mirror of https://schlomp.space/tastytea/hashboot
Compare commits
No commits in common. "master" and "0.9.7" have entirely different histories.
119
.drone.yml
119
.drone.yml
|
@ -1,119 +0,0 @@
|
|||
kind: pipeline
|
||||
name: check
|
||||
|
||||
volumes:
|
||||
- name: debian-package-cache
|
||||
host:
|
||||
path: /var/cache/debian-package-cache
|
||||
|
||||
trigger:
|
||||
event:
|
||||
exclude:
|
||||
- tag
|
||||
|
||||
steps:
|
||||
- name: shellcheck
|
||||
image: debian:stretch-slim
|
||||
pull: always
|
||||
commands:
|
||||
- rm /etc/apt/apt.conf.d/docker-clean
|
||||
- rm /var/cache/apt/archives/lock
|
||||
- echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
|
||||
- echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
|
||||
- apt-get update -q
|
||||
- apt-get install -qy -t buster shellcheck
|
||||
- shellcheck hashboot
|
||||
volumes:
|
||||
- name: debian-package-cache
|
||||
path: /var/cache/apt/archives
|
||||
|
||||
- name: notify
|
||||
image: drillster/drone-email
|
||||
pull: always
|
||||
settings:
|
||||
host: cryptoparty-celle.de
|
||||
from: drone@tzend.de
|
||||
username:
|
||||
from_secret: email_username
|
||||
password:
|
||||
from_secret: email_password
|
||||
when:
|
||||
status: [ changed, failure ]
|
||||
|
||||
---
|
||||
|
||||
kind: pipeline
|
||||
name: release
|
||||
|
||||
volumes:
|
||||
- name: debian-package-cache
|
||||
host:
|
||||
path: /var/cache/debian-package-cache
|
||||
- name: gpg-key
|
||||
host:
|
||||
path: /home/tastytea/misc/autosign_gpg.key
|
||||
|
||||
trigger:
|
||||
event:
|
||||
- tag
|
||||
|
||||
steps:
|
||||
- name: download tar.gz
|
||||
image: plugins/download
|
||||
settings:
|
||||
source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.tar.gz
|
||||
destination: hashboot-${DRONE_TAG}.tar.gz
|
||||
|
||||
- name: download zip
|
||||
image: plugins/download
|
||||
settings:
|
||||
source: https://schlomp.space/tastytea/hashboot/archive/${DRONE_TAG}.zip
|
||||
destination: hashboot-${DRONE_TAG}.zip
|
||||
|
||||
- name: signature
|
||||
image: debian:stretch-slim
|
||||
pull: always
|
||||
commands:
|
||||
- rm /etc/apt/apt.conf.d/docker-clean
|
||||
- rm -f /var/cache/apt/archives/lock
|
||||
- apt-get update -q
|
||||
- apt-get install -qy gnupg
|
||||
- gpg --import /var/autosign_gpg.key
|
||||
- gpg --verbose --detach-sign *.tar.gz
|
||||
- gpg --verbose --detach-sign *.zip
|
||||
volumes:
|
||||
- name: debian-package-cache
|
||||
path: /var/cache/apt/archives
|
||||
- name: gpg-key
|
||||
path: /var/autosign_gpg.key
|
||||
|
||||
- name: release
|
||||
image: plugins/gitea-release
|
||||
pull: always
|
||||
settings:
|
||||
base_url: https://schlomp.space
|
||||
api_key:
|
||||
from_secret: gitea_token
|
||||
title: ${DRONE_TAG}
|
||||
prerelease: true
|
||||
files:
|
||||
- hashboot-${DRONE_TAG}.tar.gz
|
||||
- hashboot-${DRONE_TAG}.tar.gz.sig
|
||||
- hashboot-${DRONE_TAG}.zip
|
||||
- hashboot-${DRONE_TAG}.zip.sig
|
||||
checksum:
|
||||
- sha256
|
||||
- sha512
|
||||
|
||||
- name: notify
|
||||
image: drillster/drone-email
|
||||
pull: always
|
||||
settings:
|
||||
host: cryptoparty-celle.de
|
||||
from: drone@tzend.de
|
||||
username:
|
||||
from_secret: email_username
|
||||
password:
|
||||
from_secret: email_password
|
||||
when:
|
||||
status: [ changed, failure ]
|
|
@ -1 +0,0 @@
|
|||
/hashboot.1
|
8
LICENSE
8
LICENSE
|
@ -1,4 +1,4 @@
|
|||
"THE HUG-WARE LICENSE" (Revision 2):
|
||||
teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
|
||||
As long as you retain this notice you can do whatever you want with this.
