Microgram Ramdisk is a framework used to generate ramdisks using TOML definitions and Python functions.
µgRD is designed to generate a custom initramfs environment to boot the system that built it.
Generated images are as static and secure as possible, only including components and features required to mount the root and switch to it.
µgRD itself is pure Python, and uses the `pycpio` library to generate the CPIO archive.
The final build environment is left in the specified `build_dir`, where it can be examined or repacked.
Unless validation is disabled, µgRD attempts to validate most configuration against the host system, raising exceptions or logging warnings if the configuration is invalid.
The original goal of this project was to create an initramfs suitable for decrypting a LUKS root filesystem with a smartcard, with enough config validation to prevent the user from being left in a broken pre-boot environment.
- Root mount, using `/proc/mounts`. `root=` and `rootflags=` can be used but are not required.
- LUKS auto-configuration and validation for the root mount
- Rootfs LVM, including under LUKS, is auto-mounted
- BTRFS root subvolumes are automatically detected, but can be overridden or `subvol_selector` can be used to select a subvolume at boot time.
- `/usr` auto-mounting if the init system requires it
- Auto-detection of kernel modules required by the storage device used by the root filesystem
- Configuration validation against the host config in `validate` mode
- Static output image checks
- QEMU based test framework with `--test` or using the `ugrd.base.test` module
- OpenPGP Smartcards (YubiKey) with the `ugrd.crypto.smartcard` module (yubikey example)
- GPG encrypted LUKS keyfiles with the `ugrd.crypto.gpg` module (gpg example)
- LUKS with detached headers (detached headers example)
- Cryptsetup re-attempts and alternative unlock methods
  - Allows for late insertion of a smartcard (`cryptsetup_retries` and `cryptsetup_autoretry`)
  - Can fail back to plain password entry (`try_nokey`)
- Key entry over serial (raid crypt serial)
- Automatic CPIO generation (PyCPIO)
- Device nodes are created within the CPIO only, so true root privileges are not required
- Hardlinks are automatically created for files with matching SHA256 hashes
- Automatic xz compression
- ZSH and BASH autocompletion for the `ugrd` command
- Similar usage/arguments as Dracut
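
As an added illustration of the root-mount auto-detection listed above (this is not µgRD's own code), the following Python parses `/proc/mounts`-format text, selects the active `/` entry and reads a BTRFS `subvol=` option. The sample mount table and all function names are constructed for this example.

```python
import re

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/root / btrfs rw,noatime,compress=zstd:3,subvolid=256,subvol=/@ 0 0
/dev/sda1 /boot vfat rw,relatime,fmask=0022 0 0
/dev/sdb1 /mnt/my\\040disk ext4 rw,relatime 0 0
"""


def unescape(field):
    """Decode the octal escapes the kernel writes for space, tab, newline and backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, opts = (unescape(f) for f in fields[:4])
        options = {}
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            options[key] = value  # flag-style options such as "rw" map to ""
        mounts.append({"source": source, "target": target, "fstype": fstype, "options": options})
    return mounts


def find_root(mounts):
    """Return the active root: later lines are mounted over earlier ones, so the last "/" wins."""
    roots = [m for m in mounts if m["target"] == "/"]
    if not roots:
        raise ValueError("no root mount found")
    return roots[-1]


def root_summary(text):
    """Return (source device, filesystem type, BTRFS subvolume or None) for the root mount."""
    root = find_root(parse_mounts(text))
    return root["source"], root["fstype"], root["options"].get("subvol")


if __name__ == "__main__":
    print(root_summary(SAMPLE_MOUNTS))
```
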
µgRD is designed to be as portable as possible, but has only been tested on a limited number of systems.
µgRD was designed to work with Gentoo, but has been tested on:
- Garuda Linux
- Debian 12
- Ubuntu 22.04
If userspace tools are not required to mount the root filesystem, µgRD can be used with any filesystem supported by the kernel.
The following root filesystems have been tested:
- BTRFS
- EXT4
- XFS
- FAT32
- NILFS2
If the required kernel module is not built into the kernel, and the filesystem is not listed above, the kernel module may need to be included in `kmod_init`.
The example config has `kmod_autodetect_lsmod` enabled, which should automatically pull in the required modules, unless the active kernel differs from the build kernel.
µgRD is primarily designed and tested against `x86_64`, but has been tested on `arm64`.
Additional documentation can be found in the docs directory.