8004b5df2a
Similar to qubes-update, it will save and then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and, if successful, boot directly to the OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery when it is not met.
#!/bin/sh
. /etc/functions
#######################################
# Option parsing.  Only dryrun has a default; the rest stay unset
# when their flag is absent.
#   -b DIR    directory searched for the files named in the entry (bootdir)
#   -e ENTRY  boot entry, fields separated by '|' (entry)
#   -r LIST   kernel parameters to strip from the command line (cmdremove)
#   -a LIST   kernel parameters to append to the command line (cmdadd)
#   -d        dry run: resolve and echo file paths, exit before loading
#######################################
dryrun="n"
while getopts "b:e:r:a:d" opt; do
  case "$opt" in
    b) bootdir=$OPTARG ;;
    e) entry=$OPTARG ;;
    r) cmdremove=$OPTARG ;;
    a) cmdadd=$OPTARG ;;
    d) dryrun="y" ;;
    *) ;;  # unknown flag: getopts already reported it on stderr
  esac
done
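# Split the entry "name|type|param|param..." into the kexec type and the
# newline-separated parameter lines consumed by the loop below.
# $entry is quoted so a '*' or '?' inside a kernel argument is not
# glob-expanded against the current directory and backslashes pass
# through untouched (the old unquoted `echo $entry` did both).
kexectype=$(printf '%s\n' "$entry" | cut -d'|' -f2)
kexecparams=$(printf '%s\n' "$entry" | cut -d'|' -f3- | tr '|' '\n')
kexeccmd="kexec"

# TODO: make this configurable
# Built-in defaults go first; the user's -a/-r values follow them.
cmdadd="intel_iommu=on $cmdadd"
cmdremove="quiet $cmdremove"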
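#######################################
# Resolve the file named by $firstval to a readable path under $bootdir.
# Globals:   dryrun, bootdir, firstval (read); filepath (written)
# Outputs:   in dry-run mode, echoes ".$firstval" to stdout
# Returns:   0 on success; calls die (exits) when no readable match exists
#######################################
fix_file_path() {
  if [ "$dryrun" = "y" ]; then echo ".$firstval"; fi

  # Suffix match: any path under $bootdir that ends in $firstval is
  # accepted and the last match wins.  $bootdir is quoted so a path with
  # spaces is searched as one directory (and an empty -b no longer makes
  # find silently search the current directory).
  filepath=$(find "$bootdir" -path "*$firstval" | tail -1)

  # An empty result must be rejected explicitly: the old unquoted test
  # collapsed to `[ -r ]`, which is true, so a missing file slipped past.
  if [ -z "$filepath" ] || ! [ -r "$filepath" ]; then
    die "failed to find file $firstval"
  fi
}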
#######################################
# Rewrite $cmdline: delete every word of $cmdremove, then append $cmdadd.
# Globals:   cmdremove, cmdadd (read); cmdline (read and written)
# Note:      each word of $cmdremove is used as the pattern of ${var//pat/},
#            which strips matching *substrings* rather than whole words and
#            is a busybox ash/bash extension, not plain POSIX sh.
#######################################
adjust_cmd_line() {
  # $cmdremove is deliberately unquoted so it word-splits into patterns;
  # an empty value simply produces no iterations.
  for pattern in $cmdremove; do
    cmdline="${cmdline//$pattern/}"
  done
  if [ -n "$cmdadd" ]; then
    cmdline="$cmdline $cmdadd"
  fi
}
# Walk the entry's parameter lines and grow $kexeccmd, one kexec argument
# group per line.  A line is "<key> <firstval> <restval...>"; unquoted
# $line collapses whitespace runs so the cut fields line up, and `read`
# without -r means a backslash inside a line is interpreted.
# Keys handled: kernel, module, initrd, append; any other key is ignored.
# fix_file_path sets $filepath from $firstval (dies if not found);
# adjust_cmd_line rewrites $cmdline using $cmdremove/$cmdadd.
# The string assembled here is eval'd at the end of the script, so the
# escaped quotes around --command-line/--append/--module values are real
# shell quoting, and any shell metacharacter in the entry's paths or
# arguments is interpreted by that eval as well.
first_module=y
while read line
do
  key=`echo $line | cut -d\  -f1`
  firstval=`echo $line | cut -d\  -f2`
  restval=`echo $line | cut -d\  -f3-`
  if [ "$key" = "kernel" ]; then
    if [ "$kexectype" = "xen" ]; then
      # always overload xen and with custom arguments
      # (the entry's own xen path and arguments are not used here)
      kexeccmd="$kexeccmd -l /bin/xen.gz"
      kexeccmd="$kexeccmd --command-line \"no-real-mode reboot=no\""
    elif [ "$kexectype" = "multiboot" ]; then
      # multiboot kernel: its remaining words become --command-line
      fix_file_path
      kexeccmd="$kexeccmd -l $filepath"
      kexeccmd="$kexeccmd --command-line \"$restval\""
    else
      # plain kernel: $restval is not used here; arguments come from an
      # append line, if the entry has one
      fix_file_path
      kexeccmd="$kexeccmd -l $filepath"
    fi
  fi
  if [ "$key" = "module" ]; then
    fix_file_path
    cmdline="$restval"
    # only the first module's arguments get the add/remove treatment
    if [ -n "$first_module" ]; then
      adjust_cmd_line
      unset first_module
    fi
    kexeccmd="$kexeccmd --module \"$filepath $cmdline\""
  fi
  if [ "$key" = "initrd" ]; then
    fix_file_path
    kexeccmd="$kexeccmd --initrd=$filepath"
  fi
  if [ "$key" = "append" ]; then
    # append lines name no file: $firstval is just the first argument
    cmdline="$firstval $restval"
    adjust_cmd_line
    kexeccmd="$kexeccmd --append=\"$cmdline\""
  fi
done << EOF
$kexecparams
EOF
# Dry run stops here: file paths were resolved (and echoed), nothing loads.
if [ "$dryrun" = "y" ]; then
  exit 0
fi

printf '%s\n' "Loading the new kernel:" "$kexeccmd"
# $kexeccmd was assembled as text, so eval re-parses the quoted
# --command-line/--append/--module values; that also means any shell
# metacharacter carried in from the entry is interpreted here.
eval "$kexeccmd" || die "Failed to load the new kernel"

printf '%s\n' "Starting the new kernel"
exec kexec -e