anatol / booster Goto Github PK

View Code? Open in Web Editor NEW

457.0 457.0 37.0 9.23 MB

Fast and secure initramfs generator

License: MIT License

Go 90.36% Shell 9.34% C 0.24% Makefile 0.05%

boot initramfs linux

booster's People

Contributors

Stargazers

Watchers

booster's Issues

Unrecoverable failure in required component org.gnome.Shell.desktop

Trying booster in Arch with zen kernel - no config files. The boot process hangs when trying to enter gnome shell. I get

gnome-session-binary[527]: Unrecoverable failure in required component org.gnome.Shell.desktop

in the journal. It does not happen when I use images from mkinitcpio. I can provide further info upon request.

EDIT: I realised that this is caused by not loading the amdgpu module. Same happens with mkinitcpio. However, if I include amdgpu to booster, it just does not boot.

module virtio_pci does not exist

With booster 0.2-1 on arch, running booster fails with module virtio_pci does not exist

In case it helps, here is the output of booster -debug

no matches found for alias 'input:b0019v0000p0001e0000-e0,1,k74,ramlsfw' (/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input1/modalias)
no matches found for alias 'acpi:LNXPWRBN:' (/sys/devices/LNXSYSTM:00/LNXPWRBN:00/modalias)
no matches found for alias 'acpi:PNP0C01:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/PNP0C01:00/modalias)
no matches found for alias 'acpi:PNP0C02:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/PNP0C02:03/modalias)
no matches found for alias 'acpi:INT0800:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/INT0800:00/modalias)
no matches found for alias 'acpi:INT3F0D:PNP0C02:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/INT3F0D:00/modalias)
no matches found for alias 'acpi:PNP0000:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0000:00/modalias)
no matches found for alias 'acpi:PNP0100:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0100:00/modalias)
no matches found for alias 'acpi:PNP0103:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0103:00/modalias)
no matches found for alias 'acpi:PNP0200:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0200:00/modalias)
no matches found for alias 'acpi:PNP0B00:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0B00:00/modalias)
no matches found for alias 'acpi:PNP0C02:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0C02:00/modalias)
no matches found for alias 'acpi:PNP0C02:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0C02:01/modalias)
no matches found for alias 'acpi:PNP0C02:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0C02:02/modalias)
no matches found for alias 'acpi:PNP0C04:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:00/PNP0C04:00/modalias)
no matches found for alias 'acpi:PNP0A08:PNP0A03:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/modalias)
no matches found for alias 'input:b0019v0000p0001e0000-e0,1,k74,ramlsfw' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0C:00/input/input0/modalias)
no matches found for alias 'acpi:PNP0C0C:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0C:00/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:00/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:01/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:02/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:03/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:04/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:05/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:06/modalias)
no matches found for alias 'acpi:PNP0C0F:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:07/modalias)
no matches found for alias 'acpi:LNXSYBUS:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:00/modalias)
no matches found for alias 'acpi:LNXSYBUS:' (/sys/devices/LNXSYSTM:00/LNXSYBUS:01/modalias)
no matches found for alias 'acpi:LNXSYSTM:' (/sys/devices/LNXSYSTM:00/modalias)
no matches found for alias 'pci:v00008086d00000C00sv00001849sd00000C00bc06sc00i00' (/sys/devices/pci0000:00/0000:00:00.0/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,8,' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.1/sound/card2/input10/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,8,' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.1/sound/card2/input11/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,8,' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.1/sound/card2/input12/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,8,' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.1/sound/card2/input13/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,8,' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.1/sound/card2/input14/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,8,' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.1/sound/card2/input9/modalias)
no matches found for alias 'pci:v00001022d00001471sv00001022sd00001471bc06sc04i00' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/modalias)
no matches found for alias 'pci:v00001022d00001470sv00000000sd00000000bc06sc04i00' (/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/modalias)
no matches found for alias 'pci:v00008086d00000C01sv00001849sd00000C01bc06sc04i00' (/sys/devices/pci0000:00/0000:00:01.0/modalias)
no matches found for alias 'pci:v00008086d00000C05sv00001849sd00000C05bc06sc04i00' (/sys/devices/pci0000:00/0000:00:01.1/modalias)
no matches found for alias 'usb:v1D6Bp0002d0510dc09dsc00dp01ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-0:1.0/modalias)
no matches found for alias 'input:b0003v046DpC333e0111-e0,1,4,11,14,k71,72,73,74,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96,98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C0,C1,C2,F0,ram4,l0,1,2,sfw' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.0/0003:046D:C333.0005/input/input26/modalias)
no matches found for alias 'hid:b0003g0001v0000046Dp0000C333' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.0/0003:046D:C333.0005/modalias)
no matches found for alias 'input:b0003v046DpC333e0111-e0,1,4,14,k71,72,73,74,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C0,C1,C2,F0,ram4,lsfw' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.1/0003:046D:C333.0006/input/input27/modalias)
no matches found for alias 'input:b0003v046DpC333e0111-e0,1,4,k71,72,73,A3,A4,A5,A6,ram4,lsfw' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.1/0003:046D:C333.0006/input/input28/modalias)
