Compare commits

..

78 Commits

Author SHA1 Message Date
tastytea 775b854cd1
Add info on how to fetch autosign key. 2019-11-20 04:45:21 +01:00
tastytea c06b25c54a
Fixed bugs I introduced while fixing warnings. :-D 2019-06-21 03:30:57 +02:00
tastytea 023bd8b2de
Removed unnecessary escape. 2019-06-20 20:55:07 +02:00
tastytea 7c0b3ef862
Install shellcheck from buster. 2019-06-20 20:54:52 +02:00
tastytea dc12c45581
Limit shellcheck severity to warning. 2019-06-20 20:45:16 +02:00
tastytea 078f86c732
Don't comment the shellsheck-comment. 2019-06-20 20:38:26 +02:00
tastytea 326d4a30b6
Merge branch 'shellcheck-fixes' 2019-06-20 20:34:58 +02:00
tastytea 7b2e19bdef
Disabled some shellcheck-checks. 2019-06-20 20:31:41 +02:00
tastytea 7f32a7c5e4
Added AUR instructions, deleted Arch Linux manual instructions.
(GitHub issue #18)
2019-06-20 19:52:15 +02:00
tastytea 329095f5fa
Added information about our move to schlomp.space to readme. 2019-06-20 17:57:07 +02:00
tastytea 9e9bfe3749
Version bump 0.9.14. 2019-06-20 17:32:26 +02:00
tastytea f571b962c1
Upload source-archives to releases. 2019-06-20 17:31:13 +02:00
tastytea 4d0b0cf8e4
Fixed filenames for downloads. 2019-06-20 17:14:47 +02:00
tastytea e2ecb17afe
AAAAAAh! 2019-06-20 17:00:37 +02:00
tastytea 7d013ff78f
Fixed GPG key location in drone recipe and install gpg. 2019-06-20 16:59:19 +02:00
tastytea aa95914010
Fixed download URLs in drone recipe. 2019-06-20 16:54:35 +02:00
tastytea 89e85108ed
Fixed drone recipe. 2019-06-20 16:50:58 +02:00
tastytea a8ba52f834
Enabled shellcheck in drone recipe. 2019-06-20 16:46:41 +02:00
tastytea e3830ed8d6
Added drone recipe, for checksums and GPG-signing. 2019-06-20 16:28:57 +02:00
tastytea c9cbf76701
Fixed most shellcheck-warnings. 2019-06-20 16:28:09 +02:00
tastytea 23c3704f3b
Updated kernel-hook location in readme. 2019-06-20 15:12:45 +02:00
tastytea 202e1bfad2
Moved kernel-hook to hooks/kernel-postinst. 2019-06-20 14:30:57 +02:00
tastytea 71b41300b3
Added hook for pacman (Issue #18). 2019-06-20 14:29:42 +02:00
tastytea a4f8837aa2
Merge pull request #17 from krathalan/master
Update Arch instructions
2019-06-17 00:25:46 +02:00
Hunter Peavey be684bb473
Update Arch instructions 2019-06-16 14:53:40 -07:00
Teldra 25111f02a7
Merge pull request #16 from krathalan/master
Add installation instructions for Arch Linux
2019-05-12 19:04:29 +02:00
Hunter Peavey b2a7dd0959
Add missing arch_instructions.md 2019-05-12 09:38:55 -07:00
Hunter Peavey 22ec91cc9d
Add installation instructions for Arch Linux 2019-05-12 09:37:42 -07:00
tastytea 2be01c031b
Got rid of table in manpage. 2019-04-12 19:52:41 +02:00
tastytea 3437eba5ea
Whitespace cleanup. 2019-03-30 00:35:10 +01:00
tastytea 1e63a10a99
Enahnced installation instruction for Gentoo. 2019-03-30 00:26:41 +01:00
tastytea 9de04f11fc
Added note about untested init scripts. 2019-03-29 23:54:42 +01:00
tastytea 02121e496c
Updated SysVinit script. 2019-03-29 23:51:15 +01:00
tastytea 191753a17e
Updated openrc init script. 2019-03-29 23:49:05 +01:00
tastytea 358b75f429
Typo. 2019-03-29 23:19:08 +01:00
tastytea 62d8a78c03
Added installation instructions for Void and Gentoo. 2019-03-29 23:16:46 +01:00
tastytea b0d7c515cd
Edited README, aesthetically. 2019-03-29 23:08:03 +01:00
tastytea 72be9701a1
Moved init scripts. 2019-03-29 22:59:31 +01:00
Teldra 44f8a4f184
Merge pull request #15 from tastytea/increase_version
