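#!/bin/bash
set -e
set -u

# This script is expected to be called from mkinitcpio, if not...
# (quoted so that an empty, unset or space-containing BUILDROOT is tested as
# one word instead of relying on the one-argument form of `[`)
if [[ -z "${BUILDROOT:-}" ]]; then
  # ...then mock out enough of the environment to enable testing

  # Remember the caller's shell options; they are restored at the end of this
  # branch. The strings passed to eval below are the shell's own `set +o` /
  # `shopt -p` output, not external input.
  saveOpts=$(set +o | grep -E 'xtrace|errexit|nounset')
  saveGlob=$(shopt -p | grep extglob)
  shopt -s extglob
  set +e
  set +u
  set +x
  . "/usr/lib/initcpio/functions"

  # mktemp --tmpdir honours $TMPDIR, so the build root is not necessarily
  # under /tmp; whether it is on tmpfs is checked later by assert_ephemeral.
  # Both substitutions are quoted so a path with whitespace stays one argument.
  BUILDROOT=$(initialize_buildroot "$(uname -r)" "$(mktemp -d --tmpdir mkinitcpio.XXXXXX)")

  # Test mode only: take whichever *.img find lists first under /boot as the
  # image location. The encrypted-destination check then validates that file,
  # which may not be the image a real mkinitcpio run would write.
  _optgenimg=$(find /boot -name '*.img' 2>/dev/null | head -n 1)
  _optquiet=1
  eval "$saveOpts"
  eval "$saveGlob"
fi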
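#######################################
# Abort unless the given path is on a tmpfs mount, so that private key
# material written there never reaches persistent storage.
# Arguments: $1 - path to check
# Outputs:   explanation on stderr when the check fails
# Returns:   returns normally when the path is on tmpfs; otherwise exits the
#            shell with status 1
#######################################
assert_ephemeral() {
  local fsType
  # Ask df for the filesystem *type*. The first column of plain `df` output is
  # the mount source, a free-form label: a tmpfs mounted with another source
  # name would be rejected, and a non-tmpfs mount whose source is literally
  # "tmpfs" would be accepted.
  # If df fails the value is empty and the comparison below fails closed.
  fsType=$(df --output=fstype -- "$1" | tail -n 1 | tr -d '[:space:]')
  # NOTE(review): tmpfs pages can be written to swap; this check does not
  # cover whether swap is encrypted or disabled - confirm for the deployment.
  if [[ "tmpfs" != "$fsType" ]]; then
    cat >&2 <<TMPWARN
"$1" is not on an ephemeral file system. Cowardly aborting in order to avoid
leaking the private key that will authenticate the encrypted boot device.
TMPWARN
    exit 1
  fi
}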
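#######################################
# Abort unless the initramfs image destination is on a filesystem that lsblk
# reports as mounted directly from a device of type "crypt".
# Globals:   _optgenimg (read) - path of the image being generated
# Outputs:   explanation on stderr when the check fails
# Returns:   returns normally when exactly one crypt device is mounted at the
#            image's mount point; otherwise exits the shell with status 2
#######################################
assert_boot_part_encrypted() {
  local fsMnt="" isCrypt=0

  # With an empty image path there is no mount point to look up. Skip the
  # lookup so the check fails closed instead of matching every lsblk line.
  if [[ -n "${_optgenimg:-}" ]]; then
    # --output=target prints only the mount point, so a mount point
    # containing spaces is not truncated to its last word.
    fsMnt=$(df --output=target -- "$_optgenimg" | tail -n 1)
  fi

  if [[ -n "$fsMnt" ]]; then
    # Compare the mount point as an exact string. Used as a regex suffix,
    # "/boot" would also match an encrypted volume mounted at "/mnt/boot"
    # and wrongly report an unencrypted /boot as protected.
    # NOTE(review): lsblk -r escapes unusual characters in mount points, so
    # such paths do not match and are rejected - confirm that is acceptable.
    isCrypt=$(lsblk -rno TYPE,MOUNTPOINT \
      | awk -v mnt="$fsMnt" '$1 == "crypt" && $2 == mnt { n++ } END { print n + 0 }')
  fi

  # NOTE(review): only a filesystem sitting directly on the crypt device
  # passes; a logical volume inside an encrypted container presumably shows
  # TYPE "lvm" and is rejected - confirm whether that layout must be supported.
  if [[ "$isCrypt" -ne 1 ]]; then
    cat >&2 <<DESTWARN
Destination location for the initramfs image is not on an encrypted device.
The nannycam software can only protect against Evil Maid style attacks if
the initramfs (and therefore the authentication key) is stored inside an
encrypted boot partition. Cowardly aborting in order to avoid leaking the
private key.
Image location: ${_optgenimg:-}
DESTWARN
    exit 2
  fi
}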
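# Preconditions: fail closed before any key material exists.
assert_ephemeral "$BUILDROOT"
assert_ephemeral "/tmp"
assert_boot_part_encrypted
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Must be running as root" >&2
  exit 3
fi

# Path the private key gets inside the initramfs image (unchanged).
KEYFILE="/tmp/boot_partition_auth.pem"

# Generate the key pair in a fresh mktemp directory rather than at fixed names
# in world-writable /tmp. A pre-created file or symlink at a predictable path
# could expose the private key, or substitute the public key that gets scanned
# into the verification device. The template is pinned to /tmp because that is
# the directory assert_ephemeral checked above.
keyWorkDir=$(mktemp -d /tmp/boot_partition_auth.XXXXXX)
keyStaging="$keyWorkDir/boot_partition_auth.pem"
PUBFILE="$keyWorkDir/boot_partition_auth.pub"

# Overwrite and remove the staged private key if still present, then delete
# the work directory together with the public key file.
scrub_key_material() {
  if [[ -f "$keyStaging" ]]; then
    shred -uf -- "$keyStaging" || rm -f -- "$keyStaging"
  fi
  rm -rf -- "${keyWorkDir:?}"
}

# Scrub key material, report the failed step and exit with its status.
# No EXIT trap is used for this: the script appears to run inside mkinitcpio's
# shell (it uses add_file and BUILDROOT), where a trap could replace that
# shell's own handlers - TODO confirm.
abort_keygen() {
  local rc=$1 step=$2
  scrub_key_material
  echo "Aborting: $step failed" >&2
  exit "$rc"
}

# Create the key file owner-only before openssl writes into it.
touch -- "$keyStaging"
chmod 600 -- "$keyStaging"

# openssl's stderr stays suppressed as before; a failure is now reported by
# abort_keygen and no longer leaves the private key behind in /tmp.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 \
  -out "$keyStaging" 2>/dev/null || abort_keygen "$?" "private key generation"
openssl rsa -pubout -out "$PUBFILE" -outform DER \
  -in "$keyStaging" 2>/dev/null || abort_keygen "$?" "public key export"

# Copy the key into the image at KEYFILE with an explicit owner-only mode.
add_file "$keyStaging" "$KEYFILE" 600 || abort_keygen "$?" "adding the key to the image"

# The image now holds the only copy that is needed; destroy the staged one.
shred -uf -- "$keyStaging"

echo "Scan the following public key into your verification device"
qrencode -8 -t ANSIUTF8 -m 1 < "$PUBFILE" || abort_keygen "$?" "QR code rendering"

# With stdin closed, read fails; that must not skip the cleanup under set -e.
read -r -p "Press ENTER to continue..." pause || true
scrub_key_material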