no matches found for alias 'hid:b0003g0001v0000046Dp0000C333' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.1/0003:046D:C333.0006/modalias)
no matches found for alias 'usb:v174Cp2074d0100dc09dsc00dp02ic09isc00ip02in00' (/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.0/modalias)
no matches found for alias 'usb:v1D6Bp0003d0510dc09dsc00dp03ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:14.0/usb4/4-0:1.0/modalias)
no matches found for alias 'usb:v174Cp3074d0100dc09dsc00dp03ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:14.0/usb4/4-3/4-3:1.0/modalias)
no matches found for alias 'mei::309dcde8-ccb1-4062-8f78-600115a34327:01:' (/sys/devices/pci0000:00/0000:00:16.0/0000:00:16.0-309dcde8-ccb1-4062-8f78-600115a34327/modalias)
no matches found for alias 'mei::3c4852d6-d47b-4f46-b05e-b5edc1aa440e:01:' (/sys/devices/pci0000:00/0000:00:16.0/0000:00:16.0-3c4852d6-d47b-4f46-b05e-b5edc1aa440e/modalias)
no matches found for alias 'mei::55213584-9a29-4916-badf-0fb7ed682aeb:01:' (/sys/devices/pci0000:00/0000:00:16.0/0000:00:16.0-55213584-9a29-4916-badf-0fb7ed682aeb/modalias)
no matches found for alias 'mei::8c2f4425-77d6-4755-aca3-891fdbc66a58:01:' (/sys/devices/pci0000:00/0000:00:16.0/0000:00:16.0-8c2f4425-77d6-4755-aca3-891fdbc66a58/modalias)
no matches found for alias 'mei::f908627d-13bf-4a04-b91f-a64e9245323d:01:' (/sys/devices/pci0000:00/0000:00:16.0/0000:00:16.0-f908627d-13bf-4a04-b91f-a64e9245323d/modalias)
no matches found for alias 'pci:v00008086d00008C2Dsv00001849sd00008C2Dbc0Csc03i20' (/sys/devices/pci0000:00/0000:00:1a.0/modalias)
no matches found for alias 'usb:v1D6Bp0002d0510dc09dsc00dp00ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-0:1.0/modalias)
no matches found for alias 'usb:v8087p8008d0005dc09dsc00dp01ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw4,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input2/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw4,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input3/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfwD,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input4/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input5/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input6/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw6,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input7/modalias)
no matches found for alias 'input:b0000v0000p0000e0000-e0,5,kramlsfw2,' (/sys/devices/pci0000:00/0000:00:1b.0/sound/card1/input8/modalias)
no matches found for alias 'pci:v00008086d00008C10sv00001849sd00008C10bc06sc04i00' (/sys/devices/pci0000:00/0000:00:1c.0/modalias)
no matches found for alias 'pci:v00001B21d00000612sv00001849sd00000612bc01sc06i01' (/sys/devices/pci0000:00/0000:00:1c.2/0000:06:00.0/modalias)
no matches found for alias 'pci:v00008086d00008C14sv00001849sd00008C14bc06sc04i00' (/sys/devices/pci0000:00/0000:00:1c.2/modalias)
no matches found for alias 'pci:v00008086d00008C16sv00001849sd00008C16bc06sc04i00' (/sys/devices/pci0000:00/0000:00:1c.3/modalias)
no matches found for alias 'scsi:t-0x00' (/sys/devices/pci0000:00/0000:00:1c.4/0000:08:00.0/ata9/host8/target8:0:0/8:0:0:0/modalias)
no matches found for alias 'pci:v00001B21d00000612sv00001849sd00000612bc01sc06i01' (/sys/devices/pci0000:00/0000:00:1c.4/0000:08:00.0/modalias)
no matches found for alias 'pci:v00008086d00008C18sv00001849sd00008C18bc06sc04i00' (/sys/devices/pci0000:00/0000:00:1c.4/modalias)
no matches found for alias 'pci:v00008086d00008C26sv00001849sd00008C26bc0Csc03i20' (/sys/devices/pci0000:00/0000:00:1d.0/modalias)
no matches found for alias 'usb:v1D6Bp0002d0510dc09dsc00dp00ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-0:1.0/modalias)
no matches found for alias 'usb:v8087p8000d0005dc09dsc00dp01ic09isc00ip00in00' (/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1:1.0/modalias)
no matches found for alias 'acpi:INT0800:' (/sys/devices/pci0000:00/0000:00:1f.0/INT0800:00/modalias)
no matches found for alias 'acpi:PNP0103:' (/sys/devices/pci0000:00/0000:00:1f.0/PNP0103:00/modalias)
no matches found for alias 'acpi:PNP0C04:' (/sys/devices/pci0000:00/0000:00:1f.0/PNP0C04:00/modalias)
no matches found for alias 'platform:iTCO_wdt' (/sys/devices/pci0000:00/0000:00:1f.0/iTCO_wdt.1.auto/modalias)
no matches found for alias 'platform:intel-spi' (/sys/devices/pci0000:00/0000:00:1f.0/intel-spi/modalias)
no matches found for alias 'scsi:t-0x00' (/sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/modalias)
no matches found for alias 'scsi:t-0x00' (/sys/devices/pci0000:00/0000:00:1f.2/ata4/host3/target3:0:0/3:0:0:0/modalias)
no matches found for alias 'scsi:t-0x00' (/sys/devices/pci0000:00/0000:00:1f.2/ata5/host4/target4:0:0/4:0:0:0/modalias)
no matches found for alias 'pci:v00008086d00008C02sv00001849sd00008C02bc01sc06i01' (/sys/devices/pci0000:00/0000:00:1f.2/modalias)
no matches found for alias 'acpi:PNP0C0C:' (/sys/devices/platform/PNP0C0C:00/modalias)
no matches found for alias 'platform:coretemp' (/sys/devices/platform/coretemp.0/modalias)
no matches found for alias 'platform:efi-framebuffer' (/sys/devices/platform/efi-framebuffer.0/modalias)
no matches found for alias 'platform:efivars' (/sys/devices/platform/efivars.0/modalias)
no matches found for alias 'platform:microcode' (/sys/devices/platform/microcode/modalias)
no matches found for alias 'platform:nct6775' (/sys/devices/platform/nct6775.656/modalias)
no matches found for alias 'platform:reg-dummy' (/sys/devices/platform/reg-dummy/modalias)
no matches found for alias 'platform:regulatory' (/sys/devices/platform/regulatory.0/modalias)
no matches found for alias 'platform:rtc-efi' (/sys/devices/platform/rtc-efi.0/modalias)
no matches found for alias 'platform:serial8250' (/sys/devices/platform/serial8250/modalias)
no matches found for alias 'platform:snd_aloop' (/sys/devices/platform/snd_aloop.0/modalias)
no matches found for alias 'platform:vboxdrv' (/sys/devices/platform/vboxdrv.0/modalias)
no matches found for alias 'platform:alarmtimer' (/sys/devices/pnp0/00:02/rtc/rtc0/alarmtimer.0.auto/modalias)
no matches found for alias 'dmi:bvnAmericanMegatrendsInc.:bvrP2.90:bd03/11/2018:br4.6:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnZ87Extreme6:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:' (/sys/devices/virtual/dmi/id/modalias)
2021/02/17 16:38:34 module virtio_pci does not exist