increase version
2019-03-29 14:03:26 +01:00
teldra 82c1d64718 increase version 2019-03-29 14:02:29 +01:00
Teldra 7c386ac209
Merge pull request #14 from teldra/rename_init_void
rename voidlinux initscript
2019-03-29 13:31:13 +01:00
teldra 51f3afb14d rename voidlinux initscript 2019-03-29 13:30:10 +01:00
Teldra 004ff12954
Merge pull request #13 from tastytea/programmer_change
Small fix
2019-03-26 11:09:50 +01:00
teldra 085c3a2882 Small fix 2019-03-26 11:06:04 +01:00
Teldra 865f417370
Merge pull request #12 from tastytea/programmer_change
make programmer for bios changeable
2019-03-26 10:20:05 +01:00
teldra f53f7263c5 make programmer for bios changeable 2019-03-26 10:09:17 +01:00
tastytea f2460a3ce9
Manpage: Fixed short description. 2019-02-25 07:07:33 +01:00
tastytea abe2411673
Merge pull request #11 from teldra/fix-logging
Fix log file location
2019-02-24 16:31:09 +00:00
teldra f450f11128 Fix log file location 2019-02-24 17:29:05 +01:00
Teldra 7eef7d017a
Merge pull request #10 from tastytea/fix-error-creating-backup
Fix error when creating first backup.
2019-02-24 17:26:23 +01:00
tastytea 57750c1979
Fix error when creating first backup. 2019-02-24 17:20:35 +01:00
tastytea 342ea5d395
Delete temporary files. 2019-02-24 17:09:42 +01:00
tastytea 069caad598
Deleted undocumented CKMODES override feature. 2019-02-24 16:37:09 +01:00
Teldra d2b63cf80c
Merge pull request #9 from teldra/master
Increase version
2019-02-24 15:43:46 +01:00
tastytea c479a8d856
Enahnced manpage. 2019-02-24 15:43:07 +01:00
teldra e709747e72 Increase version 2019-02-24 15:42:55 +01:00
tastytea d0fd5a6a68
Added manpage build instructions. 2019-02-24 15:34:16 +01:00
tastytea 8647dd65b1
Oops, forgot the short description. 2019-02-24 15:31:55 +01:00
tastytea 851b456b8e
Merge branch 'master' of github.com:tastytea/hashboot 2019-02-24 15:29:39 +01:00
teldra a3543101bf addition 2019-02-24 15:30:04 +01:00
tastytea d3762e1d97
Added manpage. 2019-02-24 15:29:11 +01:00
teldra 4729e63712 Beautify license 2019-02-24 15:28:17 +01:00
Teldra 474a4f862e
Update README.md 2019-02-24 15:12:52 +01:00
Teldra efb61a772f
Update LICENSE 2019-02-24 15:12:31 +01:00
Teldra 2700462c20
Update hashboot 2019-02-24 15:08:21 +01:00
Teldra 637e47eeda
Update README.md 2019-02-24 15:05:23 +01:00
Teldra fb95b3387e
Update LICENSE 2019-02-24 15:05:03 +01:00
Teldra cd1afbf6b8
Merge pull request #8 from tastytea/fail-no-config
Fail if no config file is found and the program is not run interactively
2019-02-24 14:56:19 +01:00
tastytea 70ae214505
Fail if no config file is found and the program is not run interactively. 2019-02-24 14:51:18 +01:00
Teldra 8c907cd430
Merge pull request #7 from tastytea/teldra-patch-1
Update README.md
2019-02-24 14:36:10 +01:00
Teldra 99a419f8f4
Merge pull request #6 from teldra/correct_cg
Cleanup cfg, fix bios check
2019-02-24 14:35:57 +01:00
Teldra 9867a6b49c
Update hashboot 2019-02-24 14:35:14 +01:00
Teldra e562459ff6
Update README.md 2019-02-24 14:31:10 +01:00
Teldra f416882bac
Update README.md 2019-02-24 14:25:57 +01:00
teldra e1e23b4818 Cleanup cfg, fix bios check 2019-02-24 14:21:20 +01:00
tastytea 00e2cfdc5d
Mention MBR in description. 2019-02-24 13:06:10 +01:00
teldra bddc2720bf increment version 2019-02-24 12:51:19 +01:00
tastytea 59cbd14881
Save default SAVEDIR if answer is "". 2019-02-24 12:47:03 +01:00
17 changed files with 452 additions and 202 deletions

