authormwberry2016-11-12 15:21:42 -0800
committermwberry2016-11-12 18:12:17 -0800
commitd334424416582ded5ede4d8f2dffc8c175aaafd9 (patch)
treed83ef9ca493aa393aed07ef9370fcbec177ecf14
parent1fb6b995965fe27344ee5792b4264b654c3a6b8c (diff)
downloadaur-d334424416582ded5ede4d8f2dffc8c175aaafd9.tar.gz
Write hashes during install hook
-rwxr-xr-xinstall54
-rwxr-xr-xnannycam4
2 files changed, 46 insertions, 12 deletions
diff --git a/install b/install
index 35b68bdbfda6..433d4710fecf 100755
--- a/install
+++ b/install
@@ -4,51 +4,82 @@ set -e
set -u
# Grab functions
-source nannycam.functions
+[ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions
+[ -f nannycam.functions ] && source nannycam.functions
# Grab configuration
+DEFAULT_CONFIG="/etc/nannycam.conf"
if [ -z ${1:-} ]; then
- source /etc/nannycam.conf
+ CONFIG="$DEFAULT_CONFIG"
else
- source "$1"
+ CONFIG="$1"
fi
-AUTH_PUB_KEY_FILE="/tmp$AUTH_KEY_FILE.pub"
+source "$CONFIG"
+TMP=$(mktemp -d)
+AUTH_PUB_KEY_FILE="$TMP$AUTH_KEY_FILE.pub"
+TMP_AUTH_KEY_FILE="$TMP$AUTH_KEY_FILE"
# This script is expected to be called from mkinitcpio, setup env otherwise
ensure_mkcpinitio_environment
+# This script calls functions shared with the init hook, so setup that env too
+ensure_initramfs_environment
+
# The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel
# fairly bad for relying on the implementation details, but the interface
# exposed by init_functions is not really sufficient for determining if the
# private key will be safe. Better safe than sorry.
assert_ephemeral "$BUILDROOT"
-assert_ephemeral "/tmp"
+assert_ephemeral "$TMP"
assert_encrypted "$_optgenimg"
# If any other process on the box reads the private key file then all the
# protections are for naught.
assert_root
-touch "/tmp$AUTH_KEY_FILE"
-chmod 700 "/tmp$AUTH_KEY_FILE"
+mkdir -p $(dirname "$TMP_AUTH_KEY_FILE")
+touch "$TMP_AUTH_KEY_FILE"
+chmod 700 "$TMP_AUTH_KEY_FILE"
+
+# Copy config to a working directory, as hash values will be appended to it
+TMPCONFIG="$TMP/nannycam.conf"
+cp "$CONFIG" "$TMPCONFIG"
+
+# Calculate the expected hash values to encode into the initramfs image
+# (unless they have been overridden in the config)
+if [ -z ${EXPECTED_MBR_HASH:-} ]; then
+ hash_mbr
+ echo "EXPECTED_MBR_HASH=\"$ACTUAL_MBR_HASH\"" >> "$TMPCONFIG"
+fi
+
+if [ -z ${EXPECTED_MBR_GAP_HASH:-} ]; then
+ hash_mbr_gap
+ echo "EXPECTED_MBR_GAP_HASH=\"$ACTUAL_MBR_GAP_HASH\"" >> "$TMPCONFIG"
+fi
+
+if [ -z ${EXPECTED_EFI_STUB_HASH:-} ]; then
+ hash_efi_stub
+ echo "EXPECTED_EFI_STUB_HASH=\"$ACTUAL_EFI_STUB_HASH\"" >> "$TMPCONFIG"
+fi
+add_file "$TMPCONFIG" "$DEFAULT_CONFIG"
# Generate a new public key each time the initramfs is built
openssl genpkey \
-algorithm rsa \
-pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \
- -out "/tmp$AUTH_KEY_FILE" \
+ -out "$TMP_AUTH_KEY_FILE" \
2> /dev/null
-add_file "/tmp$AUTH_KEY_FILE" "$AUTH_KEY_FILE"
+add_file "$TMP_AUTH_KEY_FILE" "$AUTH_KEY_FILE"
# Extract the public key
openssl rsa \
-pubout \
-out "$AUTH_PUB_KEY_FILE" \
-outform DER \
- -in "/tmp$AUTH_KEY_FILE" \
+ -in "$TMP_AUTH_KEY_FILE" \
2> /dev/null
# The private component is no longer required
-shred -uf "/tmp$AUTH_KEY_FILE"
+shred -uf "$TMP_AUTH_KEY_FILE"
# Print a QR-code with the public half
echo "Scan the following public key into your verification device"
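Review bot: The second added `source` line still loads `nannycam.functions` from the current working directory, and because it runs after the `/usr/lib/nannycam` copy its definitions win, presumably including the `assert_*` checks used further down. This script insists on root (`assert_root`), so the directory mkinitcpio is started from decides what code runs with root privileges. Load exactly one copy and prefer the installed one: `if [ -f /usr/lib/nannycam/nannycam.functions ]; then source /usr/lib/nannycam/nannycam.functions; else source ./nannycam.functions; fi`. Written this way, a missing file also fails at the `source` under `set -e` instead of later with "command not found". The same pair of lines is added in the `nannycam` hunk and needs the same change.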
@@ -56,4 +87,5 @@ cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS
read -p "Press ENTER to continue..." pause
rm "$AUTH_PUB_KEY_FILE"
+rm -rf "$TMP"
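Review bot: `rm -rf "$TMP"` is reached only when every earlier step succeeds. Under `set -e`, a failure in `add_file` or `openssl rsa` after `openssl genpkey` exits with the private key still sitting in `$TMP`. Register the cleanup once, right after the `TMP=$(mktemp -d)` assignments in the previous hunk, for example `trap 'shred -uf "$TMP_AUTH_KEY_FILE" 2>/dev/null || true; rm -rf "$TMP"' EXIT`. That removes the key and the working copy of the config on every exit path, and the explicit `shred` and `rm` calls can stay as they are.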
diff --git a/nannycam b/nannycam
index 9b957c166a3d..95d7c63c98c1 100755
--- a/nannycam
+++ b/nannycam
@@ -4,7 +4,9 @@ set -u
set -e
# set -x
-source nannycam.functions
+# Grab functions
+[ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions
+[ -f nannycam.functions ] && source nannycam.functions
# Check if running outside the initramfs environment, setup env otherwise
ensure_initramfs_environment