Add support for xz compressed images

Add an option for xz image compression.

Golang has 2 xz libraries:

https://github.com/xi2/xz fast but provides Reader functionality only. currently used to unpack modules
https://github.com/ulikunitz/xz has Writer() but Reader path is slower ulikunitz/xz#23

Images compressed with https://github.com/ulikunitz/xz are not unpacked correctly with Arch kernel for some reason. Figure out why.

Add support for lz4 compression

Per comments at reddit lz4 compression is quite popular for modules and image compression. Booster should be able to handle this compression algorithm as well.

Systemd integration

Is there a way to keep systemd integration optional? I know that Arch uses systemd, but not all distros have it available.

This would enable popular distros like Alpine and Void that target musl libc to work with booster.

fails to boot if noatime in rootflags.

Distro:Arch Linux
Version:booster-git

fails to boot if rootflags=noatime.
options section for systemd-boot is
options root=/dev/sda2 rw rootflags=subvol=@,compress=zstd,noatime quiet nowatchdog video=DP-1:e drm.edid_firmware=DP-1:edid/edid.bin random.trust_cpu=on
If I remove noatime,It success to boot.and mounted with /dev/sda2 on / type btrfs (rw,noatime,compress=zstd:3,space_cache,subvolid=1113,subvol=/@) instead of relatime.
I think mount options is not changed since I use blank fstab.

devAdd: cannot detect block type message appears even sucseed to boot.