119
.drone.yml Normal file
View File

@ -0,0 +1,119 @@
kind: pipeline
name: check
volumes:
- name: debian-package-cache
host:
path: /var/cache/debian-package-cache
trigger:
event:
exclude:
- tag
steps:
- name: shellcheck
image: debian:stretch-slim
pull: always
commands:
- rm /etc/apt/apt.conf.d/docker-clean
- rm /var/cache/apt/archives/lock
- echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
- echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
- apt-get update -q
- apt-get install -qy -t buster shellcheck
- shellcheck hashboot
volumes:
- name: debian-package-cache
path: /var/cache/apt/archives
- name: notify
image: drillster/drone-email
pull: always
settings:
host: cryptoparty-celle.de
from: drone@tzend.de
username:
from_secret: email_username
password:
from_secret: email_password
when:
status: [ changed, failure ]
---
kind: pipeline
name: release
volumes:
- name: debian-package-cache
host:
path: /var/cache/debian-package-cache
- name: gpg-key
host:
path: /home/tastytea/misc/autosign_gpg.key
trigger:
event:
- tag
steps:
- name: download tar.gz
image: plugins/download
settings:
source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.tar.gz
destination: hashboot-${DRONE_TAG}.tar.gz
- name: download zip
image: plugins/download
settings:
source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.zip
destination: hashboot-${DRONE_TAG}.zip
- name: signature
image: debian:stretch-slim
pull: always
commands:
- rm /etc/apt/apt.conf.d/docker-clean
- rm -f /var/cache/apt/archives/lock
- apt-get update -q
- apt-get install -qy gnupg
- gpg --import /var/autosign_gpg.key
- gpg --verbose --detach-sign *.tar.gz
- gpg --verbose --detach-sign *.zip
volumes:
- name: debian-package-cache
path: /var/cache/apt/archives
- name: gpg-key
path: /var/autosign_gpg.key
- name: release
image: plugins/gitea-release
pull: always
settings:
base_url: https://schlomp.space
api_key:
from_secret: gitea_token
title: ${DRONE_TAG}
prerelease: true
files:
- hashboot-${DRONE_TAG}.tar.gz
- hashboot-${DRONE_TAG}.tar.gz.sig
- hashboot-${DRONE_TAG}.zip
- hashboot-${DRONE_TAG}.zip.sig
checksum:
- sha256
- sha512
- name: notify
image: drillster/drone-email
pull: always
settings:
host: cryptoparty-celle.de
from: drone@tzend.de
username:
from_secret: email_username
password:
from_secret: email_password
when:
status: [ changed, failure ]

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/hashboot.1

View File

@ -1,4 +1,4 @@
"THE HUG-WARE LICENSE" (Revision 1): "THE HUG-WARE LICENSE" (Revision 2):
xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
as you retain this notice you can do whatever you want with this stuff. If we As long as you retain this notice you can do whatever you want with this.
meet some day, and you think this stuff is worth it, you can give us a hug. If we meet some day, and you think this is nice, you can give us a hug.

View File

@ -1,31 +1,76 @@
**hashboot** hashes all files in `/boot` to check them during early boot. It is **hashboot** hashes all files in `/boot` and the MBR to check them during early
intended for when you have encrypted the root partition but not the boot boot. It is intended for when you have encrypted the root partition but not the
partition. The checksums and a backup of the contents of `/boot` are stored in boot partition. The checksums and a backup of the contents of `/boot` are stored
`/var/lib/hashboot` by default. If a checksum doesn't match, you have the option in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
to restore the file from backup. option to restore the file from backup.
If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
installed, **hashboot** can check the BIOS for modifications too.
We moved our code to
[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
# Install # Install
## Packages
### Void Linux
``` shell
xbps-install -S hashboot
```
### Gentoo Linux
Ebuilds are available via the
[tastytea repository](https://schlomp.space/tastytea/overlay).
``` shell
emerge -a sys-apps/hashboot
rc-update add hashboot boot
```
### Arch Linux
Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
## Manual
### Any distro
The releases on
[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
autosign@tastytea.de`.
* Make hashboot executable * Make hashboot executable
* Place hashboot anywhere in $PATH * Place hashboot anywhere in ${PATH}
* Install the appropriate init script * Install the appropriate init script
* If applicable, copy kernel-hook to /etc/kernel/post{inst,rm}.d/zzz-hashboot (make sure it is called after all other hooks) * If applicable, copy `hooks/kernel-postinst` to /etc/kernel/post{inst,rm}.d/zzz-hashboot
(make sure it is called after all other hooks)
* To generate the manpage, install [asciidoc](http://asciidoc.org/) and run
`build_manpage.sh`.
# Usage # Usage
* Run "hashboot index" to generate checksums and a backup for /boot and MBR * First run creates a configuration file. Select the desired checkroutines
* Run "hashboot check" to check /boot and MBR * Run `hashboot index` to generate checksums and a backup for /boot and MBR
* Run "hashboot recover" to replace corrupted files with the backup * Run `hashboot check` to check /boot and MBR
* Run `hashboot recover` to replace corrupted files with the backup
# Notes # Notes
* You can't use the openrc/sysv init scripts with parallel boot. * You can't use the openrc/sysv init scripts with parallel boot.
* The systemd and SysVinit init scripts have not been tested in a while, but
will probably work.
# License # License
```PLAIN ```PLAIN
"THE HUG-WARE LICENSE" (Revision 1): "THE HUG-WARE LICENSE" (Revision 2):
xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
as you retain this notice you can do whatever you want with this stuff. If we As long as you retain this notice you can do whatever you want with this.
meet some day, and you think this stuff is worth it, you can give us a hug. If we meet some day, and you think this is nice, you can give us a hug.
``` ```

