extract and verify gpg signature on the boot script

Makefile

@@ -80,8 +80,8 @@ initrd_bins += initrd/bin/$(notdir $1)
 endef
 
 $(foreach _, $(call outputs,kexec), $(eval $(call initrd_bin,$_)))
-$(foreach _, $(call outputs,tpmtotp), $(eval $(call initrd_bin,$_)))
-$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
+#$(foreach _, $(call outputs,tpmtotp), $(eval $(call initrd_bin,$_)))
+#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
 
 # hack to install busybox into the initrd
 initrd_bins += initrd/bin/busybox
@@ -101,10 +101,21 @@ initrd/bin/cbmem: $(build)/$(coreboot_dir)/util/cbmem/cbmem
 $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
 	make -C "$(dir $@)"
 
+# Mounting dm-verity file systems requires dm-verity to be installed
+# We use gpgv to verify the signature on the root hash.
+# Both of these should be brought in as modules instead of from /sbin
+initrd_bins += initrd/bin/dmsetup
+initrd/bin/dmsetup: /sbin/dmsetup
+	cp "$<" "$@"
+initrd_bins += initrd/bin/gpgv
+initrd/bin/gpgv: /usr/bin/gpgv
+	cp "$<" "$@"
 
 # Update all of the libraries in the initrd based on the executables
 # that were installed.
 initrd_libs: $(initrd_bins)
+	-find initrd/bin -type f -print0 \
+		| xargs -0 strip
 	./populate-lib \
 		./initrd/lib/x86_64-linux-gnu/ \
 		initrd/bin/* \
@@ -122,6 +133,8 @@ initrd_libs: $(initrd_bins)
 #
 # If there is in /dev/console, initrd can't startup.
 # We have to force it to be included into the cpio image.
+# Since we are picking up the system's /dev/console, the
+# timestamp will not be reproducible.
 #
 #
 initrd.cpio: $(initrd_bins) initrd_libs
@@ -154,3 +167,9 @@ $(build)/$(coreboot_dir)/bzImage: $(call outputs,linux)
 	cp -a "$^" "$@"
 $(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
 
+
+# The CoreBoot gcc won't work for us since it doesn't have libc
+#XGCC := $(build)/$(coreboot_dir)/util/crossgcc/xgcc/
+#export CC := $(XGCC)/bin/x86_64-elf-gcc
+#export LDFLAGS := -L/lib/x86_64-linux-gnu
+

initrd/mount-boot

@@ -0,0 +1,71 @@
+#!/bin/sh
+# Extract the GPG signed dmsetup configuration from
+# the header of the file system, validate it against
+# the trusted key database, and execute it to mount
+# the /boot filesystem
+
+dev="$1"
+offset="$2"
+
+cmd=/tmp/mount-boot
+cmd_sig="$cmd.asc"
+
+if [ -z "$dev" ]; then
+	dev=/dev/sda
+fi
+
+if [ -z "$offset" ]; then
+	offset=256
+fi
+
+#
+# Find the size of the device
+# Is there a better way?
+#
+dev_size_file="/sys/class/block/`basename $dev`/size"
+if [ ! -r "$dev_size_file" ]; then
+	echo >&2 '!!!!!'
+	echo >&2 '!!!!! $dev file $dev_size_file not found'
+	echo >&2 '!!!!! Dropping to recovery shell'
+	echo >&2 '!!!!!'
+	exit -1
+fi
+
+dev_blocks=`cat "$dev_size_file"`
+
+#
+# Extract the signed file from the hard disk image
+#
+if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`"; then
+	echo >&2 '!!!!!'
+	echo >&2 '!!!!! Boot block extraction failed'
+	echo >&2 '!!!!! Dropping to recovery shell'
+	echo >&2 '!!!!!'
+	exit -1
+fi
+
+#
+# Validate the file
+#
+if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
+	echo >&2 '!!!!!'
+	echo >&2 '!!!!! GPG signature on block failed'
+	echo >&2 '!!!!! Dropping to recovery shell'
+	echo >&2 '!!!!!'
+	exit -1
+fi
+
+#
+# Strip the PGP signature off the file
+# (too bad gpgv doesn't do this)
+#
+awk < "$cmd_sig" > "$cmd" '
+	/BEGIN PGP SIGNATURE/ { exit };
+	do_print {print};
+	/^$/ { do_print=1 };
+'
+
+#
+# And execute it!
+#
+sh -x "$cmd"