RFE: support systemd InitRDTimestampMonotonic

systemd dbus api has a property InitRDTimestampMonotonic which provides the initrd boot timing information, when using supported initrd images such as those generated by mkinitcpio, for utilities like systemd-analyze to report.

I'm not totally sure what is required here, but I believe https://systemd.io/INITRD_INTERFACE/ may be relevant. Including a (possibly empty) /etc/initrd-release in the image may be all that is needed.

Keymap not loaded.

Does not load the keymap specified in /etc/vconsole.conf. This is problematic in LUKS when combining password with special charcters and a non US keyboard.

Analogus are sd-vconsole in mkinitcpio and rd.vconsole in dracut.

Kerner parameter "vfio-pci.ids" is ignored.

With vfio-pci.ids=1002:67df,1002:aaf0 secondary GPU should not be activated.

Reverse Tang unlocking

There is one use-case of a remote unlock that might be worth implementing at the booster side.

A remote host boots and reaches a locked root partition. At this point, initrd hangs and waits until the administrator enters the password. As this server is remote, there is no way to enter the password using a keyboard. Instead, the hosts expect the password is passed over the network.

Some initrd implementations have plugins to bringup ssh server at initrd stage e.g. mkinitcpio-dropbear. Setting up an sshd daemon brings a lot complexity to initramfs. It requires a full network setup, probably systemd/udev, the sshd server itself. Complexity is the enemy of maintainability. Complexity is the enemy of security. It would be great to implement the same use case with a simpler architecture.

In fact, booster already allows unlocking drives remotely with Tang technology. Tang is a simple two message protocol to derive keys securely over an insecure communication channel. It makes a lot of sense to reuse it. But instead of having a Tang server we need the initramfs to stop and wait for messages. Then administrator contacts the remote host and executes ECMR key exchange as would normal Tang does.

Here is what the unlock would look like:

the remote hosts opens a port and waits for incoming messages
administrator runs a CLI tool that initiates one ECMR key exchange. The cli would look like booster unlock server1.mycompany.com ./secret.key.

'sbsign' complains about booster images: "Invalid DOS header magic"

Securing the initramfs via

/usr/bin/sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/booster-linux.img /boot/booster-linux.img

returns Invalid DOS header magic

Add support for gz-compressed initramfs files

Currently booster generates zstd-compressed initramfs files. zstd compression is supported by Linux kernel since 5.9 version. But the older kernels (like Arch linux linux-lts) needs gz compressed files.

Add support for gz compression. Add a configuration option for used compression.

Can't boot system from encrypted partition

Arch Linux
Booster-git
systemd-boot
system on cryptoluks (btrfs) with seperate boot partition (fat32) where are linux image and efi files.
A use rsync to copy whole system to non encrypted partition, and with recreate image, boot fine, but with encrypted it's always this:

my /boot/loader/entries/arch.conf

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /booster-linux.img
options rd.luks.name=ff64c852-9a56-ayd1-vf2d-072aff6652s0=arch root=/dev/mapper/arch

Optimize `matchAliases`

Arch's 5.11.2 kernel has ~29K module aliases. booster generator tries to match all devices against all the aliases. So it has to call path.Match function about one million times. And path.Match function is not particularly fast.

As a result ~70% of an image generation time is spent in matchAlias function. Optimize this codepath. Maybe we can sort the aliases somehow and then quickly pre-match using some fast string comparison?

Booster should look at the installed kernels modules not the booted kernels modules

Currently I'm facing the issue where my kernel booted on the arch linux iso is old and the standard Linux kernel. On my install it shows up as the old regular kernel but I've installed the zen kernel on my system.

Initramfs with root partition using lvm and luks encryption fails to boot as its looking for a nonexistent kernel module

I'm trying to install arch linux using luks with lvm and booster for the initramfs. On boot I get the following error /usr/lib/modules/5.11.4-arch1-1/luks.ko I've had similar errors with both the lts and zen kernels as well.

Any idea why I get these errors and how to fix them?

Implement emergency shell

There are situations when root filesystem mount failed (incorrect boot params, bug in booster, timeout issue with networks, ...). Currently booster either panics or hangs forever.

But it would be great if a user is able to inspect the machine and check what is going on. Or mount/switch to the root fs manually.

We need a way to add shell + utils (such as busybox optimized for size) and then switch to this emergency shell if something is going wrong.

We also need to preserve debug log and store it under /run/booster/debug.log so users will be able to copy it to a USB storage for further investigation.