12
build_manpage.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/sh
if [ -f "hashboot.1.adoc" ]; then
name="hashboot"
version="$(grep VERSION hashboot | head -n1 | cut -d\" -f2)"
dir="$(dirname ${0})"
sed -Ei "s/(Revision: +)[0-9]+\.[0-9]+\.[0-9]+/\1${version}/" ${name}.1.adoc
a2x --doctype manpage --format manpage --no-xmllint ${name}.1.adoc
else
echo "hashboot.1.adoc not found." >&2
fi

171
hashboot
View File

@ -5,20 +5,23 @@
#7 = write error, 8 = dd error, 9 = file not found #7 = write error, 8 = dd error, 9 = file not found
#10 = bios mismatch, 11 == mbr&bios mismatch, 12 = files&bios mismatch #10 = bios mismatch, 11 == mbr&bios mismatch, 12 = files&bios mismatch
#13 = mbr&bios&files mismatch #13 = mbr&bios&files mismatch
################################################################################### ###############################################################################
# "THE HUG-WARE LICENSE" (Revision 1): # # "THE HUG-WARE LICENSE" (Revision 2): #
# xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long # # teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this. #
# as you retain this notice you can do whatever you want with this stuff. If we # # As Long as you retain this notice you can do whatever you want with this. #
# meet some day, and you think this stuff is worth it, you can give us a hug. # # If we meet some day, and you think this is nice, you can give us a hug. #
################################################################################### ###############################################################################
VERSION="0.9.7" # Disable warnings about $?.
# shellcheck disable=SC2181
VERSION="0.9.14"
PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}" PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
DIGEST_FILE="" DIGEST_FILE=""
BACKUP_FILE="" BACKUP_FILE=""
SAVEDIR="" SAVEDIR=""
DIGEST_FILE_TMP="/tmp/hashboot.digesttmp" DIGEST_FILE_TMP="/tmp/hashboot.digesttmp"
LOG_FILE="/tmp/hashboot.log" LOG_FILE="/var/log/hashboot.log"
MBR_DEVICE="/dev/sda" MBR_DEVICE="/dev/sda"
MBR_SIZE=1024 MBR_SIZE=1024
MBR_TMP="/tmp/mbr" MBR_TMP="/tmp/mbr"
@ -28,7 +31,7 @@ BOOT_MOUNTED=0
CONFIG_FILE="/etc/hashboot.cfg" CONFIG_FILE="/etc/hashboot.cfg"
COUNTER=0 COUNTER=0
DD_STATUS="none" DD_STATUS="none"
PROGRAMMER="no" #standard change enables bios mode PROGRAMMER=${PROGRAMMER:=internal}
#bitmask: #bitmask:
# 001=mbr # 001=mbr
# 010=files # 010=files
@ -43,33 +46,36 @@ die ()
umount /boot umount /boot
fi fi
# Delete temporary files
rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
[ -z "${2}" ] || echo "${2}" >&2 [ -z "${2}" ] || echo "${2}" >&2
exit ${1} exit "${1}"
} }
write_hashes () write_hashes ()
{ {
#Write header to ${1} local file="${1}"
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1} #Write header to ${file}
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
if [ $((${CKMODES} & 001)) -ne 0 ]; then if [ $((CKMODES & 001)) -ne 0 ]; then
#copy mbr to file #copy mbr to file
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8 dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
#Write hash of MBR to ${1} #Write hash of MBR to ${file}
${HASHER} ${MBR_TMP} >> ${1} ${HASHER} ${MBR_TMP} >> "${file}"
fi fi
if [ $((${CKMODES} & 010)) -ne 0 ]; then if [ $((CKMODES & 010)) -ne 0 ]; then
#Write hashes of all regular files to ${1} #Write hashes of all regular files to ${file}
find /boot -type f -exec ${HASHER} --binary {} >> ${1} + # shellcheck disable=SC2227
find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
fi fi
if [ $((${CKMODES} & 100)) != 0 ]; then if [ $((CKMODES & 100)) -ne 0 ]; then
#if we set an programmer chip in config
if [ ! "${PROGRAMMER}" == "no" ]; then
#read bios to file #read bios to file
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1 flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
#and write hashes of bios files to ${1} #and write hashes of bios files to ${file}
${HASHER} ${BIOS_TMP} >> ${1} ${HASHER} ${BIOS_TMP} >> "${file}"
fi
fi fi
} }
@ -88,7 +94,9 @@ then
fi fi
# Debian < 8 check # Debian < 8 check
if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ] if command -v lsb_release > /dev/null \
&& [ "$(lsb_release -si)" == "Debian" ] \
&& [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
then then
DD_STATUS="noxfer" DD_STATUS="noxfer"
fi fi
@ -96,9 +104,10 @@ fi
#Look for config file and set ${MBR_DEVICE}. #Look for config file and set ${MBR_DEVICE}.
if [ -f ${CONFIG_FILE} ] if [ -f ${CONFIG_FILE} ]
then then
# shellcheck source=/dev/null
source ${CONFIG_FILE} || die 9 "Error reading config file" source ${CONFIG_FILE} || die 9 "Error reading config file"
#compatibility to old cfg format #compatibility to old cfg format
