authordwayne2015-06-09 02:09:55 +0300
committerdwayne2015-06-09 02:09:55 +0300
commitf32d6b943ceb730a036a32201511195fe9eb4bf2 (patch)
tree7889756ac9245f23d383b7c7beb591123b1adea5
downloadaur-f32d6b943ceb730a036a32201511195fe9eb4bf2.tar.gz
initial
-rw-r--r--.SRCINFO22
-rw-r--r--PKGBUILD29
-rw-r--r--checkboot-efi.conf16
-rw-r--r--checkboot-efi.hook32
-rw-r--r--checkboot-efi.install22
-rw-r--r--checkboot-efi.install-hook19
6 files changed, 140 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..f7ff22b6934c
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,22 @@
+pkgbase = checkboot-efi
+ pkgdesc = Verify efi files on boot
+ pkgver = 0.1
+ pkgrel = 1
+ url = https://github.com/dwayne80/checkboot-efi
+ install = checkboot-efi.install
+ arch = any
+ license = GPL
+ depends = bash
+ provides = checkboot-efi
+ backup = etc/checkboot-efi.conf
+ source = checkboot-efi.install
+ source = checkboot-efi.hook
+ source = checkboot-efi.install-hook
+ source = checkboot-efi.conf
+ sha512sums = 5f27cf4a271382c1da5cfd50ad5a8abe0818b990c7c0ff899a09ee751d55f28c5d028a0b1a7fb54e022e3ba5bc61a5b46ad87a27e510764fabc4ad8a5f9e67ca
+ sha512sums = f50eec33926fb0661fb51ec3b6d96fb2a83251ebb9cc1220d45c64d9114a97fcd693ac04f203b191d208a04767275c656f20c1c34d0fca3aacbf629eea2242c4
+ sha512sums = d55428b009b733a2ff40f0d85dab404812cd50ab2a9471337398c2780da5669ba52878ed9b2de50d0134b4f014e4dbc0e75ce2aa28dda9560ca0d1375c94fc91
+ sha512sums = 9df6b4906d32b635c789bb2e0665351977be510d5605889d6ec59ec04ba6abf407a3f762f9bf9ee215185a08cfc1478aa9918802010a505b43e424c23bbd8979
+
+pkgname = checkboot-efi
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..ffb81421ec21
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,29 @@
+# Maintainer: dwayne
+pkgname=checkboot-efi
+pkgver=0.1
+pkgrel=1
+pkgdesc="Verify efi files on boot"
+arch=('any')
+license=('GPL')
+depends=('bash')
+makedepends=()
+url="https://github.com/dwayne80/checkboot-efi"
+checkdepends=()
+optdepends=()
+provides=('checkboot-efi')
+backup=('etc/checkboot-efi.conf')
+install=$pkgname.install
+source=("$pkgname.install"
+ "checkboot-efi.hook"
+ "checkboot-efi.install-hook"
+ "checkboot-efi.conf")
+sha512sums=('5f27cf4a271382c1da5cfd50ad5a8abe0818b990c7c0ff899a09ee751d55f28c5d028a0b1a7fb54e022e3ba5bc61a5b46ad87a27e510764fabc4ad8a5f9e67ca'
+ 'f50eec33926fb0661fb51ec3b6d96fb2a83251ebb9cc1220d45c64d9114a97fcd693ac04f203b191d208a04767275c656f20c1c34d0fca3aacbf629eea2242c4'
+ 'd55428b009b733a2ff40f0d85dab404812cd50ab2a9471337398c2780da5669ba52878ed9b2de50d0134b4f014e4dbc0e75ce2aa28dda9560ca0d1375c94fc91'
+ '9df6b4906d32b635c789bb2e0665351977be510d5605889d6ec59ec04ba6abf407a3f762f9bf9ee215185a08cfc1478aa9918802010a505b43e424c23bbd8979')
+
+package() {
+ install -Dm644 "$srcdir/checkboot-efi.conf" "$pkgdir/etc/checkboot-efi.conf"
+ install -Dm644 "$srcdir/checkboot-efi.hook" "$pkgdir/usr/lib/initcpio/hooks/checkboot-efi"
+ install -Dm644 "$srcdir/checkboot-efi.install-hook" "$pkgdir/usr/lib/initcpio/install/checkboot-efi"
+}
diff --git a/checkboot-efi.conf b/checkboot-efi.conf
new file mode 100644
index 000000000000..db96449c9bbb
--- /dev/null
+++ b/checkboot-efi.conf
@@ -0,0 +1,16 @@
+# configuration file for checkboot-efi
+# don't forget to refresh your initramfs and also create the checksums with:
+# find /boot/efi/EFI/ -type f -iname '*.efi' -exec sha256sum {} \; > /etc/efi.sums
+
+# PARTITION must point to your efi partition
+PARTITION="/dev/md/md0p1"
+
+# MOUNT_PATH must point to where your efi partition is mounted
+MOUNT_PATH="/boot/efi"
+
+# CHECKSUM_TOOL can be any of md5sum, sha1sum, sha256sum or sha512sum
+CHECKSUM_TOOL="sha256sum"
+
+# CHECKSUM_FILE is the file containing the known good checksums
+CHECKSUM_FILE="/etc/efi.sums"
+
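Review bot: The generation command in the header comment hard-codes `sha256sum` and `/boot/efi`, while `CHECKSUM_TOOL` and `MOUNT_PATH` below are configurable; the hook verifies each listed path literally after mounting `PARTITION` at `MOUNT_PATH`, so a user who changes either setting must regenerate the sums with the matching tool and mount point, and the comment does not say so. Suggested addition next to the find command: `# paths in CHECKSUM_FILE must be absolute paths under MOUNT_PATH and must be produced by the same tool named in CHECKSUM_TOOL`. The default `PARTITION="/dev/md/md0p1"` also reads as one machine's device rather than a generic example; marking it as such in the comment, e.g. `# example only, set this to your own EFI system partition`, would save a wrong mount at boot for anyone who installs the file unchanged.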
diff --git a/checkboot-efi.hook b/checkboot-efi.hook
new file mode 100644
index 000000000000..61c2d092c61c
--- /dev/null
+++ b/checkboot-efi.hook
@@ -0,0 +1,32 @@
+#!/usr/bin/ash
+# generate /etc/efi.sums with: find /boot/efi/EFI/ -type f -iname '*.efi' -exec sha256sum {} \; > /etc/efi.sums
+# dont forget to rebuild the initramfs after updating the checksums
+
+run_hook() {
+if [ -e /etc/checkboot-efi.conf ]; then
+ source /etc/checkboot-efi.conf
+else
+ echo "CHECKBOOT: Unable to load configuration file, giving up.."
+ exit 1
+fi
+modprobe -a -q vfat > /dev/null 2>&1
+mkdir -p ${MOUNT_PATH}
+mount ${PARTITION} ${MOUNT_PATH}
+if [ -e ${CHECKSUM_FILE} ] && [ -e ${MOUNT_PATH}/EFI ]; then
+ cat ${CHECKSUM_FILE} | while read sum file
+ do
+ prev_sum=$(${CHECKSUM_TOOL} $file | awk '{print $1}')
+ if [ "$sum" != "$prev_sum" ]
+ then
+ echo -e "\e[01;33mCHECKBOOT:\e[00m \e[01;41mFailed to verify ${file}!\e[00m"
+ echo -e "\n\e[01;41mOne ore more files failed verification!\nDO NOT ENTER YOUR PASSWORD! \e[00m"
+ exit 1
+ else
+ echo -e "\e[01;33mCHECKBOOT:\e[00m \e[00;32mSuccessfully verified ${file}\e[00m"
+ fi
+ done
+ umount ${MOUNT_PATH}
+else
+ echo -e "\e[00;31mBOOTCHECK:\e[00m \e[01;41m Unable to verify EFI boot integrity. Files unavailable.\e[00m"
+fi
+}
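Review bot: The `exit 1` in the failure branch of the `cat ${CHECKSUM_FILE} | while read sum file` loop does not stop run_hook: in ash the loop body is the tail of a pipeline and runs in a subshell, so the exit only ends that subshell, the pipeline's status is discarded, and the function goes on to `umount` and returns as if every file had verified. Feeding the file into the loop with `done < "${CHECKSUM_FILE}"` keeps the loop in the hook's own shell so the exit reaches the caller, and `read -r` plus quoting `"$file"` keeps paths with backslashes or spaces intact. The `else` branch at the bottom is fail-open as well — when the partition or its `EFI` directory is absent a message is printed and boot proceeds; if that is deliberate it deserves a comment, otherwise it should end the same way a checksum mismatch does. It is also worth stating in the header comment that only files listed in the sums file are checked, so a file that is added to the partition but not to the list is never noticed.
```shell
if [ -e "${CHECKSUM_FILE}" ] && [ -e "${MOUNT_PATH}/EFI" ]; then
    # read from the file directly: a `cat | while` pipeline would run the
    # loop in a subshell and swallow the exit below
    while read -r sum file; do
        prev_sum=$(${CHECKSUM_TOOL} "$file" | awk '{print $1}')
        if [ "$sum" != "$prev_sum" ]; then
            # … unchanged: failure messages …
            exit 1
        fi
        # … unchanged: success message …
    done < "${CHECKSUM_FILE}"
    umount "${MOUNT_PATH}"
# … unchanged: else branch …
```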
diff --git a/checkboot-efi.install b/checkboot-efi.install
new file mode 100644
index 000000000000..f4f849c9b255
--- /dev/null
+++ b/checkboot-efi.install
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+post_install() {
+ cat<<INSTALLEOF
+ You will need to manually configure and add the hook.
+ Look in /etc/checkboot-efi.conf for more information.
+ Don't forget to create the checksums and update the
+ initramfs. The name of the hook is "checkboot-efi". Add
+ it before the encrypt hook.
+INSTALLEOF
+}
+
+post_remove() {
+ cat<<REMOVEEOF
+ Remove the "checkboot-efi" from the "HOOKS" section in "/etc/mkinitcpio.conf"
+ and rebuild the initramfs.
+REMOVEEOF
+}
+
+post_upgrade() {
+ post_install
+}
diff --git a/checkboot-efi.install-hook b/checkboot-efi.install-hook
new file mode 100644
index 000000000000..7153f535d954
--- /dev/null
+++ b/checkboot-efi.install-hook
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+build() {
+ source /etc/checkboot-efi.conf
+ add_module "vfat"
+ add_file "${CHECKSUM_FILE}"
+ add_file "/etc/checkboot-efi.conf"
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+A hook that will verify the integrity of any efi files in your efi partition.
+This is only useful if both your boot and root partition is encrypted and lacks
+any purpose on non-efi systems.
+
+The hook must be added before the encrypt hook.
+HELPEOF
+}
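Review bot: `build()` sources `/etc/checkboot-efi.conf` without checking that it exists, so on a system where the file is missing `CHECKSUM_FILE` is empty and the following `add_file "${CHECKSUM_FILE}"` is called with an empty path, producing an image whose hook will then fail at boot instead of a clear error at build time. The same applies when the sums file named by `CHECKSUM_FILE` has not been generated yet, which the install message says is a manual step. Two guards before `add_module` would make the failure visible where it can be fixed: `[ -r /etc/checkboot-efi.conf ] || { printf 'checkboot-efi: /etc/checkboot-efi.conf is missing\n' >&2; return 1; }` and, after sourcing, `[ -r "${CHECKSUM_FILE}" ] || { printf 'checkboot-efi: %s not found, generate it first\n' "${CHECKSUM_FILE}" >&2; return 1; }`. If mkinitcpio's own `error` helper is available in this build context it would be the more conventional way to report this, but I have not confirmed that from these lines.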