Investigating initrd.img changes

I have a dual monitor setup. I came back to my computer today and the left screen (normally the primary) was blank/black but I could still move my cursor around in it. The right screen had the gnome menubar and icons.

To resolve, I logged out and rebooted and then was presented with a message that the checksum for initrd.img-6.1.0-28-amd64 had changed.

The previous system boot according to the last command was Nov 26th.

reboot system boot 6.1.0-28-amd64 Tue Nov 26 05:19 - 11:07 (38+05:48)

My current kernel version is 6.1.0-28-amd64. So between now and Nov 26th, no new kernel was installed, but something triggered a rebuild of initrd and /boot/grub directory on Dec 18th, according to time stamps of ls -ltr /boot command.

Can anybody help me investigate the logs to determine if this rebuild was innocuous or perhaps nefarious? I’m leaning towards the former but I want to perform my due diligence before I sign the updated checksums in PureBoot.

According to /var/log/apt/history.log.1.gz these were the apt operations that took place on December 18th. I’m guessing it was the installation of libguestfs-tools that triggered the grub menu and initrd rebuild.

Start-Date: 2024-12-18  12:30:20
Commandline: apt install libguestfs-tools
Requested-By: seth (1000)
Install: reiserfsprogs:amd64 (1:3.6.27-4, automatic), libhivex0:amd64 (1.3.23-1+b1, automatic), supermin:amd64 (5.2.2-1+b9, automatic), libldm-1.0-0:amd64 (0.2.5-1, automatic), rpm-common:amd64 (4.18.0+dfsg-1+deb12u1, automatic), libyara9:amd64 (4.2.3-4, automatic), librpmio9:amd64 (4.18.0+dfsg-1+deb12u1, automatic), libintl-perl:amd64 (1.33-1, automatic), zerofree:amd64 (1.1.1-1, automatic), libguestfs-perl:amd64 (1:1.48.6-2, automatic), libaugeas0:amd64 (1.14.0-1, automatic), lsscsi:amd64 (0.31-1+b1, automatic), libxml-xpath-perl:amd64 (1.48-1, automatic), librpm9:amd64 (4.18.0+dfsg-1+deb12u1, automatic), icoutils:amd64 (0.32.3-4, automatic), liblockfile-bin:amd64 (1.17-1+b1, automatic), xfsprogs:amd64 (6.1.0-1, automatic), virt-p2v:amd64 (1.42.3-1, automatic), exim4-config:amd64 (4.96-15+deb12u6, automatic), exim4-base:amd64 (4.96-15+deb12u6, automatic), guestmount:amd64 (1:1.48.6-2, automatic), libhfsp0:amd64 (1.0.4-17, automatic), augeas-lenses:amd64 (1.14.0-1, automatic), extlinux:amd64 (3:6.04~git20190206.bf6db5b4+dfsg1-3+b1, automatic), lzop:amd64 (1.04-2, automatic), libguestfs-xfs:amd64 (1:1.48.6-2, automatic), syslinux:amd64 (3:6.04~git20190206.bf6db5b4+dfsg1-3+b1, automatic), db-util:amd64 (5.3.2, automatic), guestfs-tools:amd64 (1.48.2-1+deb12u1, automatic), libsys-virt-perl:amd64 (9.0.0-1, automatic), libguestfs-tools:amd64 (1:1.48.6-2), mdadm:amd64 (4.2-5, automatic), libguestfs-hfsplus:amd64 (1:1.48.6-2, automatic), syslinux-common:amd64 (3:6.04~git20190206.bf6db5b4+dfsg1-3, automatic), guestfish:amd64 (1:1.48.6-2, automatic), scrub:amd64 (2.6.1-1+b1, automatic), btrfs-progs:amd64 (6.2-1+deb12u1, automatic), ldmtool:amd64 (0.2.5-1, automatic), db5.3-util:amd64 (5.3.28+dfsg2-1, automatic), hfsplus:amd64 (1.0.4-17, automatic), libwin-hivex-perl:amd64 (1.3.23-1+b1, automatic), exim4-daemon-light:amd64 (4.96-15+deb12u6, automatic), bsd-mailx:amd64 (8.1.2-0.20220412cvs-1, automatic), libguestfs-reiserfs:amd64 (1:1.48.6-2, automatic), libinih1:amd64 (55-1, automatic), libintl-xs-perl:amd64 (1.33-1, automatic), f2fs-tools:amd64 (1.15.0-1, automatic), liblockfile1:amd64 (1.17-1+b1, automatic), kpartx:amd64 (0.9.4-3+deb12u1, automatic), libguestfs0:amd64 (1:1.48.6-2, automatic), liburcu8:amd64 (0.13.2-1, automatic)
End-Date: 2024-12-18  12:31:03

Start-Date: 2024-12-18  19:50:45
Commandline: apt upgrade -y
Requested-By: seth (1000)
Upgrade: signal-desktop:amd64 (7.36.0, 7.36.1)
End-Date: 2024-12-18  19:51:04
1 Like

Is your computer normally on and already logged in?

Yes it is. I only reboot to install new kernels for the most part.

1 Like

Check if there is also a corresponding /var/log/apt/term.log.1.gz file and if so unpack it (using gunzip) and look for “update-initramfs” or “initramfs-tools” or “initrd” in that file. Does that show anything about when and why the initrd file was (re)created?

5 Likes

Assuming that apt is the only method to install and/or upgrade packages, everything seems to visually check out.

I found that in the term.log.1.gz as suggested.

Relevant log snippet pasted before for the curious. Looks like it was mdadm package that triggered the initramfs hook.

Log started: 2024-12-18  12:30:20
Selecting previously unselected package mdadm.
Preparing to unpack .../00-mdadm_4.2-5_amd64.deb ...
Unpacking mdadm (4.2-5) ...

<snip snip snip>

update-initramfs: deferring update (trigger activated)

<snip snip snip>

Setting up mdadm (4.2-5) ...
Generating mdadm.conf... done.
update-initramfs: deferring update (trigger activated)
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-6.1.0-28-amd64
Found initrd image: /boot/initrd.img-6.1.0-28-amd64
Found linux image: /boot/vmlinuz-6.1.0-27-amd64
Found initrd image: /boot/initrd.img-6.1.0-27-amd64
Found memtest86+x64 image: /memtest86+x64.bin
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Created symlink /etc/systemd/system/sysinit.target.wants/mdadm-shutdown.service → /lib/systemd/system/mdadm-shutdown.service.
Setting up libsys-virt-perl (9.0.0-1) ...
Setting up librpmio9 (4.18.0+dfsg-1+deb12u1) ...
Setting up hfsplus (1.0.4-17) ...
Setting up librpm9 (4.18.0+dfsg-1+deb12u1) ...
Setting up exim4-base (4.96-15+deb12u6) ...
exim: DB upgrade, deleting hints-db
3 Likes
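
Added example, not part of any post in this thread: the term.log check suggested above, turned into a script that reports, per apt session, which package requested an initramfs rebuild and which image was actually generated. The function names are hypothetical, and the sample log is constructed from lines quoted in the thread plus trigger-processing lines that the pasted snippet elides (version shown as a placeholder).

```shell
#!/bin/sh
# initramfs_summary: reads apt term.log text on stdin and prints one line per
# apt session that touched the initramfs:
#   SESSION_START <TAB> requested-by=PKG[,PKG...] <TAB> generated=IMAGE[,...]
initramfs_summary() {
    awk '
    function emit() {
        if (session != "" && (req != "" || gen != ""))
            printf "%s\trequested-by=%s\tgenerated=%s\n", session,
                   (req != "" ? req : "-"), (gen != "" ? gen : "-")
        req = ""; gen = ""
    }
    /^Log started: / { emit(); session = $3 " " $4; pkg = "?"; next }
    # Remember the package dpkg is working on: the field before "(version)".
    /^(Unpacking|Setting up|Processing triggers for) / {
        for (i = 2; i <= NF; i++) if ($i ~ /^\(/) { pkg = $(i - 1); break }
        next
    }
    # A maintainer script asked for a rebuild; the work is deferred to a trigger.
    /^update-initramfs: deferring / {
        if (index("," req ",", "," pkg ",") == 0)
            req = (req != "" ? req "," : "") pkg
        next
    }
    # The trigger ran and an image was actually written.
    /^update-initramfs: Generating / { gen = (gen != "" ? gen "," : "") $3; next }
    END { emit() }
    '
}

# scan_term_logs FILE...: same report for rotated logs (.gz or plain text).
scan_term_logs() { gzip -cdf -- "$@" | initramfs_summary; }

# Constructed sample; the initramfs-tools version is a placeholder.
SAMPLE_LOG='Log started: 2024-12-18  12:30:20
Unpacking mdadm (4.2-5) ...
Setting up mdadm (4.2-5) ...
update-initramfs: deferring update (trigger activated)
Setting up hfsplus (1.0.4-17) ...
Processing triggers for initramfs-tools (x.y) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-28-amd64
Log ended: 2024-12-18  12:31:03
Log started: 2024-12-18  19:50:45
Setting up signal-desktop (7.36.1) ...
Log ended: 2024-12-18  19:51:04'

printf '%s\n' "$SAMPLE_LOG" | initramfs_summary
```

On the machine itself, `scan_term_logs /var/log/apt/term.log.1.gz` gives the same report; a rebuild is accounted for when the image's timestamp in /boot falls inside a session that lists it under `generated=`.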