if [ ! -z "${BACKUP_FILE}" ]; then if [ -n "${BACKUP_FILE}" ]; then
SAVEDIR="/var/lib/hashboot" SAVEDIR="/var/lib/hashboot"
echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE} echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
mkdir -p ${SAVEDIR} mkdir -p ${SAVEDIR}
@ -109,6 +118,7 @@ then
sed -i '/BACKUP_FILE/d' ${CONFIG_FILE} sed -i '/BACKUP_FILE/d' ${CONFIG_FILE}
echo "The backup und the digests have been moved to ${SAVEDIR}" echo "The backup und the digests have been moved to ${SAVEDIR}"
fi fi
# here we extrapolate paths from savedir.
DIGEST_FILE="${SAVEDIR}/hashboot.digest" DIGEST_FILE="${SAVEDIR}/hashboot.digest"
BACKUP_FILE="${SAVEDIR}/boot-backup.tar" BACKUP_FILE="${SAVEDIR}/boot-backup.tar"
#If not found, create one and ask for ${MBR_DEVICE} #If not found, create one and ask for ${MBR_DEVICE}
@ -116,59 +126,47 @@ else
#Create ${CONFIG_FILE} with defaults if noninterctive #Create ${CONFIG_FILE} with defaults if noninterctive
if [ -t "0" ] if [ -t "0" ]
then then
echo -n "Which device contains the MBR? [/dev/sda] "
read -r MBR_DEVICE
[ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
echo "#Device with the MBR on it" > ${CONFIG_FILE}
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
echo -n "Where should backup file and digestfile be stored? [/var/lib/hashboot] " echo -n "Where should backup file and digestfile be stored? [/var/lib/hashboot] "
read -r SAVEDIR read -r SAVEDIR
echo "#Where the Backup files are stored" >> ${CONFIG_FILE} [ -z "${SAVEDIR}" ] && SAVEDIR="/var/lib/hashboot"
echo "#Where the Backup files are stored" > ${CONFIG_FILE}
echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE} echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
DIGEST_FILE="${SAVEDIR}/hashboot.digest" DIGEST_FILE="${SAVEDIR}/hashboot.digest"
BACKUP_FILE="${SAVEDIR}/boot-backup.tar" BACKUP_FILE="${SAVEDIR}/boot-backup.tar"
mkdir -p ${SAVEDIR} mkdir -p ${SAVEDIR}
echo -n "Include BIOS check? (y/n)"
read prompt
while ! [[ $prompt == "y" || $prompt == "Y" || $prompt == "n" || $prompt == "N" ]]; do
read prompt
done
if [[ "${prompt}" == "y" || "${prompt}" == "Y" ]]; then
if which flashrom; then
flashrom
echo -n "Which programmer? (eg. internal) "
read p
echo "PROGRAMMER=${p}" >> ${CONFIG_FILE}
else
echo "No flashrom found. You need to install it."
echo "PROGRAMMER=${PROGRAMMER}" >> ${CONFIG_FILE}
fi
else
echo "PROGRAMMER=no" >> ${CONFIG_FILE}
fi
echo "What do we check?" echo "What do we check?"
echo "001=mbr" echo "001=mbr"
echo "010=files" echo "010=files"
echo "100=bios" echo "100=core-/libreboot bios"
echo "eg. 101 for mbr and bios: " echo "eg. 101 for mbr and bios: "
read CKMODES read -r CKMODES
echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
echo "CKMODES=$CKMODES" >> ${CONFIG_FILE} echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
else
echo "#Device with the MBR on it" > ${CONFIG_FILE} if [ $((CKMODES & 001)) -ne 0 ]; then
echo -n "Which device contains the MBR? [/dev/sda] "
read -r MBR_DEVICE
[ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
echo "#Device with the MBR on it" >> ${CONFIG_FILE}
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE} echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
echo "#Where the Backup files are stored" >> ${CONFIG_FILE} fi
echo "BACKUP_FILE=${BACKUP_FILE}" >> ${CONFIG_FILE}
echo "CKMODES=$CKMODES" >> ${CONFIG_FILE} if [ $((CKMODES & 100)) -ne 0 ]; then
echo "PROGRAMMER=${PROGRAMMER}" >> ${CONFIG_FILE} if ! command -v flashrom > /dev/null; then
echo "You need to have flashrom installed!"
echo "Currently it is not installed, don't reboot"
echo "If you need another programmer than internal"
echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
fi
fi
else
die 9 "No config file found. Run hashboot interactively to generate one."
fi fi
fi fi
if [ "${2}" > "1" ]; then if [ $((CKMODES & 001)) -ne 0 ]; then
CKMODES=${2}
fi
if [ $((${CKMODES} & 001)) -ne 0 ]; then
# Find out where the first partition starts and set ${MBR_SIZE} in KiB # Find out where the first partition starts and set ${MBR_SIZE} in KiB
sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' ) sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
if [ "${sectorsize}" == "=" ] # Older versions of util-linux if [ "${sectorsize}" == "=" ] # Older versions of util-linux
@ -181,7 +179,7 @@ if [ $((${CKMODES} & 001)) -ne 0 ]; then
startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' ) startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
fi fi
MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024) MBR_SIZE=$((sectorsize * startsector / 1024))
if [ ${?} != 0 ] if [ ${?} != 0 ]
then then
@ -193,10 +191,10 @@ fi
if [ "${1}" == "index" ] if [ "${1}" == "index" ]
then then
