ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 21:17:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1514 from tlaurion/confirm_rom_hash_before_flashing

Browse Source 
bin/flash-gui.sh & initrd/bin/flash.sh: Show SHA256SUM for manual verification prior of flashing
This commit is contained in:
tlaurion 2023-10-31 16:48:27 -04:00 committed by GitHub
commit bcd269318f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 51 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
initrd/bin/flash-gui.sh
View File

@ -25,67 +25,65 @@ while true; do
menu_choice=$(cat /tmp/whiptail) menu_choice=$(cat /tmp/whiptail)
case "$menu_choice" in case "$menu_choice" in
"x" ) "x")
exit 0 exit 0
;; ;;
f|c ) f | c)
if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \ if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \
--yesno "You will need to insert a USB drive containing your BIOS image (*.rom or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then --yesno "You will need to insert a USB drive containing your BIOS image (*.rom, *.npf or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then
mount_usb mount_usb
if grep -q /media /proc/mounts ; then if grep -q /media /proc/mounts; then
find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name '*.npf' \) | sort > /tmp/filelist.txt find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name '*.npf' \) | sort >/tmp/filelist.txt
file_selector "/tmp/filelist.txt" "Choose the ROM to flash" file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
if [ "$FILE" == "" ]; then if [ "$FILE" == "" ]; then
exit 1 exit 1
else else
ROM=$FILE ROM=$FILE
fi fi
# is a .npf provided? # is a .npf provided?
if [ -z "${ROM##*.npf}" ]; then if [ -z "${ROM##*.npf}" ]; then
# unzip to /tmp/verified_rom #preventive cleanup
mkdir /tmp/verified_rom rm -rf /tmp/verified_rom >/dev/null 2>&1 || true
unzip $ROM -d /tmp/verified_rom # unzip to /tmp/verified_rom
# check file integrity mkdir -p /tmp/verified_rom >/dev/null 2>&1 || true
if (cd /tmp/verified_rom/ && sha256sum -cs /tmp/verified_rom/sha256sum.txt) ; then unzip $ROM -d /tmp/verified_rom || die "Failed to unzip ROM file"
ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)" # check file integrity
else if (cd /tmp/verified_rom/ && sha256sum -cs /tmp/verified_rom/sha256sum.txt); then
whiptail --title 'ROM Integrity Check Failed! ' \ ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)"
--msgbox "$ROM integrity check failed. Did not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60
exit
fi
else else
# exit if we shall not proceed whiptail --title 'ROM Integrity Check Failed! ' \
if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \ --msgbox "$ROM integrity check failed. Did not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60
--yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked for this file.\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 16 60) then exit
exit
fi
fi fi
else
if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \ # a rom file was provided. exit if we shall not proceed
--yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 0 80) then ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file"
if [ "$menu_choice" == "c" ]; then if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \
/bin/flash.sh -c "$ROM" --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then
# after flash, /boot signatures are now invalid so go ahead and clear them
if ls /boot/kexec* >/dev/null 2>&1 ; then
(
mount -o remount,rw /boot 2>/dev/null
rm /boot/kexec* 2>/dev/null
mount -o remount,ro /boot 2>/dev/null
)
fi
else
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80
umount /media
/bin/reboot
else
exit exit
fi fi
fi fi
if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them
if ls /boot/kexec* >/dev/null 2>&1; then
(
mount -o remount,rw /boot 2>/dev/null
rm /boot/kexec* 2>/dev/null
mount -o remount,ro /boot 2>/dev/null
)
fi
else
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80
umount /media
/bin/reboot
fi fi
fi
;; ;;
esac esac