extract and verify gpg signature on the boot script
This commit is contained in:
parent
2438460503
commit
80b82fdfc4
23
Makefile
23
Makefile
@ -80,8 +80,8 @@ initrd_bins += initrd/bin/$(notdir $1)
|
|||||||
endef
|
endef
|
||||||
|
|
||||||
$(foreach _, $(call outputs,kexec), $(eval $(call initrd_bin,$_)))
|
$(foreach _, $(call outputs,kexec), $(eval $(call initrd_bin,$_)))
|
||||||
$(foreach _, $(call outputs,tpmtotp), $(eval $(call initrd_bin,$_)))
|
#$(foreach _, $(call outputs,tpmtotp), $(eval $(call initrd_bin,$_)))
|
||||||
$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
|
#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
|
||||||
|
|
||||||
# hack to install busybox into the initrd
|
# hack to install busybox into the initrd
|
||||||
initrd_bins += initrd/bin/busybox
|
initrd_bins += initrd/bin/busybox
|
||||||
@ -101,10 +101,21 @@ initrd/bin/cbmem: $(build)/$(coreboot_dir)/util/cbmem/cbmem
|
|||||||
$(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
|
$(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
|
||||||
make -C "$(dir $@)"
|
make -C "$(dir $@)"
|
||||||
|
|
||||||
|
# Mounting dm-verity file systems requires dm-verity to be installed
|
||||||
|
# We use gpgv to verify the signature on the root hash.
|
||||||
|
# Both of these should be brought in as modules instead of from /sbin
|
||||||
|
initrd_bins += initrd/bin/dmsetup
|
||||||
|
initrd/bin/dmsetup: /sbin/dmsetup
|
||||||
|
cp "$<" "$@"
|
||||||
|
initrd_bins += initrd/bin/gpgv
|
||||||
|
initrd/bin/gpgv: /usr/bin/gpgv
|
||||||
|
cp "$<" "$@"
|
||||||
|
|
||||||
# Update all of the libraries in the initrd based on the executables
|
# Update all of the libraries in the initrd based on the executables
|
||||||
# that were installed.
|
# that were installed.
|
||||||
initrd_libs: $(initrd_bins)
|
initrd_libs: $(initrd_bins)
|
||||||
|
-find initrd/bin -type f -print0 \
|
||||||
|
| xargs -0 strip
|
||||||
./populate-lib \
|
./populate-lib \
|
||||||
./initrd/lib/x86_64-linux-gnu/ \
|
./initrd/lib/x86_64-linux-gnu/ \
|
||||||
initrd/bin/* \
|
initrd/bin/* \
|
||||||
@ -122,6 +133,8 @@ initrd_libs: $(initrd_bins)
|
|||||||
#
|
#
|
||||||
# If there is in /dev/console, initrd can't startup.
|
# If there is in /dev/console, initrd can't startup.
|
||||||
# We have to force it to be included into the cpio image.
|
# We have to force it to be included into the cpio image.
|
||||||
|
# Since we are picking up the system's /dev/console, the
|
||||||
|
# timestamp will not be reproducible.
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
initrd.cpio: $(initrd_bins) initrd_libs
|
initrd.cpio: $(initrd_bins) initrd_libs
|
||||||
@ -154,3 +167,9 @@ $(build)/$(coreboot_dir)/bzImage: $(call outputs,linux)
|
|||||||
cp -a "$^" "$@"
|
cp -a "$^" "$@"
|
||||||
$(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
|
$(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
|
||||||
|
|
||||||
|
|
||||||
|
# The CoreBoot gcc won't work for us since it doesn't have libc
|
||||||
|
#XGCC := $(build)/$(coreboot_dir)/util/crossgcc/xgcc/
|
||||||
|
#export CC := $(XGCC)/bin/x86_64-elf-gcc
|
||||||
|
#export LDFLAGS := -L/lib/x86_64-linux-gnu
|
||||||
|
|
||||||
|
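Review bot: The gpgv that mount-boot relies on for signature verification is copied verbatim from the build host's `/usr/bin/gpgv` (and dmsetup from `/sbin/dmsetup`) in the second hunk, so the verifier that lands in the initrd is whatever package the build machine happens to carry, outside anything this Makefile builds or pins; the comment above the rules acknowledges the module alternative, but the consequence deserves a line of its own, e.g. `# NOTE: host binary — the initrd's verifier (and thus its trust root) varies with the build machine's gpgv`. In the same hunk the new `-find initrd/bin -type f -print0 | xargs -0 strip` swallows every failure through the leading `-`, which also hides a strip that fails on a genuine binary; if the intent is only to tolerate non-ELF files such as the mount-boot script, say so in a comment and consider restricting the find to the binaries. Recipe tabs are not visible in this rendering, so their presence on the new `cp "$<" "$@"` and `find` lines cannot be confirmed here.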
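--- /dev/null
+++ b/initrd/mount-boot
@@ -0,0 +1,71 @@
+#!/bin/sh
+# Extract the GPG signed dmsetup configuration from
+# the header of the file system, validate it against
+# the trusted key database, and execute it to mount
+# the /boot filesystem
+
+dev="$1"
+offset="$2"
+
+cmd=/tmp/mount-boot
+cmd_sig="$cmd.asc"
+
+if [ -z "$dev" ]; then
+dev=/dev/sda
+fi
+
+if [ -z "$offset" ]; then
+offset=256
+fi
+
+#
+# Find the size of the device
+# Is there a better way?
+#
+dev_size_file="/sys/class/block/`basename $dev`/size"
+if [ ! -r "$dev_size_file" ]; then
+echo >&2 '!!!!!'
+echo >&2 '!!!!! $dev file $dev_size_file not found'
+echo >&2 '!!!!! Dropping to recovery shell'
+echo >&2 '!!!!!'
+exit -1
+fi
+
+dev_blocks=`cat "$dev_size_file"`
+
+#
+# Extract the signed file from the hard disk image
+#
+if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`"; then
+echo >&2 '!!!!!'
+echo >&2 '!!!!! Boot block extraction failed'
+echo >&2 '!!!!! Dropping to recovery shell'
+echo >&2 '!!!!!'
+exit -1
+fi
+
+#
+# Validate the file
+#
+if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
+echo >&2 '!!!!!'
+echo >&2 '!!!!! GPG signature on block failed'
+echo >&2 '!!!!! Dropping to recovery shell'
+echo >&2 '!!!!!'
+exit -1
+fi
+
+#
+# Strip the PGP signature off the file
+# (too bad gpgv doesn't do this)
+#
+awk < "$cmd_sig" > "$cmd" '
+/BEGIN PGP SIGNATURE/ { exit };
+do_print {print};
+/^$/ { do_print=1 };
+'
+
+#
+# And execute it!
+#
+sh -x "$cmd"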
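Review bot: What is finally run by `sh -x "$cmd"` is the awk reconstruction of the message, not the bytes gpgv verified: the awk filter copies every line between the first blank line and `BEGIN PGP SIGNATURE` but does not undo cleartext-signature dash-escaping (a signed line beginning with `-` is stored as `- `), so such a script line reaches `sh` altered, and the verified-versus-executed split deserves either a comment on the awk block or, if the bundled gpgv supports `--output`, letting gpgv write the verified payload itself. `offset` is read from `$2` and defaulted to 256 but never used — the `dd` always reads the single last 512-byte block via `skip="`expr $dev_blocks - 1`"`, so the parameter is either dead or the intended offset is missing from the read. The diagnostic `echo >&2 '!!!!! $dev file $dev_size_file not found'` is single-quoted and prints the variable names literally; it should read `echo >&2 "!!!!! $dev file $dev_size_file not found"`. `exit -1` is not a valid POSIX exit status and is rejected by some `sh` implementations; use `exit 1` on all three error paths.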
BIN
initrd/trustedkeys.gpg
Normal file
BIN
initrd/trustedkeys.gpg
Normal file
Binary file not shown.