authorGiancarlo Razzolini2015-06-08 11:56:20 -0300
committerGiancarlo Razzolini2015-06-08 11:56:20 -0300
commite6df1ea83373cb5ee16e1aa58f06f02607035ec3 (patch)
tree36ffc0a12e003431441f52e7cb74c2116f8d7373
downloadaur-e6df1ea83373cb5ee16e1aa58f06f02607035ec3.tar.gz
* Initial commit for the migration of mkinitcpio-chkcryptoboot to the new AUR system.
-rw-r--r--.SRCINFO19
-rw-r--r--.gitignore3
-rw-r--r--ChangeLog24
-rw-r--r--PKGBUILD22
-rw-r--r--mkinitcpio-chkcryptoboot.install33
5 files changed, 101 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..0eba7d0bd887
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,19 @@
+pkgbase = mkinitcpio-chkcryptoboot
+ pkgdesc = This hook checks for a modified bootloader code, in an encrypted boot setup, and warns the user to not enter his root device password
+ pkgver = 0.0.4
+ pkgrel = 1
+ url = https://github.com/grazzolini/mkinitcpio-chkcryptoboot
+ install = mkinitcpio-chkcryptoboot.install
+ changelog = ChangeLog
+ arch = any
+ license = BSD
+ backup = etc/default/chkcryptoboot.conf
+ source = ChangeLog
+ source = mkinitcpio-chkcryptoboot.install
+ source = https://github.com/grazzolini/mkinitcpio-chkcryptoboot/archive/v0.0.4.tar.gz
+ sha512sums = 1732bce81fc0011a0191731c114cff8c7e50cbf86ffb00d8e9f32840eb5b32923bad731e2711182d39d881a21987d057b6f8d74da5ba1b5721ead1a1473d9505
+ sha512sums = dd1ec73389b65f8772d880ca13ea4298a9a8c2d6b8db0201f0385f1495e370b95e4e50bbd654c51f61db8f1aaca6e8958ce55127361263234a95d0a479c99f5b
+ sha512sums = 2257a89c78f1cbf3e04124f469d30c5f72e1136de62fe43d040573036b91ae63e6f8577bb4065b33b7c94b745a70f23ae68d7ff2952a18e7c3fcddc23e50b712
+
+pkgname = mkinitcpio-chkcryptoboot
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..183347210978
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+v*.tar.gz
+mkinitcpio-chkcryptoboot-*-any.pkg.tar.xz
+mkinitcpio-chkcryptoboot-*.src.tar.gz
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 000000000000..594416401723
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,24 @@
+2015-06-08 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.4:
+ - Decouple of the PKGBUILD and other AUR relevant files from the source code for upload in the new AUR system.
+
+2015-04-01 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.3:
+ - The same check of the cmdline is also performed in the initramfs. This indicate a bootloader configuration bypassing.
+ - Added a warning confirmation to make sure the user was warned of a compromised bootloader or configuration bypassing.
+ - Changed the size of the mbr portion that is saved. Was incorrectly also hashing the partition table.
+ - Various changes to the messaging and warning system.
+
+2015-03-31 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.2:
+ - Added a profile for checking the kernel cmdline for a bypassed boot partition.
+ - Changed from sha256 to sha512.
+
+2015-03-12 Giancarlo Razzolini <grazzolini@gmail.com>
+
+ * 0.0.1 :
+ - Initial release
+ - There is no systemd service yet to verify if your boot partition was bypassed.
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..9f9c1586bf65
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,22 @@
+# Maintainer: Giancarlo Razzolini <grazzolini@gmail.com>
+pkgname=mkinitcpio-chkcryptoboot
+pkgver=0.0.4
+pkgrel=1
+pkgdesc="This hook checks for a modified bootloader code, in an encrypted boot setup, and warns the user to not enter his root device password"
+arch=('any')
+url="https://github.com/grazzolini/mkinitcpio-chkcryptoboot"
+license=('BSD')
+install=$pkgname.install
+backup=('etc/default/chkcryptoboot.conf')
+source=('ChangeLog' "$pkgname.install" $url/archive/v$pkgver.tar.gz)
+changelog='ChangeLog'
+sha512sums=('1732bce81fc0011a0191731c114cff8c7e50cbf86ffb00d8e9f32840eb5b32923bad731e2711182d39d881a21987d057b6f8d74da5ba1b5721ead1a1473d9505'
+ 'dd1ec73389b65f8772d880ca13ea4298a9a8c2d6b8db0201f0385f1495e370b95e4e50bbd654c51f61db8f1aaca6e8958ce55127361263234a95d0a479c99f5b'
+ '2257a89c78f1cbf3e04124f469d30c5f72e1136de62fe43d040573036b91ae63e6f8577bb4065b33b7c94b745a70f23ae68d7ff2952a18e7c3fcddc23e50b712')
+
+package() {
+ install -Dm644 "$srcdir/$pkgname-$pkgver/chkcryptoboot.conf" "$pkgdir/etc/default/chkcryptoboot.conf"
+ install -Dm644 "$srcdir/$pkgname-$pkgver/chkcryptoboot_hook" "$pkgdir/usr/lib/initcpio/hooks/chkcryptoboot"
+ install -Dm644 "$srcdir/$pkgname-$pkgver/chkcryptoboot_install" "$pkgdir/usr/lib/initcpio/install/chkcryptoboot"
+ install -Dm755 "${srcdir}/$pkgname-$pkgver"/chkcryptoboot-profilealert.sh "${pkgdir}"/etc/profile.d/chkcryptoboot-profilealert.sh
+}
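Review bot: The upstream tarball in `source=` is fetched unquoted and saved under the generic name `v0.0.4.tar.gz`, so with a shared `SRCDEST` it can collide with another package's identically named archive and fail the checksum step. Renaming it on download avoids that: `source=('ChangeLog' "$pkgname.install" "$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz")`; the `v*.tar.gz` pattern in `.gitignore` would then need to follow. The `sha512sums` entry is the only thing binding the build to the upstream code, and this package installs a hook that runs in the initramfs before the root device is unlocked, so a signed tag or release checked through `validpgpkeys` would be a stronger anchor if upstream publishes one.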
diff --git a/mkinitcpio-chkcryptoboot.install b/mkinitcpio-chkcryptoboot.install
new file mode 100644
index 000000000000..6895743df942
--- /dev/null
+++ b/mkinitcpio-chkcryptoboot.install
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+post_install() {
+ cat<<INSTALLEOF
+ This hook create a hash of your bootloader code and check it on boot to warn
+ you before you type your root container password. It is meant to be used in
+ conjunction with GRUB cryptodisk feature. Also, for it being effective, your
+ boot partition must be outside your root container. And with a different
+ password than it. Configure /etc/default/chkcryptoboot.conf with your values
+ add the "chkcryptoboot" just before the "encrypt" hook in the mkinitcpio conf
+ "/etc/mkinitcpio.conf" and then rebuild your initramfs. Also, you should
+ rebuild your initramfs every time you run grub-install. Even if you run it
+ with the same parameters the code might change. Also, this hook introduces a
+ kernel cmdline parameter, that will try to detect if your boot partition was
+ bypassed. I suggest you use 2 hashes for this paremeter, one as the name and
+ other as the value. Running something like:
+ "dd if=/dev/random bs=1024 count=1024 iflag=fullblock | sha256sum", should
+ give your very good values. These should be added both to chkcryptoboot's and
+ your bootloader's configuration.
+INSTALLEOF
+}
+
+post_remove() {
+ cat<<REMOVEEOF
+ Remove the "chkcryptoboot" from the "HOOKS" section in "/etc/mkinitcpio.conf"
+ and rebuild the initramfs. Also, remove the cmdline parameter and regenerate
+ your bootloader configuration.
+REMOVEEOF
+}
+
+post_upgrade() {
+ post_install
+}
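Review bot: The command recommended in `post_install`'s message reads 1 MiB from `/dev/random`, which can stall for a long time on kernels where that device blocks on its entropy estimate, while `sha256sum` keeps only 256 bits of the input. `/dev/urandom` is adequate for generating these values on a booted system, for example `"head -c 32 /dev/urandom | sha256sum"` in place of the `dd` line. The same message misspells "parameter" as `paremeter`. `post_upgrade` also reprints the whole text on every upgrade, which makes it easy to overlook; a short reminder to rebuild the initramfs would probably serve better there.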