blob: 0ebbd7320f3c1e5aab61bd018c6fd4c0b8ad0783 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
#!/bin/bash
set -e
set -u
source nannycam.functions
# This script is expected to be called from mkinitcpio, setup env otherwise
ensure_mkcpinitio_environment
# The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel
# fairly bad for relying on the implementation details, but the interface
# exposed by init_functions is not really sufficient for determining if the
# private key will be safe. Better safe than sorry.
assert_ephemeral "$BUILDROOT"
assert_ephemeral "/tmp"
assert_encrypted "$_optgenimg"
# If any other process on the box reads the private key file then all the
# protections are for naught.
assert_root
KEYFILE="/tmp/boot_partition_auth.pem"
PUBFILE="/tmp/boot_partition_auth.pub"
touch "$KEYFILE"
chmod 700 "$KEYFILE"
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out "$KEYFILE" 2> /dev/null
openssl rsa -pubout -out "$PUBFILE" -outform DER -in "$KEYFILE" 2> /dev/null
add_file "$KEYFILE"
shred -uf "$KEYFILE"
echo "Scan the following public key into your verification device"
cat "$PUBFILE" | qrencode -8 -t ANSIUTF8 -m 1
read -p "Press ENTER to continue..." pause
rm "$PUBFILE"
|