blob: a9e81261b1ef4ad90b9926ce8ddd5ce1869e3de3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
#!/bin/bash
build () { (
set -e
set -u
# Grab functions
[ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions
[ -f nannycam.functions ] && source nannycam.functions
# Grab configuration
DEFAULT_CONFIG="/etc/nannycam.conf"
if [ -z ${1:-} ]; then
CONFIG="$DEFAULT_CONFIG"
else
CONFIG="$1"
fi
source "$CONFIG"
TMP=$(mktemp -d)
AUTH_PUB_KEY_FILE="$TMP$AUTH_KEY_FILE.pub"
TMP_AUTH_KEY_FILE="$TMP$AUTH_KEY_FILE"
# This script is expected to be called from mkinitcpio, setup env otherwise
ensure_mkcpinitio_environment
# This script calls functions shared with the init hook, so setup that env too
ensure_initramfs_environment
# The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel
# fairly bad for relying on the implementation details, but the interface
# exposed by init_functions is not really sufficient for determining if the
# private key will be safe. Better safe than sorry.
assert_ephemeral "$BUILDROOT"
assert_ephemeral "$TMP"
assert_encrypted "$_optgenimg"
# If any other process on the box reads the private key file then all the
# protections are for naught.
assert_root
mkdir -p $(dirname "$TMP_AUTH_KEY_FILE")
touch "$TMP_AUTH_KEY_FILE"
chmod 700 "$TMP_AUTH_KEY_FILE"
# Copy config to a working directory, as hash values will be appended to it
TMPCONFIG="$TMP/nannycam.conf"
cp "$CONFIG" "$TMPCONFIG"
# Calculate the expected hash values to encode into the initramfs image
# (unless they have been overridden in the config)
if [ -z ${EXPECTED_MBR_HASH:-} ]; then
hash_mbr
echo "EXPECTED_MBR_HASH=\"$ACTUAL_MBR_HASH\"" >> "$TMPCONFIG"
fi
if [ -z ${EXPECTED_MBR_GAP_HASH:-} ]; then
hash_mbr_gap
echo "EXPECTED_MBR_GAP_HASH=\"$ACTUAL_MBR_GAP_HASH\"" >> "$TMPCONFIG"
fi
if [ -z ${EXPECTED_EFI_STUB_HASH:-} ]; then
hash_efi_stub
echo "EXPECTED_EFI_STUB_HASH=\"$ACTUAL_EFI_STUB_HASH\"" >> "$TMPCONFIG"
fi
add_file "$TMPCONFIG" "$DEFAULT_CONFIG"
# Generate a new public key each time the initramfs is built
openssl genpkey \
-algorithm rsa \
-pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \
-out "$TMP_AUTH_KEY_FILE" \
2> /dev/null
add_file "$TMP_AUTH_KEY_FILE" "$AUTH_KEY_FILE"
# Extract the public key
openssl rsa \
-pubout \
-out "$AUTH_PUB_KEY_FILE" \
-outform DER \
-in "$TMP_AUTH_KEY_FILE" \
2> /dev/null
# The private component is no longer required
shred -uf "$TMP_AUTH_KEY_FILE"
# Print a QR-code with the public half
echo "Scan the following public key into your verification device"
cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS
read -p "Press ENTER to continue..." pause
rm "$AUTH_PUB_KEY_FILE"
rm -rf "$TMP"
) }
help () {
cat <<HELPEOF
nannycam helps defend against some Evil Maid attacks. Check the output
of /usr/lib/nannycam/nannycam --help for more details. The configuration
file lives at /etc/nannycam.conf
HELPEOF
}
|