[systemd-devel] vconsole.conf, systemd-localed and the console keymap in the initrd

Lennart Poettering mzerqung at 0pointer.de
Thu Aug 1 08:22:42 UTC 2019


On Mi, 31.07.19 14:28, Hans de Goede (hdegoede at redhat.com) wrote:

> Hi Lennart,
>
> On 31-07-19 14:07, Lennart Poettering wrote:
> > On Di, 30.07.19 10:49, Hans de Goede (hdegoede at redhat.com) wrote:
> >
> > > I believe that the best way to fix this is probably to specify the
> > > keymap on the kernel commandline using vconsole.keymap= on the kernel
> > > commandline.
> >
> > As you found out, our current logic is to let kernel cmdline settings
> > override everything else.
> >
> > To implement what you are looking for we probably should add a new
> > setting vconsole.default_keymap= or so which can set the default which
> > is used when there's no vconsole.conf or so defined.
>
> Hmm, that would fix the silverblue case, but not the regular Fedora
> case unless we patch dracut to omit vconsole.conf. I was thinking
> myself about maybe making systemd-vconsole-setup recognize
> rd.vconsole.keymap but only when it is running from the initrd (*).

There's actually generic support in our kernel cmdline parser that
stuff prefixed with "rd." is only applied in the initrd. You don't
have to do any work whatsoever to get this behaviour hence.

> *) This requires systemd-vconsole-setup being able to reliably tell
> it is running from the initrd, I'm not 100% sure if that is
> possible.

We have a helper call already in place that is used at various
places. It's called in_initrd() and it ultimately checks for the
existence of /etc/initrd-release which is supposed to exist only in
the initrd.

> Sorry, an EFI only solution is not going to cut it, there are still
> a lot of users out there using classic BIOS boot and we still support
> systems which only support BIOS boot (not to mention non x86 archs).

Then say good bye to SecureBoot...

> > Note that on secureboot envs you cannot really change the kernel
> > cmdline options though, can you? I mean if you could, then you could
> > add any rubbish you'd like too, no?
>
> Actually the grubenv and grub.cfg are not protected in any way ATM,
> which is an area where our secureboot story needs to improve. But since
> the kernel cmdline typically includes a root= argument which may well
> be a UUID or something else system specific, if we start signing these
> files we need a way to locally sign them at which point we can also
> update the keymap settings on the kernel cmdline.

shudder...

> See above for the secureboot part of your question. Yes
> vconsole.default_keymap= would work, but I would prefer
> rd.vconsole.keymap also for it being backward compat with older
> (pre systemd in initrd) initrds.

pre-systemd? I mean, knock yourself out, but that's like 10y ago...

Anyway, the rd. thing is supported by our parser anyway, as mentioned.

Lennart

--
Lennart Poettering, Berlin
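
Added example, not part of the original message and not systemd's own code: a C sketch of the two mechanisms the message describes, the /etc/initrd-release marker check and "rd."-prefixed command line words that only count in the initrd. The function names, the root parameter, the whitespace-only tokenizing and the "last matching word wins" rule are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* True if <root>/etc/initrd-release exists; root is "" on a real system.
 * The root parameter is an assumption of this example so it can be tested. */
bool initrd_marker_present(const char *root) {
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/etc/initrd-release", root);
    if (n < 0 || (size_t)n >= sizeof path)
        return false;
    return access(path, F_OK) == 0;
}

/* Look up key=value in a kernel command line (whitespace separated, no
 * quoting). "rd."-prefixed words count only when in_initrd is true; the
 * last matching word wins (assumption). Returns true and fills out on hit. */
bool cmdline_get(const char *cmdline, const char *key, bool in_initrd,
                 char *out, size_t outlen) {
    bool found = false;
    size_t klen = strlen(key);
    const char *p = cmdline;

    while (*p) {
        p += strspn(p, " \t\n");
        size_t wlen = strcspn(p, " \t\n");
        const char *w = p;
        size_t len = wlen;
        p += wlen;

        if (len >= 3 && strncmp(w, "rd.", 3) == 0) {
            if (!in_initrd)
                continue;            /* initrd-only word, host ignores it */
            w += 3;
            len -= 3;
        }
        if (len > klen && strncmp(w, key, klen) == 0 && w[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outlen)
                continue;            /* value does not fit: skip, never truncate */
            memcpy(out, w + klen + 1, vlen);
            out[vlen] = '\0';
            found = true;
        }
    }
    return found;
}
```

With a constructed command line such as "vconsole.keymap=us rd.vconsole.keymap=de", the lookup yields "de" in the initrd and "us" on the host. Both words come from the same boot loader configuration, which the quoted text says is not protected under Secure Boot at present.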

