OFW unsecure kernel/initramfs load from zip file

Daniel Drake dsd at laptop.org
Mon Sep 19 10:40:48 EDT 2011


Hi,

Right now, our signed images included in the boot partition:
signed initramfs and kernel (runrd.zip runos.zip), used for secure boot
unsigned initramfs and kernel (vmlinuz initrd.img), used in unsecure
mode, but identical the the files in the signed tarballs

I'd like to change the unsecure boot path logic to be:
- use initrd.img and vmlinuz (as now) if they are present
- otherwise, load initrd.img from the 'data.img' file inside
runrd.zip, and load vmlinuz from the 'data.img' file inside runos.zip
i.e. it would use the signed kernel/initramfs but wouldn't do any
signature checking

This would allow us to eliminate the unsigned kernel/initramfs files
from our builds, saving some disk space in the boot partition (which
is precious for XO-1).

The first part of this (use vmlinuz/initrd.img if found) is easy, but
I looked at implementing the second part (load from zip) but got a bit
lost and confused.
I think the best way may be to have the existing boot-device/ramdisk
code to transparently handle this case, so that we could have:

   " last:\actrd.zip" to ramdisk
   " last:\actos.zip" to boot-device

And the code behind those entities could either look at the filename,
or recognise the zip format signature, and know that data.img should
be read from the archive.

Thoughts / implementation guidance?

Thanks,
Daniel


More information about the Devel mailing list