|
||||
If we meet some day, and you think this is nice, you can give us a hug.
|
||||
"THE HUG-WARE LICENSE" (Revision 1):
|
||||
xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long
|
||||
as you retain this notice you can do whatever you want with this stuff. If we
|
||||
meet some day, and you think this stuff is worth it, you can give us a hug.
|
||||
|
|
73
README.md
73
README.md
|
@ -1,76 +1,31 @@
|
|||
**hashboot** hashes all files in `/boot` and the MBR to check them during early
|
||||
boot. It is intended for when you have encrypted the root partition but not the
|
||||
boot partition. The checksums and a backup of the contents of `/boot` are stored
|
||||
in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
|
||||
option to restore the file from backup.
|
||||
|
||||
If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
|
||||
installed, **hashboot** can check the BIOS for modifications too.
|
||||
|
||||
We moved our code to
|
||||
[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
|
||||
[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
|
||||
**hashboot** hashes all files in `/boot` to check them during early boot. It is
|
||||
intended for when you have encrypted the root partition but not the boot
|
||||
partition. The checksums and a backup of the contents of `/boot` are stored in
|
||||
`/var/lib/hashboot` by default. If a checksum doesn't match, you have the option
|
||||
to restore the file from backup.
|
||||
|
||||
# Install
|
||||
|
||||
## Packages
|
||||
|
||||
### Void Linux
|
||||
|
||||
``` shell
|
||||
xbps-install -S hashboot
|
||||
```
|
||||
|
||||
### Gentoo Linux
|
||||
|
||||
Ebuilds are available via the
|
||||
[tastytea repository](https://schlomp.space/tastytea/overlay).
|
||||
|
||||
``` shell
|
||||
emerge -a sys-apps/hashboot
|
||||
rc-update add hashboot boot
|
||||
```
|
||||
|
||||
### Arch Linux
|
||||
|
||||
Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
|
||||
|
||||
## Manual
|
||||
|
||||
### Any distro
|
||||
|
||||
The releases on
|
||||
[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
|
||||
PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
|
||||
(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
|
||||
autosign@tastytea.de`.
|
||||
|
||||
* Make hashboot executable
|
||||
* Place hashboot anywhere in ${PATH}
|
||||
* Place hashboot anywhere in $PATH
|
||||
* Install the appropriate init script
|
||||
* If applicable, copy `hooks/kernel-postinst` to /etc/kernel/post{inst,rm}.d/zzz-hashboot
|
||||
(make sure it is called after all other hooks)
|
||||
* To generate the manpage, install [asciidoc](http://asciidoc.org/) and run
|
||||
`build_manpage.sh`.
|
||||
* If applicable, copy kernel-hook to /etc/kernel/post{inst,rm}.d/zzz-hashboot (make sure it is called after all other hooks)
|
||||
|
||||
# Usage
|
||||
|
||||
* First run creates a configuration file. Select the desired checkroutines
|
||||
* Run `hashboot index` to generate checksums and a backup for /boot and MBR
|
||||
* Run `hashboot check` to check /boot and MBR
|
||||
* Run `hashboot recover` to replace corrupted files with the backup
|
||||
* Run "hashboot index" to generate checksums and a backup for /boot and MBR
|
||||
* Run "hashboot check" to check /boot and MBR
|
||||
* Run "hashboot recover" to replace corrupted files with the backup
|
||||
|
||||
# Notes
|
||||
|
||||
* You can't use the openrc/sysv init scripts with parallel boot.
|
||||
* The systemd and SysVinit init scripts have not been tested in a while, but
|
||||
will probably work.
|
||||
|
||||
# License
|
||||
|
||||
```PLAIN
|
||||
"THE HUG-WARE LICENSE" (Revision 2):
|
||||
teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this.
