ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-02-21 09:31:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #852 from Nitrokey/update_checksum

Browse Source 
Change hash files only if gpg card is present
This commit is contained in:
tlaurion 2020-10-17 20:16:21 -04:00 committed by GitHub
commit 5d2f6d57bf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 25 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
initrd/bin/kexec-save-default
View File

@ -132,7 +132,7 @@ fi
# sign and auto-roll config counter # sign and auto-roll config counter
extparam= extparam=
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u extparam=-r
fi fi
kexec-sign-config -p $paramsdir $extparam \ kexec-sign-config -p $paramsdir $extparam \
|| die "Failed to sign default config" || die "Failed to sign default config"

2
initrd/bin/kexec-save-key
View File

@ -62,7 +62,7 @@ kexec-seal-key $paramsdir \
if [ "$skip_sign" != "y" ]; then if [ "$skip_sign" != "y" ]; then
# sign and auto-roll config counter # sign and auto-roll config counter
kexec-sign-config -p $paramsdir -u \ kexec-sign-config -p $paramsdir -r \
|| die "Failed to sign updated config" || die "Failed to sign updated config"
fi fi

23
initrd/bin/kexec-sign-config
View File

@ -5,12 +5,13 @@ set -e -o pipefail
. /etc/functions . /etc/functions
rollback="n" rollback="n"
update_counter="n" update="n"
while getopts "p:c:u" arg; do while getopts "p:c:u:r" arg; do
case $arg in case $arg in
p) paramsdir="$OPTARG" ;; p) paramsdir="$OPTARG" ;;
c) counter="$OPTARG"; rollback="y" ;; c) counter="$OPTARG"; rollback="y" ;;
u) update_counter="y"; rollback="y" ;; u) update="y" ;;
r) rollback="y" ;;
esac esac
done done
@ -22,6 +23,22 @@ paramsdir="${paramsdir%%/}"
confirm_gpg_card confirm_gpg_card
# update hashes in /boot before signing
if [ "$update" = "y" ]; then
(
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
)
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
fi
if [ "$rollback" = "y" ]; then if [ "$rollback" = "y" ]; then
rollback_file="$paramsdir/kexec_rollback.txt" rollback_file="$paramsdir/kexec_rollback.txt"

16
initrd/etc/functions
View File

@ -276,26 +276,16 @@ update_checksums()
mount -o ro /boot \ mount -o ro /boot \
|| recovery "Unable to mount /boot" || recovery "Unable to mount /boot"
fi fi
# remount RW # remount RW
mount -o rw,remount /boot mount -o rw,remount /boot
(
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
)
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter # sign and auto-roll config counter
extparam= extparam=
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u extparam=-r
fi fi
if ! kexec-sign-config -p /boot $extparam ; then if ! kexec-sign-config -p /boot -u $extparam ; then
echo "Failed to sign default config; press Enter to continue." echo "Failed to sign default config; press Enter to continue."
read read
fi fi