mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-31 08:25:37 +00:00
8004b5df2a
Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and, if successful, boot directly to the OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery if it is not met.
26 lines
371 B
Bash
Executable File
#!/bin/sh
# Sign a valid directory of kexec params
. /etc/functions

MEDIA="$1"

if [ -z "$MEDIA" ]; then
	die "Usage: $0 /boot "
fi

# Make sure the GPG smart card is present before asking it to sign
# (confirm_gpg_card is defined in /etc/functions).
confirm_gpg_card

# Hash every kexec*.txt param file under $MEDIA and produce a detached,
# ASCII-armored signature over that hash list. The hash text itself is not
# written anywhere: the boot-time check regenerates it and verifies it
# against kexec.sig. Up to three attempts, so a mistyped card PIN does not
# abort the signing step.
for tries in 1 2 3; do
	if sha256sum $(find "$MEDIA"/kexec*.txt) | gpg \
		--digest-algo SHA256 \
		--detach-sign \
		-a \
		> "$MEDIA/kexec.sig" \
	; then
		exit 0
	fi
done

warn "$MEDIA: Unable to sign boot hashes"
exit 1
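The script above covers only the signing side; the commit message says a normal boot then re-checks the hashes and kexec params before booting. The following is an added example (not part of the heads repository) of that verification side, written as POSIX sh functions. It assumes the same layout as the signer: a directory holding kexec*.txt files and a detached kexec.sig, and a gpg keyring that already contains the signing key. The hash-list functions need only sha256sum, so they run offline; verify_signature needs gpg and the key. The filenames kexec_kernel.txt, kexec_initrd.txt and hashes.txt used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not heads' own code: verification counterpart of
# kexec-sign-config. Assumes DIR holds kexec*.txt param files.

# make_hash_list DIR OUT
# Record the sha256 of every kexec*.txt in DIR into OUT, in the same
# "hash  path" format and glob order the signer feeds to gpg.
make_hash_list() {
	dir="$1"
	out="$2"
	sha256sum "$dir"/kexec*.txt > "$out"
}

# verify_hash_list DIR LIST
# Return 0 only if every file named in LIST still hashes to the recorded
# value AND no kexec*.txt exists in DIR that LIST does not cover. The
# second check matters: a hash list proves listed files are unchanged,
# but on its own says nothing about a param file added later.
# (awk '{print $2}' assumes paths without whitespace, as in /boot.)
verify_hash_list() {
	dir="$1"
	list="$2"
	# --status: silent, exit code carries the result; a missing or
	# modified file makes sha256sum -c fail.
	sha256sum -c --status "$list" || return 1
	listed=$(awk '{print $2}' "$list" | sort)
	present=$(ls "$dir"/kexec*.txt 2>/dev/null | sort)
	[ "$listed" = "$present" ]
}

# verify_signature DIR SIG
# Regenerate the hash text exactly as the signer produced it and check the
# detached signature over it, reading the signed data from stdin ("-").
# The signature binds the exact bytes, so the glob, the directory path and
# the file order must match what the signer used. Requires gpg and the
# signer's public key in the keyring; not exercised by the offline test.
verify_signature() {
	dir="$1"
	sig="$2"
	sha256sum "$dir"/kexec*.txt | gpg --verify "$sig" - >/dev/null 2>&1
}

# check_boot_dir DIR LIST SIG
# Combined boot-time decision: signature first, then the hash list. Returns
# 0 to allow a direct boot, 1 to fall back to recovery.
check_boot_dir() {
	verify_signature "$1" "$3" || return 1
	verify_hash_list "$1" "$2" || return 1
	return 0
}
```

Usage mirrors the signer: run make_hash_list once after editing the kexec*.txt files (the signer produces the signature over the same text), and call check_boot_dir at boot with the directory, the stored list and kexec.sig. A non-zero result is the "fail to recovery" path the commit message describes; nothing in the functions prints, so the caller decides how to report it.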