
#1 2019-11-08 16:50:06

blufinney
Member
Registered: 2014-08-26
Posts: 59

pacman hook (kernel) vs mkinitcpio v27

I'm looking for assistance/ideas on a reliable pacman hook used to run a script that compiles (initramfs, kernel, etc) and signs for secureboot.

Previously we could use:

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = boot/vmlinuz-*

I have since been recommended to use:

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/modules/*/vmlinuz

The new trigger works great when a new kernel is installed (or re-installed).

The problem I'm facing with the new trigger is when a (non-kernel) package is installed that triggers a rebuild of the boot directory files.  While the initramfs/vmlinuz-linux files are updated in the /boot directory - the hook doesn't run!

Maybe there is a trigger that covers that scenario?

[edited out inaccurate (noob) description]

Last edited by blufinney (2019-11-08 16:54:08)


#2 2019-11-08 17:16:35

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: pacman hook (kernel) vs mkinitcpio v27

/usr/share/libalpm/hooks/90-mkinitcpio-install.hook has a second target entry

Target = usr/lib/initcpio/*

If that is the cause of the update then perhaps adding that to your hook as well would solve the issue.


#3 2019-11-08 17:17:04

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,786

Re: pacman hook (kernel) vs mkinitcpio v27

Take a look at what the mkinitcpio hook triggers on: /usr/share/libalpm/hooks/90-mkinitcpio-install.hook


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#4 2019-11-08 17:42:37

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: pacman hook (kernel) vs mkinitcpio v27

Thanks for the responses.

I'll try adding:

Target = usr/lib/initcpio/*

I'll have to do some testing.  I'm concerned the variable passed to the script when using the above trigger will not have information about the version of kernel in that case?  How would my script know what kernel (e.g. linux vs linux-hardened) or what version?

Maybe I'm just noobing out on this, but having trouble seeing how that would work.


#5 2019-11-08 17:52:19

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: pacman hook (kernel) vs mkinitcpio v27

Matching usr/lib/initcpio/* in /usr/share/libalpm/hooks/90-mkinitcpio-install.hook will trigger all initrds to be rebuilt.
So I believe your hook should then create new signed binaries for every kernel.


#6 2019-11-08 18:19:00

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: pacman hook (kernel) vs mkinitcpio v27

loqs wrote:

Matching usr/lib/initcpio/* in /usr/share/libalpm/hooks/90-mkinitcpio-install.hook will trigger all initrds to be rebuilt.
So I believe your hook should then create new signed binaries for every kernel.

Ah, I see what you mean.  I could change my signing script from using the variable passed from the hook to instead just looping all kernels when triggered.

Newb question: Let's say I create a stand-alone hook using the trigger "usr/lib/initcpio/*" and I updated at "Nov  8 00:01"

drwxr-xr-x   5 root root   4096 Nov  8 00:01 .
drwxr-xr-x 231 root root 208896 Nov  8 00:02 ..
-rwxr-xr-x   1 root root 512144 Mar  1  2019 busybox
-rw-r--r--   1 root root  23329 Nov  6 12:31 functions
drwxr-xr-x   2 root root   4096 Nov  8 00:01 hooks
-rwxr-xr-x   1 root root   2093 Nov  6 12:31 init
-rw-r--r--   1 root root  13140 Nov  6 12:31 init_functions
drwxr-xr-x   2 root root   4096 Nov  8 00:01 install
-rwxr-xr-x   1 root root   2746 Nov  6 12:31 shutdown
drwxr-xr-x   2 root root   4096 Nov  8 00:01 udev

How many times would my shiny new signing script run (against all kernels)?  Twice in the above scenario?  Looking for ways to reduce/eliminate redundantly running the script.


#7 2019-11-08 19:07:07

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: pacman hook (kernel) vs mkinitcpio v27

Can you please post your current script and hook?


#8 2019-11-08 20:41:20

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: pacman hook (kernel) vs mkinitcpio v27

loqs wrote:

Can you please post your current script and hook?

This is the current setup that works well (w/ mkinitcpio v27) when a kernel pkg is installed or updated - but doesn't trigger when a non-kernel pkg is installed/updated that triggers kernel rebuild.

This is of course before trying to use "Target = usr/lib/initcpio/*" in some way.

Current hook:

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/modules/*/vmlinuz

[Action]
When = PostTransaction
Exec = /bin/sh -c 'while read -r f; do /root/secure-boot/make-sign-image.sh "$f"; done'
NeedsTargets

Current script:

#!/bin/bash
# Run by the hook once per matched target; $1 is the vmlinuz path as pacman
# reports it, relative to the filesystem root (usr/lib/modules/<version>/vmlinuz)
set -euo pipefail

KERNEL="/${1#/}"                       # absolute path, whatever the working directory
PKGBASE="${KERNEL%/vmlinuz}/pkgbase"   # pkgbase sits next to vmlinuz in the modules directory
KLABEL=$(cat "$PKGBASE")               # e.g. linux, linux-hardened
BOOTDIR=/boot
CERTDIR=/root/keys
INITRAMFS="${BOOTDIR}/intel-ucode.img ${BOOTDIR}/initramfs-${KLABEL}.img"
EFISTUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
BUILDDIR=_build
OUTIMG="${BOOTDIR}/${KLABEL}.img"
CMDLINE=/etc/cmdline

mkdir -p "${BUILDDIR}"

# Microcode first, then the initramfs; INITRAMFS is deliberately unquoted so it splits into both files
cat ${INITRAMFS} > "${BUILDDIR}/initramfs.img"

# Assemble the unified kernel image around the systemd EFI stub
/usr/bin/objcopy \
    --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
    --add-section .cmdline="${CMDLINE}" --change-section-vma .cmdline=0x30000 \
    --add-section .linux="${KERNEL}" --change-section-vma .linux=0x40000 \
    --add-section .initrd="${BUILDDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \
    "${EFISTUB}" "${BUILDDIR}/combined-boot.efi"

# Sign with the db key enrolled in the firmware
/usr/bin/sbsign --key "${CERTDIR}/DB.key" --cert "${CERTDIR}/DB.crt" --output "${BUILDDIR}/combined-boot-signed.efi" "${BUILDDIR}/combined-boot.efi"

cp "${BUILDDIR}/combined-boot-signed.efi" "${OUTIMG}"


#9 2019-11-08 21:11:40

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: pacman hook (kernel) vs mkinitcpio v27

I would suggest changing the exec of the current hook to call a new script.
Based on /usr/share/libalpm/scripts/mkinitcpio-install I would suggest the new script that does something similar to the following (which is untested):

#!/bin/bash
# Reads the hook's NeedsTargets list from stdin, one path per line, relative to the root
kernels=() # vmlinuz paths of the kernels that have been updated
all=0      # if usr/lib/initcpio/* is updated then every initramfs has been rebuilt

while read -r line; do
    if [[ $line != */vmlinuz ]]; then
        # triggers when it's a change to usr/lib/initcpio/*
        all=1
        break
    fi

    if ! read -r pkgbase > /dev/null 2>&1 < "${line%/vmlinuz}/pkgbase"; then
        # if the kernel has no pkgbase, we skip it
        continue
    fi
    kernels+=("${line}")
done

# make-sign-image.sh expects the vmlinuz path, as in the existing hook
if (( all )); then
  for kernel in /usr/lib/modules/*/vmlinuz
  do
    [[ -r ${kernel%/vmlinuz}/pkgbase ]] || continue
    /root/secure-boot/make-sign-image.sh "$kernel"
  done
else
  for kernel in "${kernels[@]}"
  do
    /root/secure-boot/make-sign-image.sh "$kernel"
  done
fi

Last edited by loqs (2019-11-08 21:19:18)

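A fuller version of the target-selection logic discussed in #6 and #9, as an added example rather than code from the thread or from mkinitcpio: pacman runs a hook at most once per transaction and, with NeedsTargets, writes every matched path on the hook's stdin, one per line, relative to the root, so the script below reads that list, treats any usr/lib/initcpio/* change as "every installed kernel was rebuilt", deduplicates, skips module directories without a pkgbase, and only then calls the signing script once per kernel. The names plan_kernels, sign_targets, demo_plan, the ROOT and SIGN_CMD variables, the constructed modules tree and the hook path in the comment are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide which kernels to re-sign from the
# NeedsTargets list pacman writes to the hook's stdin, one path per line,
# relative to the filesystem root (the hook itself runs with that root as cwd).
# Assumed names: plan_kernels, sign_targets, demo_plan, ROOT, SIGN_CMD.
# Hook side (script path assumed):
#   Exec = /bin/sh /root/secure-boot/sign-targets.sh --hook

# plan_kernels: stdin -> sorted, deduplicated list of vmlinuz paths to sign.
# An initcpio change means mkinitcpio rebuilt every initramfs, so every
# installed kernel is planned; directories without a pkgbase (leftovers of a
# removed kernel package) are skipped, as mkinitcpio-install does.
plan_kernels() {
    root=${ROOT:-/}; root=${root%/}/          # ROOT lets the demo use a constructed tree
    all=0; want=""
    while read -r line; do
        case $line in
            usr/lib/modules/*/vmlinuz) want="$want$line
" ;;
            usr/lib/initcpio/*)        all=1 ;;
        esac
    done
    if [ "$all" -eq 1 ]; then
        for v in "$root"usr/lib/modules/*/vmlinuz; do
            [ -e "$v" ] || continue               # an unmatched glob is left literal
            want="$want${v#"$root"}
"
        done
    fi
    printf '%s' "$want" | sort -u | while read -r k; do
        [ -r "$root${k%/vmlinuz}/pkgbase" ] || continue
        printf '%s\n' "$k"
    done
}

# sign_targets: run the signing script exactly once per planned kernel.
sign_targets() {
    plan=$(plan_kernels) || return 1
    if [ -z "$plan" ]; then
        echo "sign-targets: no kernel needs signing" >&2
        return 0
    fi
    printf '%s\n' "$plan" | while read -r k; do
        "${SIGN_CMD:-/root/secure-boot/make-sign-image.sh}" "$k" || exit 1
    done
}

# demo_plan TARGET...: exercise plan_kernels against a constructed modules tree
# (two kernels with a pkgbase, one stale directory without) and the given
# target lines, the shape pacman feeds on stdin; prints the plan.
demo_plan() {
    tmp=$(mktemp -d) || return 1
    for d in 6.1.7-arch1-1 6.1.7-hardened1-1 5.4.0-stale; do
        mkdir -p "$tmp/usr/lib/modules/$d"
        : > "$tmp/usr/lib/modules/$d/vmlinuz"
    done
    echo linux          > "$tmp/usr/lib/modules/6.1.7-arch1-1/pkgbase"
    echo linux-hardened > "$tmp/usr/lib/modules/6.1.7-hardened1-1/pkgbase"
    ROOT=$tmp
    printf '%s\n' "$@" | plan_kernels
    unset ROOT
    rm -rf "$tmp"
}

case ${1-} in
    --hook) sign_targets ;;
    --demo) demo_plan usr/lib/modules/6.1.7-arch1-1/vmlinuz \
                      usr/lib/initcpio/hooks/udev \
                      usr/lib/modules/6.1.7-arch1-1/vmlinuz ;;
esac
```

Running it with --demo answers the question in #6 directly: the same vmlinuz listed twice and an initcpio change in one transaction produce one signing run per installed kernel, never two for the same one, because the hook fires once and the dedup happens in the script rather than in pacman.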

#10 2023-01-23 08:21:54

fxxr
Member
Registered: 2023-01-23
Posts: 1

Re: pacman hook (kernel) vs mkinitcpio v27

loqs wrote:

/usr/share/libalpm/hooks/90-mkinitcpio-install.hook has a second target entry

Target = usr/lib/initcpio/*

If that is the cause of the update then perhaps adding that to your hook as well would solve the issue.

It's three years later, but I just wanted to add that this solved the issue for me, signing my UKI files after mkinitcpio was done.
A good test is to reinstall systemd.

Here's my hook:

[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*

[Action]
Description = Signing kernels for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/EFI/Linux -maxdepth 1 -name 'arch*.efi' -exec sbctl sign {} ;
Depends = sbctl
Depends = findutils

Thanks!

