Re: Modifying the initramfs

To: debian-live@lists.debian.org
Subject: Re: Modifying the initramfs
From: donotemailme@xganon.com
Date: Sun, 30 Nov 2025 20:56:29 -0600
Message-id: <[🔎] 90ee59172b8c04b6df036d011759523d@xganon.com>
In-reply-to: <335d7bfea61445f7a030467714744210@xganon.com>
References: <335d7bfea61445f7a030467714744210@xganon.com>

On 2025-11-29 18:46, donotemailme@xganon.com wrote:

Im working on a livebuild of a secure image and looking for somepointers.
The intent is to change the initramfs to a custom made one (lets callit initramfs-tiny) that first validates the cryptographic hash of theinitramfs, then decrypts the initramfs using a JCOP4 smart card withSmartpgp on it.To do this Ill build a small initramfs that does the work. (not aproblem, I can do/script this)
The problem is Im not sure how to interrupt and change the buildprocess in live-build to encrypt the initramfs, generate the neededhashes, then change the grub menu to boot to the new initramfs-tiny. Okthat last part is not hard but telling live-build to change how theinitramfs is made is something I have not found in any of the docs oranyone writing about.
Any help would be appreciated.

Im going to reply to my own post for anyone that may be looking intothis in the future.

The man (7) page for live-build lists the subprocesses in alphabeticalorder not in order of operations. (Note: order of operations would behelpful)

My testing has indicated that the binary hooks are processed after theinclude.binary additions.

You can build a binary hook to construct a specialized initramfs butneed to place it in the binary/live directory and can not rely on theinclude.binary to add it for you.

I dont think it matters where the hook.binary runs in the order ofbinary hooks but I set mine to run early at1000-build-initramfs-mini.hook.binary

Then you can modify the menus in config/bootloaders/grub-pc andconfig/bootloaders/syslinux_common to point to your initramfs to loadit.

Ill note here that the documentation is wrong in saying that thesplash.png goes in config/bootloaders you need to put a copy in eachbootloader directory.

Now i just need to make the specialized initramfs to do sha512sumchecksums on everything and use a ACR39U with jcop4 card containing theSmartpgp app to decrypt the original initrd and switch to it for fullboot.

The fun of building a fully encrypted and verified chain of trust boot.:D

Attachment: 0xBE355809.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Next by Date: Error on building trixie live iso with persistency
Next by thread: Error on building trixie live iso with persistency
Index(es):
- Date
- Thread