diff --git a/.gitignore b/.gitignore
index 3fcdf36..da9ec4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,14 +22,8 @@ WestJeff*/
 # Offline packages (built by download-packages.sh)
 offline-packages/
-# Boot tool binaries (built by prepare-boot-tools.sh). Everything
-# under boot-tools/ is local artifact cache - EXCEPT grub-blancco.cfg,
-# which is the source-of-truth config embedded into Blancco's
-# grubx64.efi at build time and must be version-controlled.
-boot-tools/*
-!boot-tools/blancco/
-boot-tools/blancco/*
-!boot-tools/blancco/grub-blancco.cfg
+# Boot tool binaries (built by prepare-boot-tools.sh)
+boot-tools/
 # WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.)
 boot-files/
@@ -60,23 +54,23 @@ secrets.md
 enrollment/
 drivers-staging/
 bios-staging/
-.claude/
-
-# Secrets and credentials (defensive)
-.env
-.env.*
-!.env.example
-!.env.*.example
-*.pem
-*.key
-id_rsa
-id_rsa.*
-*.ppk
-*.p12
-*.pfx
-secrets.json
-secrets.yaml
-secrets.yml
-*_secret
-*_secrets
-credentials.json
+.claude/
+
+# Secrets and credentials (defensive)
+.env
+.env.*
+!.env.example
+!.env.*.example
+*.pem
+*.key
+id_rsa
+id_rsa.*
+*.ppk
+*.p12
+*.pfx
+secrets.json
+secrets.yaml
+secrets.yml
+*_secret
+*_secrets
+credentials.json
diff --git a/boot-tools/blancco/grub-blancco.cfg b/boot-tools/blancco/grub-blancco.cfg
deleted file mode 100644
index acbf5c8..0000000
--- a/boot-tools/blancco/grub-blancco.cfg
+++ /dev/null
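Review bot: The new `boot-tools/` rule ignores the whole directory, and this commit also deletes boot-tools/blancco/grub-blancco.cfg, which the removed comment describes as the source-of-truth config embedded into Blancco's grubx64.efi at build time. If prepare-boot-tools.sh (not shown here) still reads that file, the build will depend on an untracked local copy that no longer passes through review — a GRUB config that decides which kernel and initrd PXE clients fetch should stay version-controlled, so keep the `!boot-tools/blancco/grub-blancco.cfg` exception or move the file out of boot-tools/. The second hunk removes and re-adds the same twenty lines from `.claude/` to `credentials.json`, which looks like a line-ending change rather than a content change; a `* text=auto eol=lf` entry in .gitattributes would stop the secrets patterns from churning across platforms.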
@@ -1,31 +0,0 @@
-set default=0
-set timeout=0
-set gfxpayload=text
-
-insmod all_video
-insmod efi_gop
-insmod efinet
-insmod net
-insmod http
-net_bootp efinet0
-net_bootp efinet1
-net_bootp efinet2
-net_bootp efinet3
-
-# Boot Ubuntu kernel + small custom initramfs (kexec-initrd.img).
-# The custom init brings up the NIC (drivers baked in at build time:
-# e1000e, igb, igc, bnxt_en, tg3, bnx2, b44, r8169, atlantic, ...
-# much broader than Blancco's native vmlinuz-bde-linux ships with),
-# HTTP-fetches the Blancco rootfs (airootfs.sfs + native kernel +
-# initramfs) from this PXE server, overlay-mounts the rootfs, then
-# kexecs into Blancco's environment.
-#
-# Previous native-kernel path (linux ...vmlinuz-bde-linux via TFTP)
-# was abandoned because Blancco's kernel ships with a narrow NIC
-# driver set that fails on modern Dell Latitude 5330/5440 and
-# newer 'Pro' series with Intel I225/I226 NICs - "no network card
-# found" at the Blancco UI after TFTP load succeeds.
-menuentry "Blancco Drive Eraser" {
- linux (http,10.9.100.1)/blancco/vmlinuz-ubuntu ip=dhcp
- initrd (http,10.9.100.1)/blancco/kexec-initrd.img
-}
diff --git a/playbook/blancco-init.sh b/playbook/blancco-init.sh
index 6450876..1a4dcd7 100644
--- a/playbook/blancco-init.sh
+++ b/playbook/blancco-init.sh
@@ -20,38 +20,14 @@ mount -t devtmpfs devtmpfs /dev 2>/dev/null
 mkdir -p /tmp /run
 echo "[1/4] Loading NIC drivers..."
-echo " Kernel: $(uname -r)"
-echo " Interfaces before driver load: $(ls /sys/class/net/ 2>/dev/null)"
-
-# Dependency modules first. insmod does not resolve deps; main NIC
-# drivers like igb need dca + i2c-algo-bit, atlantic needs macsec,
-# some Intel drivers need libeth/libie. Load helpers first so the
-# main driver module has its required symbols available.
-for mod in /lib/modules/libeth.ko /lib/modules/libie*.ko /lib/modules/dca.ko \
- /lib/modules/i2c-algo-bit.ko /lib/modules/macsec.ko \
- /lib/modules/mii.ko /lib/modules/ssb.ko /lib/modules/libphy.ko \
- /lib/modules/mdio*.ko /lib/modules/phy*.ko /lib/modules/ptp*.ko; do
- [ -f "$mod" ] || continue
- insmod "$mod" 2>&1 | grep -v '^$' | head -1 || true
-done
-
-# Main NIC drivers (everything else in /lib/modules/ that is not a helper
-# or the overlay/squashfs modules). Errors are now VISIBLE so if a
-# driver fails to load we can see why.
 for mod in /lib/modules/*.ko; do
- base=$(basename "$mod")
- case "$base" in
- libeth.ko|libie*.ko|dca.ko|i2c-algo-bit.ko|macsec.ko|mii.ko|ssb.ko|libphy.ko|overlay.ko|squashfs.ko|mdio*.ko|phy*.ko|ptp*.ko)
- continue ;;
- esac
- echo " insmod $base"
- insmod "$mod" 2>&1 | head -1 || true
+ echo " insmod $(basename $mod)"
+ insmod $mod 2>/dev/null || true
 done
 sleep 5
-echo " Interfaces after driver load: $(ls /sys/class/net/ 2>/dev/null)"
-echo " Kernel messages mentioning NIC driver activity:"
-dmesg 2>/dev/null | grep -iE "eth|igc|igb|bnxt|tg3|r8169|atlantic|e1000|ixgbe|i40e|eno|ens|enp" | tail -20
+echo " Interfaces after driver load:"
+ls /sys/class/net/ 2>/dev/null
 echo " Waiting for network interface..."
 IFACE=""
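Review bot: `insmod $mod 2>/dev/null || true` on the new side discards the reason a driver failed to load and leaves `$mod` unquoted, and `$(basename $mod)` on the line above has the same quoting gap. The removed comment states that insmod does not resolve dependencies (igb needs dca + i2c-algo-bit), and the new side neither bundles nor loads those helpers, so a failed igb load on this path is silent and the only symptom is the empty interface list reported by the error branch in the next hunk. Keep errors visible and quote the path: `echo " insmod $(basename "$mod")"` and `insmod "$mod" 2>&1 | head -1 || true`. The same loss of diagnostics applies to the second hunk, where the dmesg tail is dropped as well.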
@@ -71,13 +47,9 @@ done
 echo ""
 if [ -z "$IFACE" ]; then
- echo ""
- echo "ERROR: No network interface found after 60s."
- echo " /sys/class/net/: $(ls /sys/class/net/ 2>/dev/null)"
- echo " Last 40 lines of dmesg (look for probe failures):"
- dmesg 2>/dev/null | tail -40
- echo ""
- echo " Dropping to busybox shell for manual debug. reboot with 'reboot -f'."
+ echo "ERROR: No network interface found!"
+ echo "Available interfaces:"
+ ls /sys/class/net/ 2>/dev/null
 exec sh
 fi
diff --git a/playbook/pxe_server_setup.yml b/playbook/pxe_server_setup.yml
index 2d9b4f1..71200c6 100644
--- a/playbook/pxe_server_setup.yml
+++ b/playbook/pxe_server_setup.yml
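Review bot: The new error branch prints only `ls /sys/class/net/`, which in this branch is by construction the listing that contained no usable interface, so the operator gets nothing that explains why the probe failed; the removed `dmesg 2>/dev/null | tail -40` was the actionable part and is worth keeping on the new side as a single line. The branch still ends in `exec sh` (unchanged context), which hands an interactive shell with init's privileges to whoever is at the console of the PXE-booted host; if that is intentional for field debugging it deserves a comment saying so, and the removed message that announced it (`Dropping to busybox shell for manual debug`) should come back so the shell is not a surprise.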
@@ -671,37 +671,16 @@
 ln -sf busybox "$WORK/bin/$cmd"
 done
- # NIC drivers: sweep the whole drivers/net/ethernet tree. The
- # earlier targeted list (e1000e, igb, tg3, bnx2, bnxt_en, b44)
- # missed igc (Intel I225/I226 on modern Dell Latitude 5330/5440,
- # Pro-series), plus helper modules (libeth, libie, dca,
- # i2c-algo-bit, macsec) needed as dependencies by the main
- # drivers. insmod does not resolve deps; bundling the full
- # tree + helpers is the reliable way to cover any NIC.
+ # NIC drivers (common server NICs)
 KVER=$(uname -r)
- ETH="/lib/modules/$KVER/kernel/drivers/net/ethernet"
- find "$ETH" -name "*.ko.zst" -type f 2>/dev/null | while read -r src; do
- zstd -d "$src" -o "$WORK/lib/modules/$(basename ${src%.zst})" 2>/dev/null
+ KMOD="/lib/modules/$KVER/kernel/drivers/net/ethernet"
+ for drv in intel/e1000e/e1000e.ko.zst intel/igb/igb.ko.zst broadcom/tg3.ko.zst broadcom/bnx2.ko.zst broadcom/bnxt/bnxt_en.ko.zst broadcom/b44.ko.zst; do
+ if [ -f "$KMOD/$drv" ]; then
+ zstd -d "$KMOD/$drv" -o "$WORK/lib/modules/$(basename ${drv%.zst})" 2>/dev/null
+ fi
 done
- # Helper modules (PHY, MDIO, I2C, DCA, PTP, macsec, ssb) - loaded
- # first in blancco-init.sh before the main NIC drivers.
- for helper_dir in \
- "/lib/modules/$KVER/kernel/drivers/net/phy" \
- "/lib/modules/$KVER/kernel/drivers/net/mdio" \
- "/lib/modules/$KVER/kernel/drivers/i2c/algos" \
- "/lib/modules/$KVER/kernel/drivers/dca" \
- "/lib/modules/$KVER/kernel/drivers/ptp" \
- "/lib/modules/$KVER/kernel/net/macsec" \
- "/lib/modules/$KVER/kernel/drivers/ssb" \
- ; do
- [ -d "$helper_dir" ] || continue
- find "$helper_dir" -name "*.ko.zst" -type f 2>/dev/null | while read -r src; do
- zstd -d "$src" -o "$WORK/lib/modules/$(basename ${src%.zst})" 2>/dev/null
- done
- done
-
- # Overlay module (switch_root overlay mount)
+ # Overlay module
 OVMOD="/lib/modules/$KVER/kernel/fs/overlayfs/overlay.ko.zst"
 if [ -f "$OVMOD" ]; then
 zstd -d "$OVMOD" -o "$WORK/lib/modules/overlay.ko" 2>/dev/null
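Review bot: The new `for drv in ...` list omits igc and the helper modules (dca, i2c-algo-bit, libeth, libie, macsec) that the removed comment says the main drivers depend on, and the replacement comment `# NIC drivers (common server NICs)` no longer records that limit; if the narrower list is deliberate, the comment should name the hardware it is known not to cover (the removed text cites Intel I225/I226 on Latitude 5330/5440) so the next failure is not re-diagnosed from scratch. `zstd -d ... 2>/dev/null` inside the `if [ -f ... ]` guard also hides a failed decompression, which yields the same silent missing-driver symptom at boot; consider `zstd -d "$KMOD/$drv" -o "$WORK/lib/modules/$(basename "${drv%.zst}")" || echo "warn: failed to unpack $drv" >&2`. That also quotes `${drv%.zst}`, which the new line leaves unquoted inside the command substitution. The enclosing shell task begins before and continues after this hunk.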