From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 6/6] secureboot: Prevent getting shell on panic
Date: Fri, 22 Apr 2022 09:47:38 +0200
Message-ID: <4eaa5df2b217c0afa9e21c1f7adb4f189f54e4fc.1650613658.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1650613658.git.jan.kiszka@siemens.com>

From: Jan Kiszka <jan.kiszka@siemens.com>

On panic, initramfs-tools opens up a shell unless panic=X is set on the
kernel command line. Fix that because such a shell could break the chain
of trust.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index affa299..4a0e987 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -12,4 +12,4 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
 part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
 
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5"
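Review bot: the value 5 in `panic=5` appears without rationale; the commit message only states that a `panic=X` setting suppresses the initramfs-tools shell, not why this particular timeout was chosen or what happens after it elapses. A short note in the commit message (or an inline comment in the .wks.in next to the `bootloader` line) explaining the chosen value would make it clear to later readers that the number is deliberate and not to be tuned away. Also worth stating explicitly is that this hunk only changes `qemu-amd64-efibootguard-secureboot.wks.in`, so any other secure-boot image description that builds the kernel command line the same way still has the behaviour the message describes as breaking the chain of trust.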
-- 
2.34.1