Compare commits
11 Commits
Author | SHA1 | Date | |
---|---|---|---|
775b854cd1 | |||
c06b25c54a | |||
023bd8b2de | |||
7c0b3ef862 | |||
dc12c45581 | |||
078f86c732 | |||
326d4a30b6 | |||
7b2e19bdef | |||
7f32a7c5e4 | |||
329095f5fa | |||
c9cbf76701 |
|
@ -18,8 +18,10 @@ steps:
|
||||||
commands:
|
commands:
|
||||||
- rm /etc/apt/apt.conf.d/docker-clean
|
- rm /etc/apt/apt.conf.d/docker-clean
|
||||||
- rm /var/cache/apt/archives/lock
|
- rm /var/cache/apt/archives/lock
|
||||||
|
- echo "APT::Default-Release \"stretch\";" >> /etc/apt/apt.conf.d/00default_release
|
||||||
|
- echo "deb http://deb.debian.org/debian buster main" >> /etc/apt/sources.list.d/buster.list
|
||||||
- apt-get update -q
|
- apt-get update -q
|
||||||
- apt-get install -qy shellcheck
|
- apt-get install -qy -t buster shellcheck
|
||||||
- shellcheck hashboot
|
- shellcheck hashboot
|
||||||
volumes:
|
volumes:
|
||||||
- name: debian-package-cache
|
- name: debian-package-cache
|
||||||
|
|
22
README.md
22
README.md
|
@ -7,34 +7,44 @@ option to restore the file from backup.
|
||||||
If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
|
If there is a core- or libreboot BIOS and [flashrom](https://flashrom.org/)
|
||||||
installed, **hashboot** can check the BIOS for modifications too.
|
installed, **hashboot** can check the BIOS for modifications too.
|
||||||
|
|
||||||
|
We moved our code to
|
||||||
|
[schlomp.space](https://schlomp.space/tastytea/hashboot) but we keep the
|
||||||
|
[GitHub-repo](https://github.com/tastytea/hashboot) as a mirror.
|
||||||
|
|
||||||
# Install
|
# Install
|
||||||
|
|
||||||
## Packages
|
## Packages
|
||||||
|
|
||||||
### Void Linux
|
### Void Linux
|
||||||
|
|
||||||
``` shellsession
|
``` shell
|
||||||
xbps-install -S hashboot
|
xbps-install -S hashboot
|
||||||
```
|
```
|
||||||
|
|
||||||
### Gentoo
|
### Gentoo Linux
|
||||||
|
|
||||||
Ebuilds are available via the
|
Ebuilds are available via the
|
||||||
[tastytea repository](https://schlomp.space/tastytea/overlay).
|
[tastytea repository](https://schlomp.space/tastytea/overlay).
|
||||||
|
|
||||||
``` shellsession
|
``` shell
|
||||||
emerge -a sys-apps/hashboot
|
emerge -a sys-apps/hashboot
|
||||||
rc-update add hashboot boot
|
rc-update add hashboot boot
|
||||||
```
|
```
|
||||||
|
|
||||||
## Manual
|
|
||||||
|
|
||||||
### Arch Linux
|
### Arch Linux
|
||||||
|
|
||||||
Go to [the Arch installation instructions](arch_instructions.md).
|
Use the [package from AUR](https://aur.archlinux.org/packages/hashboot/).
|
||||||
|
|
||||||
|
## Manual
|
||||||
|
|
||||||
### Any distro
|
### Any distro
|
||||||
|
|
||||||
|
The releases on
|
||||||
|
[schlomp.space](https://schlomp.space/tastytea/hashboot/releases) are
|
||||||
|
PGP-signed. The key-ID is `F7301ADFC9ED262448C42B64242E5AC4DA587BF9`
|
||||||
|
(`242E5AC4DA587BF9`). You can fetch it with `gpg --locate-key
|
||||||
|
autosign@tastytea.de`.
|
||||||
|
|
||||||
* Make hashboot executable
|
* Make hashboot executable
|
||||||
* Place hashboot anywhere in ${PATH}
|
* Place hashboot anywhere in ${PATH}
|
||||||
* Install the appropriate init script
|
* Install the appropriate init script
|
||||||
|
|
|
@ -1,87 +0,0 @@
|
||||||
# Install hashboot on Arch Linux
|
|
||||||
## Setting up hashboot
|
|
||||||
|
|
||||||
1. Clone the git repository and enter the directory:
|
|
||||||
|
|
||||||
`git clone https://github.com/tastytea/hashboot.git && cd hashboot`
|
|
||||||
|
|
||||||
2. Distribute the files to the proper paths:
|
|
||||||
|
|
||||||
PLEASE NOTE: it's important to know that when using symlinks it's important to NOT delete the original files. DO NOT DELETE THE HASHBOOT GIT FOLDER. If you move the hashboot git folder, you will need to re-link the files before the next boot. The *advantage* to using symlinks is that if the hashboot code on Github is updated, you can pull the changes and not have to re-copy the files.
|
|
||||||
|
|
||||||
If you don't want to use links and therefore want to be able to safely delete the hashboot git folder, replace `ln -sf` with `cp`.
|
|
||||||
|
|
||||||
1. `sudo ln -sf $(readlink -f hashboot) /usr/bin/hashboot`
|
|
||||||
2. `sudo ln -sf $(readlink -f init/systemd/emergency.service) /etc/systemd/system/emergency.service`
|
|
||||||
3. `sudo ln -sf $(readlink -f init/systemd/emergency.target) /etc/systemd/system/emergency.target`
|
|
||||||
4. `sudo ln -sf $(readlink -f init/systemd/hashboot.service) /etc/systemd/system/hashboot.service`
|
|
||||||
|
|
||||||
3. Make the hashboot script executable:
|
|
||||||
|
|
||||||
`sudo chmod a+x /usr/bin/hashboot`
|
|
||||||
|
|
||||||
4. Generate the configuration file and initial files:
|
|
||||||
|
|
||||||
`sudo hashboot index`
|
|
||||||
|
|
||||||
## Setting up systemd
|
|
||||||
Start the hashboot service on boot:
|
|
||||||
|
|
||||||
`sudo systemctl enable hashboot.service`
|
|
||||||
|
|
||||||
## Setting up the pacman hook
|
|
||||||
You may need to first create the hook folder:
|
|
||||||
|
|
||||||
`sudo mkdir -p /etc/pacman.d/hooks`
|
|
||||||
|
|
||||||
Then make the hashboot hook file:
|
|
||||||
|
|
||||||
`sudo nano /etc/pacman.d/hooks/99-hashboot.hook`
|
|
||||||
|
|
||||||
It's important to prefix the file with "99-" because pacman will execute hooks in alphabetical order, and hashboot should be among the last to be executed. Likewise, it's important to suffix the file with ".hook" or pacman won't think it's an alpm hook.
|
|
||||||
|
|
||||||
Give it the following contents:
|
|
||||||
|
|
||||||
```
|
|
||||||
[Trigger]
|
|
||||||
Operation = Install
|
|
||||||
Operation = Upgrade
|
|
||||||
Operation = Remove
|
|
||||||
Type = Package
|
|
||||||
Target = *
|
|
||||||
|
|
||||||
[Action]
|
|
||||||
Description = Regenerating hashboot checksums...
|
|
||||||
When = PostTransaction
|
|
||||||
Exec = /usr/bin/hashboot index
|
|
||||||
```
|
|
||||||
|
|
||||||
Now when you install, upgrade, or remove any package, hashboot will generate new files.
|
|
||||||
|
|
||||||
## Making sure hashboot runs at boot
|
|
||||||
Immediately after booting, you can view the status of the hashboot service with the command
|
|
||||||
|
|
||||||
`sudo systemctl status hashboot.service`
|
|
||||||
|
|
||||||
It should print something like:
|
|
||||||
|
|
||||||
```
|
|
||||||
* hashboot.service - Check for changes made to the boot partition since shutting down
|
|
||||||
Loaded: loaded (/etc/systemd/system/hashboot.service; enabled; vendor preset: disabled)
|
|
||||||
Active: inactive (dead) since Sun 2019-05-12 09:27:48 PDT; 20s ago
|
|
||||||
Process: 1292 ExecStart=/sbin/hashboot check (code=exited, status=0/SUCCESS)
|
|
||||||
Main PID: 1292 (code=exited, status=0/SUCCESS)>
|
|
||||||
|
|
||||||
May 12 09:27:47 hostname systemd[1]: Starting Check for changes made to the boot partition since shutting down...
|
|
||||||
May 12 09:27:48 hostname systemd[1]: hashboot.service: Succeeded.
|
|
||||||
May 12 09:27:48 hostname systemd[1]: Started Check for changes made to the boot partition since shutting down.
|
|
||||||
```
|
|
||||||
|
|
||||||
systemd prints the hashboot file as residing in `/sbin`, but that's because in Arch Linux (and many other distributions), `/bin` and `/sbin` are both symlinks to `/usr/bin`. You can verify this with `ls -l /sbin`.
|
|
||||||
|
|
||||||
## Notes on pacman hooks
|
|
||||||
Pacman uses [alpm hooks](https://www.archlinux.org/pacman/alpm-hooks.5.html) to facilitate triggering an operation after a file or package has been modified by pacman. System hooks are stored in the `/usr/share/libalpm/hooks` directory, but user hooks are stored in `/etc/pacman.d/hooks` (the directory might not be present on an unmodified Arch installation).
|
|
||||||
|
|
||||||
`hashboot index` *should* be ran after any modification to `/boot`. However, pacman will not trigger a hook that should be triggered if files are modified in `/boot` if the files modified in `/boot` are only modified in a separate hook and not by pacman itself; that is, if the initramfs is modified by a prior hook, a hashboot hook that should be triggered if files are modified in `/boot` is not properly triggered.
|
|
||||||
|
|
||||||
Furthermore, upgrading a package like `btrfs-progs` can trigger an initramfs update. It would be possible to watch the linux modules folders (`/usr/lib/modules/*`), but libalpm does not search for changes in subfolders, and the kernel module folders are hardcoded to the kernel version (e.g. `/usr/lib/modules/5.1.9-arch1-1-ARCH/`), and change with each kernel update. Therefore, it is safest to generate a new hashboot index every time any package is installed, upgraded, or removed.
|
|
81
hashboot
81
hashboot
|
@ -12,6 +12,9 @@
|
||||||
# If we meet some day, and you think this is nice, you can give us a hug. #
|
# If we meet some day, and you think this is nice, you can give us a hug. #
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
# Disable warnings about $?.
|
||||||
|
# shellcheck disable=SC2181
|
||||||
|
|
||||||
VERSION="0.9.14"
|
VERSION="0.9.14"
|
||||||
PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
|
PATH="/bin:/usr/bin:/sbin:/usr/sbin:${PATH}"
|
||||||
DIGEST_FILE=""
|
DIGEST_FILE=""
|
||||||
|
@ -47,29 +50,31 @@ die ()
|
||||||
rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
|
rm -f "${DIGEST_FILE_TMP}" "${MBR_TMP}" "${BIOS_TMP}"
|
||||||
|
|
||||||
[ -z "${2}" ] || echo "${2}" >&2
|
[ -z "${2}" ] || echo "${2}" >&2
|
||||||
exit ${1}
|
exit "${1}"
|
||||||
}
|
}
|
||||||
|
|
||||||
write_hashes ()
|
write_hashes ()
|
||||||
{
|
{
|
||||||
#Write header to ${1}
|
local file="${1}"
|
||||||
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${1}
|
#Write header to ${file}
|
||||||
|
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > "${file}"
|
||||||
|
|
||||||
if [ $((${CKMODES} & 001)) -ne 0 ]; then
|
if [ $((CKMODES & 001)) -ne 0 ]; then
|
||||||
#copy mbr to file
|
#copy mbr to file
|
||||||
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
|
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
|
||||||
#Write hash of MBR to ${1}
|
#Write hash of MBR to ${file}
|
||||||
${HASHER} ${MBR_TMP} >> ${1}
|
${HASHER} ${MBR_TMP} >> "${file}"
|
||||||
fi
|
fi
|
||||||
if [ $((${CKMODES} & 010)) -ne 0 ]; then
|
if [ $((CKMODES & 010)) -ne 0 ]; then
|
||||||
#Write hashes of all regular files to ${1}
|
#Write hashes of all regular files to ${file}
|
||||||
find /boot -type f -exec ${HASHER} --binary {} >> ${1} +
|
# shellcheck disable=SC2227
|
||||||
|
find /boot -type f -exec ${HASHER} --binary {} >> "${file}" +
|
||||||
fi
|
fi
|
||||||
if [ $((${CKMODES} & 100)) -ne 0 ]; then
|
if [ $((CKMODES & 100)) -ne 0 ]; then
|
||||||
#read bios to file
|
#read bios to file
|
||||||
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
||||||
#and write hashes of bios files to ${1}
|
#and write hashes of bios files to ${file}
|
||||||
${HASHER} ${BIOS_TMP} >> ${1}
|
${HASHER} ${BIOS_TMP} >> "${file}"
|
||||||
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -89,7 +94,9 @@ then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Debian < 8 check
|
# Debian < 8 check
|
||||||
if which lsb_release > /dev/null 2>&1 && [ "$(lsb_release -si)" == "Debian" ] && [ $(lsb_release -sr | cut -d'.' -f1) -lt 8 ]
|
if command -v lsb_release > /dev/null \
|
||||||
|
&& [ "$(lsb_release -si)" == "Debian" ] \
|
||||||
|
&& [ "$(lsb_release -sr | cut -d'.' -f1)" -lt 8 ]
|
||||||
then
|
then
|
||||||
DD_STATUS="noxfer"
|
DD_STATUS="noxfer"
|
||||||
fi
|
fi
|
||||||
|
@ -97,9 +104,10 @@ fi
|
||||||
#Look for config file and set ${MBR_DEVICE}.
|
#Look for config file and set ${MBR_DEVICE}.
|
||||||
if [ -f ${CONFIG_FILE} ]
|
if [ -f ${CONFIG_FILE} ]
|
||||||
then
|
then
|
||||||
|
# shellcheck source=/dev/null
|
||||||
source ${CONFIG_FILE} || die 9 "Error reading config file"
|
source ${CONFIG_FILE} || die 9 "Error reading config file"
|
||||||
#compatibility to old cfg format
|
#compatibility to old cfg format
|
||||||
if [ ! -z "${BACKUP_FILE}" ]; then
|
if [ -n "${BACKUP_FILE}" ]; then
|
||||||
SAVEDIR="/var/lib/hashboot"
|
SAVEDIR="/var/lib/hashboot"
|
||||||
echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
|
echo "SAVEDIR=${SAVEDIR}" >> ${CONFIG_FILE}
|
||||||
mkdir -p ${SAVEDIR}
|
mkdir -p ${SAVEDIR}
|
||||||
|
@ -132,11 +140,11 @@ else
|
||||||
echo "010=files"
|
echo "010=files"
|
||||||
echo "100=core-/libreboot bios"
|
echo "100=core-/libreboot bios"
|
||||||
echo "eg. 101 for mbr and bios: "
|
echo "eg. 101 for mbr and bios: "
|
||||||
read CKMODES
|
read -r CKMODES
|
||||||
echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
|
echo "#001=mbr,010=files,100=bios" >> ${CONFIG_FILE}
|
||||||
echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
|
echo "CKMODES=$CKMODES" >> ${CONFIG_FILE}
|
||||||
|
|
||||||
if [ $((${CKMODES} & 001)) -ne 0 ]; then
|
if [ $((CKMODES & 001)) -ne 0 ]; then
|
||||||
echo -n "Which device contains the MBR? [/dev/sda] "
|
echo -n "Which device contains the MBR? [/dev/sda] "
|
||||||
read -r MBR_DEVICE
|
read -r MBR_DEVICE
|
||||||
[ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
|
[ -z "${MBR_DEVICE}" ] && MBR_DEVICE="/dev/sda"
|
||||||
|
@ -144,12 +152,12 @@ else
|
||||||
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
|
echo "MBR_DEVICE=${MBR_DEVICE}" >> ${CONFIG_FILE}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $((${CKMODES} & 100)) -ne 0 ]; then
|
if [ $((CKMODES & 100)) -ne 0 ]; then
|
||||||
if ! which flashrom; then
|
if ! command -v flashrom > /dev/null; then
|
||||||
echo "You need to have flashrom installed!"
|
echo "You need to have flashrom installed!"
|
||||||
echo "Currently it is not installed, don't reboot"
|
echo "Currently it is not installed, don't reboot"
|
||||||
echo "If you need another programmer than internal"
|
echo "If you need another programmer than internal"
|
||||||
echo "use the variable PROGRAMMER in $CONFIG_FILE\!"
|
echo "use the variable PROGRAMMER in ${CONFIG_FILE}!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -158,7 +166,7 @@ else
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $((${CKMODES} & 001)) -ne 0 ]; then
|
if [ $((CKMODES & 001)) -ne 0 ]; then
|
||||||
# Find out where the first partition starts and set ${MBR_SIZE} in KiB
|
# Find out where the first partition starts and set ${MBR_SIZE} in KiB
|
||||||
sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
|
sectorsize=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep '^Units' | awk '{print $8}' )
|
||||||
if [ "${sectorsize}" == "=" ] # Older versions of util-linux
|
if [ "${sectorsize}" == "=" ] # Older versions of util-linux
|
||||||
|
@ -171,7 +179,7 @@ if [ $((${CKMODES} & 001)) -ne 0 ]; then
|
||||||
startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
|
startsector=$(LC_ALL=C fdisk -l ${MBR_DEVICE} | grep -A1 'Device' | tail -n1 | awk '{print $3}' )
|
||||||
fi
|
fi
|
||||||
|
|
||||||
MBR_SIZE=$(expr ${sectorsize} \* ${startsector} / 1024)
|
MBR_SIZE=$((sectorsize * startsector / 1024))
|
||||||
|
|
||||||
if [ ${?} != 0 ]
|
if [ ${?} != 0 ]
|
||||||
then
|
then
|
||||||
|
@ -183,10 +191,10 @@ fi
|
||||||
if [ "${1}" == "index" ]
|
if [ "${1}" == "index" ]
|
||||||
then
|
then
|
||||||
#Try different hashers, use the most secure
|
#Try different hashers, use the most secure
|
||||||
HASHER=$(/usr/bin/which sha512sum 2> /dev/null)
|
HASHER=$(command -v sha512sum)
|
||||||
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha384sum 2> /dev/null)
|
test -z "${HASHER}" && HASHER=$(command -v sha384sum)
|
||||||
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha256sum 2> /dev/null)
|
test -z "${HASHER}" && HASHER=$(command -v sha256sum)
|
||||||
test -z "${HASHER}" && HASHER=$(/usr/bin/which sha224sum 2> /dev/null)
|
test -z "${HASHER}" && HASHER=$(command -v sha224sum)
|
||||||
#If we found no hasher: exit
|
#If we found no hasher: exit
|
||||||
[ -z "${HASHER}" ] && die 5 "No hash calculator found"
|
[ -z "${HASHER}" ] && die 5 "No hash calculator found"
|
||||||
|
|
||||||
|
@ -205,11 +213,11 @@ then
|
||||||
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
|
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '<' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
|
||||||
do
|
do
|
||||||
#delete from tar
|
#delete from tar
|
||||||
tar --delete -v -P -f $BACKUP_FILE $file
|
tar --delete -v -P -f ${BACKUP_FILE} "${file}"
|
||||||
done
|
done
|
||||||
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
|
for file in $(diff ${DIGEST_FILE} ${DIGEST_FILE_TMP} | grep -v '#hashboot' | grep '>' | cut -d'*' -f2 | sed 's/\ /\\ /g' );
|
||||||
do
|
do
|
||||||
tar -r -v -P -f $BACKUP_FILE $file
|
tar -r -v -P -f $BACKUP_FILE "${file}"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
|
#nur, wenn das updaten des Backups geklappt hat. *im Hinterkopf behalt*
|
||||||
|
@ -231,28 +239,28 @@ elif [ "${1}" == "check" ]
|
||||||
then
|
then
|
||||||
[ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
|
[ -f ${DIGEST_FILE} ] || die 9 "No digestfile"
|
||||||
HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
|
HASHER=$(head -n1 ${DIGEST_FILE} | awk '{print $5}')
|
||||||
if [ $((${CKMODES} & 001)) != 0 ]; then
|
if [ $((CKMODES & 001)) != 0 ]; then
|
||||||
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
|
dd if=${MBR_DEVICE} of=${MBR_TMP} bs=${MBR_SIZE}K count=1 status=${DD_STATUS} || die 8
|
||||||
grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
|
grep ${MBR_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee ${LOG_FILE}
|
||||||
if [ ${PIPESTATUS[2]} -ne 0 ]
|
if [ "${PIPESTATUS[2]}" -ne 0 ]
|
||||||
then
|
then
|
||||||
echo " !! TIME TO PANIK: MBR WAS MODIFIED !!"
|
echo " !! TIME TO PANIK: MBR WAS MODIFIED !!"
|
||||||
COUNTER=$((COUNTER + 1))
|
COUNTER=$((COUNTER + 1))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ $((${CKMODES} & 010)) -ne 0 ]; then
|
if [ $((CKMODES & 010)) -ne 0 ]; then
|
||||||
grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
grep -v ${MBR_TMP} ${DIGEST_FILE} | grep -v ${BIOS_TMP} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
||||||
if [ ${PIPESTATUS[2]} -ne 0 ]
|
if [ "${PIPESTATUS[2]}" -ne 0 ]
|
||||||
then
|
then
|
||||||
echo " !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
|
echo " !! TIME TO PANIK: AT LEAST 1 FILE WAS MODIFIED !!"
|
||||||
COUNTER=$((COUNTER + 2))
|
COUNTER=$((COUNTER + 2))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ $((${CKMODES} & 100)) -ne 0 ]; then
|
if [ $((CKMODES & 100)) -ne 0 ]; then
|
||||||
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
flashrom --programmer ${PROGRAMMER} -r ${BIOS_TMP} > /dev/null 2>&1
|
||||||
#if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
|
#if we set an programmer chip in config, find line with hash for bios and compare. if smthg wrong, panic
|
||||||
grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
grep ${BIOS_TMP} ${DIGEST_FILE} | ${HASHER} --check --warn --quiet --strict | tee -a ${LOG_FILE}
|
||||||
if [ ${PIPESTATUS[2]} -ne 0 ]
|
if [ "${PIPESTATUS[2]}" -ne 0 ]
|
||||||
then
|
then
|
||||||
echo " !! TIME TO PANIK: BIOS WAS MODIFIED !!"
|
echo " !! TIME TO PANIK: BIOS WAS MODIFIED !!"
|
||||||
COUNTER=$((COUNTER + 10))
|
COUNTER=$((COUNTER + 10))
|
||||||
|
@ -268,15 +276,16 @@ then
|
||||||
echo "Restoring files from backup... (type yes or no for each file)"
|
echo "Restoring files from backup... (type yes or no for each file)"
|
||||||
|
|
||||||
#For each failed file: ask if it should be recovered from backup
|
#For each failed file: ask if it should be recovered from backup
|
||||||
|
# shellcheck disable=2013
|
||||||
for file in $(cut -d: -f1 ${LOG_FILE})
|
for file in $(cut -d: -f1 ${LOG_FILE})
|
||||||
do
|
do
|
||||||
tar -xpPvwf ${BACKUP_FILE} ${file}
|
tar -xpPvwf ${BACKUP_FILE} "${file}"
|
||||||
[ $? != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
|
[ ${?} != 0 ] && echo "Error restoring ${file} from backup, continuing" >&2
|
||||||
#If the MBR is to be recovered, copy to ${MBR_DEVICE}
|
#If the MBR is to be recovered, copy to ${MBR_DEVICE}
|
||||||
if [ "${file}" == ${MBR_TMP} ]
|
if [ "${file}" == ${MBR_TMP} ]
|
||||||
then
|
then
|
||||||
cp ${MBR_TMP} ${MBR_DEVICE}
|
cp ${MBR_TMP} ${MBR_DEVICE}
|
||||||
[ $? != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
|
[ ${?} != 0 ] && echo "Error restoring MBR from backup, continuing" >&2
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
|
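Review bot: In the `@ -171,7 +179,7 @` hunk of `hashboot`, the `if [ ${?} != 0 ]` test after `MBR_SIZE=$((sectorsize * startsector / 1024))` no longer guards anything. A plain assignment from arithmetic expansion returns status 0, and an empty `sectorsize` or `startsector` (fdisk output that did not parse) evaluates to 0 instead of failing the way `expr` did. The file-wide `# shellcheck disable=SC2181` added in the first hunk suppresses the warning class that covers this pattern. Validate the inputs before computing, for example `if ! [[ ${sectorsize} =~ ^[0-9]+$ && ${startsector} =~ ^[0-9]+$ ]]` in place of the `${?}` test and moved above the assignment; a digits-only check also keeps non-numeric fdisk output out of arithmetic evaluation. The body of that `if` lies outside the hunk, so its error path is not visible here and should be confirmed to still abort rather than continue with `MBR_SIZE=0`.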