#!/usr/bin/ash
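#######################################
# Verify the boot-loader code in the MBR of $BOOTDISK against the hash
# recorded in /etc/chkcryptoboot/disk-head.sha512.
# Only the first 446 bytes are read (bs=446 count=1), i.e. the bootstrap
# code area in front of the partition table.
# Globals:   BOOTDISK (read) - block device whose MBR is checked
# Outputs:   alert or success message on stdout; dd/sha512sum noise on stderr
# Returns:   1 if the MBR cannot be read or the hash does not match,
#            0 if it matches, and also 0 (silently) when BOOTDISK is empty
#            or the hash file is absent - a missing hash file is NOT reported
#######################################
check_mbr ()
{
  local hashdir=/etc/chkcryptoboot
  if [ -n "$BOOTDISK" ] && [ -s "$hashdir/disk-head.sha512" ]; then
    # A read failure must not fall through to the comparison as if it were
    # a tamper result; report it on its own and fail closed.
    if ! dd if="$BOOTDISK" of="$hashdir/disk-head" bs=446 count=1; then
      echo -e "\nCHKCRYPTOBOOT ALERT!\n"
      echo "COULD NOT READ THE MBR FROM $BOOTDISK!"
      return 1
    fi
    # Compare inside a subshell: the hash file holds a relative name, and this
    # keeps the caller's cwd untouched without the 'cd -' round trip (which
    # also printed the directory to stdout).
    if ! (cd "$hashdir" && sha512sum -c disk-head.sha512); then
      echo -e "\nCHKCRYPTOBOOT ALERT!\n"
      echo -e "CHANGES HAVE BEEN DETECTED IN THE BOOT LOADER CODE INSTALLED IN YOUR MBR!\n"
      return 1
    fi
    echo "Your boot loader code mbr hash was verified successfully."
  fi
  return 0
}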
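#######################################
# Verify the boot-loader core image against
# /etc/chkcryptoboot/grub-core.sha512.
# 62 sectors of 512 bytes are read from $BOOT_PARTITION when it is set,
# otherwise from $BOOTDISK starting at sector 1 (skip=1, i.e. right after
# the MBR).
# Globals:   BOOTDISK, BOOT_PARTITION (read)
# Outputs:   alert or success message on stdout; dd/sha512sum noise on stderr
# Returns:   1 if the image cannot be read or the hash does not match,
#            0 if it matches, and also 0 (silently) when BOOTDISK is empty
#            or the hash file is absent
#######################################
check_core ()
{
  local hashdir=/etc/chkcryptoboot
  local rc
  if [ -n "$BOOTDISK" ] && [ -s "$hashdir/grub-core.sha512" ]; then
    if [ -n "$BOOT_PARTITION" ]; then
      dd if="$BOOT_PARTITION" of="$hashdir/grub-core" bs=512 count=62
    else
      dd if="$BOOTDISK" of="$hashdir/grub-core" skip=1 bs=512 count=62
    fi
    # $? after 'fi' is the status of whichever dd ran
    rc=$?
    if [ "$rc" -ne 0 ]; then
      echo -e "\nCHKCRYPTOBOOT ALERT!\n"
      echo "COULD NOT READ THE BOOT LOADER CORE IMAGE!"
      return 1
    fi
    # subshell: the hash file uses a relative name; avoids 'cd -' and its output
    if ! (cd "$hashdir" && sha512sum -c grub-core.sha512); then
      echo -e "\nCHKCRYPTOBOOT ALERT!\n"
      echo -e "CHANGES HAVE BEEN DETECTED IN THE BOOT LOADER CORE!\n"
      return 1
    fi
    echo "Your boot loader core hash was verified successfully."
  fi
  return 0
}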
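#######################################
# Verify the files listed in /etc/chkcryptoboot/efistub.sha512 after
# mounting the EFI system partition. The ESP is left mounted; it is
# unmounted by run_cleanuphook.
# Globals:   ESP (read) - EFI system partition handed to resolve_device/mount
# Outputs:   alert or success message on stdout
# Returns:   1 if the ESP cannot be mounted or a hash does not match,
#            0 if all hashes match, and also 0 (silently) when ESP is empty
#            or the hash file is absent
#######################################
check_efi ()
{
  if [ -n "$ESP" ] && [ -s /etc/chkcryptoboot/efistub.sha512 ]; then
    # resolve_device is not defined in this file (presumably provided by the
    # initramfs environment); as in the original its output is not used here
    resolve_device "$ESP"
    # a failed mount would otherwise surface only as "missing file" noise
    # from sha512sum; name the real cause and fail closed
    if ! mount "$ESP"; then
      echo -e "\nCHKCRYPTOBOOT ALERT!\n"
      echo "COULD NOT MOUNT $ESP TO VERIFY THE EFISTUB!"
      return 1
    fi
    if ! sha512sum -c /etc/chkcryptoboot/efistub.sha512; then
      echo -e "\nCHKCRYPTOBOOT ALERT!\n"
      echo -e "CHANGES HAVE BEEN DETECTED IN YOUR BOOT LOADER EFISTUB!\n"
      return 1
    fi
    echo "Your boot loader efistub hash was verified successfully."
  fi
  return 0
}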
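#######################################
# Check that the configured NAME=VALUE pair appears as a whole word on the
# running kernel's command line (/proc/cmdline).
# Globals:   CMDLINE_NAME, CMDLINE_VALUE (read)
# Outputs:   success message or alert on stdout
# Returns:   0 if the exact "NAME=VALUE" word is present,
#            1 otherwise - including when the pair is not configured, so an
#            empty configuration is treated as a failed check
#######################################
check_cmdline ()
{
  local cmdline param expected
  if [ -n "$CMDLINE_NAME" ] && [ -n "$CMDLINE_VALUE" ]; then
    expected="$CMDLINE_NAME=$CMDLINE_VALUE"
    # -r keeps backslashes literal; an unreadable /proc/cmdline leaves
    # $cmdline empty and the loop below simply finds nothing
    read -r cmdline < /proc/cmdline
    # unquoted on purpose: split the command line into one word per parameter
    for param in $cmdline; do
      # quoted comparison: a word such as "*" or an empty value cannot
      # break the test or be glob-expanded here
      if [ "$param" = "$expected" ]; then
        echo "Your kernel cmdline contain the correct parameters."
        return 0
      fi
    done
  fi
  echo -e "\nCHKCRYPTOBOOT ALERT!\n"
  echo -e "YOUR KERNEL CMDLINE DO NOT CONTAIN THE PARAMETERS THAT ARE IN\n"
  echo -e "THE CHKCRYPTOBOOT CONFIGURATION!\n"
  echo -e "THIS INDICATES YOUR BOOT LOADER CONFIGURATION WAS PROBABLY BYPASSED!\n"
  return 1
}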
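#######################################
# Block until the operator types exactly "YES" (uppercase). run_hook calls
# this when a check failed, before the root container passphrase is asked.
# Inputs:    reads lines from stdin; anything other than "YES" (including an
#            empty line or EOF) repeats the prompt
# Outputs:   warning and prompt on stdout
# Returns:   0 once "YES" has been entered
#######################################
warning_confirm ()
{
  local answer
  while true; do
    echo -e "YOU ARE STRONGLY ADVISED NOT TO ENTER YOUR ROOT CONTAINER PASSWORD!"
    echo -e "\nPlease type uppercase yes to continue:"
    # -r: backslashes are literal; the quoted test keeps an empty or odd
    # answer (e.g. "*" or "-n") from turning into a syntax error or a glob
    read -r answer
    if [ "$answer" = "YES" ]; then
      break
    fi
  done
}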
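#######################################
# Initramfs hook entry point: load the chkcryptoboot configuration, run the
# checks for the configured BOOTMODE and, if any of them fails (or the mode
# is unknown), hold at warning_confirm before the root container is unlocked.
# Globals:   BOOTMODE (read); BOOTDISK, BOOT_PARTITION, ESP, CMDLINE_NAME,
#            CMDLINE_VALUE are read by the individual checks - all of them
#            are set by sourcing /etc/chkcryptoboot/chkcryptoboot.conf
# Outputs:   check results and warnings on stdout
# Returns:   0; does nothing when chkcryptoboot.conf is absent or empty
#######################################
run_hook ()
{
  local failed=0
  [ -s /etc/chkcryptoboot/chkcryptoboot.conf ] || return 0
  # the configuration is executed as shell code ('.' is the POSIX spelling
  # of 'source' and works in ash)
  . /etc/chkcryptoboot/chkcryptoboot.conf
  # every check still runs even after an earlier failure, so all messages
  # are printed; failures are aggregated explicitly rather than read back
  # from $? inside a combined test
  case "$BOOTMODE" in
    mbr)
      check_mbr || failed=1
      check_core || failed=1
      check_cmdline || failed=1
      ;;
    efi)
      check_efi || failed=1
      check_cmdline || failed=1
      ;;
    *)
      # an empty or unknown BOOTMODE is a configuration error: gate anyway
      echo -e "\nCHKCRYPTOBOOT WARNING!\n"
      echo -e "YOUR CHKCRYPTOBOOT CONFIGURATION CONTAIN ERRORS!"
      failed=1
      ;;
  esac
  if [ "$failed" -ne 0 ]; then
    warning_confirm
  fi
  return 0
}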
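#######################################
# Cleanup hook: unmount the ESP that check_efi mounted, when EFI mode is
# configured and ESP is set.
# Globals:   BOOTMODE, ESP (read, set by /etc/chkcryptoboot/chkcryptoboot.conf)
# Returns:   status of umount when it runs, otherwise 0 (also 0 when the
#            configuration file is absent or empty)
#######################################
run_cleanuphook ()
{
  [ -s /etc/chkcryptoboot/chkcryptoboot.conf ] || return 0
  . /etc/chkcryptoboot/chkcryptoboot.conf
  # "$ESP" must be quoted: an unquoted '[ -n $ESP ]' is true for an empty
  # ESP (single-argument test) and then ran 'umount' with no argument
  if [ "$BOOTMODE" = "efi" ] && [ -n "$ESP" ]; then
    umount "$ESP"
  fi
}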