Comments and words.
This commit is contained in:
parent
d37cc28bf0
commit
5e4766cfa8
@ -1,6 +1,6 @@
|
|||||||
# grub2-signing-extension for GRUB2
|
# grub2-signing-extension for GRUB2
|
||||||
|
|
||||||
GRUB2 has got a function which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
|
GRUB2 has got a function called "check\_signatures" which automatically checks if your GRUB2 files are signed and have a good signature. If the files aren't signed or have a bad signature GRUB2 won't run them to prevent running malicious software.
|
||||||
The GRUB2 signing extension are some scripts which helps you to verify, sign and unsign your GRUB2 bootloader files using gpg.
|
The GRUB2 signing extension are some scripts which helps you to verify, sign and unsign your GRUB2 bootloader files using gpg.
|
||||||
|
|
||||||
|
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
# Author: Bandie Kojote
|
# Author: Bandie Kojote
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
|
|
||||||
|
# Running grub2-verify first to prevent double signing
|
||||||
echo "Running grub2-verify to check if everything is unsigned..."
|
echo "Running grub2-verify to check if everything is unsigned..."
|
||||||
grub2-verify
|
grub2-verify
|
||||||
if [ $? -lt 2 ]
|
if [ $? -lt 2 ]
|
||||||
@ -12,15 +14,21 @@ then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Ask for passphrase
|
||||||
echo -n "Passphrase: "
|
echo -n "Passphrase: "
|
||||||
stty -echo
|
stty -echo
|
||||||
read pp
|
read pp
|
||||||
stty echo
|
stty echo
|
||||||
echo -e "\n"
|
echo -e "\n"
|
||||||
|
|
||||||
|
|
||||||
|
# Find GRUB2 datas
|
||||||
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
|
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
|
||||||
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
|
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
|
||||||
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
|
-name "grubenv" -or -name "*.asc" -or -name "*.pf2"`;
|
||||||
do
|
do
|
||||||
|
# Signing
|
||||||
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
|
echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i
|
||||||
if [ $? -eq 0 ]
|
if [ $? -eq 0 ]
|
||||||
then
|
then
|
||||||
@ -30,4 +38,6 @@ do
|
|||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 96 | head -n 1`
|
|
||||||
|
# Shredding passphrase
|
||||||
|
pp=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w ${#pp} | head -n 1`
|
||||||
|
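Review bot: The passphrase prompt `read pp` in this file's second hunk interprets backslash escapes and trims surrounding whitespace, so a passphrase containing either is silently altered before it reaches gpg; the safe form is `IFS= read -r pp`. The same hunk pipes the value with `echo $pp | gpg --batch --detach-sign --passphrase-fd 0 $i`, where the unquoted `$pp` is subject to word splitting and glob expansion and the unquoted `$i` breaks on any path containing whitespace — both should be quoted, `printf '%s\n' "$pp" | gpg --batch --detach-sign --passphrase-fd 0 "$i"`. The new `# Shredding passphrase` comment in the third hunk promises more than the reassignment delivers: overwriting a bash variable typically allocates fresh storage rather than scrubbing the old string, and `fold -w ${#pp}` fails outright when the passphrase is empty; a comment such as `# Best-effort overwrite of the variable only; the old value may remain in process memory` would set expectations. The loop body that contains the gpg call starts in the second hunk and its else-branch continues outside it.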
@ -4,14 +4,18 @@
|
|||||||
# Author: Bandie Kojote
|
# Author: Bandie Kojote
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
|
# Check if something is wrong
|
||||||
grub2-verify
|
grub2-verify
|
||||||
if [ $? -eq 1 ]
|
if [ $? -eq 1 ]
|
||||||
then
|
then
|
||||||
echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
|
echo -e "grub2-verify has detected a one or more bad signatures.\nPlease check for malicious software before you're unsigning everything!"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Then remove the signatures.
|
||||||
for i in `find /boot -name "*.sig"`
|
for i in `find /boot -name "*.sig"`
|
||||||
do
|
do
|
||||||
rm $i
|
rm $i
|
||||||
done
|
done
|
||||||
echo "GRUB2 unsigned."
|
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
|
||||||
|
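Review bot: `rm $i` and the backtick loop `for i in \`find /boot -name "*.sig"\`` that feeds it word-split each path, so a .sig file whose name contains whitespace is either left in place or a different name is passed to rm; the whole loop collapses to `find /boot -name '*.sig' -exec rm -f -- {} +`, which needs no quoting at all. The pattern also removes every .sig under /boot, not only signatures this extension created, which the new `# Then remove the signatures.` comment could state explicitly (`# Removes ALL *.sig files under /boot, not only those written by grub2-sign`). The new trailing message refers to "the headers file" without a path; if the README names it, pointing there would spare the reader a search.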
@ -5,7 +5,11 @@
|
|||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
errorcounter=0
|
errorcounter=0
|
||||||
c=0
|
filecounter=0
|
||||||
|
|
||||||
|
|
||||||
|
# Signature check part + error counter + file counter + file list
|
||||||
|
|
||||||
echo "Checking signatures in /boot..."
|
echo "Checking signatures in /boot..."
|
||||||
for i in `find /boot -name "*.sig"`
|
for i in `find /boot -name "*.sig"`
|
||||||
do
|
do
|
||||||
@ -15,15 +19,19 @@ do
|
|||||||
((errorcounter++))
|
((errorcounter++))
|
||||||
files[$errorcounter]=$i
|
files[$errorcounter]=$i
|
||||||
fi
|
fi
|
||||||
((c++))
|
((filecounter++))
|
||||||
done
|
done
|
||||||
|
# Nothing to verify? Exit 2.
|
||||||
if [ $c -eq 0 ]
|
if [ $filecounter -eq 0 ]
|
||||||
then
|
then
|
||||||
echo "Nothing to verify."
|
echo "Nothing to verify."
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Message
|
||||||
|
|
||||||
echo -ne "There has been "
|
echo -ne "There has been "
|
||||||
if [ $errorcounter -eq 0 ]
|
if [ $errorcounter -eq 0 ]
|
||||||
then
|
then
|
||||||
@ -38,6 +46,10 @@ else
|
|||||||
echo " bad signatures."
|
echo " bad signatures."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# File list and exit codes
|
||||||
|
|
||||||
if [ $errorcounter -gt 0 ]
|
if [ $errorcounter -gt 0 ]
|
||||||
then
|
then
|
||||||
for(( i=1; i<=${#files[@]}; i++))
|
for(( i=1; i<=${#files[@]}; i++))
|
||||||
|