Merge pull request #1262 from 3hhh/add-files

initrd/bin/gui-init

@@ -66,14 +66,15 @@ verify_global_hashes()
   # Check the hashes of all the files, ignoring signatures for now
   check_config /boot force
   TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
+  TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
   TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
   TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
 
-  if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then
+  if verify_checksums /boot ; then
     return 0
-  elif [ ! -f $TMP_HASH_FILE ]; then
+  elif [[ ! -f "$TMP_HASH_FILE" || ! -f "$TMP_TREE_FILE" ]] ; then
-    if (whiptail $BG_COLOR_ERROR --title 'ERROR: Missing Hash File!' \
+    if (whiptail $BG_COLOR_ERROR --title 'ERROR: Missing File!' \
-        --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 0 80) then
+        --yesno "One of the files containing integrity information for /boot is missing!\n\nIf you are setting up heads for the first time or upgrading from an\nolder version, select Yes to create the missing files.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to create the missing files now?" 0 80) then
       if update_checksums ; then
         BG_COLOR_MAIN_MENU=""
         return 0;

initrd/bin/kexec-select-boot

@@ -52,7 +52,7 @@ verify_global_hashes()
 {
 	echo "+++ Checking verified boot hash file "
 	# Check the hashes of all the files
-	if ( cd $bootdir && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ); then
+	if verify_checksums "$bootdir" "$gui_menu" ; then
 		echo "+++ Verified boot hashes "
 		valid_hash='y'
 		valid_global_hash='y'
@@ -326,6 +326,7 @@ while true; do
 	TMP_DEFAULT_FILE=`find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1` || true
 	TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
 	TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
+	TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
 	TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
 	TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
 	TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
@@ -385,4 +386,4 @@ while true; do
 	fi
 done
 
-die "!!! Shouldn't get here""
+die "!!! Shouldn't get here"

initrd/bin/kexec-sign-config

@@ -21,18 +21,24 @@ fi
 
 paramsdir="${paramsdir%%/}"
 
+assert_signable
+
 confirm_gpg_card
 
 # update hashes in /boot before signing
 if [ "$update" = "y" ]; then
 	(
 		cd /boot
-		find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
+		find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
 		if [ -e /boot/kexec_default_hashes.txt ]; then
 			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
 			echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
 		fi
+
+		#also save the file & directory structure to detect added files
+		print_tree > /boot/kexec_tree.txt
 	)
+	[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
 
 	# Remove any package trigger log files
 	# We don't need them after the user decides to sign

initrd/bin/oem-factory-reset

@@ -195,9 +195,14 @@ generate_checksums()
     fi
 
     # generate hashes
-    find /boot -type f ! -name '*kexec*' -print0 \
+    (
-        | xargs -0 sha256sum > /boot/kexec_hashes.txt 2>/dev/null \
+        set -e -o pipefail
-        || whiptail_error_die "Error generating kexec hashes"
+        cd /boot
+        find ./ -type f ! -path './kexec*' -print0 \
+            | xargs -0 sha256sum > /boot/kexec_hashes.txt 2>/dev/null
+        print_tree > /boot/kexec_tree.txt
+    )
+    [ $? -eq 0 ] || whiptail_error_die "Error generating kexec hashes"
 
     param_files=`find /boot/kexec*.txt`
     [ -z "$param_files" ] \
@@ -553,6 +558,8 @@ if ! gpg --card-status >/dev/null 2>&1 ; then
     fi
 fi
 
+assert_signable
+
 # Action time...
 
