Hi all,
thanks, Jan Kiszka, for pointing that out! I have made the corrections in the git message now.

Regards,
Rakesh

On Wednesday, July 10, 2024 at 4:51:11 PM UTC+5:30 Jan Kiszka wrote:
On 10.07.24 07:33, Rakesh Kumar wrote:
> To ensure proper initialization of the fTPM and tee-supplicant services before
> the root filesystem is mounted, we are relocating their initialization to the
> local-top section of initramfs. This change ensures that the encrypted filesystems
> are properly initialized and ready for use before the root filesystem is mounted at
> local-bottom stage.
Close but not fully correct: The rootfs is mounted AFTER the top stage
and BEFORE bottom.
>
> Reason for local-top:
>
> * Early Initialization: The local-top scripts run before the root filesystem is mounted.
> This timing is essential for encrypted root filesystems since the decryption process must be
> completed before the filesystem can be accessed.
>
> * Dependency Handling: The encryption setup requires initializing dependencies such as
> fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
> ensures that all necessary components are in place before the root filesystem is mounted.
This will still need some isar-cip-core patch in order to add a PREREQ
on fTPM if a concrete target is using fTPM for disk encryption. But Quirin
just had another idea, leaving the stage to him now. :)
Jan
>
> Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
> ---
> .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++--
> .../initramfs-tee-supplicant-hook_0.1.bb | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> index db38e618..82fec1bb 100644
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
> }
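Review bot: in do_install, tee-ftpm.script now lands in scripts/local-top, but nothing in this hunk fixes its order relative to the other scripts in that stage. initramfs-tools orders the scripts within a stage by the PREREQ each one declares, so tee-ftpm.script should name tee-supplicant in its PREREQ if it relies on the supplicant, and the script that unlocks the encrypted partition needs tee-ftpm in its own PREREQ, as the reply above points out. Please either include the tee-ftpm.script change in this patch or say in the commit message where the ordering is handled.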
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
>
> do_install[cleandirs] += " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
>
> do_install() {
> install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
> }
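Review bot: in do_install, tee-supplicant.script moves to scripts/local-top and cleandirs no longer creates scripts/local-bottom, so this recipe no longer runs anything after the rootfs is mounted. DEBIAN_DEPENDS lists procps, which suggests the script manages the supplicant process; if it previously stopped or handed over tee-supplicant at local-bottom, confirm that step still happens at the right stage, and document in the recipe or the commit message whether the daemon is expected to keep running past local-top.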
--
Siemens AG, Technology
Linux Expert Center