Add info on how to fetch autosign key.

(GitHub issue #18)

.drone.yml

@@ -0,0 +1,119 @@
+kind: pipeline
+name: check
+
+volumes:
+- name: debian-package-cache
+  host:
+    path: /var/cache/debian-package-cache
+
+trigger:
+  event:
+    exclude:
+    - tag
+
+steps:
+- name: shellcheck
+  image: debian:stretch-slim
+  pull: always
+  commands:
+  - rm /etc/apt/apt.conf.d/docker-clean
+  - rm /var/cache/apt/archives/lock
+  - echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
+  - echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
+  - apt-get update -q
+  - apt-get install -qy -t buster shellcheck
+  - shellcheck hashboot
+  volumes:
+  - name: debian-package-cache
+    path: /var/cache/apt/archives
+
+- name: notify
+  image: drillster/drone-email
+  pull: always
+  settings:
+    host: cryptoparty-celle.de
+    from: drone@tzend.de
+    username:
+      from_secret: email_username
+    password:
+      from_secret: email_password
+  when:
+    status: [ changed, failure ]
+
+---
+
+kind: pipeline
+name: release
+
+volumes:
+- name: debian-package-cache
+  host:
+    path: /var/cache/debian-package-cache
+- name: gpg-key
+  host:
+    path: /home/tastytea/misc/autosign_gpg.key
+
+trigger:
+  event:
+    - tag
+
+steps:
+- name: download tar.gz
+  image: plugins/download
+  settings:
+    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.tar.gz
+    destination: hashboot-${DRONE_TAG}.tar.gz
+
+- name: download zip
+  image: plugins/download
+  settings:
+    source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.zip
+    destination: hashboot-${DRONE_TAG}.zip
+
+- name: signature
+  image: debian:stretch-slim
+  pull: always
+  commands:
+  - rm /etc/apt/apt.conf.d/docker-clean
+  - rm -f /var/cache/apt/archives/lock
+  - apt-get update -q
+  - apt-get install -qy gnupg
+  - gpg --import /var/autosign_gpg.key
+  - gpg --verbose --detach-sign *.tar.gz
+  - gpg --verbose --detach-sign *.zip
+  volumes:
+  - name: debian-package-cache
+    path: /var/cache/apt/archives
+  - name: gpg-key
+    path: /var/autosign_gpg.key
+
+- name: release
+  image: plugins/gitea-release
+  pull: always
+  settings:
+    base_url: https://schlomp.space
+    api_key:
+      from_secret: gitea_token
+    title: ${DRONE_TAG}
+    prerelease: true
+    files:
+      - hashboot-${DRONE_TAG}.tar.gz
+      - hashboot-${DRONE_TAG}.tar.gz.sig
+      - hashboot-${DRONE_TAG}.zip
+      - hashboot-${DRONE_TAG}.zip.sig
+    checksum:
+      - sha256
+      - sha512
+
+- name: notify
+  image: drillster/drone-email
+  pull: always
+  settings:
+    host: cryptoparty-celle.de
+    from: drone@tzend.de
+    username:
+      from_secret: email_username
+    password:
+      from_secret: email_password
+  when:
+    status: [ changed, failure ]

.gitignore

@@ -0,0 +1 @@
+/hashboot.1

LICENSE

@@ -1,4 +1,4 @@
-"THE HUG-WARE LICENSE" (Revision 1):
-xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long
-as you retain this notice you can do whatever you want with this stuff. If we
-meet some day, and you think this stuff is worth it, you can give us a hug.
+"THE HUG-WARE LICENSE" (Revision 2):
+teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
+As long as you retain this notice you can do whatever you want with this.
+If we meet some day, and you think this is nice, you can give us a hug.

