mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-23 14:52:27 +00:00
Merge pull request #1262 from 3hhh/add-files
This commit is contained in:
commit
db5777ad91
@ -66,14 +66,15 @@ verify_global_hashes()
|
|||||||
# Check the hashes of all the files, ignoring signatures for now
|
# Check the hashes of all the files, ignoring signatures for now
|
||||||
check_config /boot force
|
check_config /boot force
|
||||||
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
||||||
|
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
|
||||||
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
|
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
|
||||||
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
|
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
|
||||||
|
|
||||||
if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then
|
if verify_checksums /boot ; then
|
||||||
return 0
|
return 0
|
||||||
elif [ ! -f $TMP_HASH_FILE ]; then
|
elif [[ ! -f "$TMP_HASH_FILE" || ! -f "$TMP_TREE_FILE" ]] ; then
|
||||||
if (whiptail $BG_COLOR_ERROR --title 'ERROR: Missing Hash File!' \
|
if (whiptail $BG_COLOR_ERROR --title 'ERROR: Missing File!' \
|
||||||
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 0 80) then
|
--yesno "One of the files containing integrity information for /boot is missing!\n\nIf you are setting up heads for the first time or upgrading from an\nolder version, select Yes to create the missing files.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to create the missing files now?" 0 80) then
|
||||||
if update_checksums ; then
|
if update_checksums ; then
|
||||||
BG_COLOR_MAIN_MENU=""
|
BG_COLOR_MAIN_MENU=""
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -52,7 +52,7 @@ verify_global_hashes()
|
|||||||
{
|
{
|
||||||
echo "+++ Checking verified boot hash file "
|
echo "+++ Checking verified boot hash file "
|
||||||
# Check the hashes of all the files
|
# Check the hashes of all the files
|
||||||
if ( cd $bootdir && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ); then
|
if verify_checksums "$bootdir" "$gui_menu" ; then
|
||||||
echo "+++ Verified boot hashes "
|
echo "+++ Verified boot hashes "
|
||||||
valid_hash='y'
|
valid_hash='y'
|
||||||
valid_global_hash='y'
|
valid_global_hash='y'
|
||||||
@ -326,6 +326,7 @@ while true; do
|
|||||||
TMP_DEFAULT_FILE=`find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1` || true
|
TMP_DEFAULT_FILE=`find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1` || true
|
||||||
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
||||||
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
||||||
|
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
|
||||||
TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
|
TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
|
||||||
TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
|
TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
|
||||||
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
|
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
|
||||||
@ -385,4 +386,4 @@ while true; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
die "!!! Shouldn't get here""
|
die "!!! Shouldn't get here"
|
||||||
|
@ -21,18 +21,24 @@ fi
|
|||||||
|
|
||||||
paramsdir="${paramsdir%%/}"
|
paramsdir="${paramsdir%%/}"
|
||||||
|
|
||||||
|
assert_signable
|
||||||
|
|
||||||
confirm_gpg_card
|
confirm_gpg_card
|
||||||
|
|
||||||
# update hashes in /boot before signing
|
# update hashes in /boot before signing
|
||||||
if [ "$update" = "y" ]; then
|
if [ "$update" = "y" ]; then
|
||||||
(
|
(
|
||||||
cd /boot
|
cd /boot
|
||||||
find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
|
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
|
||||||
if [ -e /boot/kexec_default_hashes.txt ]; then
|
if [ -e /boot/kexec_default_hashes.txt ]; then
|
||||||
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
|
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
|
||||||
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
|
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
#also save the file & directory structure to detect added files
|
||||||
|
print_tree > /boot/kexec_tree.txt
|
||||||
)
|
)
|
||||||
|
[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
|
||||||
|
|
||||||
# Remove any package trigger log files
|
# Remove any package trigger log files
|
||||||
# We don't need them after the user decides to sign
|
# We don't need them after the user decides to sign
|
||||||
|
@ -195,9 +195,14 @@ generate_checksums()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# generate hashes
|
# generate hashes
|
||||||
find /boot -type f ! -name '*kexec*' -print0 \
|
(
|
||||||
| xargs -0 sha256sum > /boot/kexec_hashes.txt 2>/dev/null \
|
set -e -o pipefail
|
||||||
|| whiptail_error_die "Error generating kexec hashes"
|
cd /boot
|
||||||
|
find ./ -type f ! -path './kexec*' -print0 \
|
||||||
|
| xargs -0 sha256sum > /boot/kexec_hashes.txt 2>/dev/null
|
||||||
|
print_tree > /boot/kexec_tree.txt
|
||||||
|
)
|
||||||
|
[ $? -eq 0 ] || whiptail_error_die "Error generating kexec hashes"
|
||||||
|
|
||||||
param_files=`find /boot/kexec*.txt`
|
param_files=`find /boot/kexec*.txt`
|
||||||
[ -z "$param_files" ] \
|
[ -z "$param_files" ] \
|
||||||
@ -553,6 +558,8 @@ if ! gpg --card-status >/dev/null 2>&1 ; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
assert_signable
|
||||||
|
|
||||||
# Action time...
|
# Action time...
|
||||||
|
|
||||||
# detect and set /boot device
|
# detect and set /boot device
|
||||||
|
@ -335,6 +335,122 @@ update_checksums()
