Compare commits
8 Commits
Author | SHA1 | Date |
---|---|---|
Bandie | c7b049cc96 | |
Bandie | 4b42d088eb | |
Bandie | d04a4e5151 | |
Bandie | a582827367 | |
Bandie | 13345bc188 | |
Bandie | ea242fd0af | |
Bandie | 271c8677d8 | |
Bandie | 99a860266a |
12
Makefile
12
Makefile
|
@ -6,12 +6,14 @@ all:
|
||||||
@printf "Nothing to make. Run make install.\n"
|
@printf "Nothing to make. Run make install.\n"
|
||||||
|
|
||||||
install:
|
install:
|
||||||
install -D -m744 sbin/grub2-verify /usr/sbin/grub2-verify
|
@printf "Check for old scripts and remove them...\n"
|
||||||
install -D -m744 sbin/grub2-sign /usr/sbin/grub2-sign
|
rm -f /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
|
||||||
install -D -m744 sbin/grub2-unsign /usr/sbin/grub2-unsign
|
install -D -m744 sbin/grub-verify /usr/sbin/grub-verify
|
||||||
install -D -m744 sbin/grub2-update-kernel-signature /usr/sbin/grub2-update-kernel-signature
|
install -D -m744 sbin/grub-sign /usr/sbin/grub-sign
|
||||||
|
install -D -m744 sbin/grub-unsign /usr/sbin/grub-unsign
|
||||||
|
install -D -m744 sbin/grub-update-kernel-signature /usr/sbin/grub-update-kernel-signature
|
||||||
@printf "Done.\n"
|
@printf "Done.\n"
|
||||||
|
|
||||||
uninstall:
|
uninstall:
|
||||||
rm /usr/sbin/grub2-{verify,sign,unsign,update-kernel-signature}
|
rm -f /usr/sbin/grub-{verify,sign,unsign,update-kernel-signature}
|
||||||
@printf "Done.\n"
|
@printf "Done.\n"
|
||||||
|
|
36
README.md
36
README.md
|
@ -27,7 +27,7 @@ You need
|
||||||
- Change into the grub2-signing-extension directory.
|
- Change into the grub2-signing-extension directory.
|
||||||
- Run `make install` as root.
|
- Run `make install` as root.
|
||||||
|
|
||||||
You will now have `grub2-sign`, `grub2-unsign`, `grub2-verify` and `grub2-update-kernel-signature` as runable scripts.
|
You will now have `grub-sign`, `grub-unsign`, `grub-verify` and `grub-update-kernel-signature` as runable scripts.
|
||||||
|
|
||||||
|
|
||||||
## Enabling GRUB2 check\_signatures feature
|
## Enabling GRUB2 check\_signatures feature
|
||||||
|
@ -45,8 +45,8 @@ Before you can use the signing and verification feature you need to generate a k
|
||||||
```
|
```
|
||||||
- Export your public key through running `gpg --export -o ~/pubkey`.
|
- Export your public key through running `gpg --export -o ~/pubkey`.
|
||||||
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
|
- `mount /boot` (assuming your /boot partition is in your /etc/fstab)
|
||||||
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications.
|
- (Re)install GRUB2. The following command will install root's public key into the core and instruct to load the modules `gcry_sha256`, `gcry_sha512` `gcry_dsa` and `gcry_rsa` at start so that GRUB2 will be able to do verifications. GRUB2 will take the right crypto for you then, depending on your system's configuration.
|
||||||
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_dsa gcry_rsa"`
|
- `grub-install /dev/sda -k /root/pubkey --modules="gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"`
|
||||||
- Enable GRUB2's check\_signatures feature:
|
- Enable GRUB2's check\_signatures feature:
|
||||||
- Insert the following content at the end of the file of */etc/grub.d/00_header*
|
- Insert the following content at the end of the file of */etc/grub.d/00_header*
|
||||||
```
|
```
|
||||||
|
@ -55,16 +55,16 @@ Before you can use the signing and verification feature you need to generate a k
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
- Run`grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid.
|
- Run`grub-mkconfig -o /boot/grub/grub.cfg` to make the new configuration valid.
|
||||||
- Sign your bootloader running `grub2-sign` and enter your GPG passphrase.
|
- Sign your bootloader running `grub-sign` and enter your GPG passphrase.
|
||||||
|
|
||||||
**It is also recommended to install a password in GRUB2! [See ADDENDUM]**
|
**It is also recommended to install a password in GRUB2! [See ADDENDUM]**
|
||||||
|
|
||||||
|
|
||||||
## How to update the signatures on changes
|
## How to update the signatures on changes
|
||||||
|
|
||||||
On every change at the GRUB2 core files you need to run `grub2-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
|
On every change at the GRUB2 core files you need to run `grub-unsign` first before you make your changes. Please notice, if you reinstall GRUB2, you should do it as it is said above. Otherwise the signature check won't work.