|
||||
As long as you retain this notice you can do whatever you want with this.
|
||||
If we meet some day, and you think this is nice, you can give us a hug.
|
||||
"THE HUG-WARE LICENSE" (Revision 1):
|
||||
xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long
|
||||
as you retain this notice you can do whatever you want with this stuff. If we
|
||||
meet some day, and you think this stuff is worth it, you can give us a hug.
|
||||
```
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ -f "hashboot.1.adoc" ]; then
|
||||
name="hashboot"
|
||||
version="$(grep VERSION hashboot | head -n1 | cut -d\" -f2)"
|
||||
dir="$(dirname ${0})"
|
||||
|
||||
sed -Ei "s/(Revision: +)[0-9]+\.[0-9]+\.[0-9]+/\1${version}/" ${name}.1.adoc
|
||||
a2x --doctype manpage --format manpage --no-xmllint ${name}.1.adoc
|
||||
else
|
||||
echo "hashboot.1.adoc not found." >&2
|
||||
fi
|
183
hashboot
183
hashboot
|
@ -5,23 +5,20 @@
|
|||
#7 = write error, 8 = dd error, 9 = file not found
|
||||
#10 = bios mismatch, 11 == mbr&bios mismatch, 12 = files&bios mismatch
|
||||
#13 = mbr&bios&files mismatch
|
||||
###############################################################################
|
||||
# "THE HUG-WARE LICENSE" (Revision 2): #
|
||||
# teldra <teldra@rotce.de> and tastytea <tastytea@tastytea.de> wrote this. #
|
||||
# As Long as you retain this notice you can do whatever you want with this. #
|
||||
# If we meet some day, and you think this is nice, you can give us a hug. #
|
||||
###############################################################################
|
||||
###################################################################################
|
||||
# "THE HUG-WARE LICENSE" (Revision 1): #
|
||||
# xo <xo@rotce.de> and tastytea <tastytea@tastytea.de> wrote these files. As long #
|
||||
# as you retain this notice you can do whatever you want with this stuff. If we #
|
||||
# meet some day, and you think this stuff is worth it, you can give us a hug. #
|
||||
###################################################################################
|
||||
|
||||
# Disable warnings about $?.
|
||||
# shellcheck disable=SC2181
|
||||
|
||||
VERSION="0.9.14"
|
||||
VERSION="0.9.7"
|
||||
PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
|
||||
DIGEST_FILE=""
|
||||
BACKUP_FILE=""
|
||||
SAVEDIR=""
|
||||
DIGEST_FILE_TMP="/tmp/hashboot.digesttmp"
|
||||
LOG_FILE="/var/log/hashboot.log"
|
||||
LOG_FILE="/tmp/hashboot.log"
|
||||
MBR_DEVICE="/dev/sda"
|
||||
MBR_SIZE=1024
|
||||
MBR_TMP="/tmp/mbr"
|
||||
|
@ -31,7 +28,7 @@ BOOT_MOUNTED=0
|
|||
CONFIG_FILE="/etc/hashboot.cfg"
|
||||
COUNTER=0
|
||||
DD_STATUS="none"
|
||||
PROGRAMMER=${PROGRAMMER:=internal}
|
||||
PROGRAMMER="no" #standard change enables bios mode
|
||||
#bitmask:
|
||||
# 001=mbr
|
||||
# 010=files
|
||||
|
@ -46,36 +43,33 @@ die ()
|
|||
umount /boot
|
||||
fi
|
||||
|
||||
# Delete temporary files
|
||||
rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
|
||||
|
||||
[ -z "${2}" ] || echo "${2}" >&2
|
||||
exit "${1}"
|
||||
exit ${1}
|
||||
}
|
||||
|
||||
write_hashes ()
|
||||
{
|
||||
local file="${1}"
|
||||
#Write header to ${file}
|
||||
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
|
||||
#Write header to ${1}
|
||||
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1}
|
||||
|
||||
if [ $((CKMODES & 001)) -ne 0 ]; then
|
||||
if [ $((${CKMODES} & 001)) -ne 0 ]; then
|
||||
#copy mbr to file
|
||||
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
|
||||
#Write hash of MBR to ${file}
|
||||
${HASHER} ${MBR_TMP} >> "${file}"
|
||||
