mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-20 21:43:11 +00:00
efc49c7425
Currently Heads will check files in /boot for tampering before booting into a system. It would be nice if you could use the trusted environment within Heads and extend this to check files in / itself. This new script adds that functionality, however due to the length of time it takes to perform these kinds of checks, it doesn't run automatically (yet). This feature can be configured from the config GUI - the root device/ directories to check can be set, and it can be configured to run during boot. To make this a bit easier to use, I added a feature to detect whether the hash file exists and if not, to display a more limited menu to the user guiding them to create the initial hash file. Otherwise it will display the date the file was last modified, which can be useful to determine how stale it is.
304 lines
9.9 KiB
Bash
Executable File
304 lines
9.9 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
set -e -o pipefail
|
|
|
|
CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
|
|
HASH_FILE="/boot/kexec_root_hashes.txt"
|
|
ROOT_MOUNT="/root"
|
|
|
|
. /etc/functions
|
|
. /etc/gui_functions
|
|
. /tmp/config
|
|
|
|
export CONFIG_ROOT_DIRLIST_PRETTY=$(echo $CONFIG_ROOT_DIRLIST | sed -e 's/^/\//;s/ / \//g')
|
|
|
|
update_root_checksums() {
|
|
if ! detect_root_device; then
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: No Valid Root Disk Found' \
|
|
--msgbox "No Valid Root Disk Found" 16 60
|
|
die "No Valid Root Disk Found"
|
|
fi
|
|
|
|
# mount /boot RW
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
if ! mount -o rw /boot; then
|
|
unmount_root_device
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
|
|
--msgbox "Unable to mount /boot" 16 60
|
|
die "Unable to mount /boot"
|
|
fi
|
|
else
|
|
mount -o rw,remount /boot
|
|
fi
|
|
|
|
echo "+++ Calculating hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY "
|
|
cd $ROOT_MOUNT && find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum | tee ${HASH_FILE}
|
|
|
|
# switch back to ro mode
|
|
mount -o ro,remount /boot
|
|
|
|
update_checksums
|
|
|
|
whiptail --title 'Root Hashes Updated and Signed' \
|
|
--msgbox "All files in:\n$CONFIG_ROOT_DIRLIST_PRETTY\nhave been hashed and signed successfully" 16 60
|
|
|
|
unmount_root_device
|
|
}
|
|
check_root_checksums() {
|
|
if ! detect_root_device; then
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: No Valid Root Disk Found' \
|
|
--msgbox "No Valid Root Disk Found" 16 60
|
|
die "No Valid Root Disk Found"
|
|
fi
|
|
|
|
# mount /boot RO
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
if ! mount -o ro /boot; then
|
|
unmount_root_device
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
|
|
--msgbox "Unable to mount /boot" 16 60
|
|
die "Unable to mount /boot"
|
|
fi
|
|
fi
|
|
|
|
# check that root hash file exists
|
|
if [ ! -f ${HASH_FILE} ]; then
|
|
if (whiptail $BG_COLOR_WARNING --title 'WARNING: No Root Hash File Found' \
|
|
--yesno "\nIf you just enabled root hash checking feature,
|
|
\nthen you need to create the initial hash file.
|
|
\nOtherwise, This could be caused by tampering.
