wip: iommu net

Containerfile

@@ -31,7 +31,6 @@ FROM stagex/core-libunwind:sx2025.02.0@sha256:99e2574ace4f7dfa3d8bfc93ab69e1fd5f
 FROM stagex/user-libusb:sx2025.02.0@sha256:b78ca9194fdb8dfb7b7177d16a156fac21e6c9822a0c35a17841400bc1a27f68 AS user-libusb
 FROM stagex/user-libzbar:sx2025.02.0@sha256:44ad89a661bc395d6b49d89a0367846f7bee40b198780777c5c7b1b3c0d49a0e AS user-libzbar
 FROM stagex/core-libzstd:sx2025.02.0@sha256:23cd975a27e218c5398efd17e1f8c491d31969ab674d3468dbf8b75ba40611ad AS core-libzstd
-FROM stagex/user-linux-airgap:sx2025.02.0@sha256:a2dbeace3ce085ba487e88b3968fea1ec29ce392f691d28c4b183e1ed9c0df4d AS user-linux-airgap
 FROM stagex/user-lzo:sx2025.02.0@sha256:b71c2944073f3fbc1fe543b9e4dfc4f59ec013a763a6209ded77b8f8bd0a33b4 AS user-lzo
 FROM stagex/user-mtools:sx2025.02.0@sha256:ea76e5f82f9833274a4438e9706779afd9b1c0b197c984c9d54c9887163ffb42 AS user-mtools
 FROM stagex/core-musl:sx2025.02.0@sha256:23d0614f60449015add2369959c89a6ea08e208302773b9a0811ce1195afc3a4 AS core-musl
@@ -60,6 +59,10 @@ FROM stagex/user-util-linux:sx2025.02.0@sha256:bf03b1aaa92a3877f2d2a35d2c27cf453
 FROM stagex/user-xorriso:sx2025.02.0@sha256:f3b9f1eebdbc6f2e62a9d4345abb87ea81219fc4afdbdc0412a8a2110282a1a1 AS user-xorriso
 FROM stagex/core-xz:sx2025.02.0@sha256:34824f16967f6bd8ecf24c320e36dfc9cd58d5746d3c524e1b896ebdf5a2e760 AS core-xz
 FROM stagex/user-yq:sx2025.02.0@sha256:e817e39f34a7417fd151b4fb9d0d21e21242fe8dc19c0e248677426f2e478cce AS user-yq
+FROM stagex/user-edk2:sx2025.02.0@sha256:db24be51d35117d264dccfc44f0ca331f59d738083170cd9bb86b49a5c06abff AS user-edk2
+FROM stagex/core-ca-certificates:local AS core-ca-certificates
+FROM stagex/user-linux-guest:local AS user-linux-guest
+FROM stagex/user-linux-airgap:local AS user-linux-airgap
 