#Write hash of MBR to ${1}
|
||||
${HASHER} ${MBR_TMP} >> ${1}
|
||||
fi
|
||||
if [ $((CKMODES & 010)) -ne 0 ]; then
|
||||
#Write hashes of all regular files to ${file}
|
||||
# shellcheck disable=SC2227
|
||||
find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
|
||||
if [ $((${CKMODES} & 010)) -ne 0 ]; then
|
||||
#Write hashes of all regular files to ${1}
|
||||
find /boot -type f -exec ${HASHER} --binary {} >> ${1} +
|
||||
fi
|
||||
if [ $((CKMODES & 100)) -ne 0 ]; then
|
||||
#read bios to file
|
||||
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
||||
#and write hashes of bios files to ${file}
|
||||
${HASHER} ${BIOS_TMP} >> "${file}"
|
||||
|
||||
if [ $((${CKMODES} & 100)) != 0 ]; then
|
||||
#if we set an programmer chip in config
|
||||
if [ ! "${PROGRAMMER}" == "no" ]; then
|
||||
#read bios to file
|
||||
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
||||
#and write hashes of bios files to ${1}
|
||||
${HASHER} ${BIOS_TMP} >> ${1}
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -94,9 +88,7 @@ then
|
|||
fi
|
||||
|
||||
# Debian < 8 check
|
||||
if command -v lsb_release > /dev/null \
|
||||
&& [ "$(lsb_release -si)" == "Debian" ] \
|
||||
&& [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
|
||||
if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ]
|
||||
then
|
||||
DD_STATUS="noxfer"
|
||||
fi
|
||||
|
@ -104,10 +96,9 @@ fi
|
|||
#Look for config file and set ${MBR_DEVICE}.
|
||||
if [ -f ${CONFIG_FILE} ]
|
||||
then
|
||||
# shellcheck source=/dev/null
|
||||
source ${CONFIG_FILE} || die 9 "Error reading config file"
|
||||
#compatibility to old cfg format
|
||||
if [ -n "${BACKUP_FILE}" ]; then
|
||||
if [ ! -z "${BACKUP_FILE}" ]; then
|
||||
SAVEDIR="/var/lib/hashboot"
|
||||
echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
|
||||
mkdir -p ${SAVEDIR}
|
||||
|
@ -118,7 +109,6 @@ then
|
|||
sed -i '/BACKUP_FILE/d' ${CONFIG_FILE}
|
||||
echo "The backup und the digests have been moved to ${SAVEDIR}"
|
||||
fi
|
||||
# here we extrapolate paths from savedir.
|
||||
DIGEST_FILE="${SAVEDIR}/hashboot.digest"
|
||||
BACKUP_FILE="${SAVEDIR}/boot-backup.tar"
|
||||
#If not found, create one and ask for ${MBR_DEVICE}
|
||||
|
@ -126,47 +116,59 @@ else
|
|||
#Create ${CONFIG_FILE} with defaults if noninterctive
|
||||
if [ -t "0" ]
|
||||
then
|
||||
echo -n "Which device contains the MBR? [/dev/sda] "
|
||||
read -r MBR_DEVICE
|
||||
[ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
|
||||
echo "#Device with the MBR on it" > ${CONFIG_FILE}
|
||||
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
|
||||
|
||||
echo -n "Where should backup file and digestfile be stored? [/var/lib/hashboot] "
|
||||
read -r SAVEDIR
|
||||
[ -z "${SAVEDIR}" ] && SAVEDIR="/var/lib/hashboot"
|
||||
echo "#Where the Backup files are stored" > ${CONFIG_FILE}
|
||||
echo "#Where the Backup files are stored" >> ${CONFIG_FILE}
|
||||
echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
|
||||
DIGEST_FILE="${SAVEDIR}/hashboot.digest"
|
||||
BACKUP_FILE="${SAVEDIR}/boot-backup.tar"
|
||||
mkdir -p ${SAVEDIR}
|
||||
|
||||
echo -n "Include BIOS check? (y/n)"
|
||||
read prompt
|
||||
while ! [[ $prompt == "y" || $prompt == "Y" || $prompt == "n" || $prompt == "N" ]]; do
|
||||
read prompt
|
||||
done
|
||||
if [[ "${prompt}" == "y" || "${prompt}" == "Y" ]]; then
|
||||
if which flashrom; then
|
||||
flashrom
|
||||
echo -n "Which programmer? (eg. internal) "
|
||||
read p
|
||||
echo "PROGRAMMER=${p}" >> ${CONFIG_FILE}
|
||||
else
|
||||
echo "No flashrom found. You need to install it."
|
||||
echo "PROGRAMMER=${PROGRAMMER}" >> ${CONFIG_FILE}
|
||||
fi
|
||||
else
|
||||
echo "PROGRAMMER=no" >> ${CONFIG_FILE}
|
||||
fi
|
||||
echo "What do we check?"
|
||||
echo "001=mbr"
|
||||
echo "010=files"
|
||||
echo "100=core-/libreboot bios"
|
||||
echo "100=bios"
|
||||
echo "eg. 101 for mbr and bios: "
|
||||
read -r CKMODES
|
||||
echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
|
||||
read CKMODES
|
||||
echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
|
||||
|
||||
if [ $((CKMODES & 001)) -ne 0 ]; then
|
||||
echo -n "Which device contains the MBR? [/dev/sda] "
|
||||
read -r MBR_DEVICE
|
||||
[ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
|
||||
echo "#Device with the MBR on it" >> ${CONFIG_FILE}
|
||||
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
|
||||
fi
|
||||
|
||||
if [ $((CKMODES & 100)) -ne 0 ]; then
|
||||
if ! command -v flashrom > /dev/null; then
|
||||
echo "You need to have flashrom installed!"
|
||||
echo "Currently it is not installed, don't reboot"
|
||||
echo "If you need another programmer than internal"
|
||||
echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
die 9 "No config file found. Run hashboot interactively to generate one."
|
||||
echo "#Device with the MBR on it" > ${CONFIG_FILE}
|
||||
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
|
||||
echo "#Where the Backup files are stored" >> ${CONFIG_FILE}
|
||||
echo "BACKUP_FILE=${BACKUP_FILE}" >> ${CONFIG_FILE}
|
||||
echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
|
||||
echo "PROGRAMMER=${PROGRAMMER}" >> ${CONFIG_FILE}
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $((CKMODES & 001)) -ne 0 ]; then
|
||||
if [ "${2}" > "1" ]; then
|
||||
CKMODES=${2}
|
||||
fi
|
||||
|
||||
if [ $((${CKMODES} & 001)) -ne 0 ]; then
|
||||
# Find out where the first partition starts and set ${MBR_SIZE} in KiB
|
||||
sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
|
||||
if [ "${sectorsize}" == "=" ] # Older versions of util-linux
|
||||
|
@ -179,7 +181,7 @@ if [ $((CKMODES & 001)) -ne 0 ]; then
|
|||
startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
|
||||
fi
|
||||
|
||||
MBR_SIZE=$((sectorsize * startsector / 1024))
|
||||
MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024)
|
||||
|
||||
if [ ${?} != 0 ]
|
||||
then
|
||||
|
@ -191,10 +193,10 @@ fi
|
|||
if [ "${1}" == "index" ]
|
||||
then
|
||||
#Try different hashers, use the most secure
|
||||
HASHER=$(command -v sha512sum)
|
||||
test -z "${HASHER}" && HASHER=$(command -v sha384sum)
|
||||
test -z "${HASHER}" && HASHER=$(command -v sha256sum)
|
||||
test -z "${HASHER}" && HASHER=$(command -v sha224sum)
|
||||
HASHER=$(/usr/bin/which sha512sum 2> /dev/null)
|
||||
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null)
|
||||
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null)
|
||||
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null)
|
||||
#If we found no hasher: exit
|
||||
[ -z "${HASHER}" ] && die 5 "No hash calculator found"
|
||||
|
||||
|
@ -213,25 +215,18 @@ then
|
|||
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
|
||||
do
|
||||
#delete from tar
|
||||
tar --delete -v -P -f ${BACKUP_FILE} "${file}"
|
||||
tar --delete -v -P -f $BACKUP_FILE $file
|
||||
done
|
||||
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
|
||||
do
|
||||
tar -r -v -P -f $BACKUP_FILE "${file}"
|
||||
tar -r -v -P -f $BACKUP_FILE $file
|
||||
done
|
||||
fi
|
||||
#nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
|
||||
mv ${DIGEST_FILE_TMP} ${DIGEST_FILE}
|
||||
else
|
||||
write_hashes $DIGEST_FILE
|
||||
INCLUDE_FILES=""
|
||||
if [ -f "${MBR_TMP}" ]; then
|
||||
INCLUDE_FILES="${INCLUDE_FILES} ${MBR_TMP}"
|
||||
fi
|
||||
if [ -f "${BIOS_TMP}" ]; then
|
||||
INCLUDE_FILES="${BIOS_TMP}"
|
||||
fi
|
||||
tar -cpPf "${BACKUP_FILE}" ${INCLUDE_FILES} /boot ${DIGEST_FILE} || die 7 "Error writing ${BACKUP_FILE}"
|
||||
tar -cpPf ${BACKUP_FILE} ${BIOS} ${MBR_TMP} /boot ${DIGEST_FILE} || die 7 "Error writing ${BACKUP_FILE}"
|
||||
echo "Backup written to ${BACKUP_FILE}"
|
||||
fi
|
||||
|
||||
|
@ -239,33 +234,34 @@ elif [ "${1}" == "check" ]
|
|||
then
|
||||
[ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
|
||||
HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
|
||||
if [ $((CKMODES & 001)) != 0 ]; then
|
||||
if [ $((${CKMODES} & 001)) != 0 ]; then
|
||||
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
|
||||
grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
|
||||
if [ "${PIPESTATUS[2]}" -ne 0 ]
|
||||
if [ ${PIPESTATUS[2]} -ne 0 ]
|
||||
then
|
||||
echo " !! TIME TO PANIK: MBR WAS MODIFIED !!"
|
||||
COUNTER=$((COUNTER + 1))
|
||||
fi
|
||||
fi
|
||||
if [ $((CKMODES & 010)) -ne 0 ]; then
|
||||
if [ $((${CKMODES} & 010)) -ne 0 ]; then
|
||||
grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
||||
if [ "${PIPESTATUS[2]}" -ne 0 ]
|
||||
if [ ${PIPESTATUS[2]} -ne 0 ]
|
||||
then
|
||||
echo " !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
|
||||
COUNTER=$((COUNTER + 2))
|
||||
fi
|
||||
fi
|
||||
if [ $((CKMODES & 100)) -ne 0 ]; then
|
||||
if [ $((${CKMODES} & 100)) -ne 0 ]; then
|
||||
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
||||
#if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
|
||||
grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
||||
if [ "${PIPESTATUS[2]}" -ne 0 ]
|
||||
then
|
||||
echo " !! TIME TO PANIK: BIOS WAS MODIFIED !!"
|
||||
COUNTER=$((COUNTER + 10))
|
||||
if [ ! ${PROGRAMMER} == "no" ]; then
|
||||
grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
||||
if [ ${PIPESTATUS[2]} -ne 0 ]
|
||||
then
|
||||
echo " !! TIME TO PANIK: BIOS WAS MODIFIED !!"
|
||||
COUNTER=$((COUNTER + 10))
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if [ ${COUNTER} -gt 0 ]; then
|
||||
|
@ -276,16 +272,15 @@ then
|
|||
echo "Restoring files from backup... (type yes or no for each file)"
|
||||
|
||||
#For each failed file: ask if it should be recovered from backup
|
||||
# shellcheck disable=2013
|
||||
for file in $(cut -d: -f1 ${LOG_FILE})
|
||||
do
|
||||
tar -xpPvwf ${BACKUP_FILE} "${file}"
|
||||
[ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
|
||||
tar -xpPvwf ${BACKUP_FILE} ${file}
|
||||
[ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
|
||||
#If the MBR is to be recovered, copy to ${MBR_DEVICE}
|
||||
if [ "${file}" == ${MBR_TMP} ]
|
||||
then
|
||||
cp ${MBR_TMP} ${MBR_DEVICE}
|
||||
[ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
|
||||
[ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
|
||||
fi
|
||||
done
|
||||
else
|
||||
|
|
|
@ -1,56 +0,0 @@
|
|||
= hashboot(1)
|
||||
tastytea <tastytea@tastytea.de>; teldra <teldra@rotce.de>
|
||||
:Date: 2019-04-12
|
||||
:Revision: 0.9.8
|
||||
:man source: hashboot
|
||||
:man version: {revision}
|
||||
:man manual: General Commands Manual
|
||||
|
||||
== NAME
|
||||
|
||||
hashboot - generate checksums and a backup for /boot, MBR and BIOS.
