Verified Commit 2a0e6d62 authored by Kyle Rankin's avatar Kyle Rankin Committed by Matt Devillier

Make root disk hashing settings configurable

The root device and the list of root directories to hash are now
configurable options, and this change adds hooks into the config-gui.sh
script as well as all the librem board configs to allow a user to
customize these settings.

Additionally, add option to automatically check root hashes at boot

This is an optional feature (and disabled by default) but some have
already expressed interest in being able to automatically check the root
filesystem hashes at each boot. This adds that feature to the config gui
tool as well as adds a simple hook into kexec-select-boot where it scans
boot hashes.

I also added an option to pass an argument to root-hashes-gui.sh to
perform a standalone check without enabling the full GUI.
parent d40895ff
......@@ -38,3 +38,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
export CONFIG_BOARD_NAME="Librem 13 v2/v3"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -38,3 +38,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
export CONFIG_BOARD_NAME="Librem 13 v4"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem 14"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -38,3 +38,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
export CONFIG_BOARD_NAME="Librem 15 v3"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -38,3 +38,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
export CONFIG_BOARD_NAME="Librem 15 v4"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem Server L1UM"
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_USB_KEYBOARD=y
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem Mini"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_USB_KEYBOARD=y
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -39,3 +39,6 @@ export CONFIG_BOARD_NAME="Librem Mini v2"
export CONFIG_FLASHROM_OPTIONS="-p internal"
export CONFIG_USB_KEYBOARD=y
export CONFIG_AUTO_BOOT_TIMEOUT=5
export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
export CONFIG_ROOT_CHECK_AT_BOOT="n"
......@@ -17,8 +17,11 @@ while true; do
whiptail $BG_COLOR_MAIN_MENU --clear --title "Config Management Menu" \
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \
'b' ' Change the /boot device' \
's' ' Save the current configuration to the running BIOS' \
'r' ' Clear GPG key(s) and reset all user settings' \
'R' ' Change the root device for hashing' \
'D' ' Change the root directories to hash' \
'B' ' Check root hashes at boot' \
's' ' Save the current configuration to the running BIOS' \
'x' ' Return to Main Menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
......@@ -134,6 +137,88 @@ while true; do
exit 0
fi
;;
"R" )
CURRENT_OPTION=`grep 'CONFIG_ROOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt
# filter out extraneous options
> /tmp/root_device_list.txt
for i in `cat /tmp/disklist.txt`; do
# remove block device from list if numeric partitions exist, since not bootable
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp/root_device_list.txt
else
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/root_device_list.txt
fi
done
file_selector "/tmp/root_device_list.txt" \
"Choose the default root device.\n\nCurrently set to $CURRENT_OPTION." \
"Root Device Selection"
if [ "$FILE" == "" ]; then
return
else
SELECTED_FILE=$FILE
fi
replace_config /etc/config.user "CONFIG_ROOT_DEV" "$SELECTED_FILE"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "The root device was successfully changed to $SELECTED_FILE" 16 60
;;
"D" )
CURRENT_OPTION=`grep 'CONFIG_ROOT_DIRLIST=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
echo "The current list of directories to hash is $CURRENT_OPTION"
echo -e "\nEnter the new list of directories separated by spaces, without any beginning forward slashes:"
echo -e "(Press enter with the list empty to cancel)"
read -r NEW_CONFIG_ROOT_DIRLIST
# strip any leading forward slashes in case the user ignored us
NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g')
#check if list empty
if [ -s $NEW_CONFIG_ROOT_DIRLIST ] ; then
whiptail --title 'Config change canceled' \
--msgbox "Root device directory change canceled by user" 16 60
break
fi
replace_config /etc/config.user "CONFIG_ROOT_DIRLIST" "$NEW_CONFIG_ROOT_DIRLIST"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "The root directories to hash was successfully changed to:\n$NEW_CONFIG_ROOT_DIRLIST" 16 60
;;
"B" )
CURRENT_OPTION=`grep 'CONFIG_ROOT_CHECK_AT_BOOT=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
if [ "$CURRENT_OPTION" = "n" ]; then
if (whiptail --title 'Enable Root Hash Check at Boot?' \
--yesno "This will enable checking root hashes each time you boot.
\nDepending on the directories you are checking, this might add
\na minute or more to the boot time.
\n\nDo you want to proceed?" 16 90) then
replace_config /etc/config.user "CONFIG_ROOT_CHECK_AT_BOOT" "y"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "The root device will be checked at each boot." 16 60
fi
else
if (whiptail --title 'Disable Root Hash Check at Boot?' \
--yesno "This will disable checking root hashes each time you boot.
\n\nDo you want to proceed?" 16 90) then
replace_config /etc/config.user "CONFIG_ROOT_CHECK_AT_BOOT" "n"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "The root device will not be checked at each boot." 16 60
fi
fi
;;
esac
done
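Review bot: `if [ -s $NEW_CONFIG_ROOT_DIRLIST ]` in the "D" case is the wrong test for an empty answer: `-s` checks that a file exists and is non-empty, so a single-word entry such as `usr` is tested as a path relative to the current directory, and a multi-word entry makes `[` fail with "too many arguments" and the change silently proceeds. The empty-string check should be `if [ -z "$NEW_CONFIG_ROOT_DIRLIST" ]; then`. The `break` in that cancel branch also leaves the enclosing `while true` menu loop (which starts outside the hunk) instead of returning to the menu; `continue` looks like the intent unless the other cases deliberately exit the same way. In the "R" case, `return` on an empty selection is only valid if config-gui.sh is sourced or this code runs inside a function, which the hunk does not show, and `continue` would be the safer choice there too. The unquoted `for i in \`cat /tmp/disklist.txt\`` and `ls $i*` should quote `"$i"` and use a `while IFS= read -r` loop so device names are never word-split or glob-expanded.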
......
......@@ -64,6 +64,19 @@ verify_global_hashes()
fi
die "$TMP_HASH_FILE: boot hash mismatch"
fi
# If user enables it, check root hashes before boot as well
if [ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" ]; then
if root-hashes-gui.sh -c; then
echo "+++ Verified root hashes, continuing boot "
else
# root-hashes-gui.sh handles the GUI error menu, just die here
if [ "$gui_menu" = "y" ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
--msgbox "The root hash check failed!\nExiting to a recovery shell" 16 60
fi
die "root hash mismatch, see /tmp/hash_output_mismatches for details"
fi
fi
}
verify_rollback_counter()
......
......@@ -174,6 +174,23 @@ unmount_root_device()
cryptsetup luksClose rootdisk
}
checkonly="n"
while getopts ":hc" arg; do
case $arg in
c) checkonly="y" ;;
h) echo "Usage: $0 [-c|-h]"; exit 0 ;;
esac
done
if [ "$checkonly" = "y" ]; then
check_root_checksums
if [ -e /tmp/hash_output_mismatches ]; then # if this file exists, there were errors
exit 1
else
exit 0
fi
fi
while true; do
unset menu_choice
......@@ -187,17 +204,22 @@ while true; do
fi
fi
if [ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" ]; then
AT_BOOT="enabled"
else
AT_BOOT="disabled"
fi
if [ -e "$HASH_FILE" ]; then
HASH_FILE_DATE=$(stat -c %y ${HASH_FILE})
whiptail --title "Root Disk Verification Menu" \
--menu "This feature lets you detect tampering in files on your root disk.\n\nHash file last updated: ${HASH_FILE_DATE}\n\nYou can check and update hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nSelect the function to perform:" 20 90 10 \
--menu "This feature lets you detect tampering in files on your root disk.\n\nHash file last updated: ${HASH_FILE_DATE}\n\nYou can check and update hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 20 90 10 \
'c' ' Check root hashes' \
'u' ' Update root hashes' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"
else
whiptail --title "Root Disk Verification Menu" \
--menu "This feature lets you detect tampering in files on your root disk.\n\nNo hash file has been created yet\n\nYou can create hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nSelect the function to perform:" 20 90 10 \
--menu "This feature lets you detect tampering in files on your root disk.\n\nNo hash file has been created yet\n\nYou can create hashes for files in:\n $CONFIG_ROOT_DIRLIST_PRETTY\n\nAutomatic checks are ${AT_BOOT} at boot.\n\nSelect the function to perform:" 20 90 10 \
'u' ' Create root hashes' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"
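Review bot: The new `-c` path derives its exit status solely from whether /tmp/hash_output_mismatches exists after `check_root_checksums` returns, so a check that never ran to completion (no hash file yet, root device not mounted, an early error inside the helper) exits 0, and the caller added to verify_global_hashes in kexec-select-boot then prints "Verified root hashes" and continues booting — the boot-time check fails open. Conversely, a mismatch file left over from an earlier interactive check in the same session would fail the check even when the filesystem is clean. Clearing the file with `rm -f /tmp/hash_output_mismatches` before the call and propagating the helper's own status with `check_root_checksums || exit 1` would close both gaps, assuming check_root_checksums returns non-zero on error, which is not visible in this hunk. The `case $arg` in the new getopts loop also lacks a `\?)` arm, so an unknown option is silently ignored instead of being rejected with the usage text.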
......