mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-18 02:39:59 +00:00
887c79065e
Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes. |
||
|---|---|---|
| .. | ||
| flashrom-kgpe-d16-openbmc.sh | ||
| flashrom-kgpe-d16.sh | ||
| flashrom-x230.sh | ||
| generic-init | ||
| gpgv | ||
| gui-init | ||
| kexec-boot | ||
| kexec-insert-key | ||
| kexec-iso-init | ||
| kexec-parse-boot | ||
| kexec-save-default | ||
| kexec-save-key | ||
| kexec-seal-key | ||
| kexec-select-boot | ||
| kexec-sign-config | ||
| kexec-unseal-key | ||
| mount-usb | ||
| network-init-recovery | ||
| poweroff | ||
| qubes-measure-luks | ||
| reboot | ||
| seal-totp | ||
| tpm-reset | ||
| unseal-totp | ||
| usb-init | ||
| usb-scan | ||
| wget-measure.sh | ||
| x230-flash.init | ||