public inbox for isar-users@googlegroups.com
* [PATCH v4 1/3] classes: Add initramfs class
@ 2021-01-18 10:07 Harald Seiler
  2021-01-18 10:07 ` [PATCH v4 2/3] Add example initramfs module recipe Harald Seiler
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Harald Seiler @ 2021-01-18 10:07 UTC
  To: isar-users; +Cc: Harald Seiler, Jan Kiszka, florian . bezdeka @ siemens . com

Add a new "image" class for generating a custom initramfs.  It works
like this: A new minimal debian rootfs is bootstrapped and all
dependency packages for the new initramfs are installed.  Then, an
initramfs is generated from this rootfs and deployed like usual.

This new initramfs.bbclass "image" class should be pulled in by an
"initramfs image" recipe.  Said recipe then specifies all dependencies
of the initramfs via INITRAMFS_INSTALL and INITRAMFS_PREINSTALL (which
are analogous to the respective IMAGE_* variables).

initramfs.bbclass intentionally does _not_ expose a mechanism to change
/etc/initramfs-tools/initramfs.conf and /etc/initramfs-tools/modules.
Changes to their settings are better done via packages that deploy
conf-hooks to /usr/share/initramfs-tools/conf-hooks.d/ and module
fragment files to /usr/share/initramfs-tools/modules.d/.

Signed-off-by: Harald Seiler <hws@denx.de>
---

Notes:
    I had this idea while searching for a way to build an initramfs that
    uses dm-verity to assert integrity of the rootfs.  To me, this feels
    like a much cleaner solution than anything else I tried and I'm happy to
    report that, using this approach, I got everything working nicely in the
    original project.
    
    In my opinion, this design has a number of advantages over the previous
    solutions we have seen so far:
    
     - It does not suffer any kind of initramfs pollution, caused by
       packages installed into a rootfs.  This is a big problem when trying
       to generate an initramfs from e.g. `buildchroot-target` as many
       unrelated packages could be installed there which would all get
       pulled into the initrd (if they install hooks/scripts).
    
       This also means, with this new approach, the integrator has maximum
       control over the contents of the initramfs.
    
     - There is no need to change the initramfs generation process in any
       way, the debian tooling can be used exactly like it's meant to.
    
     - As most isar-generated images will never regenerate the initramfs
       from the running system, all initramfs related packages are dead-weight
       to the image.  This is a problem when trying to generate the initramfs
       from the actual image rootfs.
    
       When it is necessary to rebuild the initramfs in a running system,
       the packages designed for this new class could just be installed into
       the rootfs, without any changes necessary.  This means, any generic
       initramfs module packages can be used both with the in-rootfs mechanism
       and initramfs.bbclass.
    
     - Because of this complete isolation and independence, implementation
       of complex logic is much easier:  For example dm-verity needs
       a root-hash that is only available after the rootfs has been cast into
       a filesystem image.  With this new approach, this can be modelled with
       a simple task dependency.
    
    Changes in v2:
    - None (just added examples in new patches)
    
    Changes in v3:
    - None
    
    Changes in v4:
    - Add ${DEPLOY_DIR_IMAGE} to task [dirs] to ensure it is present.

 meta/classes/initramfs.bbclass | 42 ++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 meta/classes/initramfs.bbclass

diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass
new file mode 100644
index 000000000000..10a642b1a6be
--- /dev/null
+++ b/meta/classes/initramfs.bbclass
@@ -0,0 +1,42 @@
+# This software is a part of ISAR.
+
+# Make workdir and stamps machine-specific without changing common PN target
+WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}-${MACHINE}/${PV}-${PR}"
+STAMP = "${STAMPS_DIR}/${DISTRO}-${DISTRO_ARCH}/${PN}-${MACHINE}/${PV}-${PR}"
+STAMPCLEAN = "${STAMPS_DIR}/${DISTRO}-${DISTRO_ARCH}/${PN}-${MACHINE}/*-*"
+
+INITRAMFS_INSTALL ?= ""
+INITRAMFS_PREINSTALL ?= ""
+INITRAMFS_ROOTFS ?= "${WORKDIR}/rootfs"
+INITRAMFS_IMAGE_FILE = "${DEPLOY_DIR_IMAGE}/${INITRAMFS_FULLNAME}.initrd.img"
+
+# Install proper kernel
+INITRAMFS_INSTALL += "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}"
+
+# Name of the initramfs including distro&machine names
+INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}"
+
+DEPENDS += "${INITRAMFS_INSTALL}"
+
+ROOTFSDIR = "${INITRAMFS_ROOTFS}"
+ROOTFS_FEATURES = ""
+ROOTFS_PACKAGES = "initramfs-tools ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}"
+
+inherit rootfs
+
+do_generate_initramfs[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_generate_initramfs() {
+    rootfs_do_mounts
+    rootfs_do_qemu
+
+    sudo -E chroot "${INITRAMFS_ROOTFS}" \
+        update-initramfs -u -v
+
+    if [ ! -e "${INITRAMFS_ROOTFS}/initrd.img" ]; then
+        die "No initramfs was found after generation!"
+    fi
+
+    rm -rf "${INITRAMFS_IMAGE_FILE}"
+    cp "${INITRAMFS_ROOTFS}/initrd.img" "${INITRAMFS_IMAGE_FILE}"
+}
+addtask generate_initramfs after do_rootfs before do_build
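
Review bot: do_generate_initramfs calls rootfs_do_mounts and rootfs_do_qemu, but nothing in the function releases those mounts again, neither on the success path nor when the die after the initrd.img check fires. If the rootfs class does not clean them up elsewhere, please unmount at the end of the task and on failure, so that a failed build does not leave mounts active under ${INITRAMFS_ROOTFS}. Separately, sudo -E hands the whole task environment to a root process inside the chroot; passing only the variables update-initramfs needs would be tighter.
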
-- 
2.29.2



* [PATCH v4 2/3] Add example initramfs module recipe
  2021-01-18 10:07 [PATCH v4 1/3] classes: Add initramfs class Harald Seiler
@ 2021-01-18 10:07 ` Harald Seiler
  2021-01-18 10:07 ` [PATCH v4 3/3] Add custom isar-initramfs example Harald Seiler
  2021-02-10  9:10 ` [PATCH v4 1/3] classes: Add initramfs class Anton Mikanovich
  2 siblings, 0 replies; 4+ messages in thread
From: Harald Seiler @ 2021-01-18 10:07 UTC
  To: isar-users; +Cc: Harald Seiler, Jan Kiszka, florian . bezdeka @ siemens . com

Add the initramfs-example recipe/package which demonstrates how to write
initramfs modules.  It demonstrates how to add hook scripts, boot scripts,
and conf-hooks.

Signed-off-by: Harald Seiler <hws@denx.de>
---

Notes:
    Changes in v3:
    - None
    
    Changes in v4:
    - None

 .../initramfs-example/files/example.conf-hook |  7 ++++
 .../initramfs-example/files/example.hook      | 19 +++++++++
 .../initramfs-example/files/example.script    | 21 ++++++++++
 .../initramfs-example/initramfs-example.bb    | 40 +++++++++++++++++++
 4 files changed, 87 insertions(+)
 create mode 100644 meta-isar/recipes-initramfs/initramfs-example/files/example.conf-hook
 create mode 100644 meta-isar/recipes-initramfs/initramfs-example/files/example.hook
 create mode 100644 meta-isar/recipes-initramfs/initramfs-example/files/example.script
 create mode 100644 meta-isar/recipes-initramfs/initramfs-example/initramfs-example.bb

diff --git a/meta-isar/recipes-initramfs/initramfs-example/files/example.conf-hook b/meta-isar/recipes-initramfs/initramfs-example/files/example.conf-hook
new file mode 100644
index 000000000000..2a3cf7a84040
--- /dev/null
+++ b/meta-isar/recipes-initramfs/initramfs-example/files/example.conf-hook
@@ -0,0 +1,7 @@
+# Example conf-hook.
+#
+# See "CONFIGURATION HOOK SCRIPTS" in initramfs-tools(7) for details.
+
+# Example: Use busybox instead of klibc-utils.  The package must also add
+# `busybox` as a dependency when this is set.
+BUSYBOX=y
diff --git a/meta-isar/recipes-initramfs/initramfs-example/files/example.hook b/meta-isar/recipes-initramfs/initramfs-example/files/example.hook
new file mode 100644
index 000000000000..0d84e7a97efd
--- /dev/null
+++ b/meta-isar/recipes-initramfs/initramfs-example/files/example.hook
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Example hook script.
+#
+# See "HOOK SCRIPTS" in initramfs-tools(7) for details.
+
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
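
Review bot: the hook stops at "# Begin real processing below this line" with no body, so as an example it never shows what a hook does once hook-functions has been sourced. A short commented call, for instance copy_exec for a binary the boot script needs, would make it useful as a template, and a set -e near the top would make a failing step fail the hook instead of passing silently.
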
diff --git a/meta-isar/recipes-initramfs/initramfs-example/files/example.script b/meta-isar/recipes-initramfs/initramfs-example/files/example.script
new file mode 100644
index 000000000000..784fad9c99bb
--- /dev/null
+++ b/meta-isar/recipes-initramfs/initramfs-example/files/example.script
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Example boot script.
+#
+# See "BOOT SCRIPTS" in initramfs-tools(7) for details.
+
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /scripts/functions
+# Begin real processing below this line
+
+log_success_msg "Hello from ISAR!"
diff --git a/meta-isar/recipes-initramfs/initramfs-example/initramfs-example.bb b/meta-isar/recipes-initramfs/initramfs-example/initramfs-example.bb
new file mode 100644
index 000000000000..c336dda92b5d
--- /dev/null
+++ b/meta-isar/recipes-initramfs/initramfs-example/initramfs-example.bb
@@ -0,0 +1,40 @@
+# Example of a recipe containing an initramfs module.  Packages like this can be
+# used with initramfs.bbclass or installed directly into a rootfs, depending on
+# the usecase.
+#
+# This software is a part of ISAR.
+
+DESCRIPTION = "Sample initramfs module for ISAR"
+MAINTAINER = "Your name here <you@domain.com>"
+DEBIAN_DEPENDS = "initramfs-tools"
+
+# If the conf-hook enables BUSYBOX=y, busybox is needed:
+DEBIAN_DEPENDS .= ", busybox"
+
+SRC_URI = " \
+    file://example.conf-hook \
+    file://example.hook \
+    file://example.script \
+    "
+
+inherit dpkg-raw
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/conf-hooks.d \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-top \
+    "
+do_install() {
+    # See "CONFIGURATION HOOK SCRIPTS" in initramfs-tools(7) for details.
+    install "${WORKDIR}/example.conf-hook" \
+        "${D}/usr/share/initramfs-tools/conf-hooks.d/isar-example"
+
+    # See "HOOK SCRIPTS" in initramfs-tools(7) for details.
+    install "${WORKDIR}/example.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/isar-example"
+
+    # Note that there are other places where a boot script might be deployed to,
+    # apart from local-top.  See "BOOT SCRIPTS" in initramfs-tools(7) for details.
+    install "${WORKDIR}/example.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-top/example.script"
+}
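
Review bot: the last install call deploys the boot script as scripts/local-top/example.script, while the conf-hook and the hook are both installed as isar-example; using the same isar-example name for all three makes it easier to tell which package owns a file in a generated initramfs. The three install calls also rely on the default mode: consider an explicit -m 0755 for the hook and the boot script and -m 0644 for the conf-hook, which only carries a variable assignment.
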
-- 
2.29.2



* [PATCH v4 3/3] Add custom isar-initramfs example
  2021-01-18 10:07 [PATCH v4 1/3] classes: Add initramfs class Harald Seiler
  2021-01-18 10:07 ` [PATCH v4 2/3] Add example initramfs module recipe Harald Seiler
@ 2021-01-18 10:07 ` Harald Seiler
  2021-02-10  9:10 ` [PATCH v4 1/3] classes: Add initramfs class Anton Mikanovich
  2 siblings, 0 replies; 4+ messages in thread
From: Harald Seiler @ 2021-01-18 10:07 UTC
  To: isar-users; +Cc: Harald Seiler, Jan Kiszka, florian . bezdeka @ siemens . com

isar-initramfs is a custom initramfs which additionally has the
initramfs-example module installed.  It is also built as part of
the CI.

Signed-off-by: Harald Seiler <hws@denx.de>
---

Notes:
    Changes in v3:
    - Add this target to ci_build.sh for CI inclusion.
    
    Changes in v4:
    - None

 .../recipes-initramfs/images/isar-initramfs.bb | 18 ++++++++++++++++++
 scripts/ci_build.sh                            |  1 +
 2 files changed, 19 insertions(+)
 create mode 100644 meta-isar/recipes-initramfs/images/isar-initramfs.bb

diff --git a/meta-isar/recipes-initramfs/images/isar-initramfs.bb b/meta-isar/recipes-initramfs/images/isar-initramfs.bb
new file mode 100644
index 000000000000..aaa0350aab20
--- /dev/null
+++ b/meta-isar/recipes-initramfs/images/isar-initramfs.bb
@@ -0,0 +1,18 @@
+# Example of a custom initramfs image recipe.  The image will be deployed to
+#
+#   build/tmp/deploy/images/${MACHINE}/isar-initramfs-${DISTRO}-${MACHINE}.initrd.img
+#
+# This software is a part of ISAR.
+
+inherit initramfs
+
+# Debian packages that should be installed into the system for building the
+# initramfs.  E.g. the cryptsetup package which contains initramfs scripts for
+# decrypting a root filesystem.
+INITRAMFS_PREINSTALL += " \
+    "
+
+# Recipes that should be installed into the initramfs build rootfs.
+INITRAMFS_INSTALL += " \
+    initramfs-example \
+    "
diff --git a/scripts/ci_build.sh b/scripts/ci_build.sh
index f4c33a37247e..f6fc5e54f7d3 100755
--- a/scripts/ci_build.sh
+++ b/scripts/ci_build.sh
@@ -28,6 +28,7 @@ TARGETS_SET="\
             mc:qemuamd64-stretch:isar-image-base \
             mc:qemuamd64-buster:isar-image-base \
             mc:qemuamd64-buster-tgz:isar-image-base \
+            mc:qemuamd64-buster:isar-initramfs \
             mc:qemumipsel-stretch:isar-image-base \
             mc:qemumipsel-buster:isar-image-base \
             mc:nand-ubi-demo-buster:isar-image-ubi \
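
Review bot: the only CI target added is mc:qemuamd64-buster:isar-initramfs, so the new class is built for a single architecture. Since do_generate_initramfs in patch 1 runs update-initramfs in a chroot after rootfs_do_qemu, adding isar-initramfs for one of the non-amd64 configurations already in this list (for example a qemumipsel-buster one) would cover that path as well.
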
-- 
2.29.2



* Re: [PATCH v4 1/3] classes: Add initramfs class
  2021-01-18 10:07 [PATCH v4 1/3] classes: Add initramfs class Harald Seiler
  2021-01-18 10:07 ` [PATCH v4 2/3] Add example initramfs module recipe Harald Seiler
  2021-01-18 10:07 ` [PATCH v4 3/3] Add custom isar-initramfs example Harald Seiler
@ 2021-02-10  9:10 ` Anton Mikanovich
  2 siblings, 0 replies; 4+ messages in thread
From: Anton Mikanovich @ 2021-02-10  9:10 UTC
  To: Harald Seiler, isar-users; +Cc: Jan Kiszka, florian . bezdeka @ siemens . com

18.01.2021 13:07, Harald Seiler wrote:
> Add a new "image" class for generating a custom initramfs.  It works
> like this: A new minimal debian rootfs is bootstrapped and all
> dependency packages for the new initramfs are installed.  Then, an
> initramfs is generated from this rootfs and deployed like usual.
>
> This new initramfs.bbclass "image" class should be pulled in by an
> "initramfs image" recipe.  Said recipe then specifies all dependencies
> of the initramfs via INITRAMFS_INSTALL and INITRAMFS_PREINSTALL (which
> are analogous to the respective IMAGE_* variables).
>
> initramfs.bbclass intentionally does _not_ expose a mechanism to change
> /etc/initramfs-tools/initramfs.conf and /etc/initramfs-tools/modules.
> Changes to their settings are better done via packages that deploy
> conf-hooks to /usr/share/initramfs-tools/conf-hooks.d/ and module
> fragment files to /usr/share/initramfs-tools/modules.d/.
>
> Signed-off-by: Harald Seiler <hws@denx.de>

Patchset applied to next, thanks.

-- 
Anton Mikanovich
Promwad Ltd.
External service provider of ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn, Germany
+49 (89) 122 67 24-0
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov


