mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
parent
febff85498
commit
accd9f470d
@ -66,12 +66,13 @@ verify_global_hashes()
|
||||
# Check the hashes of all the files, ignoring signatures for now
|
||||
check_config /boot force
|
||||
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
||||
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
|
||||
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
|
||||
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
|
||||
|
||||
if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then
|
||||
if verify_checksums /boot ; then
|
||||
return 0
|
||||
elif [ ! -f $TMP_HASH_FILE ]; then
|
||||
elif [[ ! -f "$TMP_HASH_FILE" || ! -f "$TMP_TREE_FILE" ]] ; then
|
||||
if (whiptail $BG_COLOR_ERROR --title 'ERROR: Missing Hash File!' \
|
||||
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 0 80) then
|
||||
if update_checksums ; then
|
||||
|
@ -52,7 +52,7 @@ verify_global_hashes()
|
||||
{
|
||||
echo "+++ Checking verified boot hash file "
|
||||
# Check the hashes of all the files
|
||||
if ( cd $bootdir && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ); then
|
||||
if verify_checksums "$bootdir" ; then
|
||||
echo "+++ Verified boot hashes "
|
||||
valid_hash='y'
|
||||
valid_global_hash='y'
|
||||
@ -326,6 +326,7 @@ while true; do
|
||||
TMP_DEFAULT_FILE=`find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1` || true
|
||||
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
||||
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
||||
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
|
||||
TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
|
||||
TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
|
||||
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
|
||||
@ -385,4 +386,4 @@ while true; do
|
||||
fi
|
||||
done
|
||||
|
||||
die "!!! Shouldn't get here""
|
||||
die "!!! Shouldn't get here"
|
||||
|
@ -27,12 +27,16 @@ confirm_gpg_card
|
||||
if [ "$update" = "y" ]; then
|
||||
(
|
||||
cd /boot
|
||||
find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
|
||||
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
|
||||
if [ -e /boot/kexec_default_hashes.txt ]; then
|
||||
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
|
||||
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
|
||||
fi
|
||||
|
||||
#also save the file & directory structure to detect added files
|
||||
print_tree > /boot/kexec_tree.txt
|
||||
)
|
||||
[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
|
||||
|
||||
# Remove any package trigger log files
|
||||
# We don't need them after the user decides to sign
|
||||
|
@ -195,9 +195,14 @@ generate_checksums()
|
||||
fi
|
||||
|
||||
# generate hashes
|
||||
find /boot -type f ! -name '*kexec*' -print0 \
|
||||
| xargs -0 sha256sum > /boot/kexec_hashes.txt 2>/dev/null \
|
||||
|| whiptail_error_die "Error generating kexec hashes"
|
||||
(
|
||||
set -e -o pipefail
|
||||
cd /boot
|
||||
find ./ -type f ! -path './kexec*' -print0 \
|
||||
| xargs -0 sha256sum > /boot/kexec_hashes.txt 2>/dev/null
|
||||
print_tree > /boot/kexec_tree.txt
|
||||
)
|
||||
[ $? -eq 0 ] || whiptail_error_die "Error generating kexec hashes"
|
||||
|
||||
param_files=`find /boot/kexec*.txt`
|
||||
[ -z "$param_files" ] \
|
||||
|
@ -335,6 +335,31 @@ update_checksums()
|
||||
return $rv
|
||||
}
|
||||
|
||||
print_tree() {
|
||||
#use \x0 as long as possible to avoid issues with newlines in file names
|
||||
find ./ ! -path './kexec*' -print0 | sort -z | xargs -0 printf "%s\n"
|
||||
}
|
||||
|
||||
verify_checksums()
|
||||
{
|
||||
local boot_dir="$1"
|
||||
|
||||
(
|
||||
set +e -o pipefail
|
||||
local ret=0
|
||||
cd "$boot_dir" || ret=1
|
||||
sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output || ret=1
|
||||
|
||||
# also make sure that the file & directory structure didn't change
|
||||
# (sha256sum won't detect added files)
|
||||
print_tree > /tmp/tree_output || ret=1
|
||||
diff "$TMP_TREE_FILE" /tmp/tree_output > /tmp/tree_diff || ret=1
|
||||
grep -E '^\+[^\+].*$' /tmp/tree_diff | sed -E 's/^\+(.*)/(new) \1/g' >> /tmp/hash_output
|
||||
exit $ret
|
||||
)
|
||||
return $?
|
||||
}
|
||||
|
||||
# detect and set /boot device
|
||||
# mount /boot if successful
|
||||
detect_boot_device()
|
||||
|
Loading…
Reference in New Issue
Block a user