|
||||||
|
|
||||||
If you do some changes or updates for the kernel or initramfs, you may want to use `grub2-update-kernel-signature` instead.
|
If you do some changes or updates for the kernel or initramfs, you may want to use `grub-update-kernel-signature` instead.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -73,15 +73,15 @@ If you do some changes or updates for the kernel or initramfs, you may want to u
|
||||||
|
|
||||||
If you didn't read the instruction above here is what the scripts does:
|
If you didn't read the instruction above here is what the scripts does:
|
||||||
|
|
||||||
* `grub2-sign` is signing the bootloader files with root's keypair.
|
* `grub-sign` is signing the bootloader files with root's keypair.
|
||||||
* `grub2-unsign` is removing the signatures of the bootloader files.
|
* `grub-unsign` is removing the signatures of the bootloader files.
|
||||||
* `grub2-verify` is checking if your signatures are good. If not, you will see which signature is bad.
|
* `grub-verify` is checking if your signatures are good. If not, you will see which signature is bad.
|
||||||
* `grub2-update-kernel-signature` is renewing the signatures in /boot/. (without subdirs) regardless if grub2-verify fails.
|
* `grub-update-kernel-signature` is renewing the signatures in /boot/ (without subdirs) and grub.cfg, regardless if grub-verify fails.
|
||||||
|
|
||||||
|
|
||||||
## Exit codes
|
## Exit codes
|
||||||
|
|
||||||
You might be interested in the exit codes of `grub2-verify` to use it in your monitoring tools:
|
You might be interested in the exit codes of `grub-verify` to use it in your monitoring tools:
|
||||||
|
|
||||||
```
|
```
|
||||||
0 - Everything is okay
|
0 - Everything is okay
|
||||||
|
@ -107,8 +107,8 @@ chown root:root $(tty)
|
||||||
|
|
||||||
### I forgot to run grub2-unsign before I made changes. What now?
|
### I forgot to run grub2-unsign before I made changes. What now?
|
||||||
|
|
||||||
Run `grub2-verify` to see, which signature is bad. Remove the signature and run `grub2-unsign`, after this `grub2-sign`.
|
Run `grub-verify` to see, which signature is bad. Remove the signature and run `grub-unsign`, after this `grub-sign`.
|
||||||
Alternatively, if you just updated your kernel/initramfs, run `grub2-update-kernel-signatures`.
|
Alternatively, if you just updated your kernel/initramfs/grub.cfg, run `grub-update-kernel-signatures`.
|
||||||
|
|
||||||
|
|
||||||
### How can I switch off GRUB2's check\_signature feature?
|
### How can I switch off GRUB2's check\_signature feature?
|
||||||
|
@ -119,7 +119,7 @@ Open */etc/grub.d/00_header* and remove the part
|
||||||
set check_signatures=enforce
|
set check_signatures=enforce
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
Run `grub2-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`.
|
Run `grub-unsign` and `grub-mkconfig -o /boot/grub/grub.cfg`.
|
||||||
|
|
||||||
Also you should reinstall grub2, using something like `grub-install /dev/sda`.
|
Also you should reinstall grub2, using something like `grub-install /dev/sda`.
|
||||||
|
|
||||||
|
@ -127,8 +127,8 @@ Also you should reinstall grub2, using something like `grub-install /dev/sda`.
|
||||||
### Suddenly I can't boot! This is YOUR FAULT!
|
### Suddenly I can't boot! This is YOUR FAULT!
|
||||||
|
|
||||||
No. An important signature is bad. So GRUB2 didn't run this part of code/configuration/kernel/whatever.
|
No. An important signature is bad. So GRUB2 didn't run this part of code/configuration/kernel/whatever.
|
||||||
You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub2-verify`.
|
You could do a chroot using an USB dongle with a GNU/Linux distribution on it. If you're chrooted to your system run `grub-verify`.
|
||||||
If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub2-update-kernel-signatures`.
|
If you think this happened through an update shortly done by you, you may want to run `gpg-agent --daemon ; grub-update-kernel-signatures`.
|
||||||
|
|
||||||
|
|
||||||
### Okay, I really got some bad signatures not caused by me. What do I do now?
|
### Okay, I really got some bad signatures not caused by me. What do I do now?
|
||||||
|
@ -168,6 +168,6 @@ Check your system thoroughly. Check it about malicious software. Check it about
|
||||||
```
|
```
|
||||||
The important changing is the flag *--unrestricted*.
|
The important changing is the flag *--unrestricted*.
|
||||||
|
|
||||||
- Run `grub2-unsign` to unsign the bootloader.
|
- Run `grub-unsign` to unsign the bootloader.
|
||||||
- Run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config.
|
- Run `grub-mkconfig -o /boot/grub/grub.cfg` to write the new config.
|
||||||
- Run `grub2-sign` to sign the new changings.
|
- Run `grub-sign` to sign the new changings.