 FROM scratch AS base
 ARG VERSION development
@@ -98,13 +101,69 @@ COPY --from=core-curl . /
 COPY --from=user-libtpms . /
 COPY --from=user-tpm2-tss . /
 COPY --from=user-tpm2-tools . /
+COPY --from=user-edk2 . /
+
+FROM base AS build-guest
+COPY --from=user-linux-guest /bzImage iso/boot/vmlinuz
+COPY --from=core-busybox . initramfs
+COPY --from=user-eudev . initramfs
+COPY --from=core-musl . initramfs
+COPY --from=core-zlib . initramfs
+COPY --from=core-ca-certificates . initramfs
+COPY src/guest/rootfs/ initramfs
+RUN <<-EOF
+    set -eux
+    cd initramfs
+    mkdir -p home/git
+    chmod 755 home
+    chown -R 1000:1000 home/git
+    find . -exec touch -hcd "@0" "{}" +
+    find . -print0 \
+    | sort -z \
+    | cpio \
+        --null \
+        --create \
+        --verbose \
+        --reproducible \
+        --format=newc \
+    | gzip --best \
+    > ../iso/boot/initramfs
+EOF
+COPY src/guest/config/syslinux.cfg iso/boot/syslinux/
+COPY --from=user-syslinux \
+    /usr/share/syslinux/isohdpfx.bin \
+    /usr/share/syslinux/isolinux.bin \
+    /usr/share/syslinux/ldlinux.c32 \
+    /usr/share/syslinux/libutil.c32 \
+    /usr/share/syslinux/libcom32.c32 \
+    /usr/share/syslinux/mboot.c32 \
+    iso/boot/syslinux/
+ENV SOURCE_DATE_EPOCH=1
+RUN <<-EOF
+    set -eux
+    find iso -exec touch -hcd "@0" "{}" +
+    xorrisofs \
+        -output guest.img \
+        -full-iso9660-filenames \
+        -joliet \
+        -rational-rock \
+        -sysid LINUX \
+        -volid "repros" \
+        -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
+        -eltorito-boot boot/syslinux/isolinux.bin \
+        -eltorito-catalog boot/syslinux/boot.cat \
+        -no-emul-boot \
+        -boot-load-size 4 \
+        -boot-info-table \
+        -no-emul-boot \
+        -isohybrid-gpt-basdat \
+        -follow-links \
+        iso/
+EOF
 
 FROM base AS build
-
-## Kernel
 COPY --from=user-linux-airgap /bzImage iso/boot/vmlinuz
-
+COPY --from=build-guest /guest.img initramfs/
-## Initramfs
 COPY --from=core-busybox . initramfs
 COPY --from=user-eudev . initramfs
 COPY --from=core-musl . initramfs
@@ -135,17 +194,34 @@ COPY --from=user-nettle . initramfs
 COPY --from=user-opensc . initramfs
 COPY --from=user-util-linux . initramfs
 COPY --from=user-sops . initramfs
-COPY --from=core-gcc /usr/lib/libgcc* initramfs/usr/lib/
+COPY --from=core-gcc /usr/lib/. initramfs/usr/lib/
 COPY --from=core-sqlite3 . initramfs
 COPY --from=user-sdtool . initramfs
 RUN chmod +x initramfs/usr/bin/sdtool
 COPY --from=user-openpgp-card-tools . initramfs
 COPY --from=user-sequoia-sq . initramfs
 COPY --from=user-sequoia-sq-wot . initramfs
+COPY --from=user-libslirp . initramfs
+COPY --from=user-seabios . initramfs
+COPY --from=user-ipxe . initramfs
+COPY --from=user-glib . initramfs
+COPY --from=user-numactl . initramfs
+COPY --from=core-libzstd . initramfs
+COPY --from=user-alsa-lib . initramfs
+COPY --from=user-lzo . initramfs
+COPY --from=user-dtc . initramfs
+COPY --from=user-libaio . initramfs
+COPY --from=user-libseccomp . initramfs
+COPY --from=core-libffi . initramfs
+COPY --from=core-libzstd . initramfs
+COPY --from=user-libslirp . initramfs
+COPY --from=user-seabios . initramfs
+COPY --from=user-canokey-qemu . initramfs
+COPY --from=user-qemu . initramfs
 COPY --from=user-libzbar . initramfs
 COPY --from=user-keyfork . initramfs
 COPY --from=user-icepick . initramfs
-COPY rootfs/ initramfs
+COPY src/host/rootfs/ initramfs
 COPY <<-EOF initramfs/etc/environment
     export VERSION="$VERSION"
     export GIT_TIMESTAMP="$GIT_TIMESTAMP"
@@ -170,8 +246,8 @@ RUN <<-EOF
 EOF
 
 ## Grub (EFI Boot)
-COPY config/grub.cfg iso/boot/grub/grub.cfg
+COPY src/host/config/grub.cfg iso/boot/grub/grub.cfg
-COPY config/grub_early.cfg grub_early.cfg
+COPY src/host/config/grub_early.cfg grub_early.cfg
 RUN <<-EOF
     set -eux
     mkdir -p efi/boot
@@ -203,7 +279,7 @@ RUN <<-EOF
 EOF
 
