
ignore initramfs from bootloader #2729

Merged
merged 1 commit into from
Jan 12, 2023

Conversation

bcressey
Contributor

@bcressey bcressey commented Jan 10, 2023

Issue number:

#2501

Description of changes:
For Secure Boot support, the GRUB configuration (grub.cfg) will need to be signed by a trusted key, so that the chain of trust extends to the kernel command line, which contains sensitive data such as the dm-verity root hash.

However, Bottlerocket also allows the boot config feature to be used to extend the kernel command line. Boot config data is passed by the bootloader using the "initrd" mechanism; it consists of a payload at the end of the initramfs cpio buffer list.

In normal use, the "initrd" file should only ever contain boot config data. However, because this file is locally generated, it cannot be signed by a key known to the chain of trust. Because it is treated as an initramfs, it could be leveraged to run an unverified userspace by prepending it with an actual initramfs.

This change causes the kernel to discard any initramfs or initrd data passed by the bootloader. Any boot config data remaining at the end of the input will still be processed, as intended.

Without Secure Boot support, ignoring the initramfs is not useful as a security measure, but it still improves robustness by preventing accidental usage that might lead to boot failures.

Testing done:
Tested on variants with a 5.10 (aws-k8s-1.23) and a 5.15 (aws-k8s-1.24) kernel.

As expected, dmesg no longer shows the "Trying to unpack rootfs image as initramfs..." message, and bootconfig data is still processed.

```
[fedora@admin]$ sudo dmesg|grep Unpack
[fedora@admin]$ sudo sheltie
bash-5.1# cat /proc/bootconfig
kernel.foobar = "baz"
```

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
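The trailer layout the kernel walks to find boot config data at the end of an initrd, shown as an added Python example (not code from this PR or from Bottlerocket): a little-endian u32 size, a u32 checksum and the 12-byte magic `#BOOTCONFIG\n` sit after the config text, and everything before that region is the initramfs the kernel will now discard. The initramfs bytes and the config text are constructed samples.

```python
import struct

BOOTCONFIG_MAGIC = b"#BOOTCONFIG\n"          # 12-byte magic at the very end of the initrd
TRAILER_LEN = 8 + len(BOOTCONFIG_MAGIC)      # u32 size + u32 checksum + magic


def xbc_checksum(data: bytes) -> int:
    """Kernel bootconfig checksum: a plain 32-bit sum of the data bytes.

    It detects corruption only; it authenticates nothing, which is why
    the PR relies on a signed grub.cfg and ignores the initramfs portion.
    """
    return sum(data) & 0xFFFFFFFF


def append_bootconfig(initrd: bytes, config_text: str) -> bytes:
    """Attach config text to an initrd in the layout the kernel expects.

    The text is NUL-terminated and zero-padded to a 4-byte boundary (the
    padding is an assumption for alignment; the kernel only needs the
    trailer fields), then followed by size, checksum and magic.
    """
    payload = config_text.encode() + b"\0"
    payload += b"\0" * (-len(payload) % 4)
    trailer = struct.pack("<II", len(payload), xbc_checksum(payload)) + BOOTCONFIG_MAGIC
    return initrd + payload + trailer


def split_bootconfig(initrd: bytes):
    """Mirror the kernel's trailer walk from the end of the buffer.

    Returns (initramfs_bytes, config_text); the text is None when no valid
    trailer is present, in which case the whole buffer is treated as initramfs.
    """
    if len(initrd) < TRAILER_LEN or not initrd.endswith(BOOTCONFIG_MAGIC):
        return initrd, None
    size, csum = struct.unpack("<II", initrd[-TRAILER_LEN:-len(BOOTCONFIG_MAGIC)])
    if size > len(initrd) - TRAILER_LEN:
        return initrd, None                  # size would reach before the buffer start
    data = initrd[-TRAILER_LEN - size:-TRAILER_LEN]
    if xbc_checksum(data) != csum:
        return initrd, None                  # corrupted trailer: kernel ignores it
    text = data.split(b"\0", 1)[0].decode()
    return initrd[:-TRAILER_LEN - size], text


if __name__ == "__main__":
    # Constructed sample: fake cpio bytes with the config from the PR's test output.
    blob = append_bootconfig(b"constructed-fake-cpio-archive", 'kernel.foobar = "baz"\n')
    initramfs, text = split_bootconfig(blob)
    print(f"initramfs bytes discarded: {len(initramfs)}, bootconfig: {text!r}")
```

With the change in this PR, the first element of the returned pair is what the kernel drops and the second is what still reaches `/proc/bootconfig`.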

For Secure Boot support, the GRUB configuration (grub.cfg) will need
to be signed by a trusted key, so that the chain of trust extends to
the kernel command line, which contains sensitive data such as the
dm-verity root hash.

However, Bottlerocket also allows the boot config feature to be used
to extend the kernel command line. Boot config data is passed by the
bootloader using the "initrd" mechanism; it consists of a payload at
the end of the initramfs cpio buffer list.

In normal use, the "initrd" file should only ever contain boot config
data. However, because this file is locally generated, it cannot be
signed by a key known to the chain of trust. Because it is treated as
an initramfs, it could be leveraged to run an unverified userspace by
prepending it with an actual initramfs.

This change causes the kernel to discard any initramfs or initrd data
passed by the bootloader. Any boot config data remaining at the end
of the input will still be processed, as intended.

Without Secure Boot support, ignoring the initramfs is not useful as
a security measure, but it still improves robustness by preventing
accidental usage that might lead to boot failures.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey bcressey merged commit dcf3fce into bottlerocket-os:develop Jan 12, 2023
@bcressey bcressey deleted the ignore-initramfs branch January 12, 2023 20:14