README.md

@@ -1,31 +1,76 @@
-**hashboot** hashes all files in `/boot` to check them during early boot. It is
-intended for when you have encrypted the root partition but not the boot
-partition. The checksums and a backup of the contents of `/boot` are stored in
-`/var/lib/hashboot` by default. If a checksum doesn't match, you have the option
-to restore the file from backup.
+**hashboot** hashes all files in `/boot` and the MBR to check them during early
+boot. It is intended for when you have encrypted the root partition but not the
+boot partition. The checksums and a backup of the contents of `/boot` are stored
+in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
+option to restore the file from backup.
+
+If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
+installed, **hashboot** can check the BIOS for modifications too.
+
+We moved our code to
+[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
+[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
 
 # Install
 
+## Packages
+
+### Void Linux
+
+``` shell
+xbps-install -S hashboot
+```
+
+### Gentoo Linux
+
+Ebuilds are available via the
+[tastytea repository](https://schlomp.space/tastytea/overlay).
+
+``` shell
+emerge -a sys-apps/hashboot
+rc-update add hashboot boot
+```
+
+### Arch Linux
+
+Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
+
+## Manual
+
+### Any distro
+
+The releases on
+[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
+PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
+(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
+autosign@tastytea.de`.
+
 * Make hashboot executable
-* Place hashboot anywhere in $PATH
+* Place hashboot anywhere in ${PATH}
 * Install the appropriate init script
-* If applicable, copy kernel-hook to /etc/kernel/post{inst,rm}.d/zzz-hashboot (make sure it is called after all other hooks)
+* If applicable, copy `hooks/kernel-postinst` to /etc/kernel/post{inst,rm}.d/zzz-hashboot
+(make sure it is called after all other hooks)
+* To generate the manpage, install [asciidoc](http://asciidoc.org/) and run
+`build_manpage.sh`.
 
 # Usage
 
-* Run "hashboot index" to generate checksums and a backup for /boot and MBR
-* Run "hashboot check" to check /boot and MBR
-* Run "hashboot recover" to replace corrupted files with the backup
+* First run creates a configuration file. Select the desired checkroutines
+* Run `hashboot index` to generate checksums and a backup for /boot and MBR
+* Run `hashboot check` to check /boot and MBR
+* Run `hashboot recover` to replace corrupted files with the backup
 
 # Notes
 
 * You can't use the openrc/sysv init scripts with parallel boot.
+* The systemd and SysVinit init scripts have not been tested in a while, but
+will probably work.
 
 # License
 
 ```PLAIN
-"THE HUG-WARE LICENSE" (Revision 1):
-xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long
-as you retain this notice you can do whatever you want with this stuff. If we
-meet some day, and you think this stuff is worth it, you can give us a hug.
+"THE HUG-WARE LICENSE" (Revision 2):
+teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
+As long as you retain this notice you can do whatever you want with this.
+If we meet some day, and you think this is nice, you can give us a hug.
 ```

build_manpage.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ -f "hashboot.1.adoc" ]; then
+    name="hashboot"
+    version="$(grep VERSION hashboot | head -n1 | cut -d\" -f2)"
+    dir="$(dirname ${0})"
+
+    sed -Ei "s/(Revision: +)[0-9]+\.[0-9]+\.[0-9]+/\1${version}/" ${name}.1.adoc
+    a2x --doctype manpage --format manpage --no-xmllint ${name}.1.adoc
+else
+    echo "hashboot.1.adoc not found." >&2
+fi

hashboot

@@ -5,20 +5,23 @@
 #7 = write error, 8 = dd error, 9 = file not found
 #10 = bios mismatch, 11 == mbr&bios mismatch, 12 = files&bios mismatch
 #13 = mbr&bios&files mismatch
-###################################################################################
-# "THE HUG-WARE LICENSE" (Revision 1):                                            #
-# xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long #
-# as you retain this notice you can do whatever you want with this stuff. If we   #
-# meet some day, and you think this stuff is worth it, you can give us a hug.     #
-###################################################################################
+###############################################################################
+# "THE HUG-WARE LICENSE" (Revision 2):                                        #
+# teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.    #
+# As Long as you retain this notice you can do whatever you want with this.   #
+# If we meet some day, and you think this is nice, you can give us a hug.     #
+###############################################################################
 
-VERSION="0.9.7"
+# Disable warnings about $?.
+# shellcheck disable=SC2181
+
+VERSION="0.9.14"
 PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
 DIGEST_FILE=""
 BACKUP_FILE=""
 SAVEDIR=""
 DIGEST_FILE_TMP="/tmp/hashboot.digesttmp"
-LOG_FILE="/tmp/hashboot.log"
+LOG_FILE="/var/log/hashboot.log"
 MBR_DEVICE="/dev/sda"
 MBR_SIZE=1024
 MBR_TMP="/tmp/mbr"
@@ -28,7 +31,7 @@ BOOT_MOUNTED=0
 CONFIG_FILE="/etc/hashboot.cfg"
 COUNTER=0
 DD_STATUS="none"
-PROGRAMMER="no" #standard change enables bios mode
+PROGRAMMER=${PROGRAMMER:=internal}
 #bitmask:
 # 001=mbr
 # 010=files
@@ -43,33 +46,36 @@ die ()
         umount /boot
     fi
 