|
|
\n
|
|
\nWould you like to create the hash file now?" 0 80) then
|
|
update_root_checksums
|
|
return 0
|
|
else
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
echo "+++ Checking root hash file signature "
|
|
if ! sha256sum `find /boot/kexec*.txt` | gpgv /boot/kexec.sig - > /tmp/hash_output; then
|
|
ERROR=`cat /tmp/hash_output`
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: Signature Failure' \
|
|
--msgbox "The signature check on hash files failed:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
|
|
unmount_root_device
|
|
die 'Invalid signature'
|
|
fi
|
|
|
|
echo "+++ Checking for new files in $CONFIG_ROOT_DIRLIST_PRETTY "
|
|
find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' | sort > /tmp/new_file_list
|
|
cut -d' ' -f3- ${HASH_FILE} | sort | diff -U0 - /tmp/new_file_list > /tmp/new_file_diff || new_files_found=y
|
|
if [ "$new_files_found" == "y" ]; then
|
|
grep -E -v '^[+-]{3}|[@]{2} ' /tmp/new_file_diff > /tmp/new_file_diff2 # strip any output that's not a file
|
|
mv /tmp/new_file_diff2 /tmp/new_file_diff
|
|
CHANGED_FILES_COUNT=$(wc -l /tmp/new_file_diff | cut -f1 -d ' ')
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: Files Added/Removed in Root ' \
|
|
--msgbox "${CHANGED_FILES_COUNT} files were added/removed in root!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return to the menu." 16 60
|
|
|
|
echo "Type \"q\" to exit the list and return to the menu." >> /tmp/new_file_diff
|
|
less /tmp/new_file_diff
|
|
else
|
|
echo "+++ Verified no files added/removed "
|
|
fi
|
|
|
|
echo "+++ Checking hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY (this might take a while) "
|
|
if cd $ROOT_MOUNT && sha256sum -c ${HASH_FILE} > /tmp/hash_output 2>/dev/null; then
|
|
echo "+++ Verified root hashes "
|
|
valid_hash='y'
|
|
unmount_root_device
|
|
|
|
if [ "$new_files_found" == "y" ]; then
|
|
if (whiptail --title 'ERROR: New Files Added/Removed in Root' \
|
|
--yesno "New files were added/removed in root.
|
|
\n
|
|
\nThis could be caused by tampering or by routine software updates.
|
|
\n
|
|
\nIf you just updated the software on your system, then that is likely
|
|
\nthe cause and you should update your file signatures.
|
|
\n
|
|
\nWould you like to update your signatures now?" 0 80) then
|
|
|
|
update_root_checksums
|
|
|
|
return 0
|
|
else
|
|
return 1
|
|
fi
|
|
fi
|
|
return 0
|
|
else
|
|
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':' | tee -a /tmp/hash_output_mismatches)
|
|
CHANGED_FILES_COUNT=$(wc -l /tmp/hash_output_mismatches | cut -f1 -d ' ')
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
|
|
--msgbox "${CHANGED_FILES_COUNT} files failed the verification process!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return to the menu." 16 60
|
|
unmount_root_device
|
|
|
|
echo "Type \"q\" to exit the list and return to the menu." >> /tmp/hash_output_mismatches
|
|
less /tmp/hash_output_mismatches
|
|
|
|
#move outdated hash mismatch list
|
|
mv /tmp/hash_output_mismatches /tmp/hash_output_mismatch_old
|
|
|
|
if (whiptail --title 'ERROR: Root Hash Check Failed' \
|
|
--yesno "The root hash check failed.
|
|
\n
|
|
\nThis could be caused by tampering or by routine software updates.
|
|
\n
|
|
\nIf you just updated the software on your system, then that is likely
|
|
\nthe cause and you should update your file signatures.
