diff options
author | mwberry | 2016-11-12 15:21:41 -0800 |
---|---|---|
committer | mwberry | 2016-11-12 18:12:08 -0800 |
commit | ba6b34efbf480e8cb528a22b50fd30c6d780418c (patch) | |
tree | 2dedde0fa01879ebeb53fb5edaff6325975395dd /nannycam.functions | |
parent | 5e3dbf7cc7110217239017879c49287d6cd633fa (diff) | |
download | aur-ba6b34efbf480e8cb528a22b50fd30c6d780418c.tar.gz |
extract common functions from install
Diffstat (limited to 'nannycam.functions')
-rwxr-xr-x | nannycam.functions | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/nannycam.functions b/nannycam.functions index 8db1d6191ffc..9bdc02dacdf5 100755 --- a/nannycam.functions +++ b/nannycam.functions @@ -12,6 +12,25 @@ ensure_initramfs_environment() { fi } +ensure_mkcpinitio_environment() { + # This script is expected to be called from mkinitcpio, if not... + if [ -z ${BUILDROOT:-} ]; then + # ...then mock out enough of the environment to enable testing + saveOpts=$(set +o | egrep 'xtrace|errexit|nounset') + saveGlob=$(shopt -p | grep extglob) + shopt -s extglob + set +e + set +u + set +x + . "/usr/lib/initcpio/functions" + BUILDROOT=$(initialize_buildroot $(uname -r) $(mktemp -d --tmpdir mkinitcpio.XXXXXX)) + _optgenimg=$(find /boot -name '*.img' 2>/dev/null | head -n 1) + _optquiet=1 + eval "$saveOpts" + eval "$saveGlob" + fi +} + nannycam_usage () { cat <<HELPEOF nannycam -k keyfile -m hash -p hash [-e hash] @@ -170,3 +189,34 @@ assert_root() { exit 4 fi } + + +assert_ephemeral() { + fsType=$(df "$1" | tail -n 1 | cut -f 1 -d ' ') + if [[ "tmpfs" != "$fsType" ]]; then + (cat <<TMPWARN +"$1" is not on an ephemeral file system. Cowardly aborting in order to avoid +leaking the private key that will authenticate the encrypted boot device. +TMPWARN +) >&2 + exit 1 + fi +} + +assert_encrypted() { + fsMnt=$(df "$1" | tail -n 1 | egrep -o ' [^ ]+$' | tail -c +2) + isCrypt=$(lsblk -ro TYPE,MOUNTPOINT | egrep "$fsMnt$" | egrep '^crypt' | wc -l) + if [ ! $isCrypt -eq 1 ]; then + (cat <<DESTWARN +Destination location for the initramfs image is not on an encrypted device. +The nannycam software can only protect against Evil Maid style attacks if +the initramfs (and therefore the authentication key) is stored inside an +encrypted boot partition. Cowardly aborting in order to avoid leaking the +private key. +Image location: $_optgenimg +DESTWARN +) >&2 + exit 2 + fi +} + |