+    # Delete temporary files
+    rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
+
     [ -z "${2}" ] || echo "${2}" >&2
-    exit ${1}
+    exit "${1}"
 }
 
 write_hashes ()
 {
-    #Write header to ${1}
-    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1}
+    local file="${1}"
+    #Write header to ${file}
+    echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
 
-    if [ $((${CKMODES} & 001)) -ne 0 ]; then
+    if [ $((CKMODES & 001)) -ne 0 ]; then
         #copy mbr to file
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
-        #Write hash of MBR to ${1}
-        ${HASHER} ${MBR_TMP} >> ${1}
+        #Write hash of MBR to ${file}
+        ${HASHER} ${MBR_TMP} >> "${file}"
     fi
-    if [ $((${CKMODES} & 010)) -ne 0 ]; then
-        #Write hashes of all regular files to ${1}
-        find /boot -type f -exec ${HASHER} --binary {} >> ${1} +
+    if [ $((CKMODES & 010)) -ne 0 ]; then
+        #Write hashes of all regular files to ${file}
+        # shellcheck disable=SC2227
+        find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
     fi
-    if [ $((${CKMODES} & 100)) != 0 ]; then
-        #if we set an programmer chip in config
-        if [ ! "${PROGRAMMER}" == "no" ]; then
+    if [ $((CKMODES & 100)) -ne 0 ]; then
         #read bios to file
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
-            #and write hashes of bios files to ${1}
-            ${HASHER} ${BIOS_TMP} >> ${1}
-        fi
+        #and write hashes of bios files to ${file}
+        ${HASHER} ${BIOS_TMP} >> "${file}"
+
     fi
 }
 
@@ -88,7 +94,9 @@ then
 fi
 
 # Debian < 8 check
-if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ]
+if command -v lsb_release > /dev/null \
+        && [ "$(lsb_release -si)" == "Debian" ] \
+        && [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
 then
     DD_STATUS="noxfer"
 fi
@@ -96,9 +104,10 @@ fi
 #Look for config file and set ${MBR_DEVICE}.
 if [ -f ${CONFIG_FILE} ]
 then
+    # shellcheck source=/dev/null
     source ${CONFIG_FILE} || die 9 "Error reading config file"
     #compatibility to old cfg format
-    if [ ! -z "${BACKUP_FILE}" ]; then
+    if [ -n "${BACKUP_FILE}" ]; then
         SAVEDIR="/var/lib/hashboot"
         echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
         mkdir -p ${SAVEDIR}
@@ -109,6 +118,7 @@ then
         sed -i '/BACKUP_FILE/d' ${CONFIG_FILE}
         echo "The backup und the digests have been moved to ${SAVEDIR}"
     fi
+    # here we extrapolate paths from savedir.
     DIGEST_FILE="${SAVEDIR}/hashboot.digest"
     BACKUP_FILE="${SAVEDIR}/boot-backup.tar"
 #If not found, create one and ask for ${MBR_DEVICE}
@@ -116,59 +126,47 @@ else
     #Create ${CONFIG_FILE} with defaults if noninterctive
     if [ -t "0" ]
     then
-        echo -n "Which device contains the MBR? [/dev/sda] "
-        read -r MBR_DEVICE
-        [ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
-        echo "#Device with the MBR on it" > ${CONFIG_FILE}
-        echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
-
         echo -n "Where should backup file and digestfile be stored? [/var/lib/hashboot] "
         read -r SAVEDIR
-        echo "#Where the Backup files are stored" >> ${CONFIG_FILE}
+        [ -z "${SAVEDIR}" ] && SAVEDIR="/var/lib/hashboot"
+        echo "#Where the Backup files are stored" > ${CONFIG_FILE}
         echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
         DIGEST_FILE="${SAVEDIR}/hashboot.digest"
         BACKUP_FILE="${SAVEDIR}/boot-backup.tar"
         mkdir -p ${SAVEDIR}
-        echo -n "Include BIOS check? (y/n)"
-        read prompt
-        while ! [[ $prompt == "y" || $prompt == "Y" || $prompt == "n" || $prompt == "N" ]]; do
-            read prompt
-        done
-        if [[ "${prompt}" == "y" || "${prompt}" == "Y" ]]; then
-            if which flashrom; then
-                flashrom
-                echo -n "Which programmer? (eg. internal) "
-                read p
-                echo "PROGRAMMER=${p}" >> ${CONFIG_FILE}
-            else
-                echo "No flashrom found. You need to install it."
-                echo "PROGRAMMER=${PROGRAMMER}" >> ${CONFIG_FILE}
-            fi
-        else
-            echo "PROGRAMMER=no" >> ${CONFIG_FILE}
-        fi
+
         echo "What do we check?"
         echo "001=mbr"
         echo "010=files"
-        echo "100=bios"
+        echo "100=core-/libreboot bios"
         echo "eg. 101 for mbr and bios: "
-        read CKMODES
+        read -r CKMODES
+        echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
         echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
-    else
-        echo "#Device with the MBR on it" > ${CONFIG_FILE}
+
+        if [ $((CKMODES & 001)) -ne 0 ]; then
+            echo -n "Which device contains the MBR? [/dev/sda] "
+            read -r MBR_DEVICE
+            [ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
+            echo "#Device with the MBR on it" >> ${CONFIG_FILE}
             echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
-        echo "#Where the Backup files are stored" >> ${CONFIG_FILE}
-        echo "BACKUP_FILE=${BACKUP_FILE}" >> ${CONFIG_FILE}
-        echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
-        echo "PROGRAMMER=${PROGRAMMER}" >> ${CONFIG_FILE}
+        fi
+
+        if [ $((CKMODES & 100)) -ne 0 ]; then
+            if ! command -v flashrom > /dev/null; then
+                echo "You need to have flashrom installed!"
+                echo "Currently it is not installed, don't reboot"
+                echo "If you need another programmer than internal"
+                echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
             fi
         fi
 
