ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 13:07:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f6134e9c35
heads/initrd/bin/root-hashes-gui.sh
Kyle Rankin efc49c7425
Add Root file hash feature 
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
2023-06-21 13:26:37 -04:00

304 lines
9.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -e -o pipefail
CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
HASH_FILE="/boot/kexec_root_hashes.txt"
ROOT_MOUNT="/root"
. /etc/functions
. /etc/gui_functions
. /tmp/config
export CONFIG_ROOT_DIRLIST_PRETTY=$(echo $CONFIG_ROOT_DIRLIST | sed -e 's/^/\//;s/ / \//g')
update_root_checksums() {
if ! detect_root_device; then
whiptail $BG_COLOR_ERROR --title 'ERROR: No Valid Root Disk Found' \
--msgbox "No Valid Root Disk Found" 16 60
die "No Valid Root Disk Found"
fi
# mount /boot RW
if ! grep -q /boot /proc/mounts ; then
if ! mount -o rw /boot; then
unmount_root_device
whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
--msgbox "Unable to mount /boot" 16 60
die "Unable to mount /boot"
fi
else
mount -o rw,remount /boot
fi
echo "+++ Calculating hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY "
cd $ROOT_MOUNT && find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum | tee ${HASH_FILE}
# switch back to ro mode
mount -o ro,remount /boot
update_checksums
whiptail --title 'Root Hashes Updated and Signed' \
--msgbox "All files in:\n$CONFIG_ROOT_DIRLIST_PRETTY\nhave been hashed and signed successfully" 16 60
unmount_root_device
}
check_root_checksums() {
if ! detect_root_device; then
whiptail $BG_COLOR_ERROR --title 'ERROR: No Valid Root Disk Found' \
--msgbox "No Valid Root Disk Found" 16 60
die "No Valid Root Disk Found"
fi
# mount /boot RO
if ! grep -q /boot /proc/mounts ; then
if ! mount -o ro /boot; then
unmount_root_device
whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
--msgbox "Unable to mount /boot" 16 60
die "Unable to mount /boot"
fi
fi
# check that root hash file exists
if [ ! -f ${HASH_FILE} ]; then
if (whiptail $BG_COLOR_WARNING --title 'WARNING: No Root Hash File Found' \
--yesno "\nIf you just enabled root hash checking feature,
\nthen you need to create the initial hash file.
\nOtherwise, This could be caused by tampering.
\n
\nWould you like to create the hash file now?" 0 80) then
update_root_checksums
return 0
else
exit 1
fi
fi
echo "+++ Checking root hash file signature "
if ! sha256sum `find /boot/kexec*.txt` | gpgv /boot/kexec.sig - > /tmp/hash_output; then
ERROR=`cat /tmp/hash_output`
whiptail $BG_COLOR_ERROR --title 'ERROR: Signature Failure' \
--msgbox "The signature check on hash files failed:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
unmount_root_device
die 'Invalid signature'
fi
echo "+++ Checking for new files in $CONFIG_ROOT_DIRLIST_PRETTY "
find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' | sort > /tmp/new_file_list
cut -d' ' -f3- ${HASH_FILE} | sort | diff -U0 - /tmp/new_file_list > /tmp/new_file_diff || new_files_found=y
if [ "$new_files_found" == "y" ]; then
grep -E -v '^[+-]{3}|[@]{2} ' /tmp/new_file_diff > /tmp/new_file_diff2 # strip any output that's not a file
mv /tmp/new_file_diff2 /tmp/new_file_diff
CHANGED_FILES_COUNT=$(wc -l /tmp/new_file_diff | cut -f1 -d ' ')
whiptail $BG_COLOR_ERROR --title 'ERROR: Files Added/Removed in Root ' \
--msgbox "${CHANGED_FILES_COUNT} files were added/removed in root!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return to the menu." 16 60
echo "Type \"q\" to exit the list and return to the menu." >> /tmp/new_file_diff
less /tmp/new_file_diff
else
echo "+++ Verified no files added/removed "
fi
echo "+++ Checking hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY (this might take a while) "
if cd $ROOT_MOUNT && sha256sum -c ${HASH_FILE} > /tmp/hash_output 2>/dev/null; then
echo "+++ Verified root hashes "
valid_hash='y'
unmount_root_device
if [ "$new_files_found" == "y" ]; then
if (whiptail --title 'ERROR: New Files Added/Removed in Root' \
--yesno "New files were added/removed in root.
\n
\nThis could be caused by tampering or by routine software updates.
\n
\nIf you just updated the software on your system, then that is likely
\nthe cause and you should update your file signatures.
