GitLab

We don't need them in the initramfs, let's save some space.

Source: https://gitlab.com/tlaurion/heads/commit/05e8152e9e2bb8154c01660e45b31458f6ea8d2f#0d1ead893ed92e52f8f33500806ba904915d803d_33_34

Currently translated at 17.7% (11 of 62 strings)

Translation: Tails/wiki/src/news/version_3.14.1.*.po
Translate-URL: http://translate.tails.boum.org/projects/tails/wikisrcnewsversion_3141po/pt/

Currently translated at 39.0% (16 of 41 strings)

Translation: Tails/wiki/src/news/version_3.11.*.po
Translate-URL: http://translate.tails.boum.org/projects/tails/wikisrcnewsversion_311po/it/

On Buster, partprobe complains if dmidecode is missing. It's not clear
what the consequences are, at least it doesn't cause partprobe to exit with an
error status code - but it's cheap to just copy dmidecode to the initramfs.

sdhci and subdependencies initrd kernel modules loaded to support Heads kexec'ing Tails kernel from sdcard integrity validated iso, permitting Tails to boot from a Read Only sdcard (fromiso). Heads boot device is referred by device/by-uuid (fromiso) to continue Heads kexec boot process from OS initrd loaded modules, prerequisite to continue kernel booting.

This would permit measured boot (on-boot iso integrity validation from Read Only sdcard) on many tamper evident laptop models( RYF x200, QubesOS to be certified x230, x220 and many other laptops using those modules for memory extension slot support).

Linked to this discussion: https://lists.autistici.org/message/20190612.203305.bcc3b98b.en.html
Linked to this Heads ticket: https://github.com/osresearch/heads/issues/581

Otherwise, in the initramfs partitioning script, mlabel fails with "Error
converting to codepage 850 Invalid argument", while the same command works fine
when run in the regular system.

sgdisk is used to fix the GPT and grow the system partition during boot.
partprobe is used to inform the kernel about these changes.

Return to the initramfs (unpacked in /run/initramfs) on shutdown (refs: #12428, #12354, Debian#778849).

… otherwise the aufs read-write (tmpfs) branch, among possibly other things,
can't be properly unmounted and its content remains in memory.

Notes:

 * We have to handle some unmounting ourselves in initramfs-pre-shutdown-hook:
   systemd-shutdown doesn't manage to unmount the aufs read-write
   branch (/oldroot/lib/live/mount/overlay) as it is needed by the
   aufs (/oldroot) filesystem, and reciprocally it cannot unmount /oldroot as it
   is kept busy by /oldroot/lib/live/mount/*. So we disentangle this mess
   ourselves. And we have to manually empty the aufs read-write (tmpfs) branch,
   otherwise for some reason its content remains in memory. This code will of
   course need to be adapted for overlayfs some day.

 * We lock /bin/kill in memory: apparently systemd-exit.service needs it.

 * We remount /run on shutdown *before* dropping caches, just in case dropping
   caches removes what we've locked into memory.

 * We unpack the initramfs to /run/initramfs at *boot* time: sadly, I was not
   able to have it unpacked reliably in udev-watchdog-wrapper when the boot
   medium is ejected, so we'll use a little bit more RAM (instead of locking the
   compressed initramfs into memory, we're storing the uncompressed one there)
   and probably slow down the boot a bit, in order to make emergency shutdown
   robust. Note, however, that we save some of the RAM used by the uncompressed
   initramfs by deleting the worst offenders (kernel modules).

 * For now the whole procedure is quite noisy on the screen: the pre-shutdown
   hook runs under "set -x", doesn't run "clear", and spits out lots of
   debugging information. The goal is to enable users to provide useful
   debugging data if they have problems with emergency shutdown. Once we have
   shipped this code in a few releases and trust it's robust enough, we can
   surely reconsider and polish the UX by making the output less noisy.

 * We use absolute paths in many places to avoid $PATH lookup which might
   fail if the root filesystem is not there anymore.

It's not reliable enough and provides poor UX. Linux memory poisoning
works well enough to get rid of it.

This might help ensure this driver is used, instead of the radeon module,
on hardware that it supports better than the radeon one.

Directly call poweroff instead of halt -p. Also, don't pass -n to poweroff and
reboot, it's not supported anymore.

The goal is to have a more seamless transition from initial kernel modesetting
to X.Org when booting, and same on the way back on shutdown. It also will be
needed to get a nicer, Tails-specific boot splash. Moreover, as seen in the
bugfix/sdmem_on_intel_gpu branch (of the old Git repo), this can help for proper
graphics hardware reinitialization post-kexec.

We include:

 * bochs, cirrus and qxl because they can be useful in virtual machines;
 * i915, nouveau and radeon are they are the best maintained ones these days,
   and cover the vast majority of hardware that is able to run Tails/Jessie
   properly.

This reverts commit 34daa6f0.

Conflicts:
	config/chroot_local-hooks/52-update-rc.d
	config/chroot_local-includes/etc/default/kexec
	config/chroot_local-includes/etc/init.d/tails-reconfigure-kexec
	config/chroot_local-includes/etc/init.d/tails-sdmem-on-media-removal

This reverts commit d16355b8, reversing
changes made to eee9369b.

This merge (perhaps in combination with something else boot related,
e.g. the new initramfs-tools) seems to make Tails unbootable on a
variety of systems. Let's revert this until we understand this issue
and can fix it.

This reverts commit d16355b8, reversing
changes made to eee9369b.

This merge (perhaps in combination with something else boot related,
e.g. the new initramfs-tools) seems to make Tails unbootable on a
variety of systems. Let's revert this until we understand this issue
and can fix it.

In order to show our shiny new Plymouth theme on more systems, we manually add
kernel mode settings video drivers for NVidia.

Unfortunately, vboxvideo (VirtualBox) does not currently support KMS; vmgfx
(VMWare) did not work either according to some quick tests.

- build initramfs with sdmem support
- install kexec-tools that are used to run the sdmem-enabled initramfs on
  shutdown
- pass the rebooting/halting status to the kexec'd initramfs using a custom
  /etc/default/kexec
- remove custom live-boot packages to disable previous (buggy and incomplete)
  sdmem implementation
- provide our own tails-kexec initscript to replace /etc/init.d/kexec:
  tails-kexec is more post-eject-time friendly and informs the user s/he can
  remove the boot device before the sdmem process before it happens; hence
  switching live-boot boot parameter to noprompt
- kexec-load, tails-kexec-cache and tails-kexec are run on halt as well as on
  reboot; to achieve this we need to patch the kexec-load initscript LSB header:
  update-rc.d is not enough as insserv uses LSB headers rather than update-rc.d
  arguments
- don't disable init concurrency at shutdown anymore: the initscripts
  dependencies now are be accurate enough to prevent running in
  parallel scripts that should be run sequentially