-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD18
-rwxr-xr-xhook32
-rwxr-xr-xinstall188
-rwxr-xr-xtest_hook11
-rwxr-xr-xtest_install7
6 files changed, 175 insertions, 91 deletions
diff --git a/.SRCINFO b/.SRCINFO
index fd97f6f5436b..5a61f1d41ef8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -10,6 +10,16 @@ pkgbase = mkinitcpio-nannycam
depends = qrencode
depends = bash
depends = coreutils
+ source = config
+ source = hook
+ source = install
+ source = nannycam
+ source = nannycam.functions
+ md5sums = SKIP
+ md5sums = SKIP
+ md5sums = SKIP
+ md5sums = SKIP
+ md5sums = SKIP
pkgname = mkinitcpio-nannycam
diff --git a/PKGBUILD b/PKGBUILD
index 12d11c008b40..b8db7c87f0a3 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -13,11 +13,23 @@ conflicts=()
replaces=()
backup=()
install=''
-source=()
-md5sums=()
+source=('config' 'hook' 'install' 'nannycam' 'nannycam.functions')
+md5sums=(
+ 'SKIP' 'SKIP' 'SKIP' 'SKIP' 'SKIP'
+)
# No build step because all sources are shell scripts
-# Nothing to install yet
+package() {
+
+ install -D "${srcdir}/hook" "${pkgdir}/usr/lib/initcpio/hooks/nannycam"
+ install -D "${srcdir}/install" "${pkgdir}/usr/lib/initcpio/install/nannycam"
+
+ install -D "${srcdir}/config" "${pkgdir}/etc/nannycam.conf"
+
+ install -D "${srcdir}/nannycam" "${pkgdir}/usr/lib/nannycam/nannycam"
+ install -D "${srcdir}/nannycam.functions" "${pkgdir}/usr/lib/nannycam/nannycam.functions"
+
+}
# vim:set ts=2 sw=2 et:
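Review bot: All five `md5sums` entries are `'SKIP'`, so makepkg does no integrity check on `config`, `hook`, `install`, `nannycam` or `nannycam.functions`, which is a weak spot for a package whose purpose is tamper detection. Real digests in a `sha256sums=(...)` array (regenerated with `updpkgsums`) would make a modified source file fail the build. In `package()`, `install -D` without `-m` leaves every file at the default mode 0755, including the config; `install -Dm644 "${srcdir}/config" "${pkgdir}/etc/nannycam.conf"` suits a non-executable file better. `backup=()` stays empty in the context lines, so a locally edited /etc/nannycam.conf would presumably be replaced on upgrade; `backup=('etc/nannycam.conf')` is the usual entry.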
diff --git a/hook b/hook
new file mode 100755
index 000000000000..9af602dadb3f
--- /dev/null
+++ b/hook
@@ -0,0 +1,32 @@
+#!/bin/ash
+
+#
+# nannycam init hook
+#
+
+run_hook () {
+
+ set -e
+ set -u
+
+ # Grab configuration
+ if [ -z ${1:-} ]; then
+ source /etc/nannycam.conf
+ else
+ source "$1"
+ fi
+
+ # Invoke the nannycam script
+ NANNYCAM="/usr/lib/nannycam/nannycam"
+ if [ ! -f "$NANNYCAM" ]; then
+ NANNYCAM="$(pwd)/nannycam"
+ fi
+
+ source $NANNYCAM \
+ -k "$AUTH_KEY_FILE" \
+ -h "$HASH_ALG" \
+ -q "$QR_OPTS" \
+ -m "$EXPECTED_MBR_HASH" \
+ -p "$EXPECTED_MBR_GAP_HASH" \
+ -e "$EXPECTED_EFI_STUB_HASH"
+}
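Review bot: The fallback `NANNYCAM="$(pwd)/nannycam"` in `run_hook` makes the shipped init hook source whatever file named `nannycam` is in the current directory when the installed copy is missing. A boot-integrity check should fail closed here, for example `[ -f "$NANNYCAM" ] || { echo "nannycam: $NANNYCAM not found" >&2; return 1; }`. If the fallback exists only for the `test_hook` harness, it should be an explicit opt-in set by that harness. The path is also expanded unquoted in `source $NANNYCAM \`, and `[ -z ${1:-} ]` should be `[ -z "${1:-}" ]` so that an argument containing spaces does not break the test. `set -e` and `set -u` inside the function presumably stay in effect for the shell that runs the remaining hooks, so a comment saying whether that is intended would help.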
diff --git a/install b/install
index 433d4710fecf..71fad2b6ab5c 100755
--- a/install
+++ b/install
@@ -1,91 +1,103 @@
#!/bin/bash
-set -e
-set -u
-
-# Grab functions
-[ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions
-[ -f nannycam.functions ] && source nannycam.functions
-
-# Grab configuration
-DEFAULT_CONFIG="/etc/nannycam.conf"
-if [ -z ${1:-} ]; then
- CONFIG="$DEFAULT_CONFIG"
-else
- CONFIG="$1"
-fi
-source "$CONFIG"
-TMP=$(mktemp -d)
-AUTH_PUB_KEY_FILE="$TMP$AUTH_KEY_FILE.pub"
-TMP_AUTH_KEY_FILE="$TMP$AUTH_KEY_FILE"
-
-# This script is expected to be called from mkinitcpio, setup env otherwise
-ensure_mkcpinitio_environment
-
-# This script calls functions shared with the init hook, so setup that env too
-ensure_initramfs_environment
-
-# The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel
-# fairly bad for relying on the implementation details, but the interface
-# exposed by init_functions is not really sufficient for determining if the
-# private key will be safe. Better safe than sorry.
-assert_ephemeral "$BUILDROOT"
-assert_ephemeral "$TMP"
-assert_encrypted "$_optgenimg"
-
-# If any other process on the box reads the private key file then all the
-# protections are for naught.
-assert_root
-mkdir -p $(dirname "$TMP_AUTH_KEY_FILE")
-touch "$TMP_AUTH_KEY_FILE"
-chmod 700 "$TMP_AUTH_KEY_FILE"
-
-# Copy config to a working directory, as hash values will be appended to it
-TMPCONFIG="$TMP/nannycam.conf"
-cp "$CONFIG" "$TMPCONFIG"
-
-# Calculate the expected hash values to encode into the initramfs image
-# (unless they have been overridden in the config)
-if [ -z ${EXPECTED_MBR_HASH:-} ]; then
- hash_mbr
- echo "EXPECTED_MBR_HASH=\"$ACTUAL_MBR_HASH\"" >> "$TMPCONFIG"
-fi
-
-if [ -z ${EXPECTED_MBR_GAP_HASH:-} ]; then
- hash_mbr_gap
- echo "EXPECTED_MBR_GAP_HASH=\"$ACTUAL_MBR_GAP_HASH\"" >> "$TMPCONFIG"
-fi
-
-if [ -z ${EXPECTED_EFI_STUB_HASH:-} ]; then
- hash_efi_stub
- echo "EXPECTED_EFI_STUB_HASH=\"$ACTUAL_EFI_STUB_HASH\"" >> "$TMPCONFIG"
-fi
-add_file "$TMPCONFIG" "$DEFAULT_CONFIG"
-
-# Generate a new public key each time the initramfs is built
-openssl genpkey \
- -algorithm rsa \
- -pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \
- -out "$TMP_AUTH_KEY_FILE" \
- 2> /dev/null
-add_file "$TMP_AUTH_KEY_FILE" "$AUTH_KEY_FILE"
-
-# Extract the public key
-openssl rsa \
- -pubout \
- -out "$AUTH_PUB_KEY_FILE" \
- -outform DER \
- -in "$TMP_AUTH_KEY_FILE" \
- 2> /dev/null
-
-# The private component is no longer required
-shred -uf "$TMP_AUTH_KEY_FILE"
-
-# Print a QR-code with the public half
-echo "Scan the following public key into your verification device"
-cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS
-read -p "Press ENTER to continue..." pause
-
-rm "$AUTH_PUB_KEY_FILE"
-rm -rf "$TMP"
+build () {
+
+ set -e
+ set -u
+
+ # Grab functions
+ [ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions
+ [ -f nannycam.functions ] && source nannycam.functions
+
+ # Grab configuration
+ DEFAULT_CONFIG="/etc/nannycam.conf"
+ if [ -z ${1:-} ]; then
+ CONFIG="$DEFAULT_CONFIG"
+ else
+ CONFIG="$1"
+ fi
+ source "$CONFIG"
+ TMP=$(mktemp -d)
+ AUTH_PUB_KEY_FILE="$TMP$AUTH_KEY_FILE.pub"
+ TMP_AUTH_KEY_FILE="$TMP$AUTH_KEY_FILE"
+
+ # This script is expected to be called from mkinitcpio, setup env otherwise
+ ensure_mkcpinitio_environment
+
+ # This script calls functions shared with the init hook, so setup that env too
+ ensure_initramfs_environment
+
+ # The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel
+ # fairly bad for relying on the implementation details, but the interface
+ # exposed by init_functions is not really sufficient for determining if the
+ # private key will be safe. Better safe than sorry.
+ assert_ephemeral "$BUILDROOT"
+ assert_ephemeral "$TMP"
+ assert_encrypted "$_optgenimg"
+
+ # If any other process on the box reads the private key file then all the
+ # protections are for naught.
+ assert_root
+ mkdir -p $(dirname "$TMP_AUTH_KEY_FILE")
+ touch "$TMP_AUTH_KEY_FILE"
+ chmod 700 "$TMP_AUTH_KEY_FILE"
+
+ # Copy config to a working directory, as hash values will be appended to it
+ TMPCONFIG="$TMP/nannycam.conf"
+ cp "$CONFIG" "$TMPCONFIG"
+
+ # Calculate the expected hash values to encode into the initramfs image
+ # (unless they have been overridden in the config)
+ if [ -z ${EXPECTED_MBR_HASH:-} ]; then
+ hash_mbr
+ echo "EXPECTED_MBR_HASH=\"$ACTUAL_MBR_HASH\"" >> "$TMPCONFIG"
+ fi
+
+ if [ -z ${EXPECTED_MBR_GAP_HASH:-} ]; then
+ hash_mbr_gap
+ echo "EXPECTED_MBR_GAP_HASH=\"$ACTUAL_MBR_GAP_HASH\"" >> "$TMPCONFIG"
+ fi
+
+ if [ -z ${EXPECTED_EFI_STUB_HASH:-} ]; then
+ hash_efi_stub
+ echo "EXPECTED_EFI_STUB_HASH=\"$ACTUAL_EFI_STUB_HASH\"" >> "$TMPCONFIG"
+ fi
+ add_file "$TMPCONFIG" "$DEFAULT_CONFIG"
+
+ # Generate a new public key each time the initramfs is built
+ openssl genpkey \
+ -algorithm rsa \
+ -pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \
+ -out "$TMP_AUTH_KEY_FILE" \
+ 2> /dev/null
+ add_file "$TMP_AUTH_KEY_FILE" "$AUTH_KEY_FILE"
+
+ # Extract the public key
+ openssl rsa \
+ -pubout \
+ -out "$AUTH_PUB_KEY_FILE" \
+ -outform DER \
+ -in "$TMP_AUTH_KEY_FILE" \
+ 2> /dev/null
+
+ # The private component is no longer required
+ shred -uf "$TMP_AUTH_KEY_FILE"
+
+ # Print a QR-code with the public half
+ echo "Scan the following public key into your verification device"
+ cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS
+ read -p "Press ENTER to continue..." pause
+
+ rm "$AUTH_PUB_KEY_FILE"
+ rm -rf "$TMP"
+}
+
+help () {
+ cat <<HELPEOF
+nannycam helps defend against some Evil Maid attacks. Check the output
+of /usr/lib/nannycam/nannycam --help for more details. The configuration
+file lives at /etc/nannycam.conf
+HELPEOF
+}
+
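Review bot: In `build()`, the private key is removed only on the success path. With `set -e` active, any failure between `openssl genpkey` and `shred -uf "$TMP_AUTH_KEY_FILE"` aborts with the key still under `$TMP`. A cleanup registered right after `TMP=$(mktemp -d)`, such as `trap 'rm -rf -- "$TMP"' EXIT`, would cover the error paths. Since this file is sourced by mkinitcpio, check first that it does not replace a trap the caller already installs. `chmod 700 "$TMP_AUTH_KEY_FILE"` grants execute on a key file where `chmod 600` is enough, and `mkdir -p $(dirname "$TMP_AUTH_KEY_FILE")` needs quotes around the substitution. The `2> /dev/null` on both `openssl` calls discards the only diagnostics a failed key generation would produce, so consider letting stderr through.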
diff --git a/test_hook b/test_hook
new file mode 100755
index 000000000000..b49c6e5722df
--- /dev/null
+++ b/test_hook
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Simply a test harness to execute the init hook
+# while developing
+
+
+/usr/lib/initcpio/busybox ash <<TEST_HARNESS
+ source ./hook
+
+ run_hook "$1"
+TEST_HARNESS
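Review bot: The heredoc delimiter is unquoted, so the outer bash expands `$1` into the script text before ash parses it. A config path containing quotes, `$` or backticks is then reinterpreted as shell code by ash. Quoting the delimiter and passing the argument positionally avoids this: `/usr/lib/initcpio/busybox ash -s -- "$1" <<'TEST_HARNESS'`, with `run_hook "$1"` left as is inside the heredoc.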
diff --git a/test_install b/test_install
new file mode 100755
index 000000000000..5cfa519500bd
--- /dev/null
+++ b/test_install
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Simply a test harness to execute the install hook
+# while developing
+
+source ./install
+build "$1"