|
||||
|
||||
== SYNOPSIS
|
||||
|
||||
*hashboot* _index_|_check_|_recover_
|
||||
|
||||
== DESCRIPTION
|
||||
|
||||
hashboot hashes all files in `/boot` and the MBR to check them during early
|
||||
boot. It is intended for when you have encrypted the root partition but not the
|
||||
boot partition. The checksums and a backup of the contents of `/boot` are stored
|
||||
in `/var/lib/hashboot` by default. If a checksum doesn't match, you have the
|
||||
option to restore the file from backup.
|
||||
|
||||
If there is a core- or libreboot bios and flashrom installed, hashboot can
|
||||
check bios for modifications too.
|
||||
|
||||
== OPTIONS
|
||||
|
||||
*index*::
|
||||
generate checksums and a backup for `/boot`, MBR and BIOS.
|
||||
|
||||
*check*::
|
||||
check `/boot`, MBR and BIOS.
|
||||
|
||||
*recover*::
|
||||
replace corrupted files with the backup.
|
||||
|
||||
== CONFIGURATION
|
||||
|
||||
The configuration file is in `/etc/hashboot.conf`.
|
||||
|
||||
=== Possible options
|
||||
|
||||
[frame="none",grid="none"]
|
||||
|============
|
||||
|SAVEDIR | The checksums and the backup are stored here.
|
||||
|CKMODES | 001=mbr, 010=files, 100=bios.
|
||||
|MBR_DEVICE | Device with the MBR on it.
|
||||
|PROGRAMMER | Use this programmer instead of "internal". Will be passed to flashrom.
|
||||
|============
|
||||
|
||||
|
||||
== REPORTING BUGS
|
||||
|
||||
Bugtracker: https://github.com/tastytea/hashboot/issues
|
|
@ -1,12 +0,0 @@
|
|||
[Trigger]
|
||||
Operation = Install
|
||||
Operation = Upgrade
|
||||
Operation = Remove
|
||||
Type = Package
|
||||
Target = *
|
||||
|
||||
[Action]
|
||||
Description = Regenerating hashboot checksums...
|
||||
When = PostTransaction
|
||||
Exec = /usr/bin/hashboot index
|
||||
Depends = hashboot
|
39
init/openrc
39
init/openrc
|
@ -1,39 +0,0 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2019 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
description="Check integrity of files in /boot"
|
||||
|
||||
depend()
|
||||
{
|
||||
need localmount
|
||||
before xdm
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
ebegin "Checking integrity of files in /boot"
|
||||
|
||||
# See if hashboot is accessible
|
||||
which hashboot > /dev/null || return 255
|
||||
|
||||
hashboot check
|
||||
ret=$?
|
||||
# If return code is 1-3 or 10-13
|
||||
if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
|
||||
echo -n "Recover files? [y/N] "
|
||||
read -r yesno
|
||||
if [ "${yesno}" == "y" ]; then
|
||||
hashboot recover
|
||||
fi
|
||||
|
||||
echo "Dropping to shell. Type exit to continue."
|
||||
sh
|
||||
return ${ret}
|
||||
elif [ ${ret} != 0 ]; then
|
||||
eerror "Unexpected error number ${ret}."