\n
\nWould you like to update your signatures now?" 0 80) then
update_root_checksums
return 0
else
return 1
fi
fi
return 0
else
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':' | tee -a /tmp/hash_output_mismatches)
CHANGED_FILES_COUNT=$(wc -l /tmp/hash_output_mismatches | cut -f1 -d ' ')
whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
--msgbox "${CHANGED_FILES_COUNT} files failed the verification process!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return to the menu." 16 60
unmount_root_device
echo "Type \"q\" to exit the list and return to the menu." >> /tmp/hash_output_mismatches
less /tmp/hash_output_mismatches
#move outdated hash mismatch list
mv /tmp/hash_output_mismatches /tmp/hash_output_mismatch_old
if (whiptail --title 'ERROR: Root Hash Check Failed' \
--yesno "The root hash check failed.
\n
\nThis could be caused by tampering or by routine software updates.
\n
\nIf you just updated the software on your system, then that is likely
\nthe cause and you should update your file signatures.
\n
\nWould you like to update your signatures now?" 0 80) then
update_root_checksums
return 0
else
return 1
fi
fi
}
# detect and set /root device
# mount /root if successful
detect_root_device()
{
echo "+++ Detecting root device "
if [ ! -e $ROOT_MOUNT ]; then
mkdir -p $ROOT_MOUNT
fi
# unmount $ROOT_MOUNT to be safe
cd / && umount $ROOT_MOUNT 2>/dev/null
# check $CONFIG_ROOT_DEV if set/valid
if [ -e "$CONFIG_ROOT_DEV" ]; then
if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then
if cryptsetup luksOpen $CONFIG_ROOT_DEV rootdisk; then
if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS
return 0
fi
fi
fi
fi
fi
# generate list of possible boot devices
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
# filter out extraneous options
> /tmp_root_device_list
for i in `cat /tmp/disklist`; do
# remove block device from list if numeric partitions exist
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp_root_device_list
else
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp_root_device_list
fi
done
# iterate thru possible options and check for LUKS
for i in `cat /tmp_root_device_list`; do
if cryptsetup isLuks $i >/dev/null 2>&1; then
if cryptsetup luksOpen $i rootdisk; then
if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then
# CONFIG_ROOT_DEV is valid device and contains an installed OS
CONFIG_ROOT_DEV="$i"
return 0
fi
fi
fi
fi
done
# no valid root device found
echo "Unable to locate $ROOT_MOUNT files on any mounted disk"
unmount_root_device
return 1
}
unmount_root_device()
{
cd /
umount $ROOT_MOUNT 2>/dev/null
cryptsetup luksClose rootdisk
}
checkonly="n"
createnew="n"
while getopts ":hcn" arg; do
case $arg in
c) checkonly="y" ;;
n) createnew="y" ;;
h) echo "Usage: $0 [-c|-h|-n]"; exit 0 ;;
esac
done
if [ "$checkonly" = "y" ]; then
check_root_checksums
if [ -e /tmp/hash_output_mismatches ]; then # if this file exists, there were errors
exit 1
else
exit 0
fi
fi
if [ "$createnew" = "y" ]; then
update_root_checksums
exit 0
fi
while true; do
unset menu_choice
# mount /boot RO to detect hash file
if ! grep -q /boot /proc/mounts ; then
if ! mount -o ro /boot; then
unmount_root_device
whiptail $BG_COLOR_ERROR --title 'ERROR: Unable to mount /boot' \
--msgbox "Unable to mount /boot" 16 60
die "Unable to mount /boot"
fi
fi
if [ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" ]; then
AT_BOOT="enabled"
else
AT_BOOT="disabled"
fi
if [ -e "$HASH_FILE" ]; then
HASH_FILE_DATE=$(stat -c %y ${HASH_FILE})
whiptail --title "Root Disk Verification Menu" \
--menu "This feature lets you detect tampering in files on your root disk.\n\nHash file last updated: ${HASH_FILE_DATE}\n\nYou can check and update hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 0 80 10 \
'c' ' Check root hashes' \
'u' ' Update root hashes' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"
else
whiptail --title "Root Disk Verification Menu" \
--menu "This feature lets you detect tampering in files on your root disk.\n\nNo hash file has been created yet\n\nYou can create hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 0 80 10 \
'u' ' Create root hashes' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"
fi
menu_choice=$(cat /tmp/whiptail)
case "$menu_choice" in
"x" )
exit 0
;;
"c" )
check_root_checksums
if [ $? -eq 0 ]; then
whiptail --title 'Verified Root Hashes' \
--msgbox "All files in $CONFIG_ROOT_DIRLIST_PRETTY passed the verification process" 16 60
fi
;;
"u" )
update_root_checksums
;;
esac
done
exit 0
Reference in New Issue View Git Blame Copy Permalink