#!/bin/bash
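build ()
{
  #######################################
  # mkinitcpio install hook: hash the bootloader code and ship the hashes
  # into the initramfs (under /etc/chkcryptoboot) for the runscript to check.
  # Reads:    /etc/default/chkcryptoboot.conf — sourced as shell, so it runs
  #           as root; it must not be writable by anyone else.
  #           TMPDIR (optional) — base directory for the scratch files.
  # Uses:     mkinitcpio helpers error, add_dir, add_file, add_module,
  #           add_binary, add_runscript (provided by the caller, not here).
  # Returns:  0 on success, 1 on any configuration or hashing failure.
  #######################################
  local base workdir

  # Are we even needed?
  if [[ ! -s /etc/default/chkcryptoboot.conf ]]; then
    error "There is no chkcryptoboot configuration file; exit"
    return 1
  fi
  source /etc/default/chkcryptoboot.conf

  # Scratch directory. A fixed name under /tmp can be pre-created by an
  # unprivileged local user, who could then replace disk-head / grub-core
  # between dd and sha512sum; a private mktemp directory closes that window.
  # TMPDIR is honoured as the base but no longer overwritten, so hooks that
  # mkinitcpio sources after this one still see the caller's TMPDIR.
  base=${TMPDIR:-/tmp}
  [[ -d "$base" ]] || mkdir -p -- "$base"
  workdir=$(mktemp -d "$base/mkinitcpio-chkcryptoboot.XXXXXX") || {
    error "Could not create a scratch directory under $base; exit"
    return 1
  }
  add_dir /etc/chkcryptoboot

  if [[ -z "$CMDLINE_NAME" || -z "$CMDLINE_VALUE" ]]; then
    error "You must configure the cmdline name/value pair; exit"
    return 1
  fi

  case "$BOOTMODE" in
    '')
      error "NO BOOTMODE configured; exit"
      return 1
      ;;
    mbr)
      if [[ -z "$BOOTDISK" || ! -b "$BOOTDISK" ]]; then
        error "No BOOTDISK configured; exit"
        return 1
      fi
      # Only hash the first 446 bytes of the disk (the MBR boot code).
      # A failed dd used to leave an empty/partial file that was then hashed
      # as if it were valid; every read is now checked.
      dd if="$BOOTDISK" of="$workdir/disk-head" bs=446 count=1 || {
        error "Could not read the MBR boot code from $BOOTDISK; exit"
        return 1
      }
      # Hash from inside the scratch dir so the .sha512 file keeps the bare
      # name "disk-head"; the subshell keeps the caller's cwd unchanged.
      ( cd "$workdir" && sha512sum disk-head > disk-head.sha512 ) || {
        error "Could not hash the MBR boot code; exit"
        return 1
      }
      add_file "$workdir/disk-head.sha512" /etc/chkcryptoboot
      if [[ -n "$BOOT_PARTITION" && -b "$BOOT_PARTITION" ]]; then
        # read first 62 sectors from the BIOS boot partition
        dd if="$BOOT_PARTITION" of="$workdir/grub-core" bs=512 count=62 || {
          error "Could not read the BIOS boot partition $BOOT_PARTITION; exit"
          return 1
        }
      else
        # read first 62 sectors from the post-MBR gap
        dd if="$BOOTDISK" of="$workdir/grub-core" skip=1 bs=512 count=62 || {
          error "Could not read the post-MBR gap from $BOOTDISK; exit"
          return 1
        }
      fi
      ( cd "$workdir" && sha512sum grub-core > grub-core.sha512 ) || {
        error "Could not hash the bootloader core image; exit"
        return 1
      }
      add_file "$workdir/grub-core.sha512" /etc/chkcryptoboot
      ;;
    efi)
      if [[ -z "$ESP" ]]; then
        error "No ESP mount point configured; exit"
        return 1
      fi
      if [[ -z "$EFISTUB" || ! -s "$EFISTUB" ]]; then
        error "Wrong EFISTUB configuration; exit"
        return 1
      fi
      # Copy the ESP's fstab entry into the image, presumably so the runscript
      # can mount the ESP to re-hash the stub — confirm against the hook script.
      if ! findmnt "$ESP" --fstab -n \
          --output=source,target,fstype,options,freq,passno > "$workdir/fstab"; then
        error "Your ESP mount point was not found in /etc/fstab; exit"
        return 1
      fi
      add_module "$(findmnt "$ESP" --fstab -n --output=fstype)"
      add_dir "$(findmnt "$ESP" --fstab -n --output=target)"
      # hash grub efistub (the .sha512 records the full path of $EFISTUB)
      sha512sum "$EFISTUB" > "$workdir/efistub.sha512" || {
        error "Could not hash $EFISTUB; exit"
        return 1
      }
      add_file "$workdir/efistub.sha512" /etc/chkcryptoboot
      add_file "$workdir/fstab" /etc/fstab
      add_binary /usr/bin/findmnt
      ;;
    *)
      error "Wrong BOOTMODE configured; exit"
      return 1
      ;;
  esac

  add_binary /usr/bin/sha512sum
  add_file /etc/default/chkcryptoboot.conf /etc/chkcryptoboot
  add_runscript
}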
help ()
{
  # Print the hook's short description (mkinitcpio shows it for `-H`).
  # Quoted delimiter: the text is emitted verbatim, no expansion happens.
  cat <<'HELPEOF'
This hook create hashes of the bootloader code, and tries to warn the user
not to type it's root luks password in case of a compromised boot loader.
HELPEOF
}