author | mwberry | 2016-11-12 15:21:42 -0800 |
---|---|---|
committer | mwberry | 2016-11-12 18:12:17 -0800 |
commit | d334424416582ded5ede4d8f2dffc8c175aaafd9 (patch) | |
tree | d83ef9ca493aa393aed07ef9370fcbec177ecf14 | |
parent | 1fb6b995965fe27344ee5792b4264b654c3a6b8c (diff) | |
download | aur-d334424416582ded5ede4d8f2dffc8c175aaafd9.tar.gz |
Write hashes during install hook
-rwxr-xr-x | install | 54 | ||||
-rwxr-xr-x | nannycam | 4 |
2 files changed, 46 insertions, 12 deletions
@@ -4,51 +4,82 @@ set -e set -u # Grab functions -source nannycam.functions +[ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions +[ -f nannycam.functions ] && source nannycam.functions # Grab configuration +DEFAULT_CONFIG="/etc/nannycam.conf" if [ -z ${1:-} ]; then - source /etc/nannycam.conf + CONFIG="$DEFAULT_CONFIG" else - source "$1" + CONFIG="$1" fi -AUTH_PUB_KEY_FILE="/tmp$AUTH_KEY_FILE.pub" +source "$CONFIG" +TMP=$(mktemp -d) +AUTH_PUB_KEY_FILE="$TMP$AUTH_KEY_FILE.pub" +TMP_AUTH_KEY_FILE="$TMP$AUTH_KEY_FILE" # This script is expected to be called from mkinitcpio, setup env otherwise ensure_mkcpinitio_environment +# This script calls functions shared with the init hook, so setup that env too +ensure_initramfs_environment + # The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel # fairly bad for relying on the implementation details, but the interface # exposed by init_functions is not really sufficient for determining if the # private key will be safe. Better safe than sorry. assert_ephemeral "$BUILDROOT" -assert_ephemeral "/tmp" +assert_ephemeral "$TMP" assert_encrypted "$_optgenimg" # If any other process on the box reads the private key file then all the # protections are for naught. 
assert_root -touch "/tmp$AUTH_KEY_FILE" -chmod 700 "/tmp$AUTH_KEY_FILE" +mkdir -p $(dirname "$TMP_AUTH_KEY_FILE") +touch "$TMP_AUTH_KEY_FILE" +chmod 700 "$TMP_AUTH_KEY_FILE" + +# Copy config to a working directory, as hash values will be appended to it +TMPCONFIG="$TMP/nannycam.conf" +cp "$CONFIG" "$TMPCONFIG" + +# Calculate the expected hash values to encode into the initramfs image +# (unless they have been overridden in the config) +if [ -z ${EXPECTED_MBR_HASH:-} ]; then + hash_mbr + echo "EXPECTED_MBR_HASH=\"$ACTUAL_MBR_HASH\"" >> "$TMPCONFIG" +fi + +if [ -z ${EXPECTED_MBR_GAP_HASH:-} ]; then + hash_mbr_gap + echo "EXPECTED_MBR_GAP_HASH=\"$ACTUAL_MBR_GAP_HASH\"" >> "$TMPCONFIG" +fi + +if [ -z ${EXPECTED_EFI_STUB_HASH:-} ]; then + hash_efi_stub + echo "EXPECTED_EFI_STUB_HASH=\"$ACTUAL_EFI_STUB_HASH\"" >> "$TMPCONFIG" +fi +add_file "$TMPCONFIG" "$DEFAULT_CONFIG" # Generate a new public key each time the initramfs is built openssl genpkey \ -algorithm rsa \ -pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \ - -out "/tmp$AUTH_KEY_FILE" \ + -out "$TMP_AUTH_KEY_FILE" \ 2> /dev/null -add_file "/tmp$AUTH_KEY_FILE" "$AUTH_KEY_FILE" +add_file "$TMP_AUTH_KEY_FILE" "$AUTH_KEY_FILE" # Extract the public key openssl rsa \ -pubout \ -out "$AUTH_PUB_KEY_FILE" \ -outform DER \ - -in "/tmp$AUTH_KEY_FILE" \ + -in "$TMP_AUTH_KEY_FILE" \ 2> /dev/null # The private component is no longer required -shred -uf "/tmp$AUTH_KEY_FILE" +shred -uf "$TMP_AUTH_KEY_FILE" # Print a QR-code with the public half echo "Scan the following public key into your verification device" @@ -56,4 +87,5 @@ cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS read -p "Press ENTER to continue..." pause rm "$AUTH_PUB_KEY_FILE" +rm -rf "$TMP" 
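Review bot: The second added line near the top, `[ -f nannycam.functions ] && source nannycam.functions`, sources a file from the current working directory after the installed copy, so any definitions in it override the ones from `/usr/lib/nannycam`. This script goes on to call `assert_root`, `assert_ephemeral` and `assert_encrypted`, which appear to come from that file and guard the private key, so a stray or writable `nannycam.functions` in the caller's directory would replace those checks in a root-run script. If neither file exists, nothing fails until the first undefined function is called. I would source one known path and let `set -e` abort when it is missing, e.g. `FUNCS=/usr/lib/nannycam/nannycam.functions` followed by `source "$FUNCS"`, with any development fallback behind an explicit opt-in. The same pair of lines is added to `nannycam` in the last hunk.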
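Review bot: The added `rm -rf "$TMP"` at the end of the script only runs on the success path. Under `set -e`, a failure in `add_file` or `openssl rsa` after `openssl genpkey` exits with the private key still on disk in `$TMP`, unshredded. Cleanup should be registered as soon as the paths are known, in the previous hunk right after the `TMP_AUTH_KEY_FILE=` assignment: `trap 'shred -uf "$TMP_AUTH_KEY_FILE" 2>/dev/null || true; rm -rf "$TMP"' EXIT`. The explicit `shred` and `rm` calls can then stay as they are or be dropped.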
@@ -4,7 +4,9 @@ set -u set -e # set -x -source nannycam.functions +# Grab functions +[ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions +[ -f nannycam.functions ] && source nannycam.functions # Check if running outside the initramfs environment, setup env otherwise ensure_initramfs_environment |