Understanding the boot process

UNIX for Advanced & Expert Users
1

Hey guys,

I am working on a security module which checks signatures of binarys/shared libs. The Linux security framework (and thus my module) gets loaded early in the bootprocess.
Right now all my module does is - whenever a binary gets mmap'ed for execution - print out a message using printk() if the signature in the binary is valid or not.

When everything is loaded, all is fine, but not during boottime. At the very beginning it looks as if the files get loaded from another place. Just a sample output of my logfile - I chose to took exactly the part where the files seem to switch:

Mar 17 18:31:05 localhost kernel: [ 12.370243] - SIGCHECK: ld-2.13.so - No signature! 4393 / 132600
Mar 17 18:31:05 localhost kernel: [ 12.372407] - SIGCHECK: libc-2.13.so - No signature! 4391 / 1348016
Mar 17 18:31:05 localhost kernel: [ 12.458529] - SIGCHECK: init - No signature! 97804 / 31264
Mar 17 18:31:05 localhost kernel: [ 12.489367] - SIGCHECK: ld-2.13.so - Verifiation successful! 279949 / 133176
Mar 17 18:31:05 localhost kernel: [ 12.605187] - SIGCHECK: libc-2.13.so - Verifiation successful! 279931 / 1348576

The last 2 numbers are the i_ino and i_size of the inode. I put them in there to see if they are different files. As you can see they are indeed.
But when I do a find I only find one e.g. libc on my filesystem (the signed one).
So during the beginning of the bootphase I assume that the files get loaded not from within the filesystem but from somewhere else (initrd maybe?).

Now the question is: From where get these files loaded and how can I access them to sign them so that they get accepted by my security module

Edit: Since init is the first binary to be verified successfullzy, I am now pretty sure the reason is the initrd. So since I created it before I signed the files, the files in my initrd fail. Now this question kind of turns into a: How is initrd created with mkinitcpio? Does it simply take already exisiting files and pack them together? If yes, I would just need to create a new initrd. But from which place does it take the files?

2

You did not tell us particular GNU/Linux distribution you are on but you reference to mkinitcpio seems to indicate that you are on ArchLinux. mkinitcpio is a shell script which you can examine to see where it is picking up the initrd contents. BTW, it uses BusyBox to reduce size of initrd.

See mkinitcpio - ArchWiki for more information.