#1 2018-09-14 17:53:48

sharethewisdom
Member
Registered: 2014-09-22
Posts: 60

I need to sign my initramfs files: how do I prevent running mkinitcpio

I've set up grub to verify signatures of several files, including initcpio-* images.
I often update, sometimes in such a hurry that I don't see mkinitcpio making new images. Additionally, I have a long, tedious passphrase to lock down grub, which I don't carry with me all the time. I have needed to reboot with a recovery USB (which I also seldom carry with me) several times because of that.

I'm ignoring linux and linux-lts in /etc/pacman.conf, and I'd like to explicitly force-update (using pacman -Syu linux ...) ALL packages that require mkinitcpio to run. (I've read this old topic but I'm not sure how to proceed.) Should I just use /etc/pacman.conf to ignore kernel modules, and what else?

I guess there's no better way around it, as I like that signing the images requires me to log in as root interactively.

Last edited by sharethewisdom (2018-09-14 17:55:21)

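The failure described in the post above (mkinitcpio rewrites an image that was already signed, the detached signature no longer matches, and GRUB refuses to boot it) can be caught before rebooting. The script below is an added example, not code from this thread or from mkinitcpio; it assumes the layout `gpg --detach-sign` produces (a `<file>.sig` next to each file) and a signing keyring under GPG_HOME, both of which are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists the kernel and initramfs
# files in a boot directory that a signature-checking GRUB would refuse:
# files with no detached .sig beside them, and files newer than their .sig
# (the state mkinitcpio -P leaves behind when it rewrites a signed image).
# Assumptions, not facts from the posts: signatures are stored as
# "<file>.sig" next to each file and the signing keyring lives in GPG_HOME.

BOOT_DIR="${BOOT_DIR:-/boot}"
GPG_HOME="${GPG_HOME:-/root/keys}"

# Candidate files: stock names (vmlinuz-*, initramfs-*.img) plus the
# initcpio-* naming used in the post. The .sig files themselves are skipped.
# One path per line; /boot paths are assumed to contain no whitespace.
boot_artifacts() {
    for f in "$1"/vmlinuz-* "$1"/initramfs-*.img "$1"/initcpio-*; do
        [ -f "$f" ] || continue
        case "$f" in *.sig) continue ;; esac
        printf '%s\n' "$f"
    done
}

# Cheap check, no gpg needed: prints "<file> unsigned" or "<file> stale"
# per problem file. Returns 1 if anything was printed, 0 if all clean.
# "stale" means the file's mtime is newer than its signature's.
check_boot_sigs() {
    rc=0
    for f in $(boot_artifacts "$1"); do
        if [ ! -f "$f.sig" ]; then
            printf '%s unsigned\n' "$f"; rc=1
        elif [ "$f" -nt "$f.sig" ]; then
            printf '%s stale\n' "$f"; rc=1
        fi
    done
    return "$rc"
}

# Real check: verifies each signature with gpg against the signing keyring.
# mtimes cannot catch a signature made with the wrong key, or a file that
# was modified and then touched back to an older timestamp.
verify_boot_sigs() {
    rc=0
    for f in $(boot_artifacts "$1"); do
        if [ ! -f "$f.sig" ]; then
            printf '%s unsigned\n' "$f"; rc=1
        elif ! gpg --homedir "$GPG_HOME" --verify "$f.sig" "$f" >/dev/null 2>&1; then
            printf '%s BAD signature\n' "$f"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check-boot-sigs.sh quick|verify [dir]
case "${1-}" in
    quick)  check_boot_sigs "${2:-$BOOT_DIR}" ;;
    verify) verify_boot_sigs "${2:-$BOOT_DIR}" ;;
esac
```

The quick mode is what you would run from a login shell after an update to see whether anything in /boot was regenerated behind your back; the verify mode is what to run after signing, before rebooting, since GRUB will do the same check and you would rather find a mismatch now than from a recovery USB.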
#2 2018-09-14 17:58:06

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: I need to sign my initramfs files: how do I prevent running mkinitcpio

Do you not need to just override /usr/share/libalpm/hooks/90-linux.hook? (The override would be /etc/pacman.d/hooks/90-linux.hook.)
Edit:
Removed "-mainline": it was referencing a custom kernel hook instead of the standard one.

Last edited by loqs (2018-09-14 17:59:20)

#3 2018-09-14 18:31:52

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: I need to sign my initramfs files: how do I prevent running mkinitcpio

Hooks actually make this super easy, you could just override the hook with something empty.

Actually, I'd recommend something different: if a hook triggers recreation of the initcpio, you don't want to simply ignore that, because it's *supposed* to be recreated and doing so is not harmful.

Instead, modify the hook to leave a message warning you to recreate and sign the initcpio, and for good measure create a flag file too so you can double-check later whether it was needed.
Then, the hook does not invalidate your initcpio by creating an unsigned one, but it does do something useful instead.

This is a plus over the old days where really you should have updated the initcpio but you never knew, so it stayed old. I don't know why you'd want to have custom handling sending you back to the old days, but you can have custom handling that enables the new days, tailored to your use case.

Last edited by eschwartz (2018-09-14 18:34:39)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

#4 2018-09-15 18:17:03

sharethewisdom
Member
Registered: 2014-09-22
Posts: 60

Re: I need to sign my initramfs files: how do I prevent running mkinitcpio

Thanks for the responses. Indeed I used to temporarily override the hook (ln -s /dev/null /etc/pacman.d/hooks/90-linux.hook).

I use a laptop, sometimes to the point that the battery gets drained completely. Thus I'm a little reluctant to rely on a message. In any case I don't want the files matching the current signatures to be replaced automatically. Maybe a message notifying me about an initcpio-linux.new file in /boot on login would do. What do other users do? Please comment.

#5 2018-09-15 18:28:04

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: I need to sign my initramfs files: how do I prevent running mkinitcpio

If the hook does not run mkinitcpio and you have the kernels on ignore (plus anything that supplies kernel modules), then the rest of the updates would be triggered by early userspace changes, which should not actually matter as long as you have a working early userspace already in the initrd and switchroot separates early userspace cleanly from the start of init proper.
The only issue I can see would be remembering that you must regenerate the initrd after you do a manual kernel update.

#6 2018-09-16 02:35:27

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: I need to sign my initramfs files: how do I prevent running mkinitcpio

sharethewisdom wrote:

Thanks for the responses. Indeed I used to temporarily override the hook (ln -s /dev/null /etc/pacman.d/hooks/90-linux.hook).

I use a laptop, sometimes to the point that the battery gets drained completely. Thus I'm a little reluctant to rely on a message. In any case I don't want the files matching the current signatures to be replaced automatically. Maybe a message notifying me about an initcpio-linux.new file in /boot on login would do. What do other users do? Please comment.

Well, I don't see how a message is any worse than currently. Instead of simply ignoring the mkinitcpio change entirely by overriding it, you would just override it with something that at least provides the message.

Since nothing other than an actual, manual kernel update should *require* an initcpio rebuild in order to retain basic functionality -- you'll simply have an outdated initcpio with old versions of e.g. mkinitcpio-busybox, cryptsetup, systemd, and so on -- that would still mean you can boot fine, but you have a chance to notice that it might be a good idea to refresh the initcpio anyway.


#7 2018-10-15 14:47:35

sharethewisdom
Member
Registered: 2014-09-22
Posts: 60

Re: I need to sign my initramfs files: how do I prevent running mkinitcpio

Quick note: I use a notification via mako, and I'm running swaywm.

[Trigger]
Type = File
Operation = Install
Operation = Upgrade
Target = boot/vmlinuz-linux
Target = usr/lib/initcpio/*

[Action]
Description = Warn about updating linux initcpios...
When = PostTransaction
Exec = /usr/bin/sudo -u bart DISPLAY=:0 WAYLAND_DISPLAY=wayland-0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus /usr/bin/notify-send -u critical -i dialog-warning -a pacman "new kernel" "please run mkinitcpio -P and <b>SIGN</b> both the <i>images</i> and the <i>kernel</i>(s) with gpg --detach-sign --homedir /root/keys ..."

in ~/.config/mako/config, I overwrite the default with

[urgency=high]
default-timeout=0
background-color=#ffffffff
text-color=#ff0000ff

And I'm thinking of writing a PreTransaction hook to prevent installation of a new kernel or module package when the battery is low.

Last edited by sharethewisdom (2018-10-15 14:53:49)

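The two ideas in this thread that still lack code are the PreTransaction battery guard mentioned just above and the "warn and leave a flag file" hook eschwartz recommended in #3. The script below is an added example, not code from any poster; it is one script behind two pacman hooks. The hook file names, the SYSFS_PS and FLAG_FILE locations, the MIN_CAPACITY threshold and the `/usr/local/bin/pacman-hooks` path are all assumptions; the hook keywords used (`AbortOnFail`, `NeedsTargets`, `Type = Package`) are standard pacman hook options.

```shell
#!/bin/sh
# Added example, not code from the thread. One script, two pacman hooks.
#
# /etc/pacman.d/hooks/05-kernel-battery-guard.hook  (runs before anything
# is touched; with AbortOnFail a non-zero exit aborts the whole transaction)
#   [Trigger]
#   Operation = Install
#   Operation = Upgrade
#   Type = Package
#   Target = linux
#   Target = linux-lts
#   [Action]
#   Description = Refusing kernel update on low battery...
#   When = PreTransaction
#   AbortOnFail
#   Exec = /usr/local/bin/pacman-hooks battery-guard
#
# /etc/pacman.d/hooks/90-linux.hook  (same name as the stock hook, so it
# replaces it; same [Trigger] as the notify-send hook posted above)
#   [Trigger]
#   Type = File
#   Operation = Install
#   Operation = Upgrade
#   Target = boot/vmlinuz-linux
#   Target = usr/lib/initcpio/*
#   [Action]
#   Description = Flagging that initcpio must be rebuilt and re-signed...
#   When = PostTransaction
#   NeedsTargets
#   Exec = /usr/local/bin/pacman-hooks flag
#
# Paths and threshold below are assumptions, overridable via environment.
SYSFS_PS="${SYSFS_PS:-/sys/class/power_supply}"
FLAG_FILE="${FLAG_FILE:-/var/lib/initcpio-needed}"
MIN_CAPACITY="${MIN_CAPACITY:-40}"

# battery_ok: 0 when a kernel update is safe, 1 otherwise. Safe means no
# battery present (desktop), or not discharging, or charge >= MIN_CAPACITY.
# An unreadable status is treated as "not discharging" on purpose: a
# desktop UPS or an odd driver should not block updates forever.
battery_ok() {
    found=0
    for bat in "$SYSFS_PS"/BAT*; do
        [ -r "$bat/capacity" ] || continue
        found=1
        status=$(cat "$bat/status" 2>/dev/null || echo Unknown)
        cap=$(cat "$bat/capacity")
        [ "$status" = "Discharging" ] || return 0
        [ "$cap" -ge "$MIN_CAPACITY" ] && return 0
    done
    [ "$found" -eq 0 ] && return 0
    return 1
}

# PreTransaction entry point. The message goes to stderr so pacman shows
# it next to the "hook failed" line.
battery_guard() {
    battery_ok && return 0
    echo "battery too low to risk a kernel update; plug in and retry" >&2
    return 1
}

# PostTransaction entry point. With NeedsTargets pacman feeds the matched
# paths on stdin; they are appended so the flag records why it was raised.
mark_initcpio_needed() {
    flag="$1"
    {
        printf '# initcpio rebuild needed since %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        cat
    } >> "$flag"
    echo "initcpio NOT rebuilt: run mkinitcpio -P, then sign images and kernels; see $flag" >&2
}

# For a login shell or a status check: prints the flag contents and
# returns 0 while a rebuild is pending, 1 once it has been cleared.
initcpio_pending() {
    flag="$1"
    [ -s "$flag" ] || return 1
    cat "$flag"
}

# Cleared by hand after mkinitcpio -P and gpg --detach-sign have been run.
clear_initcpio_flag() { rm -f "$1"; }

case "${1-}" in
    battery-guard) battery_guard ;;
    flag)          mark_initcpio_needed "$FLAG_FILE" ;;
    pending)       initcpio_pending "$FLAG_FILE" ;;
    clear)         clear_initcpio_flag "$FLAG_FILE" ;;
esac
```

Two caveats. AbortOnFail aborts the entire pacman transaction, not just the kernel package, so keep the guard's Target list to the packages whose install actually forces an initcpio rebuild; anything broader will block ordinary updates on battery. And since the 90-linux.hook override fires for mkinitcpio updates too (the usr/lib/initcpio/* target), `pacman-hooks pending` in a login profile is what turns the flag file into the on-login notice the fourth post asked for, independent of whether a desktop notification was seen before the battery died.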
Powered by FluxBB