|
|||||||
return $rv
|
return $rv
|
||||||
}
|
}
|
||||||
|
|
||||||
|
print_tree() {
|
||||||
|
find ./ ! -path './kexec*' -print0 | sort -z
|
||||||
|
}
|
||||||
|
|
||||||
|
# Escape zero-delimited standard input to safely display it to the user in e.g.
|
||||||
|
# `whiptail`, `less`, `echo`, `cat`. Doesn't produce shell-escaped output.
|
||||||
|
# Most printable characters are passed verbatim (exception: \).
|
||||||
|
# These escapes are used to replace their corresponding characters: #n#r#t#v#b
|
||||||
|
# Other characters are rendered as hexadecimal escapes.
|
||||||
|
# escape_zero [prefix] [escape character]
|
||||||
|
# prefix: \0 in the input will result in \n[prefix]
|
||||||
|
# escape character: character to use for escapes (default: #); \ may be interpreted by `whiptail`
|
||||||
|
escape_zero() {
|
||||||
|
local prefix="$1"
|
||||||
|
local echar="${2:-#}"
|
||||||
|
local todo=""
|
||||||
|
local echar_hex="$(echo -n "$echar" | xxd -p -c1)"
|
||||||
|
[ ${#echar_hex} -eq 2 ] || die "Invalid escape character $echar passed to escape_zero(). Programming error?!"
|
||||||
|
|
||||||
|
echo -e -n "$prefix"
|
||||||
|
xxd -p -c1 | tr -d '\n' |
|
||||||
|
{
|
||||||
|
while IFS= read -r -n2 -d '' ; do
|
||||||
|
if [ -n "$todo" ] ; then
|
||||||
|
#REPLY == " " is EOF
|
||||||
|
[[ "$REPLY" == " " ]] && echo '' || echo -e -n "$todo"
|
||||||
|
todo=""
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$REPLY" in
|
||||||
|
00)
|
||||||
|
todo="\n$prefix"
|
||||||
|
;;
|
||||||
|
08)
|
||||||
|
echo -n "${echar}b"
|
||||||
|
;;
|
||||||
|
09)
|
||||||
|
echo -n "${echar}t"
|
||||||
|
;;
|
||||||
|
0a)
|
||||||
|
echo -n "${echar}n"
|
||||||
|
;;
|
||||||
|
0b)
|
||||||
|
echo -n "${echar}v"
|
||||||
|
;;
|
||||||
|
0d)
|
||||||
|
echo -n "${echar}r"
|
||||||
|
;;
|
||||||
|
"$echar_hex")
|
||||||
|
echo -n "$echar$echar"
|
||||||
|
;;
|
||||||
|
#interpreted characters:
|
||||||
|
2[0-9a-f]|3[0-9a-f]|4[0-9a-f]|5[0-9abd-f]|6[0-9a-f]|7[0-9a-e])
|
||||||
|
echo -e -n '\x'"$REPLY"
|
||||||
|
;;
|
||||||
|
# All others are escaped
|
||||||
|
*)
|
||||||
|
echo -n "${echar}x$REPLY"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Currently heads doesn't support signing file names with certain characters
|
||||||
|
# due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters
|
||||||
|
# may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...).
|
||||||
|
assert_signable() {
|
||||||
|
# ensure /boot mounted
|
||||||
|
if ! grep -q /boot /proc/mounts ; then
|
||||||
|
mount -o ro /boot || die "Unable to mount /boot"
|
||||||
|
fi
|
||||||
|
|
||||||
|
find /boot -print0 > /tmp/signable.ref
|
||||||
|
local del='\001-\037\134\177-\377'
|
||||||
|
LC_ALL=C tr -d "$del" < /tmp/signable.ref > /tmp/signable.del || die "Failed to execute tr."
|
||||||
|
if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &> /dev/null ; then
|
||||||
|
local user_out="/tmp/hash_output_mismatches"
|
||||||
|
local add="Please investigate!"
|
||||||
|
[ -f "$user_out" ] && add="Please investigate the following relative paths to /boot (where # are sanitized invalid characters):"$'\n'"$(cat "$user_out")"
|
||||||
|
recovery "Some /boot file names contain characters that are currently not supported by heads: $del"$'\n'"$add"
|
||||||
|
fi
|
||||||
|
rm -f /tmp/signable.*
|
||||||
|
}
|
||||||
|
|
||||||
|
verify_checksums()
|
||||||
|
{
|
||||||
|
local boot_dir="$1"
|
||||||
|
local gui="${2:-y}"
|
||||||
|
|
||||||
|
(
|
||||||
|
set +e -o pipefail
|
||||||
|
local ret=0
|
||||||
|
cd "$boot_dir" || ret=1
|
||||||
|
sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output || ret=1
|
||||||
|
|
||||||
|
# also make sure that the file & directory structure didn't change
|
||||||
|
# (sha256sum won't detect added files)
|
||||||
|
print_tree > /tmp/tree_output || ret=1
|
||||||
|
if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &> /dev/null ; then
|
||||||
|
ret=1
|
||||||
|
[[ "$gui" != "y" ]] && exit "$ret"
|
||||||
|
# produce a diff that can safely be presented to the user
|
||||||
|
# this is relatively hard as file names may e.g. contain backslashes etc.,
|
||||||
|
# which are interpreted by whiptail, less, ...
|
||||||
|
escape_zero "(new) " < "$TMP_TREE_FILE" > "${TMP_TREE_FILE}.user"
|
||||||
|
escape_zero "(new) " < /tmp/tree_output > /tmp/tree_output.user
|
||||||
|
diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >> /tmp/hash_output
|
||||||
|
rm -f "${TMP_TREE_FILE}.user"
|
||||||
|
rm -f /tmp/tree_output.user
|
||||||
|
fi
|
||||||
|
exit $ret
|
||||||
|
)
|
||||||
|
return $?
|
||||||
|
}
|
||||||
|
|
||||||
# detect and set /boot device
|
# detect and set /boot device
|
||||||
# mount /boot if successful
|
# mount /boot if successful
|
||||||
detect_boot_device()
|
detect_boot_device()
|
||||||
|
Loading…
Reference in New Issue
Block a user