 ## Syslinux (BIOS Boot)
-COPY config/syslinux.cfg iso/boot/syslinux/
+COPY src/host/config/syslinux.cfg iso/boot/syslinux/
 COPY --from=user-syslinux \
     /usr/share/syslinux/isohdpfx.bin \
     /usr/share/syslinux/isolinux.bin \
@@ -213,8 +289,6 @@ COPY --from=user-syslinux \
     /usr/share/syslinux/mboot.c32 \
     iso/boot/syslinux/
 
-## Build Hybrid EFI/BIOS ISO
-FROM build AS install
 ENV SOURCE_DATE_EPOCH=1
 RUN <<-EOF
     set -eux
@@ -253,5 +327,5 @@ RUN <<-EOF
 EOF
 
 FROM scratch AS package
-COPY --from=install /sdcard.img /
+COPY --from=build /sdcard.img /
-COPY --from=install /airgap.iso /
+COPY --from=build /airgap.iso /

Makefile

@@ -60,7 +60,7 @@ vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
 			--tpm2 & \
 		qemu-system-x86_64 \
 			-m 4G \
-			-machine pc \
+			-machine q35,kernel-irqchip=split \
 			-chardev socket,id=chrtpm,path=vtpm-sock \
 			-usb -device canokey,file=/out/canokey-file \
 			-tpmdev emulator,id=tpm0,chardev=chrtpm \
@@ -70,6 +70,9 @@ vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
 			-device sd-card,drive=external \
 			-drive id=external,if=none,format=raw,file=out/sdcard.img \
 			-device usb-storage,drive=usbdrive \
+                   	-device intel-iommu,intremap=on \
+                   	-netdev user,id=net0 \
+                   	-device e1000,netdev=net0 \
 			$(if $(filter $(EFI),true) ,\
 				-bios /usr/share/ovmf/OVMF.fd \
 				-drive id=boot$(,)if=virtio$(,)format=raw$(,)file=out/airgap.iso \

rootfs/.gnupg/gpg.conf

@@ -1 +0,0 @@
-pinentry-mode loopback

src/guest/config/syslinux.cfg

@@ -0,0 +1,8 @@
+TIMEOUT 2
+PROMPT -1
+DEFAULT ReprOS
+LABEL ReprOS
+	MENU LABEL Linux ReprOS
+	KERNEL /boot/vmlinuz
+	INITRD /boot/initramfs
+	APPEND init=/init vga=normal console=ttyAMA0,115200 console=tty highres=off console=ttyS0 console=tty0 ro

src/guest/rootfs/etc/git/base-hooks/post-receive

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eu
+echo "hook -> post-receive"
+while read oldrev newrev refname; do
+    git --work-tree=".." checkout -f "$newrev"
+done

src/guest/rootfs/etc/git/base-hooks/pre-receive

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "hook -> pre-receive"

src/guest/rootfs/etc/git/base-hooks/update

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Firing update hook"

src/guest/rootfs/etc/group

@@ -0,0 +1,47 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:lp
+mem:x:8:
+kmem:x:9:
+wheel:x:10:root
+floppy:x:11:root
+mail:x:12:mail
+news:x:13:news
+uucp:x:14:uucp
+man:x:15:man
+cron:x:16:cron
+console:x:17:
+audio:x:18:
+cdrom:x:19:
+dialout:x:20:root
+ftp:x:21:
+sshd:x:22:
+input:x:23:
+at:x:25:at
+tape:x:26:root
+video:x:27:root
+netdev:x:28:
+readproc:x:30:
+squid:x:31:squid
+xfs:x:33:xfs
+kvm:x:34:kvm
+games:x:35:
+shadow:x:42:
+cdrw:x:80:
+www-data:x:82:
+usb:x:85:
+vpopmail:x:89:
+users:x:100:games
+ntp:x:123:
+nofiles:x:200:
+smmsp:x:209:smmsp
+locate:x:245:
+abuild:x:300:
+utmp:x:406:
+ping:x:999:
+git:x:1000:

src/guest/rootfs/etc/hosts

@@ -0,0 +1,4 @@
+127.0.0.1	localhost
+::1		    localhost ip6-localhost ip6-loopback repros
+ff02::1		ip6-allnodes
+ff02::2		ip6-allrouters

src/guest/rootfs/etc/init.d/S01syslogd

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+DAEMON="syslogd"
+PIDFILE="/var/run/$DAEMON.pid"
+
+SYSLOGD_ARGS=""
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
+
+# BusyBox' syslogd does not create a pidfile, so pass "-n" in the command line
+# and use "-m" to instruct start-stop-daemon to create one.
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	# shellcheck disable=SC2086 # we need the word splitting
+	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/bin/$DAEMON" \
+		-- -n $SYSLOGD_ARGS
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac

src/guest/rootfs/etc/init.d/S02klogd

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+DAEMON="klogd"
+PIDFILE="/var/run/$DAEMON.pid"
+
+KLOGD_ARGS=""
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
+
+# BusyBox' klogd does not create a pidfile, so pass "-n" in the command line
+# and use "-m" to instruct start-stop-daemon to create one.
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	# shellcheck disable=SC2086 # we need the word splitting
+	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/bin/$DAEMON" \
+		-- -n $KLOGD_ARGS
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac

src/guest/rootfs/etc/inittab

@@ -0,0 +1,54 @@
+# /etc/inittab
+
+# Format for each entry: <id>:<runlevels>:<action>:<process>
+#
+# id        == tty to run on, or empty for /dev/console
+# runlevels == ignored
+# action    == one of sysinit, respawn, askfirst, wait, and once
+# process   == program to run
+
+# Startup the system
+::sysinit:/bin/mount -t devtmpfs devtmpfs /dev
+::sysinit:/bin/mkdir -p /proc /run /dev/pts /dev/shm /sys
+::sysinit:/bin/mount -t sysfs sysfs /sys
+::sysinit:/bin/mount -t devpts devpts /dev/pts
+::sysinit:/bin/mount -t cgroup cgroup /sys/fs/cgroup
+::sysinit:/bin/mount -t proc proc /proc
+::sysinit:/bin/mount -o remount,rw /
+::sysinit:/bin/mkdir /var/log
+::sysinit:/bin/hostname -F /etc/hostname
+null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
+null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
+null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
+null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
+
+# Stuff to do for the 3-finger salute
+::ctrlaltdel:/usr/bin/reboot
+
+# now run any rc scripts
+::sysinit:/etc/init.d/rcS
+
+# Spawn shells on serial terminal and default console
+::respawn:-/usr/bin/login -f root
+ttyS0::respawn:-/usr/bin/login -f root
+
+# Stuff to do before rebooting
+::shutdown:/etc/init.d/rcK
+::shutdown:/bin/umount -a -r
+::sysinit:/bin/hostname -F /etc/hostname
+null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
+null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
+null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
+null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
+# now run any rc scripts
+::sysinit:/etc/init.d/rcS
+
+# Put a getty on the serial port
+ttyS0::respawn:-/usr/bin/login -f root
+
+# Stuff to do for the 3-finger salute
+#::ctrlaltdel:/sbin/reboot
+
+# Stuff to do before rebooting
+::shutdown:/etc/init.d/rcK
+::shutdown:/bin/umount -a -r

src/guest/rootfs/etc/passwd

@@ -0,0 +1,4 @@
+root::0:0:root:/root:/bin/sh
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+git::1000:1000::/home/git:/bin/git-shell
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

src/guest/rootfs/etc/profile

@@ -0,0 +1,5 @@
+export EDITOR=/bin/vi
+export PATH="/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
+export PS1="[\h \t] \\$ "
+export GNUPGHOME=/.gnupg
+cd /root

