On Thu, 2015-01-08 at 09:01 -0500, Josh Boyer wrote: > On Wed, Jan 7, 2015 at 3:52 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > > This patch modifies the gen_initramfs_list.sh script to include xattrs > > in the initramfs. > > > > Dracut creates the initramfs using the cpio tool on the system, not > > the kernel's gen_init_cpio script. The following commands, for example, > > would create an initramfs containing xattrs. > > > > dracut -H -f /boot/initramfs-3.XX.0+.img 3.XX.0+ -M --keep \ > > --noprelink --nostrip > > gen_initramfs_list.sh /var/tmp/initramfs.XXXXXX/ > \ > > /var/tmp/initramfs_list.XXXXXX > > > > [Sign files here, if not already signed, using evmctl.] > > > > gen_init_cpio -x /var/tmp/initramfs_list.XXXXXX > \ > > /boot/initramfs-3.XX.0+test.img > > That's pretty awkward. I think it highlights the major downside of > this approach in that from a standard distro point of view this > functionality isn't likely to be used. Do you foresee this feature as > something that should be widely used, or something that would be used > more in custom, locked-down machines? Before distros can start enabling these features, software packages need to come with file signatures. Fin Gunter posted (and shortly will re-post) patches to include file signatures in RPM patches. Including file signatures in RPM packages (and similarly in other software package formats) is the direction we, the linux community, IMHO should be moving. How long this will take is entirely up to the distros. > I can understand not wanting to redefine the newc format in userspace > cpio, but if you want this to be easier to use then perhaps working > with dracut upstream to make it support this out of the box would be a > good idea. Anyone using dracut/systemd is currently not using tmpfs, as specifying "root=" on the boot command line reverts to using ramfs. Rob Landley suggested userspace apps use "ROOT=" instead. (http://sourceforge.net/p/linux-ima/mailman/message/33189705/) This patch set was posted as an RFC. Assuming this solution for including xattrs in the rootfs is acceptable, I'll post the dracut/systemd changes. Mimi -- To unsubscribe from this list: send the line "unsubscribe initramfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
