Add checksum support for dracut-live, add checksum verification menu entries

2024-12-12 20:34:13 -06:00 · 2024-12-12 20:34:13 -06:00 · ca3fda30fe
commit ca3fda30fe
parent 61d2eb3f30
6 changed files with 102 additions and 26 deletions
--- a/debian/control
+++ b/debian/control
@ -35,6 +35,7 @@ Recommends:
 Suggests:
 e2fsprogs,
 git,
+ isomd5sum,
 parted,
 mtd-utils,
 Description: Live System Build Components
--- a/functions/configuration.sh
+++ b/functions/configuration.sh
@ -843,6 +843,11 @@ Validate_config_dependencies ()
 		fi
 	fi

+	if [ "${LB_CHECKSUMS}" != "none" ] && [ "${LB_CHECKSUMS}" != "md5" ] && [ "${LB_INITRAMFS}" = "dracut-live" ]; then
+		Echo_error "You have selected values of LB_CHECKSUMS and LB_INITRAMFS that are incompatible - dracut-live works only with no checksums or md5 checksums."
+		exit 1
+	fi
+
 	Validate_http_proxy
 }

--- a/scripts/build/binary_checksums
+++ b/scripts/build/binary_checksums
@ -35,43 +35,47 @@ Check_stagefile
 # Acquire lock file
 Acquire_lockfile

-for CHECKSUM in ${LB_CHECKSUMS}
-do
-	CHECKSUMS="${CHECKSUM}sum.txt"
+if [ "${LB_INITRAMFS}" = "live-boot" ]; then
+	for CHECKSUM in ${LB_CHECKSUMS}
+	do
+		CHECKSUMS="${CHECKSUM}sum.txt"

-	Echo_message "Begin creating binary ${CHECKSUMS}..."
+		Echo_message "Begin creating binary ${CHECKSUMS}..."

-	# Remove old checksums
-	if [ -f binary/${CHECKSUMS} ]
-	then
-		rm -f binary/${CHECKSUMS}
-	fi
+		# Remove old checksums
+		if [ -f binary/${CHECKSUMS} ]
+		then
+			rm -f binary/${CHECKSUMS}
+		fi

-	# Calculating checksums
-	cd binary
-	find . -type f \
-		\! -path './isolinux/isolinux.bin' \
-		\! -path './boot/boot.bin' \
-		\! -path './boot/grub/stage2_eltorito' \
-		\! -path './*SUMS' \
-		\! -path './*sum.txt' \
-		\! -path './*sum.README' \
-	-print0 | LC_ALL=C sort -z | xargs -0 ${CHECKSUM}sum > ${CHECKSUMS}
+		# Calculating checksums
+		cd binary
+		find . -type f \
+			\! -path './isolinux/isolinux.bin' \
+			\! -path './boot/boot.bin' \
+			\! -path './boot/grub/stage2_eltorito' \
+			\! -path './*SUMS' \
+			\! -path './*sum.txt' \
+			\! -path './*sum.README' \
+		-print0 | LC_ALL=C sort -z | xargs -0 ${CHECKSUM}sum > ${CHECKSUMS}

-cat > ${CHECKSUM}sum.README << EOF
+	cat > ${CHECKSUM}sum.README << EOF
 The file ${CHECKSUMS} contains the ${CHECKSUM} checksums of all files on this medium.

 You can verify them automatically with the 'verify-checksums' boot parameter,
 or, manually with: '${CHECKSUM}sum -c ${CHECKSUMS}'.
 EOF

-	cd "${OLDPWD}"
-done
+		cd "${OLDPWD}"
+	done

-# File list
-cd binary
-find . | sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents
-cd "${OLDPWD}"
+	# File list
+	cd binary
+	find . | sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents
+	cd "${OLDPWD}"
+elif [ "${LB_INITRAMFS}" = "dracut-live" ]; then
+	Echo_message "Dracut in use, deferring checksum creation to binary_iso"
+fi

 # Creating stage file
 Create_stagefile
--- a/scripts/build/binary_grub_cfg
+++ b/scripts/build/binary_grub_cfg
@ -128,12 +128,18 @@ FLAVOUR_LIVE="${DEFAULT_FLAVOUR}"
 case "${LB_INITRAMFS}" in
 	live-boot)
 		APPEND_LIVE="${LB_BOOTAPPEND_LIVE} findiso=\${iso_path}"
+		APPEND_CHECKSUM_LIVE="${APPEND_LIVE} verify-checksums"
+		APPEND_CHECKSUM_LIVE_FAILSAFE="${LB_BOOTAPPEND_LIVE_FAILSAFE} verify-checksums"
 		;;
 	dracut-live)
 		APPEND_LIVE="${LB_BOOTAPPEND_LIVE} iso-scan/filename=\${iso_path}"
+		APPEND_CHECKSUM_LIVE="${APPEND_LIVE} rd.live.check"
+		APPEND_CHECKSUM_LIVE_FAILSAFE="${LB_BOOTAPPEND_LIVE_FAILSAFE} rd.live.check"
 		;;
 	none)
 		APPEND_LIVE="${LB_BOOTAPPEND_LIVE}"
+		APPEND_CHECKSUM_LIVE="${APPEND_LIVE} verify-checksums"
+		APPEND_CHECKSUM_LIVE_FAILSAFE="${LB_BOOTAPPEND_LIVE_FAILSAFE} verify-checksums"
 		;;
 esac

