author | dwayne | 2015-06-09 02:09:55 +0300 |
---|---|---|
committer | dwayne | 2015-06-09 02:09:55 +0300 |
commit | f32d6b943ceb730a036a32201511195fe9eb4bf2 (patch) | |
tree | 7889756ac9245f23d383b7c7beb591123b1adea5 | |
download | aur-f32d6b943ceb730a036a32201511195fe9eb4bf2.tar.gz |
initial
-rw-r--r-- | .SRCINFO | 22 | ||||
-rw-r--r-- | PKGBUILD | 29 | ||||
-rw-r--r-- | checkboot-efi.conf | 16 | ||||
-rw-r--r-- | checkboot-efi.hook | 32 | ||||
-rw-r--r-- | checkboot-efi.install | 22 | ||||
-rw-r--r-- | checkboot-efi.install-hook | 19 |
6 files changed, 140 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..f7ff22b6934c
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,22 @@
+pkgbase = checkboot-efi
+ pkgdesc = Verify efi files on boot
+ pkgver = 0.1
+ pkgrel = 1
+ url = https://github.com/dwayne80/checkboot-efi
+ install = checkboot-efi.install
+ arch = any
+ license = GPL
+ depends = bash
+ provides = checkboot-efi
+ backup = etc/checkboot-efi.conf
+ source = checkboot-efi.install
+ source = checkboot-efi.hook
+ source = checkboot-efi.install-hook
+ source = checkboot-efi.conf
+ sha512sums = 5f27cf4a271382c1da5cfd50ad5a8abe0818b990c7c0ff899a09ee751d55f28c5d028a0b1a7fb54e022e3ba5bc61a5b46ad87a27e510764fabc4ad8a5f9e67ca
+ sha512sums = f50eec33926fb0661fb51ec3b6d96fb2a83251ebb9cc1220d45c64d9114a97fcd693ac04f203b191d208a04767275c656f20c1c34d0fca3aacbf629eea2242c4
+ sha512sums = d55428b009b733a2ff40f0d85dab404812cd50ab2a9471337398c2780da5669ba52878ed9b2de50d0134b4f014e4dbc0e75ce2aa28dda9560ca0d1375c94fc91
+ sha512sums = 9df6b4906d32b635c789bb2e0665351977be510d5605889d6ec59ec04ba6abf407a3f762f9bf9ee215185a08cfc1478aa9918802010a505b43e424c23bbd8979
+
+pkgname = checkboot-efi
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..ffb81421ec21
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,29 @@
+# Maintainer: dwayne
+pkgname=checkboot-efi
+pkgver=0.1
+pkgrel=1
+pkgdesc="Verify efi files on boot"
+arch=('any')
+license=('GPL')
+depends=('bash')
+makedepends=()
+url="https://github.com/dwayne80/checkboot-efi"
+checkdepends=()
+optdepends=()
+provides=('checkboot-efi')
+backup=('etc/checkboot-efi.conf')
+install=$pkgname.install
+source=("$pkgname.install"
+ "checkboot-efi.hook"
+ "checkboot-efi.install-hook"
+ "checkboot-efi.conf")
+sha512sums=('5f27cf4a271382c1da5cfd50ad5a8abe0818b990c7c0ff899a09ee751d55f28c5d028a0b1a7fb54e022e3ba5bc61a5b46ad87a27e510764fabc4ad8a5f9e67ca'
+ 'f50eec33926fb0661fb51ec3b6d96fb2a83251ebb9cc1220d45c64d9114a97fcd693ac04f203b191d208a04767275c656f20c1c34d0fca3aacbf629eea2242c4'
+ 'd55428b009b733a2ff40f0d85dab404812cd50ab2a9471337398c2780da5669ba52878ed9b2de50d0134b4f014e4dbc0e75ce2aa28dda9560ca0d1375c94fc91'
+ '9df6b4906d32b635c789bb2e0665351977be510d5605889d6ec59ec04ba6abf407a3f762f9bf9ee215185a08cfc1478aa9918802010a505b43e424c23bbd8979')
+
+package() {
+ install -Dm644 "$srcdir/checkboot-efi.conf" "$pkgdir/etc/checkboot-efi.conf"
+ install -Dm644 "$srcdir/checkboot-efi.hook" "$pkgdir/usr/lib/initcpio/hooks/checkboot-efi"
+ install -Dm644 "$srcdir/checkboot-efi.install-hook" "$pkgdir/usr/lib/initcpio/install/checkboot-efi"
+}
diff --git a/checkboot-efi.conf b/checkboot-efi.conf
new file mode 100644
index 000000000000..db96449c9bbb
--- /dev/null
+++ b/checkboot-efi.conf
@@ -0,0 +1,16 @@
+# configuration file for checkboot-efi
+# don't forget to refresh your initramfs and also create the checksums with:
+# find /boot/efi/EFI/ -type f -iname '*.efi' -exec sha256sum {} \; > /etc/efi.sums
+
+# PARTITION must point to your efi partition
+PARTITION="/dev/md/md0p1"
+
+# MOUNT_PATH must point to where your efi partition is mounted
+MOUNT_PATH="/boot/efi"
+
+# CHECKSUM_TOOL can be any of md5sum, sha1sum, sha256sum or sha512sum
+CHECKSUM_TOOL="sha256sum"
+
+# CHECKSUM_FILE is the file containing the known good checksums
+CHECKSUM_FILE="/etc/efi.sums"
+
diff --git a/checkboot-efi.hook b/checkboot-efi.hook
new file mode 100644
index 000000000000..61c2d092c61c
--- /dev/null
+++ b/checkboot-efi.hook
@@ -0,0 +1,32 @@
+#!/usr/bin/ash
+# generate /etc/efi.sums with: find /boot/efi/EFI/ -type f -iname '*.efi' -exec sha256sum {} \; > /etc/efi.sums
+# dont forget to rebuild the initramfs after updating the checksums
+
+run_hook() {
+if [ -e /etc/checkboot-efi.conf ]; then
+ source /etc/checkboot-efi.conf
+else
+ echo "CHECKBOOT: Unable to load configuration file, giving up.."
+ exit 1
+fi
+modprobe -a -q vfat > /dev/null 2>&1
+mkdir -p ${MOUNT_PATH}
+mount ${PARTITION} ${MOUNT_PATH}
+if [ -e ${CHECKSUM_FILE} ] && [ -e ${MOUNT_PATH}/EFI ]; then
+ cat ${CHECKSUM_FILE} | while read sum file
+ do
+ prev_sum=$(${CHECKSUM_TOOL} $file | awk '{print $1}')
+ if [ "$sum" != "$prev_sum" ]
+ then
+ echo -e "\e[01;33mCHECKBOOT:\e[00m \e[01;41mFailed to verify ${file}!\e[00m"
+ echo -e "\n\e[01;41mOne ore more files failed verification!\nDO NOT ENTER YOUR PASSWORD! \e[00m"
+ exit 1
+ else
+ echo -e "\e[01;33mCHECKBOOT:\e[00m \e[00;32mSuccessfully verified ${file}\e[00m"
+ fi
+ done
+ umount ${MOUNT_PATH}
+else
+ echo -e "\e[00;31mBOOTCHECK:\e[00m \e[01;41m Unable to verify EFI boot integrity. Files unavailable.\e[00m"
+fi
+}
diff --git a/checkboot-efi.install b/checkboot-efi.install
new file mode 100644
index 000000000000..f4f849c9b255
--- /dev/null
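Review bot: The `CHECKSUM_TOOL` comment in checkboot-efi.conf offers `md5sum` and `sha1sum` as acceptable choices for what is a tamper-detection check. Both are collision-broken, and since the default is already `sha256sum` there is no reason to advertise them; I would reword the comment to `# CHECKSUM_TOOL should be sha256sum or sha512sum`. The example `find` command also hard-codes `/boot/efi/EFI/` and `/etc/efi.sums` rather than referring to `MOUNT_PATH` and `CHECKSUM_FILE`, so a user who changes those settings gets an example that no longer matches; a sentence saying so would help.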
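Review bot: A checksum mismatch in `run_hook` does not stop the boot: the `exit 1` inside `cat ${CHECKSUM_FILE} | while read sum file` runs in the pipeline's subshell under ash, so it only ends the loop, after which `umount` runs, `run_hook` returns and the later hooks (including the passphrase prompt) proceed. The same fail-open path exists when `mount` fails or the checksum file is missing, because the `else` branch only prints a warning, and only files listed in the checksum file are examined, so an `.efi` added to the partition goes unnoticed. Feed the loop by redirection, record failures in a variable and act on that variable after the loop; quoting the expansions and using `read -r` also keeps paths with spaces or backslashes intact. What the hook does once a failure is recorded (halt, or require an explicit acknowledgement) is left to the maintainer in the sketch below.

```shell
# … unchanged: config load, modprobe, mkdir …
failed=0
mount "${PARTITION}" "${MOUNT_PATH}" || failed=1
if [ -e "${CHECKSUM_FILE}" ] && [ -e "${MOUNT_PATH}/EFI" ]; then
    while read -r sum file
    do
        prev_sum=$("${CHECKSUM_TOOL}" "$file" | awk '{print $1}')
        if [ "$sum" != "$prev_sum" ]; then
            failed=1
            # … unchanged: "Failed to verify" message, without the exit …
        else
            # … unchanged: "Successfully verified" message …
        fi
    done < "${CHECKSUM_FILE}"
    umount "${MOUNT_PATH}"
else
    failed=1
    # … unchanged: "Files unavailable" message …
fi
if [ "$failed" -ne 0 ]; then
    # stop here or demand acknowledgement; do not fall through to the next hook
```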
+++ b/checkboot-efi.install
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+post_install() {
+ cat<<INSTALLEOF
+ You will need to manually configure and add the hook.
+ Look in /etc/checkboot-efi.conf for more information.
+ Don't forget to create the checksums and update the
+ initramfs. The name of the hook is "checkboot-efi". Add
+ it before the encrypt hook.
+INSTALLEOF
+}
+
+post_remove() {
+ cat<<REMOVEEOF
+ Remove the "checkboot-efi" from the "HOOKS" section in "/etc/mkinitcpio.conf"
+ and rebuild the initramfs.
+REMOVEEOF
+}
+
+post_upgrade() {
+ post_install
+}
diff --git a/checkboot-efi.install-hook b/checkboot-efi.install-hook
new file mode 100644
index 000000000000..7153f535d954
--- /dev/null
+++ b/checkboot-efi.install-hook
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+build() {
+ source /etc/checkboot-efi.conf
+ add_module "vfat"
+ add_file "${CHECKSUM_FILE}"
+ add_file "/etc/checkboot-efi.conf"
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+A hook that will verify the integrity of any efi files in your efi partition.
+This is only useful if both your boot and root partition is encrypted and lacks
+any purpose on non-efi systems.
+
+The hook must be added before the encrypt hook.
+HELPEOF
+}
 |
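Review bot: `build()` in checkboot-efi.install-hook sources `/etc/checkboot-efi.conf` and calls `add_file "${CHECKSUM_FILE}"` without checking that the config is readable, that `CHECKSUM_FILE` is set, or that the sums file exists. If the image is still produced in that state, the runtime hook would presumably take its warning-only "Files unavailable" branch on every boot, so the check is silently disabled. I would fail the build instead, with `[ -r /etc/checkboot-efi.conf ] || return 1` before the `source` and `[ -r "${CHECKSUM_FILE}" ] || return 1` before the first `add_file`, each with a message on stderr. The help text could also state that the sums in the image are a snapshot from build time, so the initramfs must be regenerated whenever the EFI binaries are legitimately updated.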