src/guest/rootfs/etc/resolv.conf

@@ -0,0 +1,2 @@
+nameserver 1.1.1.1
+nameserver 8.8.8.8

src/host/rootfs/etc/init.d/S02sysctl

@@ -0,0 +1,94 @@
+#!/bin/sh
+#
+# This script is used by busybox and procps-ng.
+#
+# With procps-ng, the "--system" option of sysctl also enables "--ignore", so
+# errors are not reported via syslog. Use the run_logger function to mimic the
+# --system behavior, still reporting errors via syslog. Users not interested
+# on error reports can add "-e" to SYSCTL_ARGS.
+#
+# busybox does not have a "--system" option neither reports errors via syslog,
+# so the scripting provides a consistent behavior between the implementations.
+# Testing the busybox sysctl exit code is fruitless, as at the moment, since
+# its exit status is zero even if errors happen. Hopefully this will be fixed
+# in a future busybox version.
+
+PROGRAM="sysctl"
+
+SYSCTL_ARGS=""
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/$PROGRAM" ] && . "/etc/default/$PROGRAM"
+
+# Files are read from directories in the SYSCTL_SOURCES list, in the given
+# order. A file may be used more than once, since there can be multiple
+# symlinks to it. No attempt is made to prevent this.
+SYSCTL_SOURCES="/etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf"
+
+# If the logger utility is available all messages are sent to syslog, except
+# for the final status. The file redirections do the following:
+#
+# - stdout is redirected to syslog with facility.level "kern.info"
+# - stderr is redirected to syslog with facility.level "kern.err"
+# - file dscriptor 4 is used to pass the result to the "start" function.
+#
+run_logger() {
+	# shellcheck disable=SC2086 # we need the word splitting
+	find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
+	xargs -0 -r -n 1 readlink -f | {
+		prog_status="OK"
+		while :; do
+			read -r file || {
+				echo "$prog_status" >&4
+				break
+			}
+			echo "* Applying $file ..."
+			/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
+		done 2>&1 >&3 | /usr/bin/logger -t sysctl -p kern.err
+	} 3>&1 | /usr/bin/logger -t sysctl -p kern.info
+}
+
+# If logger is not available all messages are sent to stdout/stderr.
+run_std() {
+	# shellcheck disable=SC2086 # we need the word splitting
+	find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
+	xargs -0 -r -n 1 readlink -f | {
+		prog_status="OK"
+		while :; do
+			read -r file || {
+				echo "$prog_status" >&4
+				break
+			}
+			echo "* Applying $file ..."
+			/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
+		done
+	}
+}
+
+if [ -x /usr/bin/logger ]; then
+	run_program="run_logger"
+else
+	run_program="run_std"
+fi
+
+start() {
+	printf '%s %s: ' "$1" "$PROGRAM"
+	status=$("$run_program" 4>&1)
+	echo "$status"
+	if [ "$status" = "OK" ]; then
+		return 0
+	fi
+	return 1
+}
+
+case "$1" in
+	start)
+		start "Running";;
+	restart|reload)
+		start "Rerunning";;
+	stop)
+		:;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac

src/host/rootfs/etc/init.d/S03keymap

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+case "${1}" in
+	start)
+		keymap="$( \
+			awk -F 'keymap=' '{sub(/ .*$/, "", $2); print $2}' /proc/cmdline \
+		)"
+		if [[ ! -z "$keymap" ]]; then
+			printf 'Loading Keymap %s: ' "${keymap}"
+			loadkeys "$keymap"
+			if [ $? -eq 0 ]; then
+				echo "OK"
+			else
+				echo "FAIL"
+			fi
+		fi
+		;;
+	*)
+		echo "Usage: ${0} {start}"
+		exit 1
+		;;
+esac