Add support for unlocking LUKS with a key file

It would be nice if something like the encrypt hook cryptkey or sd-encrypt's rd.luks.key was supported, allowing for the root partition to be unlocked with a key file.

More info: https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#rd.luks.key

RFE: support more blkid identifiers

Booster currently supports identifying root fs with UUID, but it could be improved to use a variety of identifiers.

Looking around, systemd's fstab-generator supports LABEL, UUID, PARTUUID, and PARTLABEL. Support for those four would be great.

Linux also supports PARTUUID/PARTNROFF among others, which could be useful.

Detect f2fs filesystem properly

title   Arch Linux
linux   /vmlinuz-linux
initrd  /intel-ucode.img
initrd  /booster.img
options root=PARTUUID=xxxxxxxxxxxxxxxxxxxxxx rootfstype=f2fs rw sysrq_always_enabled=1 quiet nowatchdog module_blacklist=iTCO_wdt mitigations=off  numa=off

Not booting quietly

Despite having quiet in my kernel command line I get the following message twice during boot:

devAdd: cannot detect block device type

Both are due to ntfs partitions (which booster does not support), but these messages should not be shown when booting quietly anyway.

Kernel panic with an Intel 10-Gigabit X540-AT2 card

I undertook a fresh install of Arch Linux on a spare Supermicro server, including Booster 0.2-1 from the official Arch binary packages during pacstrap and a LUKS encrypted partition. Booster was configured for DHCP networking during the arch-chroot stage. The DHCP server returns a DNS server on the same subnet.

The initial reboot was successful and Tang-based unlocking was then configured using clevis luks bind -d /dev/sda2 tang '{"url": "http://cwdsrrkms1.acegi.com.au"}' (this host is on the same subnet as the host; ie no gateway is required). After rebooting the following kernel panic was displayed:

This server includes an Intel 10-Gigabit X540-AT2 (ensf30) card in addition to the inbuilt Intel I350 Gigabit Network Controller on the motherboard.

Following the above failed boot I restarted with a live image, disabled the network in /etc/booster.yaml, reinstalled Booster, and rebooted without issue.

Any thoughts on how to overcome the kernel panic?

PKGBUILD:add -buildid= to -ldflags= for reducing bin size

Binary size is reduced by adding -ldflags=-buildid= to PKGBUILD.
and it is needed for reploducible build.

Handle configurations for multiple images/kernels

Some users have multiple kernels installed. Booster handles them by generating images for all the kernels. It uses /etc/booster.yaml config for all the images. But there are cases when one would want to have different config options for different kernels. For example linux-lts based on Linux 5.4 does not support zstd compression and needs to use something like gzip while newer kernel could use zstd compression.

Add possibility to overwrite variant-specific config options. One proposal is to have an additional configuration section something like

compression: zstd # default value
...
variant:
  linux-lts:
    compression: gzip # overwrites the option for this particular variant
    modules: ...

Unable to boot cryptsetup+btrfs with submodules

Forking discussion off #17

If fstab contains btrfs with subvolumes then there is some boot issue. booster itself seems fine, it detects rootfs, mounts it and launches systemd. But then systemd fails to boot properly.

cc @Th3Whit3Wolf

Add initramfs inspection commands

It would be useful to add support for initramfs inspection to booster command. It can look like booster ls $booster.img and booster cat $booster.img:/somefile.

For consistency we should add a sub-command for generatin an image booster gen that is going to be an equivalent for current booster invocation without any subcommands.

Usable with Grub?

Hi,

the doc only describes updating systemd-boot, but does this work with grub as well? What do i have to do to make it work? When i run grub-mkconfig it doesn't find the new booster images. They are present in the /boot folder though.

Regards

Support early microcode update directly

Currently, early microcode updates are supported by booting the kernel with two initrds: a microcode unage followed by booster's image.
But with 3.5M, the intel-ucode.img image is quite large. When not creating a universal image, booster could create its own early image with unneeded microcode code stripped. For my system, the stripped image is just 104k in size.

This can be done by running something equivalent to this command:
bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb --scan-system --write-earlyfw=/tmp/iucode-stripped.img -

The final booster image that's created now just has to be appended as is to create a final bootable image.
Since the AMD ucode image is just 40K, stripping shouldn't be necessary and the image can just be prepended as-is.

