Add Root file hash feature

Currently Heads will check files in /boot for tampering before booting into a system. It would be nice if you could use the trusted environment within Heads and extend this to check files in / itself. This new script adds that functionality, however due to the length of time it takes to perform these kinds of checks, it doesn't run automatically (yet). This feature can be configured from the config GUI - the root device/ directories to check can be set, and it can be configured to run during boot. To make this a bit easier to use, I added a feature to detect whether the hash file exists and if not, to display a more limited menu to the user guiding them to create the initial hash file. Otherwise it will display the date the file was last modified, which can be useful to determine how stale it is.
2024-12-18 20:47:55 +00:00 · 2021-09-03 14:20:46 -07:00 · 2021-09-03 14:20:46 -07:00 · efc49c7425
commit efc49c7425
parent d094dcd346
12 changed files with 449 additions and 5 deletions
--- a/boards/librem_13v2/librem_13v2.config
+++ b/boards/librem_13v2/librem_13v2.config
@ -39,3 +39,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 13 v2/v3"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_13v4/librem_13v4.config
+++ b/boards/librem_13v4/librem_13v4.config
@ -39,3 +39,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 13 v4"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_14/librem_14.config
+++ b/boards/librem_14/librem_14.config
@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem 14"
 export CONFIG_FLASHROM_OPTIONS="-p internal"

 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_15v3/librem_15v3.config
+++ b/boards/librem_15v3/librem_15v3.config
@ -39,3 +39,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 15 v3"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_15v4/librem_15v4.config
+++ b/boards/librem_15v4/librem_15v4.config
@ -39,3 +39,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 15 v4"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_l1um/librem_l1um.config
+++ b/boards/librem_l1um/librem_l1um.config
@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem Server L1UM"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_USB_KEYBOARD=y
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_mini/librem_mini.config
+++ b/boards/librem_mini/librem_mini.config
@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem Mini"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_USB_KEYBOARD=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/boards/librem_mini_v2/librem_mini_v2.config
+++ b/boards/librem_mini_v2/librem_mini_v2.config
@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem Mini v2"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_USB_KEYBOARD=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@ -7,6 +7,8 @@ set -e -o pipefail

 TRACE "Under /bin/config-gui.sh"

+ROOT_HASH_FILE="/boot/kexec_root_hashes.txt"
+
 param=$1

 while true; do
@ -19,8 +21,11 @@ while true; do
    whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
    --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
    'b' ' Change the /boot device' \
-    's' ' Save the current configuration to the running BIOS' \
    'r' ' Clear GPG key(s) and reset all user settings' \
+    'R' ' Change the root device for hashing' \
+    'D' ' Change the root directories to hash' \
+    'B' ' Check root hashes at boot' \
+    's' ' Save the current configuration to the running BIOS' \
    'x' ' Return to Main Menu' \
    2>/tmp/whiptail || recovery "GUI menu failed"

@ -136,6 +141,97 @@ while true; do
        exit 0
      fi
    ;;
+    "R" )
+      CURRENT_OPTION=`grep 'CONFIG_ROOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
+      fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt
+      # filter out extraneous options
+      > /tmp/root_device_list.txt