|
||||
return ${ret}
|
||||
fi
|
||||
|
||||
eend 0
|
||||
}
|
56
init/sysv
56
init/sysv
|
@ -1,56 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: hashboot
|
||||
# Required-Start: $mountall
|
||||
# Required-Stop:
|
||||
# Default-Start: S
|
||||
# Default-Stop:
|
||||
# Short-Description: Check integrity of files in /boot
|
||||
### END INIT INFO
|
||||
|
||||
#PATH=/sbin:/bin:/usr/bin:/usr
|
||||
|
||||
# See if hashboot is accessible
|
||||
test -x $(which hashboot) || exit 255
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
log_daemon_msg "Checking integrity of files in /boot"
|
||||
|
||||
hashboot check
|
||||
ret=$?
|
||||
if [ ${ret} -ge 1 ] && [ ${ret} -le 3 ] || [ ${ret} -ge 10 ] && [ ${ret} -le 13 ]; then
|
||||
log_end_msg ${ret}
|
||||
|
||||
echo -n "Recover files? [y/N] "
|
||||
read -r yesno
|
||||
if [ "${yesno}" == "y" ]; then
|
||||
hashboot recover
|
||||
fi
|
||||
|
||||
echo "Dropping to shell. Type exit to continue."
|
||||
sh
|
||||
exit ${ret}
|
||||
elif [ ${ret} != 0 ]; then
|
||||
log_end_msg ${ret}
|
||||
eerror "Unexpected error number ${ret}."
|
||||
exit ${ret}
|
||||
fi
|
||||
|
||||
log_end_msg 0
|
||||
;;
|
||||
stop)
|
||||
# No-op
|
||||
;;
|
||||
restart|reload|force-reload|status)
|
||||
echo "Error: argument '$1' not supported" >&2
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/hashboot {start|stop}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,37 @@
|
|||
#!/sbin/openrc-run
|
||||
|
||||
description="Check integrity of files in /boot"
|
||||
|
||||
depend()
|
||||
{
|
||||
need localmount
|
||||
before xdm
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
ebegin "Checking integrity of files in /boot"
|
||||
|
||||
# See if hashboot is accessible
|
||||
which hashboot > /dev/null || return 255
|
||||
|
||||
hashboot check
|
||||
if [ $? -gt 0 ] && [ $? -le 3 ]
|
||||
then
|
||||
echo -n "Recover files? [y/N] "
|
||||
read -r yesno
|
||||
if [ "${yesno}" == "y" ]
|
||||
then
|
||||
hashboot recover
|
||||
fi
|
||||
|
||||
echo "Dropping to shell. Type exit to continue."
|
||||
sh
|
||||
return 3
|
||||
elif [ $? != 0 ]
|
||||
then
|
||||
return $?
|
||||
fi
|
||||
|
||||
eend 0
|
||||
}
|
|
@ -0,0 +1,58 @@
|
|||
#!/bin/bash
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: hashboot
|
||||
# Required-Start: $mountall
|
||||
# Required-Stop:
|
||||
# Default-Start: S
|
||||
# Default-Stop:
|
||||
# Short-Description: Check integrity of files in /boot
|
||||
### END INIT INFO
|
||||
|
||||
#PATH=/sbin:/bin:/usr/bin:/usr
|
||||
|
||||
# See if hashboot is accessible
|
||||
test -x $(which hashboot) || exit 255
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
log_daemon_msg "Checking integrity of files in /boot"
|
||||
|
||||
hashboot check
|
||||
if [ $? -gt 0 ] && [ $? -le 3 ]
|
||||
then
|
||||
log_end_msg 4
|
||||
|
||||
echo -n "Recover files? [y/N] "
|
||||
read -r yesno
|
||||
if [ "${yesno}" == "y" ]
|
||||
then
|
||||
hashboot recover
|
||||
fi
|
||||
|
||||
echo "Dropping to shell. Type exit to continue."
|
||||
sh
|
||||
exit 3
|
||||
elif [ $? != 0 ]
|
||||
then
|
||||
log_end_msg $?
|
||||
exit $?
|
||||
fi
|
||||
|
||||
log_end_msg 0
|
||||
;;
|
||||
stop)
|
||||
# No-op
|
||||
|
||||
;;
|
||||
restart|reload|force-reload|status)
|
||||
echo "Error: argument '$1' not supported" >&2
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/hashboot {start|stop}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
Loading…
Reference in New Issue