|
|
\n
|
|
\nWould you like to update your signatures now?" 0 80) then
|
|
|
|
update_root_checksums
|
|
return 0
|
|
else
|
|
return 1
|
|
fi
|
|
fi
|
|
}
|
|
# detect and set /root device
|
|
# mount /root if successful
|
|
detect_root_device()
|
|
{
|
|
echo "+++ Detecting root device "
|
|
|
|
if [ ! -e $ROOT_MOUNT ]; then
|
|
mkdir -p $ROOT_MOUNT
|
|
fi
|
|
# unmount $ROOT_MOUNT to be safe
|
|
cd / && umount $ROOT_MOUNT 2>/dev/null
|
|
|
|
# check $CONFIG_ROOT_DEV if set/valid
|
|
if [ -e "$CONFIG_ROOT_DEV" ]; then
|
|
if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then
|
|
if cryptsetup luksOpen $CONFIG_ROOT_DEV rootdisk; then
|
|
if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
|
|
if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS
|
|
return 0
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# generate list of possible boot devices
|
|
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
|
|
|
|
# filter out extraneous options
|
|
> /tmp_root_device_list
|
|
for i in `cat /tmp/disklist`; do
|
|
# remove block device from list if numeric partitions exist
|
|
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
|
|
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
|
|
echo $i >> /tmp_root_device_list
|
|
else
|
|
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp_root_device_list
|
|
fi
|
|
done
|
|
|
|
# iterate thru possible options and check for LUKS
|
|
for i in `cat /tmp_root_device_list`; do
|
|
if cryptsetup isLuks $i >/dev/null 2>&1; then
|
|
if cryptsetup luksOpen $i rootdisk; then
|
|
if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
|
|
if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then
|
|
# CONFIG_ROOT_DEV is valid device and contains an installed OS
|
|
CONFIG_ROOT_DEV="$i"
|
|
return 0
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# no valid root device found
|
|
echo "Unable to locate $ROOT_MOUNT files on any mounted disk"
|
|
unmount_root_device
|
|
return 1
|
|
}
|
|
unmount_root_device()
|
|
{
|
|
cd /
|
|
umount $ROOT_MOUNT 2>/dev/null
|
|
cryptsetup luksClose rootdisk
|
|
}
|
|
|
|
checkonly="n"
|
|
createnew="n"
|
|
while getopts ":hcn" arg; do
|
|
case $arg in
|
|
c) checkonly="y" ;;
|
|
n) createnew="y" ;;
|
|
h) echo "Usage: $0 [-c|-h|-n]"; exit 0 ;;
|
|
esac
|
|
done
|
|
|
|
if [ "$checkonly" = "y" ]; then
|
|
check_root_checksums
|
|
if [ -e /tmp/hash_output_mismatches ]; then # if this file exists, there were errors
|
|
exit 1
|
|
else
|
|
exit 0
|
|
fi
|
|
fi
|
|
|
|
if [ "$createnew" = "y" ]; then
|
|
update_root_checksums
|
|
exit 0
|
|
fi
|
|
|
|
while true; do
|
|
unset menu_choice
|
|
|
|
# mount /boot RO to detect hash file
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
if ! mount -o ro /boot; then
|
|
unmount_root_device
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
|
|
--msgbox "Unable to mount /boot" 16 60
|
|
die "Unable to mount /boot"
|
|
fi
|
|
fi
|
|
|
|
if [ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" ]; then
|
|
AT_BOOT="enabled"
|
|
else
|
|
AT_BOOT="disabled"
|
|
fi
|
|
if [ -e "$HASH_FILE" ]; then
|
|
HASH_FILE_DATE=$(stat -c %y ${HASH_FILE})
|
|
whiptail --title "Root Disk Verification Menu" \
|
|
--menu "This feature lets you detect tampering in files on your root disk.\n\nHash file last updated: ${HASH_FILE_DATE}\n\nYou can check and update hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 0 80 10 \
|
|
'c' ' Check root hashes' \
|
|
'u' ' Update root hashes' \
|
|
'x' ' Exit' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
else
|
|
whiptail --title "Root Disk Verification Menu" \
|
|
--menu "This feature lets you detect tampering in files on your root disk.\n\nNo hash file has been created yet\n\nYou can create hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 0 80 10 \
|
|
'u' ' Create root hashes' \
|
|
'x' ' Exit' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
fi
|
|
|
|
menu_choice=$(cat /tmp/whiptail)
|
|
|
|
case "$menu_choice" in
|
|
"x" )
|
|
exit 0
|
|
;;
|
|
"c" )
|
|
check_root_checksums
|
|
if [ $? -eq 0 ]; then
|
|
whiptail --title 'Verified Root Hashes' \
|
|
--msgbox "All files in $CONFIG_ROOT_DIRLIST_PRETTY passed the verification process" 16 60
|
|
fi
|
|
;;
|
|
"u" )
|
|
update_root_checksums
|
|
;;
|
|
esac
|
|
|
|
done
|
|
exit 0
|