
[isar-cip-core,v2,6/6] secureboot: Prevent getting shell on panic

Message ID 4eaa5df2b217c0afa9e21c1f7adb4f189f54e4fc.1650613658.git.jan.kiszka@siemens.com (mailing list archive)
State Handled Elsewhere
Series Fix read-only rootfs setup /wrt etc overlay - and more

Commit Message

Jan Kiszka April 22, 2022, 7:47 a.m. UTC
From: Jan Kiszka <jan.kiszka@siemens.com>

On panic, initramfs-tools opens up a shell unless panic=X is set on the
kernel command line. Fix that because such a shell could break the chain
of trust.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index affa299..4a0e987 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -12,4 +12,4 @@  part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
 part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
 
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5"
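Review bot: the hard-coded `panic=5` appended to the `--append` string is the only thing that stops initramfs-tools from dropping to a shell, so the `bootloader` line deserves a short comment in the .wks.in explaining that the parameter is part of the secure-boot chain of trust and must not be removed; a later kernel-command-line cleanup could otherwise silently reopen the shell. It would also be worth checking whether other secure-boot wks templates in the repository need the same parameter, since this change only touches `qemu-amd64-efibootguard-secureboot.wks.in`, and confirming on the booted image that `/proc/cmdline` actually carries `panic=5`. One caveat worth stating in the commit message: `panic=5` also changes the kernel's behaviour on a genuine panic from hanging to rebooting after 5 seconds, which is appropriate for an unattended device but is a behavioural change beyond the initramfs shell.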