Signed-off-by: Ben Kohler <bkohler@gentoo.org>
Bug: https://bugs.gentoo.org/753617
Signed-off-by: FlyingWaffle <flyingwaffle@pm.me>
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Sam James <sam@gentoo.org>
See 71110f715fc46f148280b52b297121786504a325 and d9687a4df038382187300d6f44230661ff5bc377
in gentoo.git.
Bug: https://bugs.gentoo.org/909722
Signed-off-by: Sam James <sam@gentoo.org>
cryptsetup LUKS2 format comes with an ability to automatically unlock
multiple devices (root, swap, etc.) sharing the same passphrase, without
retyping it for each of them, by loading it into the user keyring.
This commit adds such (optional) genkernel support for loading LUKS
passphrase into the user keyring on boot.
In the default mode of operation the newly added key is (possibly) used
only to unlock root and swap devices and is removed soon after that.
By providing appropriate kernel command line parameter the key can be left
in the keyring instead (with an optional timeout) for unlocking other LUKS
devices post-initramfs time.
Because one of the most common use cases of this functionality will be
having an encrypted swap for doing suspend to disk (hibernation) let's also
make sure that we don't unlock the root device when doing so is unnecessary
(when we are resuming the system from hibernation).
Since the security of a FDE passphrase is of paramount importance in this
solution significant care has been taken not to leak it accidentally:
* The passphrase is read directly by keyctl to avoid storing it in the
shell,
* If the passphrase is used only to unlock root and swap devices (which is
the default mode of operation) the init script will check whether its
removal from keyring has actually succeeded and, if not, reboot the system
rather than continue while leaving it exposed,
* keyutils includes a patch (already upstreamed) to wipe the passphrase
from memory when no longer needed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Note: commit 73a05632d61171685ac4960c6b684cefa6d82afd is
significantly easier to review by ignoring whitespace changes.
Closes: https://github.com/gentoo/genkernel/pull/28
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Dmitry Baranov <reagentoo@gmail.com>
Signed-off-by: Matt Turner <mattst88@gentoo.org>
Bug: https://bugs.gentoo.org/786405
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
- Move from space-separated list to comma-separated list
to add support for firmware files with spaces.
- Add support for firmware files with spaces.
- Check for specified firmware files in determine_real_args() which
will allow us to error out early.
- Clarify documentation.
Fixes: c576f99b0b ("Misc improvements for FIRMWARE* handling")
Bug: https://bugs.gentoo.org/775221
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Previous idea (commit 93bf318e5114233f3cacc4575ab2e58d60e785c7) never
worked: Exec will replace initramfs' init (PID 1) with specified command
so that any further line will never be reached. If that command fails,
init has basically ended, which will trigger a kernel panic:
!! A fatal error has occured since /sbin/openrc-init did not
!! boot correctly. Trying to open a shell ...
+ exec /bin/bash
/init: exec: line 1366: /bin/bash: not found
[ 55.060649] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
The new error handling will keep init running in loop which will
allow user to fix every detected problem until we are confident that
switch_root call has a chance to succeed.
In case the user cannot fix the problem (maybe because of
gk.userinteraction.disabled), we will call the newly added
gk.emergency action (reboot, poweroff or halt).
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
It was never really used; Kernel's console handling
already did the work.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Not used anymore since we moved to (e)udev.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
When this boolean option is set and enabled, genkernel initramfs will unmount /run
before calling switch_root.
This can help in SELinux context for example where labeling is required which is
not supported by genkernel.
Bug: https://bugs.gentoo.org/739424
Bug: https://bugs.gentoo.org/740576
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
options to cryptsetup
Cryptsetup supports additional options like "--perf-no_read_workqueue" or
"--perf-no_write_workqueue". While it is recommended to use LUKS2 format
and make these activation flags permanent, you can also make use of
the new kernel command-line arguments "crypt_root_options" for root device
or "crypt_swap_options" for swap device to pass additional options
to cryptsetup.
These arguments can be specified multiple times or separate multiple
options with a comma.
Bug: https://bugs.gentoo.org/755587
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
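A shell illustration of the argument semantics this commit message describes, added here and not genkernel's own code: every crypt_root_options= / crypt_swap_options= occurrence on a (constructed) kernel command line is collected, each value is split on commas, and the result is the option list an init script would hand to cryptsetup. The check that every option starts with "--" is an added defensive measure, so that a stray value cannot land in cryptsetup's positional arguments.

```shell
#!/bin/sh
# Added example, not genkernel's own code: gather cryptsetup options from
# crypt_root_options= / crypt_swap_options= kernel command-line arguments.
# Both forms from the commit message are accepted: the argument repeated,
# and several options separated by commas within one argument.

# Constructed kernel command line used for the demonstration.
SAMPLE_CMDLINE='root=/dev/mapper/root crypt_root=UUID=0000-1111 crypt_root_options=--perf-no_read_workqueue crypt_root_options=--perf-no_write_workqueue,--allow-discards crypt_swap_options=--allow-discards quiet'

# collect_crypt_options NAME CMDLINE
# Prints the options collected for NAME (crypt_root_options or
# crypt_swap_options) on one space-separated line. Returns 1 and prints
# nothing on stdout if an option does not look like a cryptsetup flag.
collect_crypt_options() {
    name="$1"; cmdline="$2"; result=''
    for word in $cmdline; do
        case "$word" in
            "${name}="*) ;;
            *) continue ;;
        esac
        # Strip "name=" and split the remainder on commas. The pieces carry no
        # whitespace because the command line was already split on it above;
        # empty pieces from "a,,b" or a trailing comma simply disappear.
        for opt in $(printf '%s' "${word#*=}" | tr ',' ' '); do
            case "$opt" in
                --*) result="${result:+$result }$opt" ;;
                *)  printf 'rejecting non-flag cryptsetup option: %s\n' "$opt" >&2
                    return 1 ;;
            esac
        done
    done
    printf '%s\n' "$result"
}

# How an init script would consume the result (shown, not executed here):
#   opts=$(collect_crypt_options crypt_root_options "$(cat /proc/cmdline)") || exit 1
#   cryptsetup $opts luksOpen "$root_device" root
```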
This is no longer necessary with the switch to UDEV.
Bug: https://bugs.gentoo.org/739892
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
{root,swap}_keydev
We need to do the same we do for rootfs since commit 05f968fda2c6839744b36c442b3feaa6de974e63
also for {root,swap}_keydev.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
When gk.udev.debug=yes is set (boolean option), udevd will run in
debug mode. Output will be written to /run/initramfs/udevd.log.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Now that we are using UDEV and have to preserve /run, we can also
use /run to always store log from initramfs.
This will make debugging easier because users don't have to explicitly
enable logging (disabling is still possible).
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Now that we always build util-linux for switch_root, we no longer
need this option.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Now that we are using (e)udev with kmod support, we can rely on UDEV to
load required kernel modules.
Old module loading based on modules_load file can still be enabled via
boolean "gk.hw.use-modules_load" kernel command-line option, which inverts
and replaces the previous "nodetect" kernel command-line option.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Before this change we had different names in config file
and command-line for the same thing.
With this change we have one option named KERNEL_MODULES_PREFIX and its
corresponding --kernel-modules-prefix command-line argument.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
We need to switch from using MDEV to UDEV to avoid boot problems
due to timeouts caused by some UDEV rules from real system when
real system is using systemd.
Bug: https://bugs.gentoo.org/706434
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
When this option is set and enabled, genkernel initramfs will not prompt
on errors, i.e. this will disable any user interaction, e.g. for a kiosk system.
Bug: https://bugs.gentoo.org/730966
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Bug: https://bugs.gentoo.org/731294
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
--compress-initramfs-type to determine_real_args()
This will allow us to error out early if required user space tool
needed to compress initramfs based on specified --compress-initramfs-type
is missing or selected type is invalid/unsupported.
Best/fastest list is based on results from [Link1][Link2][Link3].
Link1: https://events.static.linuxfound.org/sites/events/files/lcjpcojp13_klee.pdf
Link2: https://kernel.ubuntu.com/~cking/boot-speed-eoan-5.3/kernel-compression-method.txt
Link3: https://lwn.net/Articles/817134/
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Richard Yao <ryao@gentoo.org>
Closes: https://github.com/gentoo/genkernel/pull/15
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This commit will make kernel config filename used by --save-config
feature customizable like previous commit 769a07fd3e947 did for
initramfs and kernel image.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
b2sum can be used to verify (boot) media since
commit 5c55dd467a563623f16be27f670b5a3ddc79fb02.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
While we call emerge with "--ignore-default-opts" since commit da5a5fa797a5fffa6c4d694cbfe2edc83bab4890
to avoid conflicting emerge options, we also need to ensure that
we don't clash with problematic emerge FEATURES like "getbinpkg".
Reported-by: Rick Farina <zerochaos@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
--quiet-build=y instead of just --quiet will output error message in
case emerge failed. Because we catch output this will make genkernel.log
a single point of truth logfile without the need to consult any additional
logfile.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
It's possible that user has set conflicting emerge options like
"--ask" in EMERGE_DEFAULT_OPTS which could break genkernel.
Calling emerge with --ignore-default-opts will allow us to
avoid such scenarios.
In addition, --module-rebuild-cmd (MODULEREBUILD_CMD) option was
added to allow user to alter default command.
Closes: https://bugs.gentoo.org/705082
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Embedding microcode updates into initramfs is deprecated when
system is able to load multiple initramfs.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
- Add support for LABEL/UUID in root kernel parameter
- When loading network, always load all network modules
even when root block device is already available
- Always load crypto and USB module group when CRYPT_{ROOT,SWAP}
is set.
- Always load fs module group.
- Add gk.hw.load-all kernel command-line argument to allow
user to force loading of all module groups.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
To compile thin-provisioning-tools, required for LVM thin provisioning
support which was added in commit 9dea735590ebfff278710148fa8743777a18c4bd,
we need a C++ compiler.
This option will allow user to specify custom C++ compiler (for example
when using ccache/distcc).
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Bug: https://bugs.gentoo.org/560710
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This commit will bring back read timeout which was removed in
Commit a280829. Read timeout is still disabled by default but
can now be controlled via gk.prompt.timeout kernel command-line
argument.
When gk.prompt.timeout is != 0, the current prompt will be written
to $GK_PROMPT_FILE. This will allow a remote user to notice that
there's a prompt.
In addition, on timeout, $GK_PROMPT_FILE will be read, allowing a
remote user to answer the prompt and hopefully to fix the problem
and resume booting.
To make this work, gk.prompt.timeout will be set to 30 seconds
by default when SSH usage is enabled.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
By default, any {bad,good,warn}_msg output and external command calls
will now be logged to /tmp/init.log in initramfs. This can be turned
off via gk.log.disabled={1,yes} kernel command-line argument.
This is especially helpful when working with remote servers when you
can access initramfs system through SSH.
In addition, initramfs' log file can be preserved, i.e. copied to
real system just before switch_root call. This can be controlled
via gk.log.keep kernel command-line argument: When just enabled,
initramfs will copy log to $NEWROOT/genkernel-boot.log. Keep in mind
that the file path must be accessible for initramfs and by default,
initramfs will only mount / as $NEWROOT and no additional mountpoints.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Now that we moved $ARCH value to kernel's LOCALVERSION setting,
you cannot easily change LOCALVERSION anymore without losing
$ARCH information.
This can be annoying when you just want to build a new revision
which should have its own kernel binary, initramfs and modules
directory because you would have to remember to include default
value.
The new option will allow you to just append to genkernel's
KERNEL_LOCALVERSION value. This way you can just call genkernel
with --kernel-append-localversion=-rN option to build and test
a new revision.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This commit will change default kernel and initramfs filename:
kernel-genkernel-%%ARCH%%-%%KV%% -> vmlinuz-%%KV%%
System.map-genkernel--%%ARCH%%-%%KV%% -> System.map-%%KV%%
initramfs-genkernel-%%ARCH%%-%%KV%% -> initramfs-%%KV%%.img
The new naming will be consistent with kernel's "make install" and
will allow to match files in /lib/modules with actual kernel.
In addition, $ARCH value was moved to kernel's LOCALVERSION. This will
ensure that this information is still present and when you do
cross-compilation, that /lib/modules content doesn't get mixed.
Bug: https://bugs.gentoo.org/390407
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
New options like --initramfs-filename or --kernel-filename will
allow user to customize filenames used when installing initramfs
or kernel into $BOOTDIR. Therefore --kernelname (KNAME) option
was removed.
Filename can contain placeholders like '%%ARCH%%' which will get
replaced at runtime. Man page contains more information.
Bug: https://bugs.gentoo.org/395095
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
To avoid preventable errors like running out of disk space while building
a new kernel, two new options, --check-free-disk-space-bootdir and
--check-free-disk-space-kerneloutputdir, were added.
When set, disabled by default, genkernel will check early before
starting to build kernel/initramfs for specified amount of free
disk space.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This option will set/unset kernel option CONFIG_LOCALVERSION.
Closes: https://bugs.gentoo.org/521774
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This option is useful when you are calling genkernel within a sandboxed
environment, i.e. when using genkernel within an ebuild.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>