+      for i in `cat /tmp/disklist.txt`; do
+        # remove block device from list if numeric partitions exist, since not bootable
+        DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
+        if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
+          echo $i >> /tmp/root_device_list.txt
+        else
+          ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/root_device_list.txt
+        fi
+      done
+      file_selector "/tmp/root_device_list.txt" \
+          "Choose the default root device.\n\nCurrently set to $CURRENT_OPTION." \
+          "Root Device Selection"
+      if [ "$FILE" == "" ]; then
+        return
+      else
+        SELECTED_FILE=$FILE
+      fi
+
+      replace_config /etc/config.user "CONFIG_ROOT_DEV" "$SELECTED_FILE"
+      combine_configs
+
+      whiptail --title 'Config change successful' \
+        --msgbox "The root device was successfully changed to $SELECTED_FILE" 0 80
+    ;;
+    "D" )
+      CURRENT_OPTION=`grep 'CONFIG_ROOT_DIRLIST=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
+      
+      echo "The current list of directories to hash is $CURRENT_OPTION"
+      echo -e "\nEnter the new list of directories separated by spaces, without any beginning forward slashes:"
+      echo -e "(Press enter with the list empty to cancel)"
+      read -r NEW_CONFIG_ROOT_DIRLIST
+
+      # strip any leading forward slashes in case the user ignored us
+      NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g')
+
+      #check if list empty
+      if [ -s $NEW_CONFIG_ROOT_DIRLIST ] ; then
+        whiptail --title 'Config change canceled' \
+        --msgbox "Root device directory change canceled by user" 0 80
+        break
+      fi
+
+      replace_config /etc/config.user "CONFIG_ROOT_DIRLIST" "$NEW_CONFIG_ROOT_DIRLIST"
+      combine_configs
+
+      whiptail --title 'Config change successful' \
+        --msgbox "The root directories to hash was successfully changed to:\n$NEW_CONFIG_ROOT_DIRLIST" 0 80
+    ;;
+    "B" )
+      CURRENT_OPTION=`grep 'CONFIG_ROOT_CHECK_AT_BOOT=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
+      if [ "$CURRENT_OPTION" = "n" ]; then
+        if (whiptail --title 'Enable Root Hash Check at Boot?' \
+             --yesno "This will enable checking root hashes each time you boot.
+                    \nDepending on the directories you are checking, this might add
+                    \na minute or more to the boot time.
+                    \n\nDo you want to proceed?" 0 80) then
+
+          replace_config /etc/config.user "CONFIG_ROOT_CHECK_AT_BOOT" "y"
+          combine_configs
+
+          # check that root hash file exists
+          if [ ! -f ${ROOT_HASH_FILE} ]; then
+            if (whiptail --title 'Generate Root Hash File' \
+                --yesno "\nNo root hash file exists.
+                        \nWould you like to create the initial hash file now?" 0 80) then
+                root-hashes-gui.sh -n
+              fi
+          fi
+
+          whiptail --title 'Config change successful' \
+            --msgbox "The root device will be checked at each boot." 0 80
+
+        fi
+      else
+        if (whiptail --title 'Disable Root Hash Check at Boot?' \
+             --yesno "This will disable checking root hashes each time you boot.
+                    \n\nDo you want to proceed?" 0 80) then
+
+          replace_config /etc/config.user "CONFIG_ROOT_CHECK_AT_BOOT" "n"
+          combine_configs
+
+          whiptail --title 'Config change successful' \
+            --msgbox "The root device will not be checked at each boot." 0 80
+        fi
+      fi
+    ;;
  esac

 done
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -416,8 +416,9 @@ show_options_menu()
    'f' ' Flash/Update the BIOS -->' \
    'g' ' GPG Options -->' \
    'F' ' OEM Factory Reset / Re-Ownership -->' \
-    'R' ' Reencrypt LUKS container -->' \