Add manpage

So people might prefer having an offline help for booster tool. We need to have a manpage for booster.

udev race condition

There is a race condition between reading udev events and closing udev reader. If we close udev reader in cleanup() while the udev goroutine tries to read events then the reader returns an error that panics inside bufio.fill():

panic: bufio: reader returned negative count from Read

goroutine 6 [running]:
bufio.(*Reader).fill(0xc000070f68)
	/usr/lib/go/src/bufio/bufio.go:103 +0x1dd
bufio.(*Reader).ReadSlice(0xc000070f68, 0x0, 0xc, 0x7f6718544c28, 0xc0003c42f0, 0x0, 0xab0fc0)
	/usr/lib/go/src/bufio/bufio.go:360 +0x3d
bufio.(*Reader).collectFragments(0xc000070f68, 0xc000070d00, 0x40d610, 0xc00006b440, 0x30, 0x30, 0x823120, 0xc00005c960, 0x60, 0x7f671854e308, ...)
	/usr/lib/go/src/bufio/bufio.go:435 +0x7a
bufio.(*Reader).ReadString(0xc000070f68, 0xc00005c900, 0x7, 0x0, 0xc00011a9d8, 0x0)
	/usr/lib/go/src/bufio/bufio.go:483 +0x4c
github.com/s-urbaniak/uevent.(*Decoder).next(...)
	/home/anatol/go/pkg/mod/github.com/s-urbaniak/[email protected]/decoder.go:81
github.com/s-urbaniak/uevent.(*Decoder).Decode(0xc000070ed0, 0xc00006b3e0, 0x83cf0f, 0x7)
	/home/anatol/go/pkg/mod/github.com/s-urbaniak/[email protected]/decoder.go:42 +0x75
main.udevListener()
	/mnt/cold/sources/golang/booster/init/main.go:454 +0x185
created by main.boost
	/mnt/cold/sources/golang/booster/init/main.go:782 +0x4bd
[    1.375818] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000200
[    1.376737] CPU: 1 PID: 144 Comm: init Not tainted 5.10.14-arch1-1 #1
[    1.377591] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
[    1.378961] Call Trace:
[    1.379355]  dump_stack+0x6b/0x83
[    1.379844]  panic+0x112/0x2e8
[    1.380304]  do_exit.cold+0x2c/0xb3
[    1.380854]  do_group_exit+0x33/0xa0
[    1.381288]  get_signal+0x13f/0x890
[    1.381690]  arch_do_signal+0x3d/0x740
[    1.382122]  exit_to_user_mode_prepare+0xb4/0x120
[    1.382653]  syscall_exit_to_user_mode+0x28/0x160
[    1.383185]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    1.383761] RIP: 0033:0x4b3e4a
[    1.384161] Code: e8 db 16 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[    1.386236] RSP: 002b:000000c00004dae8 EFLAGS: 00000212 ORIG_RAX: 0000000000000106
[    1.387080] RAX: 0000000000000000 RBX: 000000c00002e000 RCX: 00000000004b3e4a
[    1.387882] RDX: 000000c0006a05e8 RSI: 000000c000596200 RDI: ffffffffffffff9c
[    1.388675] RBP: 000000c00004db60 R08: 0000000000000000 R09: 0000000000000000
[    1.389477] R10: 0000000000000100 R11: 0000000000000212 R12: ffffffffffffffff
[    1.390273] R13: 0000000000000011 R14: 0000000000000010 R15: 0000000000000100
[    1.391149] Kernel Offset: 0xda00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    1.392362] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000200 ]---

Detect zfs filesystem

Add support for detecting this filesystem type

Plymouth support

Plymouth is a project from Fedora and now listed among the freedesktop.org's official resources providing a flicker-free graphical boot process. It relies on kernel mode setting (KMS) to set the native resolution of the display as early as possible, then provides an eye-candy splash screen leading all the way up to the login manager.

Plymouth is used by many Linux distributions. These include Ubuntu, fedora and pop os to name a few. It would be very useful for down stream distro maintainers to be able to use booster along with plymouth.

RFE: add a way to exlucde modules from generated images

We can currently include extra modules with the "modules: " option in the config, but Booster could use a config option to exclude certain modules as well.

I would suggest a "modules-skip" or "modules-exclude" option for this purpose.

Verify UUID parameters format

Follow-up for #6

We need to make sure that UUID provided with kernel boot parameters and UUID received from the block devices are properly formatted. Per https://en.wikipedia.org/wiki/Universally_unique_identifier#Format

In its canonical textual representation, the 16 octets of a UUID are represented as 32 hexadecimal (base-16) digits, displayed in five groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters (32 hexadecimal characters and 4 hyphens). For example:
123e4567-e89b-12d3-a456-426614174000

Unable to boot rootfs with quotes around UUID

Hi, I've been trying to use booster, but I've been unable to get it to mount the rootfs. I see the error devAdd: cannot detect block type looped a few times on the same line.

booster config has modules: btrfs

booster.debug=1 has way too much info scrolling by too quickly to even capture with video but if there's a way to somehow get that data I would be glad to give more info.

