[isar-cip-core,v3,7/7] secureboot: Prevent getting shell on panic

Message ID d8cbc1f5ccaf72027c430c8134390e06c698d24d.1650887383.git.jan.kiszka@siemens.com
State New
Series Fix read-only rootfs setup /wrt etc overlay - and more

Commit Message

Jan Kiszka April 25, 2022, 11:49 a.m. UTC
From: Jan Kiszka <jan.kiszka@siemens.com>

On panic, initramfs-tools opens up a shell unless panic=X is set on the
kernel command line. Fix that because such a shell could break the chain
of trust.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
 wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index affa299..4a0e987 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -12,4 +12,4 @@  part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
 part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5"
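Review bot: The new `panic=5` in the `--append` line is a bare magic number with no rationale recorded in the .wks.in file, and the commit message only says "panic=X"; a one-line comment above the `bootloader` entry (e.g. "panic=5: reboot instead of dropping to an initramfs shell, see initramfs-tools panic()") or a substitutable variable in the style of the `${IMAGE_FULLNAME}`/`${VERITY_IMAGE_TYPE}` parameters already used in this file would make the hardening intent discoverable by whoever next edits the command line. Since the protection depends entirely on this string surviving in the signed command line, it would also help to state in the commit message whether other secureboot .wks variants in the tree need the same change, or whether this qemu-amd64 file is the only one affected.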