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
function sign(){
|
function sign(){
|
||||||
for f in `find /boot -type f`
|
for f in $(find /boot -iname "efi" -prune -o -type f -print)
|
||||||
do
|
do
|
||||||
if gpg --detach-sign $f
|
if gpg --detach-sign $f
|
||||||
then
|
then
|
||||||
|
@ -20,7 +20,7 @@ function sign(){
|
||||||
|
|
||||||
# Running grub2-verify first to prevent bad people and double signing
|
# Running grub2-verify first to prevent bad people and double signing
|
||||||
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
echo "Running grub2-verify to check if everything is unsigned..." >&2
|
||||||
grub2-verify
|
grub-verify
|
||||||
if (( $? < 2 )); then
|
if (( $? < 2 )); then
|
||||||
echo "Run grub2-unsign first." >&2
|
echo "Run grub2-unsign first." >&2
|
||||||
exit 1
|
exit 1
|
|
@ -5,30 +5,28 @@
|
||||||
# Licence: GNU-GPLv3
|
# Licence: GNU-GPLv3
|
||||||
|
|
||||||
# Check if something is wrong
|
# Check if something is wrong
|
||||||
grub2-verify
|
grub-verify
|
||||||
stat=$?
|
stat=$?
|
||||||
if (( $stat == 1 ))
|
case "$stat" in
|
||||||
then
|
1)
|
||||||
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
|
printf '%s\n' "grub2-verify has detected a one or more bad signatures." "Please check for malicious software before you're unsigning everything!" >&2
|
||||||
exit 1
|
exit 1
|
||||||
elif (( $stat == 2 ))
|
;;
|
||||||
then
|
2)
|
||||||
printf 'Everything is unsigned already.\n'
|
printf 'Everything is unsigned already.\n'
|
||||||
exit 0
|
exit 0
|
||||||
elif (( $stat == 3 ))
|
;;
|
||||||
then
|
3)
|
||||||
printf 'Ignoring missing signatures...\n'
|
printf 'Ignoring missing signatures...\n'
|
||||||
elif (( $stat == 0 ))
|
;&
|
||||||
then
|
0|3)
|
||||||
# Then remove the signatures.
|
# Then remove the signatures.
|
||||||
find /boot -name '*.sig' -exec rm {} +
|
find /boot -iname "efi" -prune -o -name '*.sig' -exec shred --remove=unlink {} +
|
||||||
|
|
||||||
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
|
echo "GRUB2 unsigned. WARNING: If you want to deactivate GRUB2's signature feature, change the check_signatures variable in the headers file!"
|
||||||
exit 0
|
exit 0
|
||||||
|
;;
|
||||||
else
|
*)
|
||||||
printf 'Something unknown happened!\n'
|
printf 'Something unknown happened!\n'
|
||||||
exit 99
|
exit 99
|
||||||
fi
|
esac
|
||||||
|
|
||||||
|
|
|
@ -14,11 +14,18 @@ function sign(){
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
if gpg --detach-sign "/boot/grub/grub.cfg"
|
||||||
|
then
|
||||||
|
echo /boot/grub/grub.cfg signed.
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
rm /boot/*.sig
|
shred --remove=unlink /boot/*.sig
|
||||||
|
shred --remove=unlink /boot/grub/grub.cfg.sig
|
||||||
|
|
||||||
if ! sign
|
if ! sign
|
||||||
then
|
then
|
|
@ -22,7 +22,7 @@ do
|
||||||
error_files+=( "$i" )
|
error_files+=( "$i" )
|
||||||
fi
|
fi
|
||||||
all_files+=( "$i" )
|
all_files+=( "$i" )
|
||||||
done < <(find /boot -type f -name "*.sig" -print0)
|
done < <(find /boot -iname "efi" -prune -o -type f -name "*.sig" -print0)
|
||||||
|
|
||||||
echo "Checking missing signatures in /boot..." >&2
|
echo "Checking missing signatures in /boot..." >&2
|
||||||
while IFS= read -r -d '' i
|
while IFS= read -r -d '' i
|
||||||
|
@ -31,7 +31,7 @@ do
|
||||||
then
|
then
|
||||||
missing_files+=( "$i" )
|
missing_files+=( "$i" )
|
||||||
fi
|
fi
|
||||||
done < <(find /boot -type f -not -name "*.sig" -print0)
|
done < <(find /boot -iname "efi" -prune -o -type f -not -name "*.sig" -print0)
|
||||||
|
|
||||||
# Nothing to verify? Exit 2.
|
# Nothing to verify? Exit 2.
|
||||||
if (( ${#all_files[@]} == 0 ))
|
if (( ${#all_files[@]} == 0 ))
|
Loading…
Reference in New Issue