Partition is unencrypted BTRFS. universal: true did not help.

full systemd-boot configuration, which is identical to my working config with mkinitcpio except for booster changes:

linux /vmlinuz-linux-g14
initrd /amd-ucode.img
initrd /booster-linux.img
options root=UUID="58e16728-f562-4211-bcc7-a8bbab97cb9b" fstype=btrfs rootflags=subvolid=1974 rw splash mitigations=off trace_clock=local amd_iommu=on random.trust_cpu=1 resume=UUID="ca1b6bf9-b4a1-4d73-8e81-0938ac8ce4cb" no_console_suspend clocksource=tsc tsc=reliable no_console_suspend ignore_loglevel initcall_debug```

Extend unlocking mechanism to non-LUKS partitions

Currently, booster employs clevis to unlock LUKS partitions. It would be great to extend the unlocking functionality to other existing technologies:

plain dm-crypt devices
ext4 per-directory encryption
upcoming btrfs encryption
...

Clevis keeps its metadata in LUKS tokens. If we want to unlock non-LUKS partitions then we need to find a place to store the clevis partition-specific metadata.

strip kernel modules

initramfs size is reduced by stripping kernel modules.
mkinitcpio has strip hook.

Add rd.luks.data & header option

Couldn't figure out why this wasn't working until I looked at the source. Please see here:

https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html

Unable to unlock LUKS: Unknown af hash algorithm: sha3-512

When trying to unlock my bootloader I get the error Unkown af hash algorithm: sha3-512.

Here's my /etc/booster.yaml

universal: true
modules: amdgpu
compression: zstd

Here's my menuentry from /boot/EFI/refind/refind.conf

menuentry "Arch Linux" {
    icon     /EFI/refind/themes/refind-dreary/icons/os_arch.png
    volume   Arch
    loader   /vmlinuz-linux
    initrd   /booster-linux.img
    options  "rd.luks.name=e4dca43a-21bd-4598-88fc-371dd20695a4=crypt root=/dev/mapper/crypt rootflags=subvol=@ rw quiet nmi_watchdog=0 kernel.unprivileged_userns_clone=0 net.core.bpf_jit_harden=2 apparmor=1 lsm=lockdown,yama,apparmor systemd.unified_cgroup_hierarchy=1 add_efi_memmap initrd=\amd-ucode.img"
    submenuentry "Boot - terminal" {
        add_options "systemd.unit=multi-user.target"
    }
}

When creating the initial LUKS encrypted partition I ran

cryptsetup luksFormat --perf-no_read_workqueue --perf-no_write_workqueue --type luks2 --cipher aes-xts-plain64 --key-size 512 --iter-time 2000 --pbkdf argon2id --hash sha3-512 /dev/nvme0n1p2
cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/nvme0n1p2 crypt

Kernel panic after updating to linux 5.10.2

I'm getting a kernel panic right at boot because PID 1 panics:

panic: open /usr/lib/modules/5.9.14-arch1-1/booster.alias: no such file or directory

goroutine 1 [running]:
main.main()
        init/main.go:785 + 0xd0

I'm using booster-git freshly installed from AUR. Here's my config file:

universal: false
modules: i915

And boot entry:

title	arch
linux	/vmlinuz-linux
initrd	/intel-ucode.img
initrd	/booster-linux.img
options	root=/dev/sda2 rw

When installing the linux package from [testing], booster is invoked like:

booster -force -output /boot/booster-linux.img -kernelVersion 5.10.2-arch1-1

Any idea what's wrong? It worked fine with linux 5.9.

Support yubikey unlocking for full-disk-encrypted configurations

There are people who uses Yubikey hardware token for authentication. It would be great if booster supports unlocking machines with a Yubikey.

This issue depends on anatol/clevis.go#3

Add LVM volumes support

Some users might need LVM volumes to construct root block device. We need to be able to handle it.

Here is how dracut configures LVM https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_lvm

Add fsck capability

See https://wiki.archlinux.org/index.php/Fsck#Mechanism

Clevis unlock fails if Tang server requires DNS resolution

When a LUKS keyslot is configured with a command such as clevis luks bind -d /dev/sda2 tang '{"url": "http://valid.dns.name"}' a system boot displays "connect: cannot assign requested address 53" messages before requiring fallback LUKS console password entry.

This can be worked around by unbinding (clevis luks unbind -d /dev/sda2 -s 1) and re-binding with a numeric IP in the URL. In this case Booster successfully queried Tang and unlocked the partition (tested on Arch Linux).

