path: root/install
blob: a9db860899666f5dc3a8f091ff661d4f1fcd8232 (plain)
#!/bin/bash

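set -e
set -u

# This script is expected to be called from mkinitcpio, if not...
if [ -z "${BUILDROOT:-}" ]; then
  # ...then mock out enough of the environment to enable testing.
  # Remember the option state the script runs under so it can be restored
  # after the mkinitcpio function library has been sourced with them relaxed.
  saveOpts=$(set +o | grep -E 'xtrace|errexit|nounset')
  saveGlob=$(shopt -p | grep extglob)
  shopt -s extglob
  set +e
  set +u
  set +x
  # shellcheck source=/dev/null
  . "/usr/lib/initcpio/functions"
  # Scratch build root for this manual run.  NOTE(review): it is created
  # with mktemp but never removed by this script.
  BUILDROOT=$(initialize_buildroot "$(uname -r)" "$(mktemp -d --tmpdir mkinitcpio.XXXXXX)")
  # Stand-in for the image path mkinitcpio would normally supply.
  _optgenimg=$(find /boot -name '*.img' 2>/dev/null | head -n 1)
  _optquiet=1
  eval "$saveOpts"
  eval "$saveGlob"
fi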

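#######################################
# Abort unless the given path lives on a tmpfs.
# The private key is written under this path in cleartext, so it must
# never touch persistent storage on the host.
# Arguments: $1 - path to check
# Outputs:   warning on stderr when the check fails
# Returns:   0 when $1 is on tmpfs; exits 1 otherwise
#######################################
assert_ephemeral() {
  local path=$1
  local fsType
  # Ask df for the filesystem *type*.  The previous `cut -f 1` read the
  # source column, which is "tmpfs" only by convention; a tmpfs mounted as
  # "shm" or "none" would have been rejected.  A failing df yields an
  # empty string, which also fails the check (fail closed).
  fsType=$(df --output=fstype -- "$path" | tail -n 1)
  # NOTE(review): tmpfs pages can still be written to swap; this check does
  # not cover that case.
  if [[ "$fsType" != "tmpfs" ]]; then
    cat >&2 <<TMPWARN
"$path" is not on an ephemeral file system. Cowardly aborting in order to avoid
leaking the private key that will authenticate the encrypted boot device.
TMPWARN
    exit 1
  fi
}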

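#######################################
# Abort unless the initramfs destination is on a dm-crypt block device.
# The image carries the private key, so an unencrypted destination would
# expose it to anyone with access to the disk.
# Globals:   _optgenimg (read) - path mkinitcpio writes the image to
# Outputs:   warning on stderr when the check fails
# Returns:   0 when the filesystem holding the image directory is a "crypt"
#            device; exits 2 otherwise (also when _optgenimg is unset/empty)
#######################################
assert_boot_part_encrypted() {
  local imgPath=${_optgenimg:-}
  local fsMnt="" isCrypt=0
  if [[ -n "$imgPath" ]]; then
    # The image may not exist yet on a first build; the filesystem holding
    # its parent directory is what matters.  Read the mount point as a
    # single df column rather than the last whitespace-separated word.
    fsMnt=$(df --output=target -- "$(dirname -- "$imgPath")" | tail -n 1)
  fi
  if [[ -n "$fsMnt" ]]; then
    # Exact match on the MOUNTPOINT column.  Interpolating the path into a
    # regex ("$fsMnt$") also accepted any longer path ending in it and
    # interpreted regex metacharacters in the path.
    # NOTE(review): lsblk -r escapes spaces in mount points as \x20, which
    # df does not; a mount point containing spaces would not match here.
    isCrypt=$(lsblk -rno TYPE,MOUNTPOINT \
      | awk -v mnt="$fsMnt" '$1 == "crypt" && $2 == mnt' \
      | wc -l)
  fi
  if [[ "$isCrypt" -ne 1 ]]; then
    cat >&2 <<DESTWARN
Destination location for the initramfs image is not on an encrypted device.
The nannycam software can only protect against Evil Maid style attacks if
the initramfs (and therefore the authentication key) is stored inside an
encrypted boot partition. Cowardly aborting in order to avoid leaking the
private key.
Image location: $imgPath
DESTWARN
    exit 2
  fi
}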

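# Refuse to go any further unless every precondition for handling the
# private key holds.
assert_ephemeral "$BUILDROOT"
assert_ephemeral "/tmp"
assert_boot_part_encrypted

# Key generation and populating the build root both need root.  Compare as a
# string so that an empty result from `id` fails closed: the unquoted
# `[ 0 -ne $(id -u) ]` turned into a test error and let the script continue.
if [[ "$(id -u)" != "0" ]]; then
  printf '%s\n' "Must be running as root" >&2
  exit 3
fi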

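# Path of the private key inside the image.  Kept fixed because that is
# where the key was placed before; the source file on the host no longer
# needs to share the name.
readonly KEYFILE_IN_IMAGE="/tmp/boot_partition_auth.pem"

# Create both files with mktemp directly under /tmp (the directory
# assert_ephemeral vetted above; -p ignores TMPDIR).  mktemp creates them
# mode 0600 under an unpredictable name, so another local user cannot have
# pre-created the path root is about to write the private key into — the
# fixed "/tmp/boot_partition_auth.pem" name allowed exactly that, and the
# later chmod did not change the file's owner.
KEYFILE=$(mktemp -p /tmp boot_partition_auth.XXXXXXXX.pem)
PUBFILE=$(mktemp -p /tmp boot_partition_auth.XXXXXXXX.pub)

#######################################
# Remove the key material on every exit path, so a failed openssl or
# add_file call cannot leave the private key in /tmp until reboot.
# Globals:   KEYFILE, PUBFILE (read)
#######################################
cleanup() {
  [[ -e "$KEYFILE" ]] && shred -uf -- "$KEYFILE"
  rm -f -- "$PUBFILE"
}
trap cleanup EXIT

# openssl's progress output goes to stderr, hence the redirect; report the
# failure ourselves so it does not abort silently under set -e.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out "$KEYFILE" 2>/dev/null \
  || { printf '%s\n' "Private key generation failed" >&2; exit 4; }
openssl rsa -pubout -out "$PUBFILE" -outform DER -in "$KEYFILE" 2>/dev/null \
  || { printf '%s\n' "Public key export failed" >&2; exit 4; }

# Copy the key into the image under its fixed path, readable by root only
# (the previous chmod 700 also set an execute bit the key does not need).
add_file "$KEYFILE" "$KEYFILE_IN_IMAGE" 600

# The host copy is no longer needed once it is in the build root.
shred -uf -- "$KEYFILE"

echo "Scan the following public key into your verification device"
qrencode -8 -t ANSIUTF8 -m 1 < "$PUBFILE"
# On EOF (non-interactive run) read fails and set -e aborts here, as before;
# the EXIT trap still removes the public key file.
read -r -p "Press ENTER to continue..." _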