• IPv6 configuration initramfs

    From Marco Moock@21:1/5 to All on Mon Mar 18 16:50:01 2024
    Hello!

    I have a system with Dropbear (to unlock encrypted root volume) inside
    of initramfs. Initramfs itself supports IPv6 (link-local tested).
    Is there a way for static IPv6 address configuration like it exists
    for IPv4?

    --
    kind regards
    Marco

    Send spam to [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Pascal Hambourg@21:1/5 to Marco Moock on Mon Mar 18 20:30:01 2024
    On 18/03/2024 at 16:42, Marco Moock wrote:

    I have a system with Dropbear (to unlock encrypted root volume) inside
    of initramfs. Initramfs itself supports IPv6 (link-local tested).

    IPv6 link-local addresses are assigned by the kernel, they do not
    require any userland support.

    Is there a way for static IPv6 address configuration like it exists
    for IPv4?

    AFAICS dropbear expects the static IP address to be defined by the ip=
    kernel parameter. But it contains multiple values (IP address, mask,
    gateway...) separated with ":" so I am afraid that it does not support
    IPv6 addresses which also contain ":".

  • From Daniel Gröber@21:1/5 to Marco Moock on Tue Mar 19 12:40:01 2024
    Hi Marco,

    On Mon, Mar 18, 2024 at 04:42:22PM +0100, Marco Moock wrote:
    I have a system with Dropbear (to unlock encrypted root volume) inside
    of initramfs. Initramfs itself supports IPv6 (link-local tested).
    Is there a way for static IPv6 address configuration like it exists
    for IPv4?

    The way the early boot network autoconfiguration works is the
    initramfs-tools init script takes the ip= option from the kernel command line
    and passes it (somewhat modified) to the klibc-utils "ipconfig"
    tool. Looking at the source, that tool very much only handles IPv4, so we're
    going to need to use an alternate approach for adding a v6 address.

    initramfs-tools supports adding your own custom code to the boot process.
    I have to admit I've never needed to do this; I thought it would be a bit
    fiddly but it didn't end up being so bad. These days you can easily test
    your initramfs setup using qemu before rebooting and finding your machine
    bricked :)

    Depending on your fstab/crypttab setup you may have to wait a bit for init
    to fail to find the root device and kick you into the rescue shell, but
    this works:

    $ qemu-system-x86_64 -m 512 -nographic -kernel /boot/vmlinuz-6.1.0-18-amd64 -append 'console=ttyS0 debug=y' -initrd /boot/initrd.img-6.1.0-18-amd64

    The script itself is pretty simple. Since we can add addresses to an
    interface even if it's still down, where in the run order we place it
    doesn't matter too much. I'm putting it in init-premount like the dropbear
    script.

    $ cat /etc/initramfs-tools/scripts/init-premount/my-static-v6
    #!/bin/sh
    case $1 in prereqs) exit 0 ;; esac
    ip addr add dev ens3 2001:db8::1/64

    Note: The "prereqs" bit is so initramfs-tools can figure out the order of
    scripts when it's generating the image.

    I would have liked to recommend the use of ip-token(8) to change the
    interface ID of the SLAAC address instead of hardcoding the whole IP so
    this works even when your prefix changes but it looks like busybox ip
    doesn't support that. Should be pretty trivial to add tho if anyone feels
    like working on this.

    Let me know how that goes,
    --Daniel

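
The hardcoded init-premount script in the last reply can be generalized so the address is taken from the kernel command line and validated before it reaches `ip`. This is an added example, not code from the thread or from initramfs-tools; the `v6static=` parameter name, its comma-separated layout and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: /etc/initramfs-tools/scripts/init-premount/static-v6
# "v6static=" is a made-up parameter name; fields are comma-separated
# because IPv6 addresses themselves contain ":".
#   v6static=<iface>,<addr>/<prefixlen>[,<gateway>]
case ${1:-} in prereqs) exit 0 ;; esac

# Print the value of the first v6static= word in a kernel command line.
v6_param() {
    for word in $1; do
        case $word in v6static=*) echo "${word#v6static=}"; return 0 ;; esac
    done
    return 1
}

# Coarse check: only hex digits and ":", at least one ":" (ip validates fully).
is_v6() {
    case $1 in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*) return 0 ;;
    esac
    return 1
}

# Validate "iface,addr/len[,gw]" and print "iface addr/len [gw]".
parse_v6() {
    iface=${1%%,*}; rest=${1#*,}
    cidr=${rest%%,*}; gw=
    case $rest in *,*) gw=${rest#*,} ;; esac
    case $iface in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $cidr in */*) ;; *) return 1 ;; esac
    len=${cidr##*/}
    case $len in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$len" -le 128 ] || return 1
    is_v6 "${cidr%/*}" || return 1
    [ -z "$gw" ] || is_v6 "$gw" || return 1
    echo "$iface $cidr${gw:+ $gw}"
}

configure_v6() {
    spec=$(v6_param "$1") || return 0   # parameter absent: nothing to do
    fields=$(parse_v6 "$spec") || { echo "v6static: rejected '$spec'" >&2; return 1; }
    set -- $fields
    n=0                                 # assumed: the NIC driver may still be loading
    while [ ! -e "/sys/class/net/$1" ] && [ "$n" -lt 10 ]; do sleep 1; n=$((n + 1)); done
    ip link set dev "$1" up
    ip addr add "$2" dev "$1"
    [ -z "${3:-}" ] || ip -6 route add default via "$3" dev "$1"
}

if [ -r /proc/cmdline ]; then configure_v6 "$(cat /proc/cmdline)"; fi
```

With this in place, the qemu test from the thread can pass something like `-append 'console=ttyS0 debug=y v6static=ens3,2001:db8::1/64'` (constructed value) to exercise the script before rebooting the real machine.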