-    'C' ' Change LUKS Disk Recovery Key passphrase ->' \
+    'C' ' Reencrypt LUKS container -->' \
+    'P' ' Change LUKS Disk Recovery Key passphrase ->' \
+    'R' ' Check/Update file hashes on root disk -->' \
    'x' ' Exit to recovery shell' \
    'r' ' <-- Return to main menu' \
    2>/tmp/whiptail || recovery "GUI menu failed"
@ -445,14 +446,17 @@ show_options_menu()
    F )
      oem-factory-reset
      ;;
-    R )
+    C )
      luks_reencrypt
      luks_secrets_cleanup
      ;;
-    C )
+    P )
      luks_change_passphrase
      luks_secrets_cleanup
      ;;
+    R )
+      root-hashes-gui.sh
+      ;;
    x )
      recovery "User requested recovery shell"
      ;;
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@ -82,6 +82,23 @@ verify_global_hashes()
 		fi
 		die "$TMP_HASH_FILE: boot hash mismatch"
 	fi
+  # If user enables it, check root hashes before boot as well
+  if [[ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" && "$force_menu" == "n" ]]; then
+    if root-hashes-gui.sh -c; then
+      echo "+++ Verified root hashes, continuing boot "
+      # if user re-signs, it wipes out saved options, so scan the boot directory and generate
+      if [ ! -r "$TMP_MENU_FILE" ]; then
+        scan_options
+      fi
+    else
+      # root-hashes-gui.sh handles the GUI error menu, just die here
+      if [ "$gui_menu" = "y" ]; then
+        whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
+          --msgbox "The root hash check failed!\nExiting to a recovery shell" 16 60
+      fi
+      die "root hash mismatch, see /tmp/hash_output_mismatches for details"
+    fi
+  fi
 }

 verify_rollback_counter()
--- a/initrd/bin/root-hashes-gui.sh
+++ b/initrd/bin/root-hashes-gui.sh
@ -0,0 +1,303 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+HASH_FILE="/boot/kexec_root_hashes.txt"
+ROOT_MOUNT="/root"
+
+. /etc/functions
+. /etc/gui_functions
+. /tmp/config
+
+export CONFIG_ROOT_DIRLIST_PRETTY=$(echo $CONFIG_ROOT_DIRLIST | sed -e 's/^/\//;s/ / \//g')
+
+update_root_checksums() {
+  if ! detect_root_device; then
+    whiptail $BG_COLOR_ERROR --title 'ERROR: No Valid Root Disk Found' \
+      --msgbox "No Valid Root Disk Found" 16 60
+    die "No Valid Root Disk Found"
+  fi
+
+  # mount /boot RW
+  if ! grep -q /boot /proc/mounts ; then
+    if ! mount -o rw /boot; then
+       unmount_root_device
+       whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
+         --msgbox "Unable to mount /boot" 16 60
+       die "Unable to mount /boot"
+    fi
+  else
+    mount -o rw,remount /boot
+  fi
+
+  echo "+++ Calculating hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY "
+  cd $ROOT_MOUNT && find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum | tee ${HASH_FILE}
+  
+  # switch back to ro mode
+  mount -o ro,remount /boot
+
+  update_checksums
+
+  whiptail --title 'Root Hashes Updated and Signed' \
+    --msgbox "All files in:\n$CONFIG_ROOT_DIRLIST_PRETTY\nhave been hashed and signed successfully" 16 60
+
+  unmount_root_device
+}
+check_root_checksums() {
+  if ! detect_root_device; then
+    whiptail $BG_COLOR_ERROR --title 'ERROR: No Valid Root Disk Found' \
+      --msgbox "No Valid Root Disk Found" 16 60
+    die "No Valid Root Disk Found"
+  fi
+
+  # mount /boot RO
+  if ! grep -q /boot /proc/mounts ; then
+    if ! mount -o ro /boot; then
+       unmount_root_device
+       whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
+         --msgbox "Unable to mount /boot" 16 60
+       die "Unable to mount /boot"
+    fi
+  fi
+
+  # check that root hash file exists
+  if [ ! -f ${HASH_FILE} ]; then
+     if (whiptail $BG_COLOR_WARNING --title 'WARNING: No Root Hash File Found' \
+        --yesno "\nIf you just enabled root hash checking feature,
+                \nthen you need to create the initial hash file.
+                \nOtherwise, This could be caused by tampering.
