author | Giancarlo Razzolini | 2015-06-08 11:56:20 -0300 |
---|---|---|
committer | Giancarlo Razzolini | 2015-06-08 11:56:20 -0300 |
commit | e6df1ea83373cb5ee16e1aa58f06f02607035ec3 (patch) | |
tree | 36ffc0a12e003431441f52e7cb74c2116f8d7373 | |
download | aur-e6df1ea83373cb5ee16e1aa58f06f02607035ec3.tar.gz |
* Initial commit for the migration of mkinitcpio-chkcryptoboot to the new AUR system.
-rw-r--r-- | .SRCINFO | 19 | ||||
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | ChangeLog | 24 | ||||
-rw-r--r-- | PKGBUILD | 22 | ||||
-rw-r--r-- | mkinitcpio-chkcryptoboot.install | 33 |
5 files changed, 101 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..0eba7d0bd887
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,19 @@
+pkgbase = mkinitcpio-chkcryptoboot
+ pkgdesc = This hook checks for a modified bootloader code, in an encrypted boot setup, and warns the user to not enter his root device password
+ pkgver = 0.0.4
+ pkgrel = 1
+ url = https://github.com/grazzolini/mkinitcpio-chkcryptoboot
+ install = mkinitcpio-chkcryptoboot.install
+ changelog = ChangeLog
+ arch = any
+ license = BSD
+ backup = etc/default/chkcryptoboot.conf
+ source = ChangeLog
+ source = mkinitcpio-chkcryptoboot.install
+ source = https://github.com/grazzolini/mkinitcpio-chkcryptoboot/archive/v0.0.4.tar.gz
+ sha512sums = 1732bce81fc0011a0191731c114cff8c7e50cbf86ffb00d8e9f32840eb5b32923bad731e2711182d39d881a21987d057b6f8d74da5ba1b5721ead1a1473d9505
+ sha512sums = dd1ec73389b65f8772d880ca13ea4298a9a8c2d6b8db0201f0385f1495e370b95e4e50bbd654c51f61db8f1aaca6e8958ce55127361263234a95d0a479c99f5b
+ sha512sums = 2257a89c78f1cbf3e04124f469d30c5f72e1136de62fe43d040573036b91ae63e6f8577bb4065b33b7c94b745a70f23ae68d7ff2952a18e7c3fcddc23e50b712
+
+pkgname = mkinitcpio-chkcryptoboot
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..183347210978
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+v*.tar.gz
+mkinitcpio-chkcryptoboot-*-any.pkg.tar.xz
+mkinitcpio-chkcryptoboot-*.src.tar.gz
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 000000000000..594416401723
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,24 @@
+2015-06-08 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.4:
+ - Decouple of the PKGBUILD and other AUR relevant files from the source code for upload in the new AUR system.
+
+2015-04-01 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.3:
+ - The same check of the cmdline is also performed in the initramfs. This indicate a bootloader configuration bypassing.
+ - Added a warning confirmation to make sure the user was warned of a compromised bootloader or configuration bypassing.
+ - Changed the size of the mbr portion that is saved. Was incorrectly also hashing the partition table.
+ - Various changes to the messaging and warning system.
+
+2015-03-31 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.2:
+ - Added a profile for checking the kernel cmdline for a bypassed boot partition.
+ - Changed from sha256 to sha512.
+
+2015-03-12 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.1 :
+ - Initial release
+ - There is no systemd service yet to verify if your boot partition was bypassed.
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..9f9c1586bf65
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,22 @@
+# Maintainer: Giancarlo Razzolini <grazzolini@gmail.com>
+pkgname=mkinitcpio-chkcryptoboot
+pkgver=0.0.4
+pkgrel=1
+pkgdesc="This hook checks for a modified bootloader code, in an encrypted boot setup, and warns the user to not enter his root device password"
+arch=('any')
+url="https://github.com/grazzolini/mkinitcpio-chkcryptoboot"
+license=('BSD')
+install=$pkgname.install
+backup=('etc/default/chkcryptoboot.conf')
+source=('ChangeLog' "$pkgname.install" $url/archive/v$pkgver.tar.gz)
+changelog='ChangeLog'
+sha512sums=('1732bce81fc0011a0191731c114cff8c7e50cbf86ffb00d8e9f32840eb5b32923bad731e2711182d39d881a21987d057b6f8d74da5ba1b5721ead1a1473d9505'
+ 'dd1ec73389b65f8772d880ca13ea4298a9a8c2d6b8db0201f0385f1495e370b95e4e50bbd654c51f61db8f1aaca6e8958ce55127361263234a95d0a479c99f5b'
+ '2257a89c78f1cbf3e04124f469d30c5f72e1136de62fe43d040573036b91ae63e6f8577bb4065b33b7c94b745a70f23ae68d7ff2952a18e7c3fcddc23e50b712')
+
+package() {
+ install -Dm644 "$srcdir/$pkgname-$pkgver/chkcryptoboot.conf" "$pkgdir/etc/default/chkcryptoboot.conf"
+ install -Dm644 "$srcdir/$pkgname-$pkgver/chkcryptoboot_hook" "$pkgdir/usr/lib/initcpio/hooks/chkcryptoboot"
+ install -Dm644 "$srcdir/$pkgname-$pkgver/chkcryptoboot_install" "$pkgdir/usr/lib/initcpio/install/chkcryptoboot"
+ install -Dm755 "${srcdir}/$pkgname-$pkgver"/chkcryptoboot-profilealert.sh "${pkgdir}"/etc/profile.d/chkcryptoboot-profilealert.sh
+}
diff --git a/mkinitcpio-chkcryptoboot.install b/mkinitcpio-chkcryptoboot.install
new file mode 100644
index 000000000000..6895743df942
--- /dev/null
+++ b/mkinitcpio-chkcryptoboot.install
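Review bot: In PKGBUILD the third `source` entry saves the upstream archive under the generic name `v0.0.4.tar.gz` (the `v*.tar.gz` pattern in the `.gitignore` hunk shows the same), so with a shared `SRCDEST` it can collide with another package's same-named tag archive. The pinned `sha512sums` entry would make such a collision fail the build rather than accept the wrong file, but a unique name avoids the confusion; I would write the entry as `"$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz"`, which also quotes the expansion. That checksum is the only integrity control visible here for the download, so each `pkgver` bump should recompute it from an archive whose contents were actually reviewed.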
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+post_install() {
+ cat<<INSTALLEOF
+ This hook create a hash of your bootloader code and check it on boot to warn
+ you before you type your root container password. It is meant to be used in
+ conjunction with GRUB cryptodisk feature. Also, for it being effective, your
+ boot partition must be outside your root container. And with a different
+ password than it. Configure /etc/default/chkcryptoboot.conf with your values
+ add the "chkcryptoboot" just before the "encrypt" hook in the mkinitcpio conf
+ "/etc/mkinitcpio.conf" and then rebuild your initramfs. Also, you should
+ rebuild your initramfs every time you run grub-install. Even if you run it
+ with the same parameters the code might change. Also, this hook introduces a
+ kernel cmdline parameter, that will try to detect if your boot partition was
+ bypassed. I suggest you use 2 hashes for this paremeter, one as the name and
+ other as the value. Running something like:
+ "dd if=/dev/random bs=1024 count=1024 iflag=fullblock | sha256sum", should
+ give your very good values. These should be added both to chkcryptoboot's and
+ your bootloader's configuration.
+INSTALLEOF
+}
+
+post_remove() {
+ cat<<REMOVEEOF
+ Remove the "chkcryptoboot" from the "HOOKS" section in "/etc/mkinitcpio.conf"
+ and rebuild the initramfs. Also, remove the cmdline parameter and regenerate
+ your bootloader configuration.
+REMOVEEOF
+}
+
+post_upgrade() {
+ post_install
+}
|
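Review bot: The command recommended in the post_install text, `dd if=/dev/random bs=1024 count=1024 iflag=fullblock | sha256sum`, reads 1 MiB from `/dev/random`, which can stall for a long time on kernels where that device blocks, and a user who gives up waiting may fall back to a guessable hand-typed value. Only 256 bits survive the hash, so the message could suggest `head -c 32 /dev/urandom | sha256sum`, which should give values of the same quality without the wait. The same paragraph has a typo (`paremeter`) and is missing an "and" after "with your values". post_upgrade() reprints the full text on every upgrade, which makes the one instruction that matters after an upgrade (rebuild the initramfs) easy to overlook.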