It would be helpful to add DNS resolution to the project or mention it in the docs given those using something like network bound disk encryption probably have a local DNS server to resolve its name. :-)

In addition I found the network address does not ping and it might assist with troubleshooting if it would answer pings.

Thanks for your work on Booster.

Load modules in parallel

Current booster init implementation loads modules sequentially.

It would be nice if required modules can be loaded in parallel/asynchronously. This way we can squeeze a bit more out of boot time.

One thing to keep in mind here is that a module may require several dependencies and load for those deps need to be completed before we can start loading current module.

Handle 'rootflags' kernel boot params

According to this page https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html rootflags boot parameter is used to provide extra mount options for the root filesystem.

DNS Resolution Issues

Thanks for adding support for unlocking using a Tang server specified using a DNS-resolvable hostname address (issue #19).

I have now tested this with a newly-built server as follows:

Arch Linux x86_64
Booster package 0.2-1 from official Arch repo
DHCP address reservation of 192.168.110.104/24
DHCP provides gateway address 192.168.110.1
DHCP provides DNS address 192.168.250.1
Ethernet port is eno1
Unused ethernet port enp1s0
DNS server resolves http://the.dns.name to a Tang server on same subnet
Clevis keyslot 1 configured with a http://the.dns.name address (ie hostname, not numeric IP)

The /etc/booster.yaml contains two lines:

network:
  dhcp: on

A forced rebuilt was performed using booster -force -output /boot/booster-linux.img.

The boot failed with the following:

Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: cannot assign requested address
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: cannot assign requested address
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: cannot assign requested address
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: network is unreachable
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on [::1]:53: connect: network is unreachable
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: dial udp 192.168.250.1:53: connect: network is unreachable
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: dial udp 192.168.250.1:53: connect: network is unreachable
.... more messages as above.....
Enter passphrase for cryptroot: unable to initialize network interface eth0: DHCP: no ACK received

I attempted to provide a static network configuration as follows (and of course rebuilt the image):

network:
  dhcp: off
  ip: 192.168.110.104/24
  gateway: 192.168.110.1
  dns_servers: 192.168.250.1

On this occasion I receive:

unable to initialize network interface eth1: file exists
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: read udp 192.168.110.104:53967->192.168.250.1:53: i/o timeout
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.250.1:53: read udp 192.168.110.104:37372->192.168.250.1:53: i/o timeout
.... more messages as above.....

The above caused some minutes of blocking the boot waiting for the I/O timeouts to pass. It might be desirable to use a different timeout approach (eg abandon after 30 seconds).

Thinking it is perhaps an issue that the DNS server is on a different subnet than the server's IP address, I enabled DNS resolution on 192.168.110.1 and set DHCP to return that. After booting I confirmed:

$ resolvectl status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported                                
    resolv.conf mode: foreign                                                                       
Fallback DNS Servers: 1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888

Link 2 (enp1s0)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6                                   
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.110.1                                               
       DNS Servers: 192.168.110.1

I then verified the internal DNS address of the Tang server resolves correctly via a ping. This was done to rule out any firewall, routing or DNS server issues.

I then edited the dns_servers: to 192.168.110.1 (ie maintaining a static IP configuration), rebuilt and rebooted:

**unable to initialize network interface eth1: file exists
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.110.1:53: read udp 192.168.110.104:57918->192.168.110.1:53: i/o timeout
Post "http://the.dns.name/rec/ABCDetc": dial tcp: lookup the.dns.name on 192.168.110.1:53: read udp 192.168.110.104:45474->192.168.110.1:53: i/o timeout
.... more messages as above.....

As shown it still didn't work despite a completely static network configuration in booster.yaml and the DNS server being on the same subnet.

I then switched Booster back to the minimal /etc/booster.yaml:

network:
  dhcp: on

The server then booted without a problem (ie DHCP assignment of a DNS server on the same subnet).

I then modified the DHCP server to return DNS server 192.168.250.1 (like we started with) and rebooted. This failed with the same messages as seen originally. When I changed the DHCP server to again return DNS server 192.168.110.1 and rebooted, the server booted fine once again.

In conclusion DNS resolution currently appears require two conditions:

The DNS server is on the same subnet as the booting node; and
The booting node acquires its address information over DHCP (not from /etc/booster.yaml)

I'm happy to help with testing an updated package if you wish.

anatol / booster Goto Github PK

booster's People

Contributors

Stargazers

Watchers

Forkers

booster's Issues

Recommend Projects

Recommend Topics

Recommend Org