+                \n
+                \nWould you like to create the hash file now?" 0 80) then
+        update_root_checksums
+        return 0
+      else
+        exit 1
+      fi
+  fi
+
+  echo "+++ Checking root hash file signature "
+  if ! sha256sum `find /boot/kexec*.txt` | gpgv /boot/kexec.sig - > /tmp/hash_output; then
+    ERROR=`cat /tmp/hash_output`
+    whiptail $BG_COLOR_ERROR --title 'ERROR: Signature Failure' \
+      --msgbox "The signature check on hash files failed:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
+    unmount_root_device
+    die 'Invalid signature'
+  fi
+
+  echo "+++ Checking for new files in $CONFIG_ROOT_DIRLIST_PRETTY "
+  find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' | sort > /tmp/new_file_list
+  cut -d' ' -f3- ${HASH_FILE} | sort | diff -U0 - /tmp/new_file_list > /tmp/new_file_diff || new_files_found=y
+  if [ "$new_files_found" == "y" ]; then
+    grep -E -v '^[+-]{3}|[@]{2} ' /tmp/new_file_diff > /tmp/new_file_diff2 # strip any output that's not a file
+    mv /tmp/new_file_diff2 /tmp/new_file_diff
+    CHANGED_FILES_COUNT=$(wc -l /tmp/new_file_diff | cut -f1 -d ' ')
+    whiptail $BG_COLOR_ERROR --title 'ERROR: Files Added/Removed in Root ' \
+      --msgbox "${CHANGED_FILES_COUNT} files were added/removed in root!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return to the menu." 16 60
+
+    echo "Type \"q\" to exit the list and return to the menu." >> /tmp/new_file_diff
+    less /tmp/new_file_diff
+  else
+    echo "+++ Verified no files added/removed "
+  fi
+
+  echo "+++ Checking hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY (this might take a while) "
+  if cd $ROOT_MOUNT && sha256sum -c ${HASH_FILE} > /tmp/hash_output 2>/dev/null; then
+    echo "+++ Verified root hashes "
+    valid_hash='y'
+    unmount_root_device
+
+    if [ "$new_files_found" == "y" ]; then
+      if (whiptail --title 'ERROR: New Files Added/Removed in Root' \
+        --yesno "New files were added/removed in root.
+                \n
+                \nThis could be caused by tampering or by routine software updates.
+                \n
+                \nIf you just updated the software on your system, then that is likely
+                \nthe cause and you should update your file signatures.
+                \n
+                \nWould you like to update your signatures now?" 0 80) then
+
+        update_root_checksums
+
+        return 0
+      else
+        return 1
+      fi
+    fi
+    return 0
+  else
+    CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':' | tee -a /tmp/hash_output_mismatches)
+    CHANGED_FILES_COUNT=$(wc -l /tmp/hash_output_mismatches | cut -f1 -d ' ')
+    whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
+      --msgbox "${CHANGED_FILES_COUNT} files failed the verification process!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return to the menu." 16 60
+    unmount_root_device
+
+    echo "Type \"q\" to exit the list and return to the menu." >> /tmp/hash_output_mismatches
+    less /tmp/hash_output_mismatches
+
+    #move outdated hash mismatch list
+    mv /tmp/hash_output_mismatches /tmp/hash_output_mismatch_old
+
+    if (whiptail --title 'ERROR: Root Hash Check Failed' \
+      --yesno "The root hash check failed.
+              \n
+              \nThis could be caused by tampering or by routine software updates.
+              \n
+              \nIf you just updated the software on your system, then that is likely
+              \nthe cause and you should update your file signatures.