-if [ "${2}" > "1" ]; then
-    CKMODES=${2}
+    else
+        die 9 "No config file found. Run hashboot interactively to generate one."
+    fi
 fi
 
-if [ $((${CKMODES} & 001)) -ne 0 ]; then
+if [ $((CKMODES & 001)) -ne 0 ]; then
     # Find out where the first partition starts and set ${MBR_SIZE} in KiB
     sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
     if [ "${sectorsize}" == "=" ] # Older versions of util-linux
@@ -181,7 +179,7 @@ if [ $((${CKMODES} & 001)) -ne 0 ]; then
         startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
     fi
 
-    MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024)
+    MBR_SIZE=$((sectorsize * startsector / 1024))
 
     if [ ${?} != 0 ]
     then
@@ -193,10 +191,10 @@ fi
 if [ "${1}" == "index" ]
 then
     #Try different hashers, use the most secure
-    HASHER=$(/usr/bin/which sha512sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null)
-    test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null)
+    HASHER=$(command -v sha512sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha384sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha256sum)
+    test -z "${HASHER}" && HASHER=$(command -v sha224sum)
     #If we found no hasher: exit
     [ -z "${HASHER}" ] && die 5 "No hash calculator found"
 
@@ -215,18 +213,25 @@ then
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
                 #delete from tar
-                tar --delete -v -P -f $BACKUP_FILE $file
+                tar --delete -v -P -f ${BACKUP_FILE} "${file}"
             done
             for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
             do
-                tar -r -v -P -f $BACKUP_FILE $file
+                tar -r -v -P -f $BACKUP_FILE "${file}"
             done
         fi
     #nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
     mv ${DIGEST_FILE_TMP} ${DIGEST_FILE}
     else
         write_hashes $DIGEST_FILE
-        tar -cpPf ${BACKUP_FILE} ${BIOS} ${MBR_TMP} /boot ${DIGEST_FILE} || die 7 "Error writing ${BACKUP_FILE}"
+        INCLUDE_FILES=""
+        if [ -f "${MBR_TMP}" ]; then
+            INCLUDE_FILES="${INCLUDE_FILES} ${MBR_TMP}"
+        fi
+        if [ -f "${BIOS_TMP}" ]; then
+            INCLUDE_FILES="${BIOS_TMP}"
+        fi
+        tar -cpPf "${BACKUP_FILE}" ${INCLUDE_FILES} /boot ${DIGEST_FILE} || die 7 "Error writing ${BACKUP_FILE}"
         echo "Backup written to ${BACKUP_FILE}"
     fi
 
