14 Commits
0.1 ... master

Author SHA1 Message Date
c7b049cc96 Usage of shred instead of rm 2021-07-22 23:15:09 +02:00
4b42d088eb Excluding the EFI directory. Fixes #10 2021-02-13 13:54:17 +01:00
d04a4e5151 gcry_sha512 in README 2020-07-26 21:02:16 +02:00
a582827367 gcry_sha512 2020-01-25 11:17:05 +01:00
13345bc188 Bug: Changed script name 2020-01-08 17:54:57 +01:00
ea242fd0af Removing old scripts and install new one 2019-12-11 19:55:08 +01:00
271c8677d8 Renaming script names: grub2-.* to grub-.*, including grub.cfg for update-kernel-signature 2019-12-11 19:49:09 +01:00
99a860266a Fallthrough fix 2019-02-17 10:13:22 +01:00
dbb133b8f8 Version 0.1.2 2018-08-05 21:57:48 +02:00
5b2eece33b Fixing Version 2018-08-05 21:56:19 +02:00
67fda5f9f6 Version++ 2018-08-05 21:38:17 +02:00
1acb840f94 Remove-Fix. 2018-08-05 21:35:41 +02:00
9299f5b00d Using install instead of cp 2018-05-28 14:06:45 +02:00
2098b77656 AUR and list form 2018-05-28 12:52:07 +02:00
6 changed files with 103 additions and 105 deletions

View File

@ -6,14 +6,14 @@ all:
@printf "Nothing to make. Run make install.\n" @printf "Nothing to make. Run make install.\n"
install: install:
cp ./sbin/grub2-verify /usr/sbin/ @printf "Check for old scripts and remove them...\n"
cp ./sbin/grub2-sign /usr/sbin/ rm -f /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
cp ./sbin/grub2-unsign /usr/sbin/ install -D -m744 sbin/grub-verify /usr/sbin/grub-verify
cp ./sbin/grub2-update-kernel-signature /usr/sbin/ install -D -m744 sbin/grub-sign /usr/sbin/grub-sign
chown root:root /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature} install -D -m744 sbin/grub-unsign /usr/sbin/grub-unsign
chmod 744 /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature} install -D -m744 sbin/grub-update-kernel-signature /usr/sbin/grub-update-kernel-signature
@printf "Done.\n" @printf "Done.\n"
uninstall: uninstall:
rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature} rm -f /usr/sbin/grub-{verify,sign,unsign,update-kernel-signature}
@printf "Done.\n" @printf "Done.\n"
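Review bot: the new cleanup line `rm -f /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}` and the matching `uninstall` target rely on brace expansion, but make runs recipes with `/bin/sh`, and where that is dash the braces are passed literally, so `rm -f` silently removes nothing and the old `grub2-*` scripts stay installed beside the new ones (and `make uninstall` leaves the new ones in place). Either set `SHELL := /bin/bash` at the top of the Makefile or spell out the four paths the way the `install -D` lines already do. Since this series targets AUR packaging, `DESTDIR`/`PREFIX` variables would also let the package build install into a staging directory instead of the live `/usr/sbin`.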

129
README.md
View File

@ -14,62 +14,57 @@ You need
## Preparation ## Installation
### Arch Linux (AUR)
- Import [Bandie's GPG key](https://bandie.org/assets/bandie.pub.asc) through running `gpg --recv-keys E2D7876915312785DC086BFCC1E133BC65A822DD`.
- Use your favourite AUR helper to install [grub2-signing-extension](https://aur.archlinux.org/packages/grub2-signing-extension/).
Before you can use the signing and verification feature you need to generate a keypair as root. Please use a secure passphrase. ### From github
- Import [Bandie's GPG key](https://bandie.org/assets/bandie.pub.asc) through running `gpg --recv-keys E2D7876915312785DC086BFCC1E133BC65A822DD`.
- Download the [grub2-signing-extension](https://github.com/Bandie/grub2-signing-extension/releases/download/0.1.2/grub2-signing-extension-0.1.2.tar.gz) and it's [signature](https://github.com/Bandie/grub2-signing-extension/releases/download/0.1.2/grub2-signing-extension-0.1.2.tar.gz.asc).
- Run `gpg --verify grub2-signing-extension*.tar.gz.asc` to make sure that everything is alright.
- Unpack the tar archive. `tar xvf grub2-signing-extension*.tar.gz`
- Change into the grub2-signing-extension directory.
- Run `make install` as root.
`# gpg --gen-key` You will now have `grub-sign`, `grub-unsign`, `grub-verify` and `grub-update-kernel-signature` as runable scripts.
To make gpg able to sign and verify files in a `su` environment we need to activate the gpg-agent for root. ## Enabling GRUB2 check\_signatures feature
Edit the file _/root/.gnupg/gpg.conf_ and add the line `use-agent`. Before you can use the signing and verification feature you need to generate a keypair as root.
Save the file and create _/root/.gnupg/gpg-agent.conf_ with the following content
- Run `gpg --gen-key` as root. Please use a secure passphrase.
- Activate the `gpg-agent` for root so that you are able to sign and verify files in a `su` environment. To do that:
- Edit the file _/root/.gnupg/gpg.conf_ and add the line `use-agent`. Save the file.
- Create _/root/.gnupg/gpg-agent.conf_ with the following content
```
pinentry-program /usr/bin/pinentry-curses pinentry-program /usr/bin/pinentry-curses
no-grab no-grab
default-cache-ttl 1800 default-cache-ttl 1800
```
- Export your public key through running `gpg --export -o ~/pubkey`.
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
## How to install the GRUB2 check\_signatures feature and using the grub2-signing-extension - (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256`, `gcry_sha512` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications. GRUB2 will take the right crypto for you then, depending on your system's configuration.
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"`
First, export your public key. - Enable GRUB2's check\_signatures feature:
- Insert the following content at the end of the file of */etc/grub.d/00_header*
`# gpg --export -o ~/pubkey` ```
Next step, `mount /boot` and (re)install GRUB2. You need to install the public key into the core and instruct to load the modules `gcry_sha256` `gcry_dsa` and `gcry_rsa` at start. So you need the following arguments to install it this way
`grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa"`
Now download the grub2-signing-extension and run `make install` as root. You will now have `grub2-sign`, `grub2-unsign`, `grub2-verify` and `grub2-update-kernel-signature` as runable scripts.
To _enable_ GRUB2's check\_signatures feature insert the following content at the end of the file of */etc/grub.d/00_header*
cat << EOF cat << EOF
set check_signatures=enforce set check_signatures=enforce
EOF EOF
```
- Run`grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid.
- Sign your bootloader running `grub-sign` and enter your GPG passphrase.
**It is also recommended to install a password in GRUB2! [See ADDENDUM]**
Run `grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid. ## How to update the signatures on changes
Now the time is come to sign your GRUB2 bootloader. Just run `grub2-sign`, enter your passphrase and that's it. On every change at the GRUB2 core files you need to run `grub-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
**It's also recommended to install a password in GRUB2! [See ADDENDUM]** If you do some changes or updates for the kernel or initramfs, you may want to use `grub-update-kernel-signature` instead.
## How to update the signatures on change
On every change at the GRUB2 core files you need to run `grub2-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
If you do some changes or updates for the kernel or initramfs, you may want to use `grub2-update-kernel-signature` instead.
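Review bot: the new "Enabling" section should state the threat model before the `gpg --gen-key` step: the signing key lives in `/root/.gnupg` on the same system that `check_signatures=enforce` protects, and `default-cache-ttl 1800` keeps its passphrase unlocked for 30 minutes, so the scheme detects offline or unprivileged tampering with /boot, not a root-level compromise that can simply re-sign. Two smaller documentation gaps in the same steps: the key must be RSA or DSA, since `--modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"` gives GRUB no verifier for an ECC key (which `gpg --full-gen-key` offers); and `grub-install /dev/sda` should say the device must be the one the firmware actually boots from, otherwise the core image with the embedded key is never used.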
@ -78,15 +73,15 @@ If you do some changes or updates for the kernel or initramfs, you may want to u
If you didn't read the instruction above here is what the scripts does: If you didn't read the instruction above here is what the scripts does:
* `grub2-sign` is signing the bootloader files with root's keypair. * `grub-sign` is signing the bootloader files with root's keypair.
* `grub2-unsign` is removing the signatures of the bootloader files. * `grub-unsign` is removing the signatures of the bootloader files.
* `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad. * `grub-verify` is checking if your signatures are good. If not, you will see which signature is bad.
* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails. * `grub-update-kernel-signature` is renewing the signatures in /boot/ (without subdirs) and grub.cfg, regardless if grub-verify fails.
## Exit codes ## Exit codes
You might be interested in the exit codes of `grub2-verify` to use it in your monitoring tools: You might be interested in the exit codes of `grub-verify` to use it in your monitoring tools:
``` ```
0 - Everything is okay 0 - Everything is okay
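Review bot: the `grub-update-kernel-signature` description says it renews signatures "regardless if grub-verify fails", which means it will re-sign a tampered kernel or grub.cfg and turn a bad signature into a good one; the bullet should tell the reader to run `grub-verify` and inspect which file is bad before using it. The "(without subdirs)" limitation should also spell out that `/boot/grub/*` other than grub.cfg (modules, fonts, locale) is not re-signed, so a GRUB package update still needs the `grub-unsign` / `grub-sign` cycle described above.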
@ -112,8 +107,8 @@ chown root:root $(tty)
### I forgot to run grub2-unsign before I made changes. What now? ### I forgot to run grub2-unsign before I made changes. What now?
Run `grub2-verify` to see, which signature is bad. Remove the signature and run `grub2-unsign`, after this `grub2-sign`. Run `grub-verify` to see, which signature is bad. Remove the signature and run `grub-unsign`, after this `grub-sign`.
Alternatively, if you just updated your kernel/initramfs, run `grub2-update-kernel-signatures`. Alternatively, if you just updated your kernel/initramfs/grub.cfg, run `grub-update-kernel-signatures`.
### How can I switch off GRUB2's check\_signature feature? ### How can I switch off GRUB2's check\_signature feature?
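Review bot: `grub-update-kernel-signatures` in the "Alternatively" line is a typo for `grub-update-kernel-signature` (the Makefile installs the singular name), so a reader following this FAQ gets "command not found" on a system that may already refuse to boot; the heading above it still reads `grub2-unsign` and should be renamed like the rest of the text. "Remove the signature" is also ambiguous: say which `.sig` file to delete (the one `grub-verify` reported as bad) and that `grub-unsign` exits with status 1 while a bad signature remains, which is why the manual removal has to come first.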
@ -124,7 +119,7 @@ Open */etc/grub.d/00_header* and remove the part
set check_signatures=enforce set check_signatures=enforce
EOF EOF
Run `grub2-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`. Run `grub-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`.
Also you should reinstall grub2, using something like `grub-install /dev/sda`. Also you should reinstall grub2, using something like `grub-install /dev/sda`.
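Review bot: the heading says `check_signature` while the variable removed two lines later is `check_signatures`; fix the heading so a search for the GRUB option lands here. The steps should also say why the closing `grub-install /dev/sda` matters: the public key stays embedded in the core image until GRUB is reinstalled without `-k`, so the reinstall is what actually removes it, and it must target the same device used in the "Enabling" section.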
@ -132,8 +127,8 @@ Also you should reinstall grub2, using something like `grub-install /dev/sda`.
### Suddenly I can't boot! This is YOUR FAULT! ### Suddenly I can't boot! This is YOUR FAULT!
No. An important signature is bad. So GRUB2 didn't run this part of code/configuration/kernel/whatever. No. An important signature is bad. So GRUB2 didn't run this part of code/configuration/kernel/whatever.
You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub2-verify`. You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub-verify`.
If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub2-update-kernel-signatures`. If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub-update-kernel-signatures`.
### Okay, I really got some bad signatures not caused by me. What do I do now? ### Okay, I really got some bad signatures not caused by me. What do I do now?
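Review bot: `grub-update-kernel-signatures` is again the plural typo for `grub-update-kernel-signature`, and this is the worst place for it, since the reader is typing it inside a rescue chroot. Suggesting it right after a failed boot is also the wrong order: the script re-signs whatever is in /boot without checking, so the text should make the preceding `grub-verify` mandatory and only recommend re-signing when the bad file is the kernel or initramfs the user just updated; otherwise the next section ("bad signatures not caused by me") applies and re-signing would destroy the evidence.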
@ -146,35 +141,33 @@ Check your system thoroughly. Check it about malicious software. Check it about
## How to install a GRUB2 password ## How to install a GRUB2 password
Run `grub-mkpasswd-pbkdf2` and type a password. Please take care because in the GRUB2 standard installation the keyboard layout is set to en\_US. - Generate a GRUB2 password string through running `grub-mkpasswd-pbkdf2`. Please take care because in the GRUB2 standard installation the keyboard layout is set to en\_US.
Copy the content of *grub.pbkdf2.[...]* to your clipboard. Open the file */etc/grub.d/00_header* and insert this at the end of the file - Copy the generated *grub.pbkdf2.[...]* string to your clipboard.
- Open the file */etc/grub.d/00_header* and insert this at the end of the file
```
cat << EOF cat << EOF
set superusers="yourUsername" set superusers="yourUsername"
export superusers export superusers
password_pbkdf2 yourUsername grub.pbkdf2.[...this string from the clipboard...] password_pbkdf2 yourUsername [...this grub.pbkdf2.* string from the clipboard...]
EOF EOF
```
To boot GNU/Linux automatically and without authentication open */etc/grub.d/10_linux* and change the following lines like this - To boot GNU/Linux automatically and without authentication open */etc/grub.d/10_linux* and change the following lines from
```
echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
else else
echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
fi fi
```
to
to ```
echo "menuentry '$(echo "$title" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" echo "menuentry '$(echo "$title" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
else else
echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
fi fi
```
The important changing is the flag *--unrestricted*.
The important changing is the flag *--unrestricted*. - Run `grub-unsign` to unsign the bootloader.
- Run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config.
- Run `grub-sign` to sign the new changings.
Run `grub2-unsign` to unsign the bootloader.
Then run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config.
After this run `grub2-sign` again to sign the new changings.
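Review bot: the `--unrestricted` edit to `/etc/grub.d/10_linux` is overwritten by every GRUB package upgrade, so the procedure should say the change must be re-applied (followed by `grub-unsign`, `grub-mkconfig -o /boot/grub/grub.cfg`, `grub-sign`) after each such upgrade, or the next boot prompts for the GRUB password on every entry. It should also state what the flag gives you: `--unrestricted` lets anyone boot the entry but still requires the superuser password to edit it or reach the GRUB shell, which is the property that makes the password useful alongside signature checking. Finally, because `password_pbkdf2` ends up in grub.cfg, adding or changing it is itself a "change at the GRUB2 core files" in the sense of the update section; a cross-reference would save readers a bad-signature surprise.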

View File

@ -5,7 +5,7 @@
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
function sign(){ function sign(){
for f in `find /boot -type f` for f in $(find /boot -iname "efi" -prune -o -type f -print)
do do
if gpg --detach-sign $f if gpg --detach-sign $f
then then
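Review bot: `for f in $(find … -print)` word-splits on whitespace and then passes `$f` unquoted to `gpg --detach-sign`, so any file under /boot with a space in its name is signed as two non-existent paths; use the `find … -print0 | while IFS= read -r -d ''` loop that grub-verify already uses and quote `"$f"`. The exclusion `-iname "efi" -prune` also matches any entry called efi (in any case) at any depth and, lacking `-type d`, would prune a regular file of that name; `-path /boot/efi -prune` says what the fix for #10 actually means.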
@ -20,7 +20,7 @@ function sign(){
# Running grub2-verify first to prevent bad people and double signing # Running grub2-verify first to prevent bad people and double signing
echo "Running grub2-verify to check if everything is unsigned..." >&2 echo "Running grub2-verify to check if everything is unsigned..." >&2
grub2-verify grub-verify
if (( $? < 2 )); then if (( $? < 2 )); then
echo "Run grub2-unsign first." >&2 echo "Run grub2-unsign first." >&2
exit 1 exit 1
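Review bot: the guard `if (( $? < 2 ))` only stops signing when `grub-verify` returns 0 or 1; status 3 (some files signed, others missing) falls through to the loop, which then runs `gpg --detach-sign` on the already-signed files, so gpg prompts to overwrite or fails on the existing `.sig`, contradicting the "prevent double signing" comment. Either treat 3 like 0 here and point the user at `grub-update-kernel-signature`, or skip files whose `.sig` already exists. The messages on the unchanged lines still say `grub2-verify` / `grub2-unsign`, which no longer match the installed names.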

View File

@ -5,30 +5,28 @@
# Licence: GNU-GPLv3 # Licence: GNU-GPLv3
# Check if something is wrong # Check if something is wrong
grub2-verify grub-verify
stat=$? stat=$?
if (( $stat == 1 )) case "$stat" in
then 1)
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2 printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
exit 1 exit 1
elif (( $stat == 2 )) ;;
then 2)
printf 'Everything is unsigned already.\n' printf 'Everything is unsigned already.\n'
exit 0 exit 0
elif (( $stat == 3 )) ;;
then 3)
printf 'Ignoring missing signatures...\n' printf 'Ignoring missing signatures...\n'
elif (( $stat == 0 )) ;&
then 0|3)
# Then remove the signatures. # Then remove the signatures.
find /boot -name '*.sig' -exec rm -- '{}' + find /boot -iname "efi" -prune -o -name '*.sig' -exec shred --remove=unlink {} +
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!" echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
exit 0 exit 0
;;
else *)
printf 'Something unknown happened!\n' printf 'Something unknown happened!\n'
exit 99 exit 99
fi esac
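Review bot: after `3)` falls through with `;&`, the next clause runs unconditionally whatever its pattern, so the label `0|3)` is misleading; write it as `0)` so nobody thinks 3 is matched twice, and note that `;&` needs bash 4 or later, which the shebang should pin. The switch from `rm` to `shred --remove=unlink` for `.sig` files buys nothing: detached signatures are public data, and shred's overwrite guarantee does not hold on journaled or copy-on-write filesystems anyway, so `rm -f` was the right tool and avoids the slowdown on a large /boot. The `-iname "efi"` prune has the same over-matching problem as in grub-sign and should be `-path /boot/efi`.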

View File

@ -14,11 +14,18 @@ function sign(){
return 1 return 1
fi fi
done done
if gpg --detach-sign "/boot/grub/grub.cfg"
then
echo /boot/grub/grub.cfg signed.
else
return 1
fi
return 0 return 0
} }
rm /boot/*.sig shred --remove=unlink /boot/*.sig
shred --remove=unlink /boot/grub/grub.cfg.sig
if ! sign if ! sign
then then
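Review bot: `shred --remove=unlink /boot/*.sig` and the new `shred --remove=unlink /boot/grub/grub.cfg.sig` both error out when there is nothing to remove: an unmatched glob is passed literally (nullglob is not set) and shred, unlike `rm -f`, has no option to ignore a missing file, so the first run on a freshly unsigned /boot prints errors before signing. Use `find /boot -maxdepth 1 -name '*.sig' -exec rm -f {} +` plus `rm -f /boot/grub/grub.cfg.sig`, or guard each with `[ -e … ]`. Signing grub.cfg here is the right addition, but it means this script now re-signs grub.cfg unconditionally, so the README's "regardless if grub-verify fails" warning should mention that a tampered grub.cfg gets re-signed too.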

View File

@ -22,7 +22,7 @@ do
error_files+=( "$i" ) error_files+=( "$i" )
fi fi
all_files+=( "$i" ) all_files+=( "$i" )
done < <(find /boot -type f -name "*.sig" -print0) done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
echo "Checking missing signatures in /boot..." >&2 echo "Checking missing signatures in /boot..." >&2
while IFS= read -r -d '' i while IFS= read -r -d '' i
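Review bot: `-iname "efi" -prune` excludes every entry named efi, case-insensitively and at any depth under /boot, not just the ESP mount point, and without `-type d` it also prunes a regular file called efi; `-path /boot/efi -prune` expresses the intent of #10. Pruning the ESP also means a `grub-verify` exit 0 says nothing about anything stored there (the EFI binary itself, for instance), which the README's exit-code section should state so monitoring does not over-read the result.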
@ -31,7 +31,7 @@ do
then then
missing_files+=( "$i" ) missing_files+=( "$i" )
fi fi
done < <(find /boot -type f -not -name "*.sig" -print0) done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
# Nothing to verify? Exit 2. # Nothing to verify? Exit 2.
if (( ${#all_files[@]} == 0 )) if (( ${#all_files[@]} == 0 ))
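Review bot: the same `find /boot -iname "efi" -prune -o …` expression is now duplicated in this hunk, the one above, grub-sign and grub-unsign; put the exclusion in one shared variable or a small sourced helper so a future change to the prune path cannot drift between the signing and the checking side, which would make `grub-verify` report missing signatures for files `grub-sign` never touches or, worse, pass files it never checks.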