Re: [RFC 2/2] initramfs with digital signature protection
From: Kasatkin, Dmitry
Date: Fri Feb 08 2013 - 03:34:49 EST
On Thu, Feb 7, 2013 at 7:05 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> On Tue, Feb 05, 2013 at 02:34:50PM +0200, Dmitry Kasatkin wrote:
>
> [..]
>> +static int __init load_initramfs(void)
>> +{
>> + static char *argv[] = { "pre-init", NULL, };
>> + extern char *envp_init[];
>> + int err;
>> +
>> + /*
>> + * In case that a resume from disk is carried out by linuxrc or one of
>> + * its children, we need to tell the freezer not to wait for us.
>> + */
>> + current->flags |= PF_FREEZER_SKIP;
>> +
>> + err = call_usermodehelper_fns("/pre-init", argv, envp_init,
>> + UMH_WAIT_PROC, init_init, init_cleanup,
>> + NULL);
>> +
>> + current->flags &= ~PF_FREEZER_SKIP;
>> +
>> + pr_info("initramfs_sig /pre-init completed: %d\n", err);
>> +
>
> Dmitry,
>
> How do we make sure that this is the first call to user mode helpers. I
> see that we first unpacked unsigned initramfs. Then after a while we
> unpacked signed initramfs on /root and did a chroot. But now there is
> a window before chroot, where kernel might call into /sbin/hotplug or
> /sbin/modprobe from unsigned initramfs?
>
> Specifically, I put some printk and I am seeing calls to /sbin/hotplug
> before we even unpacked signed initramfs.
If it really happens, then there something should be done to prevent it.
Can you please send me your patch with printks.
It would be interesting to analyze more what might happen.
Thanks,
Dmitry
>
> Thanks
> Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/