+              \n
+              \nWould you like to update your signatures now?" 0 80) then
+
+      update_root_checksums
+      return 0
+    else
+      return 1
+    fi
+  fi
+}
+# detect and set /root device
+# mount /root if successful
+detect_root_device()
+{
+  echo "+++ Detecting root device "
+
+  if [ ! -e $ROOT_MOUNT ]; then
+    mkdir -p $ROOT_MOUNT
+  fi
+  # unmount $ROOT_MOUNT to be safe
+  cd / && umount $ROOT_MOUNT 2>/dev/null
+
+  # check $CONFIG_ROOT_DEV if set/valid
+  if [ -e "$CONFIG_ROOT_DEV" ]; then
+    if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then
+      if cryptsetup luksOpen $CONFIG_ROOT_DEV rootdisk; then
+        if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
+          if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS
+            return 0
+          fi
+        fi
+      fi
+    fi
+  fi
+
+  # generate list of possible boot devices
+  fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
+
+  # filter out extraneous options
+  > /tmp_root_device_list
+  for i in `cat /tmp/disklist`; do
+    # remove block device from list if numeric partitions exist
+    DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
+    if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
+      echo $i >> /tmp_root_device_list
+    else
+      ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp_root_device_list
+    fi
+  done
+
+  # iterate thru possible options and check for LUKS
+  for i in `cat /tmp_root_device_list`; do
+    if cryptsetup isLuks $i >/dev/null 2>&1; then
+      if cryptsetup luksOpen $i rootdisk; then
+        if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
+          if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then
+            # CONFIG_ROOT_DEV is valid device and contains an installed OS
+            CONFIG_ROOT_DEV="$i"
+            return 0
+          fi
+        fi
+      fi
+    fi
+  done
+
+  # no valid root device found
+  echo "Unable to locate $ROOT_MOUNT files on any mounted disk"
+  unmount_root_device
+  return 1
+}
+unmount_root_device()
+{
+  cd /
+  umount $ROOT_MOUNT 2>/dev/null
+  cryptsetup luksClose rootdisk
+}
+
+checkonly="n"
+createnew="n"
+while getopts ":hcn" arg; do
+	case $arg in
+		c) checkonly="y" ;;
+		n) createnew="y" ;;
+		h) echo "Usage: $0 [-c|-h|-n]"; exit 0 ;;
+  esac
+done
+
+if [ "$checkonly" = "y" ]; then
+  check_root_checksums
+  if [ -e /tmp/hash_output_mismatches ]; then # if this file exists, there were errors
+    exit 1
+  else
+    exit 0
+  fi
+fi
+
+if [ "$createnew" = "y" ]; then
+  update_root_checksums
+  exit 0
+fi
+
+while true; do
+  unset menu_choice
+
+  # mount /boot RO to detect hash file
+  if ! grep -q /boot /proc/mounts ; then
+    if ! mount -o ro /boot; then
+       unmount_root_device
+       whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
+         --msgbox "Unable to mount /boot" 16 60
+       die "Unable to mount /boot"
+    fi
+  fi
+
+  if [ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" ]; then
+    AT_BOOT="enabled"
+  else
+    AT_BOOT="disabled"
+  fi
+  if [ -e "$HASH_FILE" ]; then
+    HASH_FILE_DATE=$(stat -c %y ${HASH_FILE})
+    whiptail --title "Root Disk Verification Menu" \
+      --menu "This feature lets you detect tampering in files on your root disk.\n\nHash file last updated: ${HASH_FILE_DATE}\n\nYou can check and update hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 0 80 10 \
+      'c' ' Check root hashes' \
+      'u' ' Update root hashes' \
+      'x' ' Exit' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+  else
+    whiptail --title "Root Disk Verification Menu" \
+      --menu "This feature lets you detect tampering in files on your root disk.\n\nNo hash file has been created yet\n\nYou can create hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 0 80 10 \
+      'u' ' Create root hashes' \
+      'x' ' Exit' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+  fi
+
+  menu_choice=$(cat /tmp/whiptail)
+
+  case "$menu_choice" in
+    "x" )
+      exit 0
+    ;;
+    "c" )
+      check_root_checksums
+      if [ $? -eq 0 ]; then
+        whiptail --title 'Verified Root Hashes' \
+          --msgbox "All files in $CONFIG_ROOT_DIRLIST_PRETTY passed the verification process" 16 60
+      fi
+    ;;
+    "u" )
+      update_root_checksums
+    ;;
+  esac
+
+done
+exit 0