Eswaran Vinothkumar (BEG-PT/PJ-IOT1) <
Vinothkumar.Eswaran@de.bosch.com> wrote:

> Hello Yocto community developers,
>
>
>
> I am currently working on the task of porting an existing build system to
> Yocto to create customized Linux distribution for an embedded product. I
> have successfully created a bare box image, the kernel and root file system
> image and the system startup is working fine.
>
>
>
> I am now investigating on creating the initramfs using Yocto and have gone
> through the Yocto documents for the same.
>
>
>
> Adding the options :
>
> INITRAMFS_FSTYPES = "cpio.gz"
>
> INITRAMFS_IMAGE = "custom-initramfs"  à my recipe which inherited
> core-image.bb recipe
>
>
>
> Results in the creation of ‘custom-image-20170120105621.rootfs.cpio.gz’
> file.
>
>
>
> We are using initramfs to run a script which before mounting the root file
> system checks for ima policy and also responsible for loading the evm-keys.
> In short, the initramfs contains a script which is executed before mounting
> the main root file system. So I think I need to follow a different
> procedure than the one I mentioned above for my use case. Also we are using
> systemd as the init system and for the initramfs I don’t need sysv or
> systemd as all I will do is running a script in initramfs.
>
>
>
> Is there a better way of creating this structure in Yocto, any information
> would be helpful.
>
>
>
>
>
> Mit freundlichen Grüßen / Best regards
>
>
>
> *Vinothkumar Eswaran BEG-PT/PJ-IOT1 *
> Tel. +49(7062)911-02 <+49%207062%2091102>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
>

[-- Attachment #2: Type: text/html, Size: 5715 bytes --]

Re: Yocto - Building initramfs to run a shell script for the support of IMA/EVM

[Patrick Ohly]

On Fri, 2017-01-20 at 12:44 +0000, Eswaran Vinothkumar (BEG-PT/PJ-IOT1)
wrote:
> We are using initramfs to run a script which before mounting the root
> file system checks for ima policy and also responsible for loading the
> evm-keys. In short, the initramfs contains a script which is executed
> before mounting the main root file system.

Ostro OS does the same, with IMA activated via a plugin for the
initramfs-framework (a set of scripts in OE-core).

meta-integrity:
https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity

IMA plugin:
https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity/recipes-core/initrdscripts

Full initramfs using this is ostro-initramfs.bb in:
https://github.com/ostroproject/ostro-os/tree/master/meta-ostro/recipes-image/images

Perhaps this will give you some ideas how to do this, or can even be
used as-is?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: Yocto - Building initramfs to run a shell script for the support of IMA/EVM

[Jeremy Thien]

[-- Attachment #1: Type: text/plain, Size: 1646 bytes --]

I suggest the debug-iniramfs-image from meta-openembedded/meta-initramfs.

On Sun, Jan 22, 2017, 6:42 AM Patrick Ohly <patrick.ohly@intel.com> wrote:

> On Fri, 2017-01-20 at 12:44 +0000, Eswaran Vinothkumar (BEG-PT/PJ-IOT1)
> wrote:
> > We are using initramfs to run a script which before mounting the root
> > file system checks for ima policy and also responsible for loading the
> > evm-keys. In short, the initramfs contains a script which is executed
> > before mounting the main root file system.
>
> Ostro OS does the same, with IMA activated via a plugin for the
> initramfs-framework (a set of scripts in OE-core).
>
> meta-integrity:
> https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity
>
> IMA plugin:
>
> https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity/recipes-core/initrdscripts
>
> Full initramfs using this is ostro-initramfs.bb in:
>
> https://github.com/ostroproject/ostro-os/tree/master/meta-ostro/recipes-image/images
>
> Perhaps this will give you some ideas how to do this, or can even be
> used as-is?
>
> --
> Best Regards, Patrick Ohly
>
> The content of this message is my personal opinion only and although
> I am an employee of Intel, the statements I make here in no way
> represent Intel's position on the issue, nor am I authorized to speak
> on behalf of Intel on this matter.
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
-- 
Jeremy Thien
Adtec Digital
adtecdigital.com
jeremy.thien@adtecdigital.net

[-- Attachment #2: Type: text/html, Size: 3582 bytes --]

Re: Yocto - Building initramfs to run a shell script for the support of IMA/EVM

[Jeremy Thien]

[-- Attachment #1: Type: text/plain, Size: 1954 bytes --]

Sorry, mangled the name. It should be initramfs-debug-image. It is very
simple, but you have to handle switch root yourself.

On Mon, Jan 23, 2017 at 9:08 AM Jeremy Thien <jeremyt@adtecinc.com> wrote:

> I suggest the debug-iniramfs-image from meta-openembedded/meta-initramfs.
>
> On Sun, Jan 22, 2017, 6:42 AM Patrick Ohly <patrick.ohly@intel.com> wrote:
>
> On Fri, 2017-01-20 at 12:44 +0000, Eswaran Vinothkumar (BEG-PT/PJ-IOT1)
> wrote:
> > We are using initramfs to run a script which before mounting the root
> > file system checks for ima policy and also responsible for loading the
> > evm-keys. In short, the initramfs contains a script which is executed
> > before mounting the main root file system.
>
> Ostro OS does the same, with IMA activated via a plugin for the
> initramfs-framework (a set of scripts in OE-core).
>
> meta-integrity:
> https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity
>
> IMA plugin:
>
> https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity/recipes-core/initrdscripts
>
> Full initramfs using this is ostro-initramfs.bb in:
>
> https://github.com/ostroproject/ostro-os/tree/master/meta-ostro/recipes-image/images
>
> Perhaps this will give you some ideas how to do this, or can even be
> used as-is?
>
> --
> Best Regards, Patrick Ohly
>
> The content of this message is my personal opinion only and although
> I am an employee of Intel, the statements I make here in no way
> represent Intel's position on the issue, nor am I authorized to speak
> on behalf of Intel on this matter.
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
> --
> Jeremy Thien
> Adtec Digital
> adtecdigital.com
> jeremy.thien@adtecdigital.net
>
-- 
Jeremy Thien
Adtec Digital
adtecdigital.com
jeremy.thien@adtecdigital.net

[-- Attachment #2: Type: text/html, Size: 4629 bytes --]