Git-Mirrors/reliant-system
1
0
Fork 0
mirror of https://codeberg.org/andersonarc/reliant-system.git synced 2025-11-13 12:50:38 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
reliant-system/dracut/99reliant/scripts/reliant-initramfs.sh

122 lines
3.7 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/sh
set -eu
. /usr/local/share/scripts/reliant-common.sh
export RELIANT_INITRAMFS=$RELIANT_TRUE
# Upon encountering issues, prompt the user for the next course of action
reliant_prompt_user() {
while true; do
REPLY=$(plymouth ask-question --prompt="System might be compromised. Proceed? [Y(es)/N(o)/S(kip)]")
case $REPLY in
[Yy]*)
# User confirmed the system is safe to boot
plymouth display-message --text="Proceeding under user responsibility."
sleep 1
plymouth hide-message --text="Proceeding under user responsibility."
return 0 ;;
[Nn]*)
# User denied that the system is safe to boot
plymouth display-message --text="Aborted. Emergency shutdown in 15 seconds."
sleep 15
reliant_emergency_shutdown ;;
[Ss]*)
# User prompted to boot in unsafe mode
plymouth display-message --text="Skipped. Booting in unsafe mode."
sleep 1
plymouth hide-message --text="Skipped. Booting in unsafe mode."
exit 0 ;;
*)
plymouth display-message --text="Invalid response."
sleep 1
plymouth hide-message --text="Invalid response."
;;
esac
done
}
# Ensures the canary files have been wiped by previous shutdown
reliant_security_initramfs_check_canaries() {
# /rootfs.canary
if [ -f /rootfs.canary ]; then
reliant_error "reliant_initramfs_check_canaries: /rootfs.canary exists!"
return $RELIANT_SECURITY_FAIL
fi
# /run/run.canary
if [ -f /run/run.canary ]; then
reliant_error "reliant_initramfs_check_canaries: /run/run.canary exists!"
return $RELIANT_SECURITY_FAIL
fi
# /tmp/tmp.canary
if [ -f /tmp/tmp.canary ]; then
reliant_error "reliant_initramfs_check_canaries: /tmp/tmp.canary exists!"
return $RELIANT_SECURITY_FAIL
fi
# /sysroot/sysroot.canary
if [ -f /sysroot/sysroot.canary ]; then
reliant_error "reliant_initramfs_check_canaries: /sysroot/sysroot.canary exists!"
return $RELIANT_SECURITY_FAIL
fi
# Only after previous ones have been confirmed absent, create the new canaries
echo "initramfs" > /rootfs.canary
echo "initramfs" > /run/run.canary
echo "initramfs" > /tmp/tmp.canary
echo "initramfs" > /sysroot/sysroot.canary
return 0
}
# Verifies that the initramfs cannot leak information via non-volatile media, logs or network
reliant_security_check_initramfs() {
# Run the common checks first
status_common=$RELIANT_OK
reliant-security /sysroot || status_common=$?
# No need to report, already done
# Check canaries
status_canaries=$RELIANT_OK
reliant_security_initramfs_check_canaries || status_canaries=$?
echo "[CANARIES]: $(reliant_err2str $status_canaries)"
# Calculate and return the verdict
echo -n "[VERDICT]: "
if [ $status_common -eq $RELIANT_OK ] && [ $status_canaries -eq $RELIANT_OK ]; then
echo "SAFE TO BOOT"
return $RELIANT_OK
else
echo "POTENTIALLY COMPROMISED"
return $RELIANT_SECURITY_FAIL
fi
}
# Main function
main() {
# Run the security check
reliant_security_check_initramfs || {
plymouth display-message --text="Reliant failed to verify security of the early boot environment."
sleep 1
reliant_prompt_user
# If we reach here, this means that the user has answered with Y(es),
# otherwise the script would have exited - so we can proceed as planned.
}
export RELIANT_SECURE=$RELIANT_TRUE
# Open and mount the Shufflecake device
reliant-mount "$RELIANT_SECURE_DEVICE"
# Run the surgeon script to fix qubes.xml
surgeon-suture
# Seal all volumes
for path in '/run/shufflecake/'*; do
name="${path##*/}"
reliant-seal "$name" &>/dev/null
done
}
main
Reference in a new issue View git blame Copy permalink