@@ -234,34 +239,33 @@ elif [ "${1}" == "check" ]
 then
     [ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
     HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
-    if [ $((${CKMODES} & 001)) != 0 ]; then
+    if [ $((CKMODES & 001)) != 0 ]; then
         dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
         grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: MBR WAS MODIFIED !!"
             COUNTER=$((COUNTER + 1))
         fi
     fi
-    if [ $((${CKMODES} & 010)) -ne 0 ]; then
+    if [ $((CKMODES & 010)) -ne 0 ]; then
         grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-        if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
             COUNTER=$((COUNTER + 2))
         fi
     fi
-    if [ $((${CKMODES} & 100)) -ne 0 ]; then
+    if [ $((CKMODES & 100)) -ne 0 ]; then
         flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
         #if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
-        if [ ! ${PROGRAMMER} == "no" ]; then
         grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
-            if [ ${PIPESTATUS[2]} -ne 0 ]
+        if [ "${PIPESTATUS[2]}" -ne 0 ]
         then
             echo "    !! TIME TO PANIK: BIOS WAS MODIFIED !!"
             COUNTER=$((COUNTER + 10))
         fi
-        fi
+
     fi
 
     if [ ${COUNTER} -gt 0 ]; then
@@ -272,15 +276,16 @@ then
     echo "Restoring files from backup... (type yes or no for each file)"
 
     #For each failed file: ask if it should be recovered from backup
+    # shellcheck disable=2013
     for file in $(cut -d: -f1 ${LOG_FILE})
     do
-        tar -xpPvwf ${BACKUP_FILE} ${file}
-        [ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
+        tar -xpPvwf ${BACKUP_FILE} "${file}"
+        [ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
         #If the MBR is to be recovered, copy to ${MBR_DEVICE}
         if [ "${file}" == ${MBR_TMP} ]
         then
             cp ${MBR_TMP} ${MBR_DEVICE}
-            [ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
+            [ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
         fi
     done
 else

hashboot.1.adoc

@@ -0,0 +1,56 @@
+= hashboot(1)
+tastytea <tastytea@tastytea.de>; teldra <teldra@rotce.de>
+:Date:          2019-04-12
+:Revision:      0.9.8
+:man source:    hashboot
+:man version:   {revision}
+:man manual:    General Commands Manual
+
+== NAME
+
+hashboot - generate checksums and a backup for /boot, MBR and BIOS.
+
+== SYNOPSIS
+
+*hashboot* _index_|_check_|_recover_
+
+== DESCRIPTION
+
+hashboot hashes all files in `/boot` and the MBR to check them during early
+boot. It is intended for when you have encrypted the root partition but not the
+boot partition. The checksums and a backup of the contents of `/boot` are stored
+in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
+option to restore the file from backup.
+
+If there is a core- or libreboot bios and flashrom installed, hashboot can
+check bios for modifications too.
+
+== OPTIONS
+
+*index*::
+    generate checksums and a backup for `/boot`, MBR and BIOS.
+
+*check*::
+    check `/boot`, MBR and BIOS.
+
+*recover*::
+    replace corrupted files with the backup.
+
+== CONFIGURATION
+
+The configuration file is in `/etc/hashboot.conf`.
+
+=== Possible options
+
+[frame="none",grid="none"]
+|============
+|SAVEDIR    | The checksums and the backup are stored here.
+|CKMODES    | 001=mbr, 010=files, 100=bios.
+|MBR_DEVICE | Device with the MBR on it.
+|PROGRAMMER | Use this programmer instead of "internal". Will be passed to flashrom.
+|============
+
+
+== REPORTING BUGS
+
+Bugtracker: https://github.com/tastytea/hashboot/issues

hooks/pacman.hook

@@ -0,0 +1,12 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = Package
+Target = *
+
+[Action]
+Description = Regenerating hashboot checksums...
+When = PostTransaction
+Exec = /usr/bin/hashboot index
+Depends = hashboot