 # detect and set /boot device

initrd/etc/functions

@@ -335,6 +335,122 @@ update_checksums()
 	return $rv
 }
 
+print_tree() {
+	find ./ ! -path './kexec*' -print0 | sort -z
+}
+
+# Escape zero-delimited standard input to safely display it to the user in e.g.
+# `whiptail`, `less`, `echo`, `cat`. Doesn't produce shell-escaped output.
+# Most printable characters are passed verbatim (exception: \).
+# These escapes are used to replace their corresponding characters: #n#r#t#v#b
+# Other characters are rendered as hexadecimal escapes.
+# escape_zero [prefix] [escape character]
+# prefix: \0 in the input will result in \n[prefix]
+# escape character: character to use for escapes (default: #); \ may be interpreted by `whiptail`
+escape_zero() {
+	local prefix="$1"
+	local echar="${2:-#}"
+	local todo=""
+	local echar_hex="$(echo -n "$echar" | xxd -p -c1)"
+	[ ${#echar_hex} -eq 2 ] || die "Invalid escape character $echar passed to escape_zero(). Programming error?!"
+
+	echo -e -n "$prefix"
+	xxd -p -c1 | tr -d '\n' |
+	{
+		while IFS= read -r -n2 -d '' ; do
+			if [ -n "$todo" ] ; then
+				#REPLY == "  " is EOF
+				[[ "$REPLY" == "  " ]] && echo '' || echo -e -n "$todo"
+				todo=""
+			fi
+
+			case "$REPLY" in
+				00)
+					todo="\n$prefix"
+					;;
+				08)
+					echo -n "${echar}b"
+					;;
+				09)
+					echo -n "${echar}t"
+					;;
+				0a)
+					echo -n "${echar}n"
+					;;
+				0b)
+					echo -n "${echar}v"
+					;;
+				0d)
+					echo -n "${echar}r"
+					;;
+				"$echar_hex")
+					echo -n "$echar$echar"
+					;;
+				#interpreted characters:
+				2[0-9a-f]|3[0-9a-f]|4[0-9a-f]|5[0-9abd-f]|6[0-9a-f]|7[0-9a-e])
+					echo -e -n '\x'"$REPLY"
+					;;
+				# All others are escaped
+				*)
+					echo -n "${echar}x$REPLY"
+					;;
+			esac
+		done
+	}
+}
+
+# Currently heads doesn't support signing file names with certain characters
+# due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters
+# may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...).
+assert_signable() {
+	# ensure /boot mounted
+	if ! grep -q /boot /proc/mounts ; then
+		mount -o ro /boot || die "Unable to mount /boot"
+	fi
+
+	find /boot -print0 > /tmp/signable.ref
+	local del='\001-\037\134\177-\377'
+	LC_ALL=C tr -d "$del" < /tmp/signable.ref > /tmp/signable.del || die "Failed to execute tr."
+	if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &> /dev/null ; then
+		local user_out="/tmp/hash_output_mismatches"
+		local add="Please investigate!"
+		[ -f "$user_out" ] && add="Please investigate the following relative paths to /boot (where # are sanitized invalid characters):"$'\n'"$(cat "$user_out")"
+		recovery "Some /boot file names contain characters that are currently not supported by heads: $del"$'\n'"$add"
+	fi
+	rm -f /tmp/signable.*
+}
+
+verify_checksums()
+{
+	local boot_dir="$1"
+	local gui="${2:-y}"
+
+	(
+		set +e -o pipefail
+		local ret=0
+		cd "$boot_dir" || ret=1
+		sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output || ret=1
+
+		# also make sure that the file & directory structure didn't change
+		# (sha256sum won't detect added files)
+		print_tree > /tmp/tree_output || ret=1
+		if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &> /dev/null ; then
+			ret=1
+			[[ "$gui" != "y" ]] && exit "$ret"
+			# produce a diff that can safely be presented to the user
+			# this is relatively hard as file names may e.g. contain backslashes etc.,
+			# which are interpreted by whiptail, less, ...
+			escape_zero "(new) " < "$TMP_TREE_FILE" > "${TMP_TREE_FILE}.user"
+			escape_zero "(new) " < /tmp/tree_output > /tmp/tree_output.user
+			diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >> /tmp/hash_output
+			rm -f "${TMP_TREE_FILE}.user"
+			rm -f /tmp/tree_output.user
+		fi
+		exit $ret
+	)
+	return $?
+}
+
 # detect and set /boot device
 # mount /boot if successful
 detect_boot_device()