mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
62 lines
1.3 KiB
Bash
Executable File
62 lines
1.3 KiB
Bash
Executable File
#!/bin/sh
|
|
# Update the /boot partition signatures
|
|
set -o pipefail
|
|
. /etc/functions
|
|
|
|
XEN="$1"
|
|
KERNEL="$2"
|
|
INITRD="$3"
|
|
BOOT_HASHES="/boot/boot.hashes"
|
|
|
|
if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
|
|
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
|
|
fi
|
|
|
|
confirm_gpg_card
|
|
|
|
# if the /boot.hashes file already exists, read the TPM counter ID
|
|
# from it.
|
|
if [ -r "$BOOT_HASHES" ]; then
|
|
TPM_COUNTER=`grep counter- "$BOOT_HASHES" | cut -d- -f2`
|
|
else
|
|
warn "$BOOT_HASHES does not exist; creating new TPM counter"
|
|
read -s -p "TPM Owner password: " tpm_password
|
|
echo
|
|
tpm counter_create \
|
|
-pwdo "$tpm_password" \
|
|
-pwdc '' \
|
|
-la 3135106223 \
|
|
| tee /tmp/counter \
|
|
|| die "Unable to create TPM counter"
|
|
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
|
|
fi
|
|
|
|
if [ -z "$TPM_COUNTER" ]; then
|
|
die "$BOOT_HASHES: TPM Counter not found?"
|
|
fi
|
|
|
|
mount -o rw,remount /boot \
|
|
|| die "Could not remount /boot"
|
|
|
|
tpm counter_increment -ix "$TPM_COUNTER" -pwdc '' \
|
|
| tee /tmp/counter-$TPM_COUNTER \
|
|
|| die "Counter increment failed"
|
|
|
|
sha256sum \
|
|
"$XEN" \
|
|
"$KERNEL" \
|
|
"$INITRD" \
|
|
"/tmp/counter-$TPM_COUNTER" \
|
|
| tee "$BOOT_HASHES"
|
|
|
|
for tries in 1 2 3; do
|
|
if gpg --detach-sign -a "$BOOT_HASHES"; then
|
|
mount -o ro,remount /boot
|
|
exit 0
|
|
fi
|
|
done
|
|
|
|
warn "$BOOT_HASHES: Unable to sign boot hashes"
|
|
mount -o ro,remount /boot
|
|
exit 1
|