#Try different hashers, use the most secure #Try different hashers, use the most secure
HASHER=$(/usr/bin/which sha512sum 2> /dev/null) HASHER=$(command -v sha512sum)
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null) test -z "${HASHER}" && HASHER=$(command -v sha384sum)
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null) test -z "${HASHER}" && HASHER=$(command -v sha256sum)
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null) test -z "${HASHER}" && HASHER=$(command -v sha224sum)
#If we found no hasher: exit #If we found no hasher: exit
[ -z "${HASHER}" ] && die 5 "No hash calculator found" [ -z "${HASHER}" ] && die 5 "No hash calculator found"
@ -215,18 +213,25 @@ then
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' ); for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
do do
#delete from tar #delete from tar
tar --delete -v -P -f $BACKUP_FILE $file tar --delete -v -P -f ${BACKUP_FILE} "${file}"
done done
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' ); for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
do do
tar -r -v -P -f $BACKUP_FILE $file tar -r -v -P -f $BACKUP_FILE "${file}"
done done
fi fi
#nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt* #nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
mv ${DIGEST_FILE_TMP} ${DIGEST_FILE} mv ${DIGEST_FILE_TMP} ${DIGEST_FILE}
else else
write_hashes $DIGEST_FILE write_hashes $DIGEST_FILE
tar -cpPf ${BACKUP_FILE} ${BIOS} ${MBR_TMP} /boot ${DIGEST_FILE} || die 7 "Error writing ${BACKUP_FILE}" INCLUDE_FILES=""
if [ -f "${MBR_TMP}" ]; then
INCLUDE_FILES="${INCLUDE_FILES} ${MBR_TMP}"
fi
if [ -f "${BIOS_TMP}" ]; then
INCLUDE_FILES="${BIOS_TMP}"
fi
tar -cpPf "${BACKUP_FILE}" ${INCLUDE_FILES} /boot ${DIGEST_FILE} || die 7 "Error writing ${BACKUP_FILE}"
echo "Backup written to ${BACKUP_FILE}" echo "Backup written to ${BACKUP_FILE}"
fi fi
@ -234,34 +239,33 @@ elif [ "${1}" == "check" ]
then then
[ -f ${DIGEST_FILE} ] || die 9 "No digestfile" [ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}') HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
if [ $((${CKMODES} & 001)) != 0 ]; then if [ $((CKMODES & 001)) != 0 ]; then
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8 dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE} grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
if [ ${PIPESTATUS[2]} -ne 0 ] if [ "${PIPESTATUS[2]}" -ne 0 ]
then then
echo " !! TIME TO PANIK: MBR WAS MODIFIED !!" echo " !! TIME TO PANIK: MBR WAS MODIFIED !!"
COUNTER=$((COUNTER + 1)) COUNTER=$((COUNTER + 1))
fi fi
fi fi
if [ $((${CKMODES} & 010)) -ne 0 ]; then if [ $((CKMODES & 010)) -ne 0 ]; then
grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE} grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
if [ ${PIPESTATUS[2]} -ne 0 ] if [ "${PIPESTATUS[2]}" -ne 0 ]
then then
echo " !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!" echo " !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
COUNTER=$((COUNTER + 2)) COUNTER=$((COUNTER + 2))
fi fi
fi fi
if [ $((${CKMODES} & 100)) -ne 0 ]; then if [ $((CKMODES & 100)) -ne 0 ]; then
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1 flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
#if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic #if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
if [ ! ${PROGRAMMER} == "no" ]; then
grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE} grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
if [ ${PIPESTATUS[2]} -ne 0 ] if [ "${PIPESTATUS[2]}" -ne 0 ]
then then
echo " !! TIME TO PANIK: BIOS WAS MODIFIED !!" echo " !! TIME TO PANIK: BIOS WAS MODIFIED !!"
COUNTER=$((COUNTER + 10)) COUNTER=$((COUNTER + 10))
fi fi
fi
fi fi
if [ ${COUNTER} -gt 0 ]; then if [ ${COUNTER} -gt 0 ]; then
@ -272,15 +276,16 @@ then
echo "Restoring files from backup... (type yes or no for each file)" echo "Restoring files from backup... (type yes or no for each file)"
#For each failed file: ask if it should be recovered from backup #For each failed file: ask if it should be recovered from backup
# shellcheck disable=2013
for file in $(cut -d: -f1 ${LOG_FILE}) for file in $(cut -d: -f1 ${LOG_FILE})
do do
tar -xpPvwf ${BACKUP_FILE} ${file} tar -xpPvwf ${BACKUP_FILE} "${file}"
[ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2 [ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
#If the MBR is to be recovered, copy to ${MBR_DEVICE} #If the MBR is to be recovered, copy to ${MBR_DEVICE}
if [ "${file}" == ${MBR_TMP} ] if [ "${file}" == ${MBR_TMP} ]
then then
cp ${MBR_TMP} ${MBR_DEVICE} cp ${MBR_TMP} ${MBR_DEVICE}
[ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2 [ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
fi fi
done done
else else

