author | mwberry | 2016-11-12 15:21:42 -0800 |
---|---|---|
committer | mwberry | 2016-11-12 18:12:10 -0800 |
commit | da6c732a4db991b917a49b4333ef2a7deea38a9d (patch) | |
tree | 2ec70b70dfece88cfdb7eb11d67de22106228143 | |
parent | ba6b34efbf480e8cb528a22b50fd30c6d780418c (diff) | |
download | aur-da6c732a4db991b917a49b4333ef2a7deea38a9d.tar.gz |
install reads config file
-rw-r--r-- | config | 17 | ||||
-rwxr-xr-x | install | 51 |
2 files changed, 45 insertions, 23 deletions
@@ -9,20 +9,25 @@ # completely replaced with one created by the attacker # Where to store the file in the initramfs -auth_key_file=/boot_partition_auth.pem +AUTH_KEY_FILE=/boot_partition_auth.pem # RSA key size, in bits # Note: The size of the key determines the size of the # signature. The size of the signature determines the # size of the QR code that will be printed to the terminal. # Pick the largest key size that fits on your monitor -auth_key_length=4096 +AUTH_KEY_LENGTH=4096 +# Options to pass to QR encoder +# Use these in case your terminal can't output UTF8 or +# you need to fiddle with the settings to make the QR +# code fit on your screen +QR_OPTS="-t ANSIUTF8 -m 1" # Hashes of important boot programs # The hashing algorithm to use -hash_alg=sha256 +HASH_ALG=sha256 # Expected hash values # Note: These are calculated for you each time mkinitcpio @@ -32,15 +37,15 @@ hash_alg=sha256 # The hash of the MBR # (first 512 bytes of disk housing partition with boot flag set) -# expected_mbr_hash= +# EXPECTED_MBR_HASH= # The hash of the Post-MBR Gap # (bytes from the end of the MBR to the start of the first partition) -# expected_mbr_gap_hash= +# EXPECTED_MBR_GAP_HASH= # The hash of the EFI stub used to boot # (hash of the file invoked by the UEFI firmware, likely /EFI/grub/grubx64.efi) # Note: Only checked when booting via UEFI # Note: MBR and Post MBR Gap are still checked when booting via UEFI -# expected_efi_stub_hash= +# EXPECTED_EFI_STUB_HASH= 
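Review bot: The comments in this file do not say that `install` now loads it with `source` while running as root, so every line here is executed as shell code rather than parsed as key=value. Assuming this is the file shipped as `/etc/nannycam.conf`, I would add a header comment such as `# Sourced by the install hook as root: keep this file root-owned and not writable by other users.` `QR_OPTS` deserves a line as well, because the hook expands it unquoted: `# Split on whitespace when passed to qrencode; option values cannot contain spaces.` The comment above `AUTH_KEY_FILE` could also state that the value must be a single `/name` with no directory part, since `install` prefixes it with `/tmp`.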
@@ -3,12 +3,20 @@ set -e set -u +# Grab functions source nannycam.functions +# Grab configuration +if [ -z ${1:-} ]; then + source /etc/nannycam.conf +else + source "$1" +fi +AUTH_PUB_KEY_FILE="/tmp$AUTH_KEY_FILE.pub" + # This script is expected to be called from mkinitcpio, setup env otherwise ensure_mkcpinitio_environment - # The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel # fairly bad for relying on the implementation details, but the interface # exposed by init_functions is not really sufficient for determining if the @@ -20,23 +28,32 @@ assert_encrypted "$_optgenimg" # If any other process on the box reads the private key file then all the # protections are for naught. assert_root - -KEYFILE="/tmp/boot_partition_auth.pem" -PUBFILE="/tmp/boot_partition_auth.pub" - -touch "$KEYFILE" -chmod 700 "$KEYFILE" - -openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out "$KEYFILE" 2> /dev/null -openssl rsa -pubout -out "$PUBFILE" -outform DER -in "$KEYFILE" 2> /dev/null - -add_file "$KEYFILE" - -shred -uf "$KEYFILE" - +touch "/tmp$AUTH_KEY_FILE" +chmod 700 "/tmp$AUTH_KEY_FILE" + +# Generate a new public key each time the initramfs is built +openssl genpkey \ + -algorithm rsa \ + -pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \ + -out "/tmp$AUTH_KEY_FILE" \ + 2> /dev/null +add_file "/tmp$AUTH_KEY_FILE" "$AUTH_KEY_FILE" + +# Extract the public key +openssl rsa \ + -pubout \ + -out "$AUTH_PUB_KEY_FILE" \ + -outform DER \ + -in "/tmp$AUTH_KEY_FILE" \ + 2> /dev/null + +# The private component is no longer required +shred -uf "/tmp$AUTH_KEY_FILE" + +# Print a QR-code with the public half echo "Scan the following public key into your verification device" -cat "$PUBFILE" | qrencode -8 -t ANSIUTF8 -m 1 +cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS read -p "Press ENTER to continue..." pause -rm "$PUBFILE" +rm "$AUTH_PUB_KEY_FILE" |
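Review bot: The values pulled in by `source` are used without any check, and `AUTH_KEY_FILE` goes straight into `AUTH_PUB_KEY_FILE="/tmp$AUTH_KEY_FILE.pub"` and, in the next hunk, into paths handed to `touch`, `chmod`, `shred -uf` and `rm` as root. A value without a leading slash or with a directory component yields a path that is not under /tmp or whose parent does not exist. I would fail early after the `source`, e.g. `case "$AUTH_KEY_FILE" in /*/*|[!/]*|"") echo "AUTH_KEY_FILE must be /name" >&2; exit 1;; esac`. The test itself should be quoted as `if [ -z "${1:-}" ]; then`; unquoted it only behaves for an empty argument because `[ -z ]` with a single operand happens to be true.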
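Review bot: The private key is still created at a fixed, config-derived name under /tmp (`touch "/tmp$AUTH_KEY_FILE"` followed by `chmod 700`), so a file or symlink that another local user placed at that path beforehand is reused, and unless the kernel's /tmp hardening blocks it, that user may end up able to read the key — the case the comment above `assert_root` warns about. `set -e` also exits on any failing step between `genpkey` and `shred`, which leaves the key on disk. I would replace the `touch`/`chmod` pair with a private directory from `mktemp -d`, keep both key files inside it, and remove it from an `EXIT` trap. The `AUTH_PUB_KEY_FILE` assignment from the first hunk would move here. This also lifts the restriction that `AUTH_KEY_FILE` must name an existing location under /tmp.

```shell
# Private 0700 directory instead of fixed names under /tmp
WORK_DIR=$(mktemp -d)
trap 'rm -rf -- "$WORK_DIR"' EXIT
KEY_TMP="$WORK_DIR/auth.pem"
AUTH_PUB_KEY_FILE="$WORK_DIR/auth.pub"

# … unchanged: openssl genpkey, writing to "$KEY_TMP" …
add_file "$KEY_TMP" "$AUTH_KEY_FILE"

# … unchanged: openssl rsa -pubout, reading "$KEY_TMP" …
shred -uf "$KEY_TMP"
# … unchanged: QR output, pause, rm of "$AUTH_PUB_KEY_FILE" …
```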