src/host/rootfs/etc/init.d/S10udev

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+case "$1" in
+    start)
+        printf "Populating %s using udev: " "${udev_root:-/dev}"
+        [ -e /proc/sys/kernel/hotplug ] && printf '\000\000\000\000' > /proc/sys/kernel/hotplug
+        /sbin/udevd -d || { echo "FAIL"; exit 1; }
+        udevadm trigger --type=subsystems --action=add
+        udevadm trigger --type=devices --action=add
+        udevadm settle --timeout=30 || echo "udevadm settle failed"
+        echo "done"
+        ;;
+    stop)
+        # Stop execution of events
+        udevadm control --stop-exec-queue
+        killall udevd
+        ;;
+    *)
+        echo "Usage: $0 {start|stop}"
+        exit 1
+        ;;
+esac
+
+exit 0

src/host/rootfs/etc/init.d/S20urandom

@@ -0,0 +1,70 @@
+#! /bin/sh
+#
+# Preserve the random seed between reboots. See urandom(4).
+#
+
+# Quietly do nothing if /dev/urandom does not exist
+[ -c /dev/urandom ] || exit 0
+
+URANDOM_SEED="/var/lib/random-seed"
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/urandom" ] && . "/etc/default/urandom"
+
+if pool_bits=$(cat /proc/sys/kernel/random/poolsize 2> /dev/null); then
+	pool_size=$((pool_bits/8))
+else
+	pool_size=512
+fi
+
+init_rng() {
+	[ -f "$URANDOM_SEED" ] || return 0
+	printf 'Initializing random number generator: '
+	dd if="$URANDOM_SEED" bs="$pool_size" of=/dev/urandom count=1 2> /dev/null
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+save_random_seed() {
+	printf 'Saving random seed: '
+	status=1
+	if touch "$URANDOM_SEED.new" 2> /dev/null; then
+		old_umask=$(umask)
+		umask 077
+		dd if=/dev/urandom of="$URANDOM_SEED.tmp" bs="$pool_size" count=1 2> /dev/null
+		cat "$URANDOM_SEED" "$URANDOM_SEED.tmp" 2>/dev/null \
+			| sha256sum \
+			| cut -d ' ' -f 1 > "$URANDOM_SEED.new" && \
+		mv "$URANDOM_SEED.new" "$URANDOM_SEED" && status=0
+		rm -f "$URANDOM_SEED.tmp"
+		umask "$old_umask"
+		if [ "$status" -eq 0 ]; then
+			echo "OK"
+		else
+			echo "FAIL"
+		fi
+
+	else
+		echo "SKIP (read-only file system detected)"
+	fi
+	return "$status"
+}
+
+case "$1" in
+	start|restart|reload)
+		# Carry a random seed from start-up to start-up
+		# Load and then save the whole entropy pool
+		init_rng && save_random_seed;;
+	stop)
+		# Carry a random seed from shut-down to start-up
+		# Save the whole entropy pool
+		save_random_seed;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac

src/host/rootfs/etc/init.d/rcK

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+
+# Stop all init scripts in /etc/init.d
+# executing them in reversed numerical order.
+#
+for i in $(ls -r /etc/init.d/S??*) ;do
+
+     # Ignore dangling symlinks (if any).
+     [ ! -f "$i" ] && continue
+
+     case "$i" in
+	*.sh)
+	    # Source shell script for speed.
+	    (
+		trap - INT QUIT TSTP
+		set stop
+		. $i
+	    )
+	    ;;
+	*)
+	    # No sh extension, so fork subprocess.
+	    $i stop
+	    ;;
+    esac
+done
+

src/host/rootfs/etc/init.d/rcS

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+
+# Start all init scripts in /etc/init.d
+# executing them in numerical order.
+#
+for i in /etc/init.d/S??* ;do
+
+     # Ignore dangling symlinks (if any).
+     [ ! -f "$i" ] && continue
+
+     case "$i" in
+	*.sh)
+	    # Source shell script for speed.
+	    (
+		trap - INT QUIT TSTP
+		set start
+		. $i
+	    )
+	    ;;
+	*)
+	    # No sh extension, so fork subprocess.
+	    $i start
+	    ;;
+    esac
+done
+

src/host/rootfs/etc/modules

@@ -0,0 +1 @@
+i915

src/host/rootfs/init

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /bin/init