56
hashboot.1.adoc Normal file
View File

@ -0,0 +1,56 @@
= hashboot(1)
tastytea <tastytea@tastytea.de>; teldra <teldra@rotce.de>
:Date: 2019-04-12
:Revision: 0.9.8
:man source: hashboot
:man version: {revision}
:man manual: General Commands Manual
== NAME
hashboot - generate checksums and a backup for /boot, MBR and BIOS.
== SYNOPSIS
*hashboot* _index_|_check_|_recover_
== DESCRIPTION
hashboot hashes all files in `/boot` and the MBR to check them during early
boot. It is intended for when you have encrypted the root partition but not the
boot partition. The checksums and a backup of the contents of `/boot` are stored
in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
option to restore the file from backup.
If there is a core- or libreboot bios and flashrom installed, hashboot can
check bios for modifications too.
== OPTIONS
*index*::
generate checksums and a backup for `/boot`, MBR and BIOS.
*check*::
check `/boot`, MBR and BIOS.
*recover*::
replace corrupted files with the backup.
== CONFIGURATION
The configuration file is in `/etc/hashboot.conf`.
=== Possible options
[frame="none",grid="none"]
|============
|SAVEDIR | The checksums and the backup are stored here.
|CKMODES | 001=mbr, 010=files, 100=bios.
|MBR_DEVICE | Device with the MBR on it.
|PROGRAMMER | Use this programmer instead of "internal". Will be passed to flashrom.
|============
== REPORTING BUGS
Bugtracker: https://github.com/tastytea/hashboot/issues