init/openrc

@@ -0,0 +1,39 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Check integrity of files in /boot"
+
+depend()
+{
+    need localmount
+    before xdm
+}
+
+start()
+{
+    ebegin "Checking integrity of files in /boot"
+
+    # See if hashboot is accessible
+    which hashboot > /dev/null || return 255
+
+    hashboot check
+    ret=$?
+    # If return code is 1-3 or 10-13
+    if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
+        echo -n "Recover files? [y/N] "
+        read -r yesno
+        if [ "${yesno}" == "y" ]; then
+            hashboot recover
+        fi
+
+        echo "Dropping to shell. Type exit to continue."
+        sh
+        return ${ret}
+    elif [ ${ret} != 0 ]; then
+        eerror "Unexpected error number ${ret}."
+        return ${ret}
+    fi
+
+    eend 0
+}

init/sysv

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides:          hashboot
+# Required-Start:    $mountall
+# Required-Stop:
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Check integrity of files in /boot
+### END INIT INFO
+
+#PATH=/sbin:/bin:/usr/bin:/usr
+
+# See if hashboot is accessible
+test -x $(which hashboot) || exit 255
+
+case "$1" in
+    start)
+        log_daemon_msg "Checking integrity of files in /boot"
+
+        hashboot check
+        ret=$?
+        if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
+            log_end_msg ${ret}
+
+            echo -n "Recover files? [y/N] "
+            read -r yesno
+            if [ "${yesno}" == "y" ]; then
+                hashboot recover
+            fi
+
+            echo "Dropping to shell. Type exit to continue."
+            sh
+            exit ${ret}
+        elif [ ${ret} != 0 ]; then
+             log_end_msg ${ret}
+             eerror "Unexpected error number ${ret}."
+             exit ${ret}
+        fi
+
+        log_end_msg 0
+        ;;
+    stop)
+        # No-op
+        ;;
+    restart|reload|force-reload|status)
+        echo "Error: argument '$1' not supported" >&2
+        exit 1
+        ;;
+    *)
+        echo "Usage: /etc/init.d/hashboot {start|stop}"
+        exit 1
+        ;;
+esac
+
+exit 0

initscript.openrc

@@ -1,37 +0,0 @@
-#!/sbin/openrc-run
-
-description="Check integrity of files in /boot"
-
-depend()
-{
-	need localmount
-	before xdm
-}
-
-start()
-{
-	ebegin "Checking integrity of files in /boot"
-
-	# See if hashboot is accessible
-	which hashboot > /dev/null || return 255
-
-	hashboot check
-	if [ $? -gt 0 ] && [ $? -le 3 ]
-	then
-		echo -n "Recover files? [y/N] "
-		read -r yesno
-		if [ "${yesno}" == "y" ]
-		then
-			hashboot recover
-		fi
-
-		echo "Dropping to shell. Type exit to continue."
-		sh
-		return 3
-	elif [ $? != 0 ]
-	then
-		return $?
-	fi
-	
-	eend 0
-}

initscript.sysv

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-### BEGIN INIT INFO
-# Provides:          hashboot
-# Required-Start:    $mountall
-# Required-Stop:     
-# Default-Start:     S
-# Default-Stop:      
-# Short-Description: Check integrity of files in /boot
-### END INIT INFO
-
-#PATH=/sbin:/bin:/usr/bin:/usr
-
-# See if hashboot is accessible
-test -x $(which hashboot) || exit 255
-
-case "$1" in
-	start)
-		log_daemon_msg "Checking integrity of files in /boot"
-
-		hashboot check
-		if [ $? -gt 0 ] && [ $? -le 3 ]
-		then
-			log_end_msg 4
-			
-			echo -n "Recover files? [y/N] "
-			read -r yesno
-			if [ "${yesno}" == "y" ]
-			then
-				hashboot recover
-			fi
-
-			echo "Dropping to shell. Type exit to continue."
-			sh
-			exit 3
-		elif [ $? != 0 ]
-		then
-			log_end_msg $?
-			exit $?
-		fi
-		
-		log_end_msg 0
-		;;
-	stop)
-		# No-op
-
-		;;
-	restart|reload|force-reload|status)
-		echo "Error: argument '$1' not supported" >&2
-		exit 1
-		;;
-	*)
-		echo "Usage: /etc/init.d/hashboot {start|stop}"
-		exit 1
-		;;
-esac
-
-exit 0