anatol / booster
Fast and secure initramfs generator
License: MIT License
Trying booster in Arch with zen kernel - no config files. The boot process hangs when trying to enter gnome shell. I get

```
gnome-session-binary[527]: Unrecoverable failure in required component org.gnome.Shell.desktop
```

in the journal. It does not happen when I use images from mkinitcpio. I can provide further info upon request.
EDIT: I realised that this is caused by not loading the amdgpu module. Same happens with mkinitcpio. However, if I include amdgpu to booster, it just does not boot.
With booster 0.2-1 on arch, running `booster` fails with `module virtio_pci does not exist`.
In case it helps, here is the output of `booster -debug`:
```
2021/02/17 16:38:34 module virtio_pci does not exist
```
Add an option for xz image compression.
Golang has 2 xz libraries:
- one with Reader functionality only, currently used to unpack modules
- ulikunitz/xz with Writer(), but its Reader path is slower (ulikunitz/xz#23)
Images compressed with https://github.com/ulikunitz/xz are not unpacked correctly with Arch kernel for some reason. Figure out why.
Per comments at reddit lz4 compression is quite popular for modules and image compression. Booster should be able to handle this compression algorithm as well.
Is there a way to keep systemd integration optional? I know that Arch uses systemd, but not all distros have it available.
This would enable popular distros like Alpine and Void that target musl libc to work with booster.
Distro: Arch Linux
Version: booster-git
Fails to boot if rootflags=noatime.
The options section for systemd-boot is

```
options root=/dev/sda2 rw rootflags=subvol=@,compress=zstd,noatime quiet nowatchdog video=DP-1:e drm.edid_firmware=DP-1:edid/edid.bin random.trust_cpu=on
```

If I remove noatime, it succeeds to boot and is mounted with

```
/dev/sda2 on / type btrfs (rw,noatime,compress=zstd:3,space_cache,subvolid=1113,subvol=/@)
```

instead of relatime.
I think mount options are not changed since I use a blank fstab.
The `devAdd: cannot detect block type` message appears even when the boot succeeds.
systemd dbus api has a property InitRDTimestampMonotonic which provides the initrd boot timing information, when using supported initrd images such as those generated by mkinitcpio, for utilities like systemd-analyze to report.
I'm not totally sure what is required here, but I believe https://systemd.io/INITRD_INTERFACE/ may be relevant. Including a (possibly empty) /etc/initrd-release in the image may be all that is needed.
Does not load the keymap specified in /etc/vconsole.conf. This is problematic in LUKS when combining a password with special characters and a non-US keyboard.
Analogous are sd-vconsole in mkinitcpio and rd.vconsole in dracut.
With vfio-pci.ids=1002:67df,1002:aaf0 secondary GPU should not be activated.
There is one use-case of a remote unlock that might be worth implementing at the booster side.
A remote host boots and reaches a locked root partition. At this point, initrd hangs and waits until the administrator enters the password. As this server is remote, there is no way to enter the password using a keyboard. Instead, the host expects the password to be passed over the network.
Some initrd implementations have plugins to bring up an ssh server at initrd stage, e.g. mkinitcpio-dropbear. Setting up an sshd daemon brings a lot of complexity to initramfs. It requires a full network setup, probably systemd/udev, the sshd server itself. Complexity is the enemy of maintainability. Complexity is the enemy of security. It would be great to implement the same use case with a simpler architecture.
In fact, booster already allows unlocking drives remotely with Tang technology. Tang is a simple two-message protocol to derive keys securely over an insecure communication channel. It makes a lot of sense to reuse it. But instead of having a Tang server we need the initramfs to stop and wait for messages. Then the administrator contacts the remote host and executes the ECMR key exchange as a normal Tang client does.
Here is what the unlock would look like:

```
booster unlock server1.mycompany.com ./secret.key
```
Securing the initramfs via

```
/usr/bin/sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/booster-linux.img /boot/booster-linux.img
```

returns `Invalid DOS header magic`.
Currently booster generates zstd-compressed initramfs files. zstd compression is supported by the Linux kernel since version 5.9. But older kernels (like Arch Linux linux-lts) need gz-compressed files.
Add support for gz compression. Add a configuration option for the compression used.
Arch Linux
booster-git
systemd-boot
System on cryptoluks (btrfs) with separate boot partition (fat32) where the linux image and efi files are.
I use rsync to copy the whole system to a non-encrypted partition, and after recreating the image it boots fine, but with the encrypted one it's always this:
my /boot/loader/entries/arch.conf

```
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /booster-linux.img
options rd.luks.name=ff64c852-9a56-ayd1-vf2d-072aff6652s0=arch root=/dev/mapper/arch
```
Arch's 5.11.2 kernel has ~29K module aliases. booster generator tries to match all devices against all the aliases. So it has to call the `path.Match` function about one million times. And `path.Match` is not particularly fast.
As a result ~70% of an image generation time is spent in the `matchAlias` function. Optimize this codepath. Maybe we can sort the aliases somehow and then quickly pre-match using some fast string comparison?
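One way to do the cheap pre-match, as an added example that is not booster's code: every glob matches only strings that begin with its literal prefix (the part before the first `*`, `?`, `[` or `\`), so aliases are grouped by that prefix and a modalias is handed to `path.Match` only for the groups whose prefix it actually starts with. The alias table below is constructed and illustrative, not a real modules.alias.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// ModuleAlias is one "alias <pattern> <module>" entry from modules.alias.
type ModuleAlias struct {
	Pattern string // kernel-style glob, evaluated with path.Match as booster does
	Module  string
}

// sampleAliases is a constructed, shortened stand-in for the ~29K entries of a
// real modules.alias; the patterns follow the real format but are illustrative.
var sampleAliases = []ModuleAlias{
	{"pci:v00001B21d00000612sv*sd*bc*sc*i*", "ahci"},
	{"pci:v*d*sv*sd*bc0Csc03i30*", "xhci_pci"},
	{"usb:v1D6Bp0002d*dc*dsc*dp*ic*isc*ip*in*", "usbcore"},
	{"virtio:d00000001v*", "virtio_net"},
	{"platform:iTCO_wdt", "iTCO_wdt"},
	{"acpi*:PNP0C0F:*", "pnp_acpi"},
}

// literalPrefix returns the part of a glob before its first metacharacter.
// Every string the glob can match necessarily starts with this prefix.
func literalPrefix(pattern string) string {
	if i := strings.IndexAny(pattern, `*?[\`); i >= 0 {
		return pattern[:i]
	}
	return pattern
}

// AliasIndex groups aliases by literal prefix so that a modalias is only
// glob-matched against entries whose prefix it actually starts with.
type AliasIndex struct {
	byPrefix map[string][]ModuleAlias
}

func NewAliasIndex(aliases []ModuleAlias) *AliasIndex {
	idx := &AliasIndex{byPrefix: make(map[string][]ModuleAlias)}
	for _, a := range aliases {
		p := literalPrefix(a.Pattern)
		idx.byPrefix[p] = append(idx.byPrefix[p], a)
	}
	return idx
}

// Match returns the sorted set of modules whose alias matches modalias and the
// number of path.Match calls that were needed. Candidates come from looking up
// every prefix of modalias, including the empty one (patterns that begin with
// a wildcard), so the result is identical to the brute-force scan.
func (idx *AliasIndex) Match(modalias string) (modules []string, globCalls int) {
	seen := make(map[string]bool)
	for l := 0; l <= len(modalias); l++ {
		for _, a := range idx.byPrefix[modalias[:l]] {
			globCalls++
			if ok, err := path.Match(a.Pattern, modalias); err == nil && ok && !seen[a.Module] {
				seen[a.Module] = true
				modules = append(modules, a.Module)
			}
		}
	}
	sort.Strings(modules)
	return modules, globCalls
}

// MatchBruteForce is the reference behaviour: one path.Match per alias.
func MatchBruteForce(aliases []ModuleAlias, modalias string) (modules []string, globCalls int) {
	seen := make(map[string]bool)
	for _, a := range aliases {
		globCalls++
		if ok, err := path.Match(a.Pattern, modalias); err == nil && ok && !seen[a.Module] {
			seen[a.Module] = true
			modules = append(modules, a.Module)
		}
	}
	sort.Strings(modules)
	return modules, globCalls
}

func main() {
	idx := NewAliasIndex(sampleAliases)
	for _, m := range []string{
		"pci:v00001B21d00000612sv00001849sd00000612bc01sc06i01",
		"pci:v00008086d00008C31sv00001849sd00008C31bc0Csc03i30",
		"platform:iTCO_wdt",
	} {
		fast, n := idx.Match(m)
		_, total := MatchBruteForce(sampleAliases, m)
		fmt.Printf("%s -> %v (%d of %d globs evaluated)\n", m, fast, n, total)
	}
}
```

The lookup of every prefix costs O(len(modalias)) map probes per device, which is cheap next to the tens of thousands of glob evaluations it replaces; patterns starting with a wildcard still fall into the empty-prefix bucket and are always evaluated.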
Currently I'm facing the issue where my kernel booted on the arch linux iso is old and the standard Linux kernel. On my install it shows up as the old regular kernel but I've installed the zen kernel on my system.
I'm trying to install arch linux using luks with lvm and booster for the initramfs. On boot I get the following error /usr/lib/modules/5.11.4-arch1-1/luks.ko
I've had similar errors with both the lts and zen kernels as well.
Any idea why I get these errors and how to fix them?
There are situations when root filesystem mount failed (incorrect boot params, bug in booster, timeout issue with networks, ...). Currently booster either panics or hangs forever.
But it would be great if a user is able to inspect the machine and check what is going on. Or mount/switch to the root fs manually.
We need a way to add shell + utils (such as busybox optimized for size) and then switch to this emergency shell if something is going wrong.
We also need to preserve the debug log and store it under /run/booster/debug.log so users will be able to copy it to a USB storage for further investigation.
It would be nice if something like the encrypt hook's cryptkey or sd-encrypt's rd.luks.key was supported, allowing for the root partition to be unlocked with a key file.
More info: https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#rd.luks.key
Booster currently supports identifying root fs with UUID, but it could be improved to use a variety of identifiers.
Looking around, systemd's fstab-generator supports LABEL, UUID, PARTUUID, and PARTLABEL. Support for those four would be great.
Linux also supports PARTUUID/PARTNROFF among others, which could be useful.
```
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /booster.img
options root=PARTUUID=xxxxxxxxxxxxxxxxxxxxxx rootfstype=f2fs rw sysrq_always_enabled=1 quiet nowatchdog module_blacklist=iTCO_wdt mitigations=off numa=off
```
Despite having `quiet` in my kernel command line I get the following message twice during boot:

```
devAdd: cannot detect block device type
```
Both are due to ntfs partitions (which booster does not support), but these messages should not be shown when booting quietly anyway.
I undertook a fresh install of Arch Linux on a spare Supermicro server, including Booster 0.2-1 from the official Arch binary packages during pacstrap and a LUKS encrypted partition. Booster was configured for DHCP networking during the arch-chroot stage. The DHCP server returns a DNS server on the same subnet.
The initial reboot was successful and Tang-based unlocking was then configured using `clevis luks bind -d /dev/sda2 tang '{"url": "http://cwdsrrkms1.acegi.com.au"}'` (this host is on the same subnet as the host; ie no gateway is required). After rebooting the following kernel panic was displayed:
This server includes an Intel 10-Gigabit X540-AT2 (ensf30) card in addition to the inbuilt Intel I350 Gigabit Network Controller on the motherboard.
Following the above failed boot I restarted with a live image, disabled the network in /etc/booster.yaml, reinstalled Booster, and rebooted without issue.
Any thoughts on how to overcome the kernel panic?
Binary size is reduced by adding -ldflags=-buildid= to PKGBUILD, and it is needed for a reproducible build.
Some users have multiple kernels installed. Booster handles them by generating images for all the kernels. It uses the /etc/booster.yaml config for all the images. But there are cases when one would want to have different config options for different kernels. For example linux-lts based on Linux 5.4 does not support zstd compression and needs to use something like gzip, while a newer kernel could use zstd compression.
Add possibility to overwrite variant-specific config options. One proposal is to have an additional configuration section something like

```yaml
compression: zstd # default value
...
variant:
  linux-lts:
    compression: gzip # overwrites the option for this particular variant
    modules: ...
```
Forking discussion off #17
If fstab contains btrfs with subvolumes then there is some boot issue. booster itself seems fine, it detects rootfs, mounts it and launches systemd. But then systemd fails to boot properly.
It would be useful to add support for initramfs inspection to the booster command. It can look like `booster ls $booster.img` and `booster cat $booster.img:/somefile`.
For consistency we should add a sub-command for generating an image, `booster gen`, that is going to be an equivalent for the current booster invocation without any subcommands.
Hi,
the doc only describes updating systemd-boot, but does this work with grub as well? What do I have to do to make it work? When I run grub-mkconfig it doesn't find the new booster images. They are present in the /boot folder though.
Regards
Currently, early microcode updates are supported by booting the kernel with two initrds: a microcode image followed by booster's image.
But with 3.5M, the intel-ucode.img image is quite large. When not creating a universal image, booster could create its own early image with unneeded microcode code stripped. For my system, the stripped image is just 104k in size.
This can be done by running something equivalent to this command:

```
bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb --scan-system --write-earlyfw=/tmp/iucode-stripped.img -
```
The final booster image that's created now just has to be appended as is to create a final bootable image.
Since the AMD ucode image is just 40K, stripping shouldn't be necessary and the image can just be prepended as-is.
Some people might prefer having offline help for the booster tool. We need to have a manpage for booster.
There is a race condition between reading udev events and closing udev reader. If we close udev reader in cleanup() while the udev goroutine tries to read events then the reader returns an error that panics inside bufio.fill():
```
panic: bufio: reader returned negative count from Read
goroutine 6 [running]:
bufio.(*Reader).fill(0xc000070f68)
	/usr/lib/go/src/bufio/bufio.go:103 +0x1dd
bufio.(*Reader).ReadSlice(0xc000070f68, 0x0, 0xc, 0x7f6718544c28, 0xc0003c42f0, 0x0, 0xab0fc0)
	/usr/lib/go/src/bufio/bufio.go:360 +0x3d
bufio.(*Reader).collectFragments(0xc000070f68, 0xc000070d00, 0x40d610, 0xc00006b440, 0x30, 0x30, 0x823120, 0xc00005c960, 0x60, 0x7f671854e308, ...)
	/usr/lib/go/src/bufio/bufio.go:435 +0x7a
bufio.(*Reader).ReadString(0xc000070f68, 0xc00005c900, 0x7, 0x0, 0xc00011a9d8, 0x0)
	/usr/lib/go/src/bufio/bufio.go:483 +0x4c
github.com/s-urbaniak/uevent.(*Decoder).next(...)
	/home/anatol/go/pkg/mod/github.com/s-urbaniak/[email protected]/decoder.go:81
github.com/s-urbaniak/uevent.(*Decoder).Decode(0xc000070ed0, 0xc00006b3e0, 0x83cf0f, 0x7)
	/home/anatol/go/pkg/mod/github.com/s-urbaniak/[email protected]/decoder.go:42 +0x75
main.udevListener()
	/mnt/cold/sources/golang/booster/init/main.go:454 +0x185
created by main.boost
	/mnt/cold/sources/golang/booster/init/main.go:782 +0x4bd
```

Since this is PID 1, the kernel then panics:

```
[    1.375818] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000200
[    1.376737] CPU: 1 PID: 144 Comm: init Not tainted 5.10.14-arch1-1 #1
[    1.377591] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
[    1.378961] Call Trace:
[    1.379355]  dump_stack+0x6b/0x83
[    1.379844]  panic+0x112/0x2e8
[    1.380304]  do_exit.cold+0x2c/0xb3
[    1.380854]  do_group_exit+0x33/0xa0
[    1.381288]  get_signal+0x13f/0x890
[    1.381690]  arch_do_signal+0x3d/0x740
[    1.382122]  exit_to_user_mode_prepare+0xb4/0x120
[    1.382653]  syscall_exit_to_user_mode+0x28/0x160
[    1.383185]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    1.383761] RIP: 0033:0x4b3e4a
[    1.384161] Code: e8 db 16 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[    1.386236] RSP: 002b:000000c00004dae8 EFLAGS: 00000212 ORIG_RAX: 0000000000000106
[    1.387080] RAX: 0000000000000000 RBX: 000000c00002e000 RCX: 00000000004b3e4a
[    1.387882] RDX: 000000c0006a05e8 RSI: 000000c000596200 RDI: ffffffffffffff9c
[    1.388675] RBP: 000000c00004db60 R08: 0000000000000000 R09: 0000000000000000
[    1.389477] R10: 0000000000000100 R11: 0000000000000212 R12: ffffffffffffffff
[    1.390273] R13: 0000000000000011 R14: 0000000000000010 R15: 0000000000000100
[    1.391149] Kernel Offset: 0xda00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    1.392362] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000200 ]---
```
Add support for detecting this filesystem type
Plymouth is a project from Fedora and now listed among the freedesktop.org's official resources providing a flicker-free graphical boot process. It relies on kernel mode setting (KMS) to set the native resolution of the display as early as possible, then provides an eye-candy splash screen leading all the way up to the login manager.
Plymouth is used by many Linux distributions. These include Ubuntu, Fedora and Pop!_OS to name a few. It would be very useful for downstream distro maintainers to be able to use booster along with plymouth.
We can currently include extra modules with the "modules: " option in the config, but Booster could use a config option to exclude certain modules as well.
I would suggest a "modules-skip" or "modules-exclude" option for this purpose.
Follow-up for #6
We need to make sure that UUID provided with kernel boot parameters and UUID received from the block devices are properly formatted. Per https://en.wikipedia.org/wiki/Universally_unique_identifier#Format
In its canonical textual representation, the 16 octets of a UUID are represented as 32 hexadecimal (base-16) digits, displayed in five groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters (32 hexadecimal characters and 4 hyphens). For example:
123e4567-e89b-12d3-a456-426614174000
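A strict parser for the canonical form, as an added example that is not booster's code: it accepts the 8-4-4-4-12 layout case-insensitively, strips the double quotes a boot entry may put around the value (root=UUID="..."), rejects anything else, and normalises to 16 octets so a UUID from the kernel command line compares equal to one read from a block device. The command line and device UUID below are constructed samples, and the same parser applies to other UUID-bearing parameters such as resume= or rd.luks.name=.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UUID holds the 16 octets; two UUIDs compare equal with == regardless of the
// letter case or quoting they were written with.
type UUID [16]byte

var ErrBadUUID = errors.New("uuid: expected 36-character 8-4-4-4-12 hexadecimal form")

// ParseUUID accepts only the canonical textual form, case-insensitively.
// Surrounding double quotes (as in root=UUID="...") are stripped first.
func ParseUUID(s string) (UUID, error) {
	var u UUID
	s = strings.Trim(strings.TrimSpace(s), `"`)
	groups := strings.Split(s, "-")
	wantLen := []int{8, 4, 4, 4, 12}
	if len(s) != 36 || len(groups) != len(wantLen) {
		return u, ErrBadUUID
	}
	var digits strings.Builder
	for i, g := range groups {
		if len(g) != wantLen[i] {
			return u, ErrBadUUID
		}
		digits.WriteString(g)
	}
	raw, err := hex.DecodeString(digits.String()) // rejects any non-hex character
	if err != nil {
		return u, ErrBadUUID
	}
	copy(u[:], raw)
	return u, nil
}

// String renders the canonical lowercase form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// splitCmdline tokenises a kernel command line, keeping a double-quoted value
// (which may contain spaces) together and dropping the quotes around it.
func splitCmdline(cmdline string) []string {
	var tokens []string
	var cur strings.Builder
	inQuote := false
	flush := func() {
		if cur.Len() > 0 {
			tokens = append(tokens, cur.String())
			cur.Reset()
		}
	}
	for _, r := range cmdline {
		switch {
		case r == '"':
			inQuote = !inQuote
		case !inQuote && (r == ' ' || r == '\t' || r == '\n'):
			flush()
		default:
			cur.WriteRune(r)
		}
	}
	flush()
	return tokens
}

// RootUUID extracts the UUID from a root=UUID=<uuid> parameter. found is false
// when root= is absent or names the device another way (e.g. /dev/sda2).
func RootUUID(cmdline string) (u UUID, found bool, err error) {
	for _, tok := range splitCmdline(cmdline) {
		if !strings.HasPrefix(tok, "root=") {
			continue
		}
		val := strings.TrimPrefix(tok, "root=")
		if !strings.HasPrefix(val, "UUID=") {
			return u, false, nil // root given as a device path or another tag
		}
		u, err = ParseUUID(strings.TrimPrefix(val, "UUID="))
		return u, err == nil, err
	}
	return u, false, nil
}

func main() {
	// constructed options line in systemd-boot style, using the quoted form
	cmdline := `root=UUID="58E16728-F562-4211-BCC7-A8BBAB97CB9B" rootflags=subvolid=1974 rw quiet`
	fromCmdline, found, err := RootUUID(cmdline)
	// constructed value as a filesystem probe would report it, lowercase
	fromDevice, _ := ParseUUID("58e16728-f562-4211-bcc7-a8bbab97cb9b")
	fmt.Println(fromCmdline, found, err, "same device:", fromCmdline == fromDevice)
	_, err = ParseUUID("ff64c852-9a56-ayd1-vf2d-072aff6652s0") // y, v and s are not hex digits
	fmt.Println("rejected:", err)
}
```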
Hi, I've been trying to use booster, but I've been unable to get it to mount the rootfs. I see the error `devAdd: cannot detect block type` looped a few times on the same line.
booster config has `modules: btrfs`
booster.debug=1 has way too much info scrolling by too quickly to even capture with video but if there's a way to somehow get that data I would be glad to give more info.
Partition is unencrypted BTRFS. `universal: true` did not help.
full systemd-boot configuration, which is identical to my working config with mkinitcpio except for booster changes:

```
linux /vmlinuz-linux-g14
initrd /amd-ucode.img
initrd /booster-linux.img
options root=UUID="58e16728-f562-4211-bcc7-a8bbab97cb9b" fstype=btrfs rootflags=subvolid=1974 rw splash mitigations=off trace_clock=local amd_iommu=on random.trust_cpu=1 resume=UUID="ca1b6bf9-b4a1-4d73-8e81-0938ac8ce4cb" no_console_suspend clocksource=tsc tsc=reliable no_console_suspend ignore_loglevel initcall_debug
```
Currently, booster employs clevis to unlock LUKS partitions. It would be great to extend the unlocking functionality to other existing technologies:
Clevis keeps its metadata in LUKS tokens. If we want to unlock non-LUKS partitions then we need to find a place to store the clevis partition-specific metadata.
initramfs size is reduced by stripping kernel modules.
mkinitcpio has strip hook.
Couldn't figure out why this wasn't working until I looked at the source. Please see here:
https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
When trying to unlock my bootloader I get the error `Unkown af hash algorithm: sha3-512`.
Here's my /etc/booster.yaml

```yaml
universal: true
modules: amdgpu
compression: zstd
```

Here's my menuentry from /boot/EFI/refind/refind.conf

```
menuentry "Arch Linux" {
    icon /EFI/refind/themes/refind-dreary/icons/os_arch.png
    volume Arch
    loader /vmlinuz-linux
    initrd /booster-linux.img
    options "rd.luks.name=e4dca43a-21bd-4598-88fc-371dd20695a4=crypt root=/dev/mapper/crypt rootflags=subvol=@ rw quiet nmi_watchdog=0 kernel.unprivileged_userns_clone=0 net.core.bpf_jit_harden=2 apparmor=1 lsm=lockdown,yama,apparmor systemd.unified_cgroup_hierarchy=1 add_efi_memmap initrd=\amd-ucode.img"
    submenuentry "Boot - terminal" {
        add_options "systemd.unit=multi-user.target"
    }
}
```

When creating the initial LUKS encrypted partition I ran

```
cryptsetup luksFormat --perf-no_read_workqueue --perf-no_write_workqueue --type luks2 --cipher aes-xts-plain64 --key-size 512 --iter-time 2000 --pbkdf argon2id --hash sha3-512 /dev/nvme0n1p2
cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/nvme0n1p2 crypt
```
I'm getting a kernel panic right at boot because PID 1 panics:

```
panic: open /usr/lib/modules/5.9.14-arch1-1/booster.alias: no such file or directory
goroutine 1 [running]:
main.main()
	init/main.go:785 + 0xd0
```

I'm using booster-git freshly installed from AUR. Here's my config file:

```yaml
universal: false
modules: i915
```

And boot entry:

```
title arch
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /booster-linux.img
options root=/dev/sda2 rw
```

When installing the linux package from [testing], booster is invoked like:

```
booster -force -output /boot/booster-linux.img -kernelVersion 5.10.2-arch1-1
```

Any idea what's wrong? It worked fine with linux 5.9.
There are people who use a Yubikey hardware token for authentication. It would be great if booster supported unlocking machines with a Yubikey.
This issue depends on anatol/clevis.go#3
Some users might need LVM volumes to construct root block device. We need to be able to handle it.
Here is how dracut configures LVM: https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_lvm
When a LUKS keyslot is configured with a command such as clevis luks bind -d /dev/sda2 tang '{"url": "http://valid.dns.name"}'
a system boot displays "connect: cannot assign requested address 53" messages before requiring fallback LUKS console password entry.
This can be worked around by unbinding (clevis luks unbind -d /dev/sda2 -s 1) and re-binding with a numeric IP in the URL. In this case Booster successfully queried Tang and unlocked the partition (tested on Arch Linux).
It would be helpful to add DNS resolution to the project or mention it in the docs given those using something like network bound disk encryption probably have a local DNS server to resolve its name. :-)
In addition I found the network address does not ping, and it might assist with troubleshooting if it would answer pings.
Thanks for your work on Booster.
Current booster init implementation loads modules sequentially.
It would be nice if required modules can be loaded in parallel/asynchronously. This way we can squeeze a bit more out of boot time.
One thing to keep in mind here is that a module may require several dependencies, and the loads of those dependencies need to be completed before we can start loading the current module.
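As an added illustration of the scheduling constraint described in this request (example code written for this page, not booster's own loader), the following Go program starts one goroutine per module and lets each goroutine wait for its direct dependencies to finish before it inserts its own module. Independent branches of the dependency graph therefore load concurrently, while the "dependencies first" rule still holds. The dependency map, the module names and the simulated LoadFunc are constructed for the example; a real implementation would take the map from modules.dep and perform the actual kernel insertion in LoadFunc. The dependency graph is checked for cycles up front, because a cycle would otherwise leave the goroutines waiting on each other forever, and a module whose dependency failed is skipped rather than inserted.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// LoadFunc performs the actual module insertion (e.g. finit_module on the
// .ko file). It is injected so the scheduler can be exercised without root.
type LoadFunc func(name string) error

// result records one module's outcome; done is closed once the load has
// finished (successfully or not) so that dependents can wait on it.
type result struct {
	done chan struct{}
	err  error
}

// ParallelLoader schedules loads so that a module starts only after all of
// its direct dependencies have finished, while unrelated modules overlap.
type ParallelLoader struct {
	Deps map[string][]string // module -> direct dependencies (as in modules.dep)
	Load LoadFunc
}

// closure returns the requested modules plus all transitive dependencies in
// dependency order and rejects cycles, which would deadlock the goroutines.
func (p *ParallelLoader) closure(names []string) ([]string, error) {
	const visiting, finished = 1, 2
	state := map[string]int{}
	var order []string
	var visit func(string) error
	visit = func(n string) error {
		switch state[n] {
		case visiting:
			return fmt.Errorf("dependency cycle through %q", n)
		case finished:
			return nil
		}
		state[n] = visiting
		for _, d := range p.Deps[n] {
			if err := visit(d); err != nil {
				return err
			}
		}
		state[n] = finished
		order = append(order, n)
		return nil
	}
	for _, n := range names {
		if err := visit(n); err != nil {
			return nil, err
		}
	}
	return order, nil
}

// LoadAll loads names and their dependencies and returns the first failure
// (in dependency order) after every goroutine has finished.
func (p *ParallelLoader) LoadAll(names []string) error {
	all, err := p.closure(names)
	if err != nil {
		return err
	}
	results := make(map[string]*result, len(all))
	for _, n := range all {
		results[n] = &result{done: make(chan struct{})}
	}
	var wg sync.WaitGroup
	for _, n := range all {
		wg.Add(1)
		go func(n string) {
			defer wg.Done()
			r := results[n]
			defer close(r.done) // runs after r.err is set, so readers see it
			for _, d := range p.Deps[n] {
				dr := results[d]
				<-dr.done
				if dr.err != nil {
					r.err = fmt.Errorf("%s skipped: dependency %s failed", n, d)
					return
				}
			}
			if err := p.Load(n); err != nil {
				r.err = fmt.Errorf("%s: %w", n, err)
			}
		}(n)
	}
	wg.Wait()
	for _, n := range all {
		if results[n].err != nil {
			return results[n].err
		}
	}
	return nil
}

// ObservedStartOrder runs the loader with a simulated LoadFunc that records
// the order in which loads began; fail names modules that should fail.
func ObservedStartOrder(deps map[string][]string, roots []string, fail map[string]bool) ([]string, error) {
	var mu sync.Mutex
	var order []string
	p := &ParallelLoader{Deps: deps, Load: func(n string) error {
		mu.Lock()
		order = append(order, n)
		mu.Unlock()
		time.Sleep(time.Millisecond) // stand-in for the real insertion cost
		if fail[n] {
			return errors.New("simulated insertion failure")
		}
		return nil
	}}
	err := p.LoadAll(roots)
	return order, err
}

func main() {
	// Constructed dependency graph for the demo, not read from a real modules.dep.
	deps := map[string][]string{
		"amdgpu":         {"drm_kms_helper", "gpu_sched"},
		"drm_kms_helper": {"drm"},
	}
	order, err := ObservedStartOrder(deps, []string{"amdgpu"}, nil)
	fmt.Println(order, err)
}
```

With the constructed graph, drm and gpu_sched start immediately and in parallel, drm_kms_helper starts as soon as drm has finished, and amdgpu starts only after both drm_kms_helper and gpu_sched are done; a failure in drm is reported once and prevents drm_kms_helper and amdgpu from being inserted on top of it.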
According to this page https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html the rootflags boot parameter is used to provide extra mount options for the root filesystem.
Thanks for adding support for unlocking using a Tang server specified using a DNS-resolvable hostname address (issue #19).
I have now tested this with a newly-built server as follows:
eno1
enp1s0
http://the.dns.name
to a Tang server on same subnet
http://the.dns.name address (ie hostname, not numeric IP)
The /etc/booster.yaml contains two lines:
network:
dhcp: on
A forced rebuild was performed using booster -force -output /boot/booster-linux.img.
The boot failed with the following:
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: cannot assign requested address
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: cannot assign requested address
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: cannot assign requested address
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: network is unreachable
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: network is unreachable
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: dial udp 192.168.250.1:53: connect: network is unreachable
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: dial udp 192.168.250.1:53: connect: network is unreachable
.... more messages as above.....
Enter passphrase for cryptroot: unable to initialize network interface eth0: DHCP: no ACK received
I attempted to provide a static network configuration as follows (and of course rebuilt the image):
network:
dhcp: off
ip: 192.168.110.104/24
gateway: 192.168.110.1
dns_servers: 192.168.250.1
On this occasion I receive:
unable to initialize network interface eth1: file exists
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: read udp 192.168.110.104:53967->192.168.250.1:53: i/o timeout
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: read udp 192.168.110.104:37372->192.168.250.1:53: i/o timeout
.... more messages as above.....
The above caused some minutes of blocking the boot waiting for the I/O timeouts to pass. It might be desirable to use a different timeout approach (eg abandon after 30 seconds).
Thinking it is perhaps an issue that the DNS server is on a different subnet than the server's IP address, I enabled DNS resolution on 192.168.110.1 and set DHCP to return that. After booting I confirmed:
$ resolvectl status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
Link 2 (enp1s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (eno1)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.110.1
DNS Servers: 192.168.110.1
I then verified the internal DNS address of the Tang server resolves correctly via a ping. This was done to rule out any firewall, routing or DNS server issues.
I then edited the dns_servers: to 192.168.110.1 (ie maintaining a static IP configuration), rebuilt and rebooted:
unable to initialize network interface eth1: file exists
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.110.1:53: read udp 192.168.110.104:57918->192.168.110.1:53: i/o timeout
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.110.1:53: read udp 192.168.110.104:45474->192.168.110.1:53: i/o timeout
.... more messages as above.....
As shown it still didn't work despite a completely static network configuration in booster.yaml and the DNS server being on the same subnet.
I then switched Booster back to the minimal /etc/booster.yaml:
network:
dhcp: on
The server then booted without a problem (ie DHCP assignment of a DNS server on the same subnet).
I then modified the DHCP server to return DNS server 192.168.250.1 (like we started with) and rebooted. This failed with the same messages as seen originally. When I changed the DHCP server to again return DNS server 192.168.110.1 and rebooted, the server booted fine once again.
In conclusion DNS resolution currently appears to require two conditions:
/etc/booster.yaml
)
I'm happy to help with testing an updated package if you wish.
Some laptops (e.g. Lenovo Thinkpad) have fingerprint sensors. It would be great to integrate it with booster.
This issue depends on anatol/clevis.go#2
Some kernel modules (e.g. amdgpu) require extra firmware files. This firmware dependency information is specified in the module code with macros such as MODULE_FIRMWARE("amdgpu/mullins_ce.bin"); and then stored as a part of the *.ko ELF file.
Make booster read this dependency information the same way as modinfo amdgpu | grep firmware does and then add the firmware files to the initramfs automatically.