12
hooks/pacman.hook Normal file
View File

@ -0,0 +1,12 @@
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *
[Action]
Description = Regenerating hashboot checksums...
When = PostTransaction
Exec = /usr/bin/hashboot index
Depends = hashboot

39
init/openrc Executable file
View File

@ -0,0 +1,39 @@
#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="Check integrity of files in /boot"
depend()
{
need localmount
before xdm
}
start()
{
ebegin "Checking integrity of files in /boot"
# See if hashboot is accessible
which hashboot > /dev/null || return 255
hashboot check
ret=$?
# If return code is 1-3 or 10-13
if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
echo -n "Recover files? [y/N] "
read -r yesno
if [ "${yesno}" == "y" ]; then
hashboot recover
fi
echo "Dropping to shell. Type exit to continue."
sh
return ${ret}
elif [ ${ret} != 0 ]; then
eerror "Unexpected error number ${ret}."
return ${ret}
fi
eend 0
}

56
init/sysv Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
### BEGIN INIT INFO
# Provides: hashboot
# Required-Start: $mountall
# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description: Check integrity of files in /boot
### END INIT INFO
#PATH=/sbin:/bin:/usr/bin:/usr
# See if hashboot is accessible
test -x $(which hashboot) || exit 255
case "$1" in
start)
log_daemon_msg "Checking integrity of files in /boot"
hashboot check
ret=$?
if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
log_end_msg ${ret}
echo -n "Recover files? [y/N] "
read -r yesno
if [ "${yesno}" == "y" ]; then
hashboot recover
fi
echo "Dropping to shell. Type exit to continue."
sh
exit ${ret}
elif [ ${ret} != 0 ]; then
log_end_msg ${ret}
eerror "Unexpected error number ${ret}."
exit ${ret}
fi
log_end_msg 0
;;
stop)
# No-op
;;
restart|reload|force-reload|status)
echo "Error: argument '$1' not supported" >&2
exit 1
;;
*)
echo "Usage: /etc/init.d/hashboot {start|stop}"
exit 1
;;
esac
exit 0

View File

@ -1,37 +0,0 @@
#!/sbin/openrc-run
description="Check integrity of files in /boot"
depend()
{
need localmount
before xdm
}
start()
{
ebegin "Checking integrity of files in /boot"
# See if hashboot is accessible
which hashboot > /dev/null || return 255
hashboot check
if [ $? -gt 0 ] && [ $? -le 3 ]
then
echo -n "Recover files? [y/N] "
read -r yesno
if [ "${yesno}" == "y" ]
then
hashboot recover
fi
echo "Dropping to shell. Type exit to continue."
sh
return 3
elif [ $? != 0 ]
then
return $?
fi
eend 0
}

View File

@ -1,58 +0,0 @@
#!/bin/bash
### BEGIN INIT INFO
# Provides: hashboot
# Required-Start: $mountall
# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description: Check integrity of files in /boot
### END INIT INFO
#PATH=/sbin:/bin:/usr/bin:/usr
# See if hashboot is accessible
test -x $(which hashboot) || exit 255
case "$1" in
start)
log_daemon_msg "Checking integrity of files in /boot"
hashboot check
if [ $? -gt 0 ] && [ $? -le 3 ]
then
log_end_msg 4
echo -n "Recover files? [y/N] "
read -r yesno
if [ "${yesno}" == "y" ]
then
hashboot recover
fi
echo "Dropping to shell. Type exit to continue."
sh
exit 3
elif [ $? != 0 ]
then
log_end_msg $?
exit $?
fi
log_end_msg 0
;;
stop)
# No-op
;;
restart|reload|force-reload|status)
echo "Error: argument '$1' not supported" >&2
exit 1
;;
*)
echo "Usage: /etc/init.d/hashboot {start|stop}"
exit 1
;;
esac
exit 0