Merge pull request #1514 from tlaurion/confirm_rom_hash_before_flashing

bin/flash-gui.sh & initrd/bin/flash.sh: Show SHA256SUM for manual verification prior of flashing
2024-12-18 20:47:55 +00:00 · 2023-10-31 16:48:27 -04:00 · 2023-10-31 16:48:27 -04:00 · bcd269318f
commit bcd269318f
parent f540f2a335 c0cf446034
1 changed files with 51 additions and 53 deletions
--- a/initrd/bin/flash-gui.sh
+++ b/initrd/bin/flash-gui.sh
@ -30,7 +30,7 @@ while true; do
    ;;
  f | c)
    if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \
-          --yesno "You will need to insert a USB drive containing your BIOS image (*.rom or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then
+      --yesno "You will need to insert a USB drive containing your BIOS image (*.rom, *.npf or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80); then
      mount_usb
      if grep -q /media /proc/mounts; then
        find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name '*.npf' \) | sort >/tmp/filelist.txt
@ -43,9 +43,11 @@ while true; do

        # is a .npf provided?
        if [ -z "${ROM##*.npf}" ]; then
+          #preventive cleanup
+          rm -rf /tmp/verified_rom >/dev/null 2>&1 || true
          # unzip to /tmp/verified_rom
-            mkdir /tmp/verified_rom
-            unzip $ROM -d /tmp/verified_rom
+          mkdir -p /tmp/verified_rom >/dev/null 2>&1 || true
+          unzip $ROM -d /tmp/verified_rom || die "Failed to unzip ROM file"
          # check file integrity
          if (cd /tmp/verified_rom/ && sha256sum -cs /tmp/verified_rom/sha256sum.txt); then
            ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)"
@ -55,15 +57,14 @@ while true; do
            exit
          fi
        else
-            # exit if we shall not proceed
+          # a rom file was provided. exit if we shall not proceed
+          ROM_HASH=$(sha256sum "$ROM" | awk '{print $1}') || die "Failed to hash ROM file"
          if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \
-                --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked for this file.\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 16 60) then
+            --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked automatically for this file type.\n\nROM: $ROM\nSHA256SUM: $ROM_HASH\n\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 0 80); then
            exit
          fi
        fi

-          if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
-              --yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 0 80) then
        if [ "$menu_choice" == "c" ]; then
          /bin/flash.sh -c "$ROM"
          # after flash, /boot signatures are now invalid so go ahead and clear them
@ -81,9 +82,6 @@ while true; do
          --msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80
        umount /media
        /bin/reboot
-          else
-            exit
-          fi
      fi
    fi
    ;;