@ -164,6 +170,15 @@ if [ "${_AMD64_686_NUMBER}" -ge 2 ] ; then
 		"/${INITFS}/${_686_INITRD}" \
 		"${APPEND_LIVE}"

+	if [ "${LB_CHECKSUMS}" != "none" ]; then
+		Grub_live_autodetect_menu_entry "Live system (autodetect) (verify checksums)" \
+			"/${INITFS}/${AMD64_KERNEL}" \
+			"/${INITFS}/${AMD64_INITRD}" \
+			"/${INITFS}/${_686_KERNEL}" \
+			"/${INITFS}/${_686_INITRD}" \
+			"${APPEND_CHECKSUM_LIVE}"
+	fi
+
 	if [ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" != "none" ]; then
 		Grub_live_autodetect_menu_entry "Live system (autodetect) (fail-safe mode)" \
 			"/${INITFS}/${AMD64_KERNEL}" \
@ -171,6 +186,15 @@ if [ "${_AMD64_686_NUMBER}" -ge 2 ] ; then
 			"/${INITFS}/${_686_KERNEL}" \
 			"/${INITFS}/${_686_INITRD}" \
 			"${LB_BOOTAPPEND_LIVE_FAILSAFE}"
+
+		if [ "${LB_CHECKSUMS}" != "none" ]; then
+			Grub_live_autodetect_menu_entry "Live system (autodetect) (fail-safe-mode) (verify checksums)" \
+				"/${INITFS}/${AMD64_KERNEL}" \
+				"/${INITFS}/${AMD64_INITRD}" \
+				"/${INITFS}/${_686_KERNEL}" \
+				"/${INITFS}/${_686_INITRD}" \
+				"${APPEND_CHECKSUM_LIVE_FAILSAFE}"
+		fi
 	fi
 else
 	Grub_live_menu_entry "Live system (${_FLAVOUR})" \
@ -178,11 +202,26 @@ else
 		"/${INITFS}/${DEFAULT_INITRD}" \
 		"${APPEND_LIVE}" \
 		"l"
+
+	if [ "${LB_CHECKSUMS}" != "none" ]; then
+		Grub_live_menu_entry "Live system (${_FLAVOUR}) (verify checksums)" \
+			"/${INITFS}/${DEFAULT_KERNEL}" \
+			"/${INITFS}/${DEFAULT_INITRD}" \
+			"${APPEND_CHECKSUM_LIVE}"
+	fi
+
 	if [ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" != "none" ]; then
 		Grub_live_menu_entry "Live system (${_FLAVOUR} fail-safe mode)" \
 			"/${INITFS}/${DEFAULT_KERNEL}" \
 			"/${INITFS}/${DEFAULT_INITRD}" \
 			"${LB_BOOTAPPEND_LIVE_FAILSAFE}"
+
+		if [ "${LB_CHECKSUMS}" != "none" ]; then
+			Grub_live_menu_entry "Live system (${_FLAVOUR} fail-safe mode) (verify checksums)" \
+				"/${INITFS}/${DEFAULT_KERNEL}" \
+				"/${INITFS}/${DEFAULT_INITRD}" \
+				"${APPEND_CHECKSUM_LIVE_FAILSAFE}"
+		fi
 	fi
 fi

@ -200,11 +239,25 @@ if [ $_COUNT -gt 1 ]; then
 			"/${INITFS}/initrd.img-${VERSION}" \
 			"${APPEND_LIVE}"

+		if [ "${LB_CHECKSUMS}" != "none" ]; then
+			Grub_live_menu_entry "Live system, kernel ${VERSION} (verify checksums)" \
+				"/${INITFS}/$(basename "${KERNEL}")" \
+				"/${INITFS}/initrd.img-${VERSION}" \
+				"${APPEND_CHECKSUM_LIVE}"
+		fi
+
 		if [ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" != "none" ]; then
 			Grub_live_menu_entry "Live system, kernel ${VERSION} (fail-safe mode)" \
 				"/${INITFS}/$(basename ${KERNEL})" \
 				"/${INITFS}/initrd.img-${VERSION}" \
 				"${LB_BOOTAPPEND_LIVE_FAILSAFE}"
+
+			if [ "${LB_CHECKSUMS}" != "none" ]; then
+				Grub_live_menu_entry "Live system, kernel ${VERSION} (fail-safe mode) (verify checksums)" \
+					"/${INITFS}/$(basename "${KERNEL}")" \
+					"/${INITFS}/initrd.img-${VERSION}" \
+					"${APPEND_CHECKSUM_LIVE_FAILSAFE}"
+			fi
 		fi
 	done
 fi
--- a/scripts/build/binary_iso
+++ b/scripts/build/binary_iso
@ -212,6 +212,13 @@ case "${LB_BUILD_WITH_CHROOT}" in
 		;;
 esac

+# Handle checksumming for dracut-live
+if [ "${LB_CHECKSUMS}" != "none" ] && [ "${LB_INITRAMFS}" = "dracut-live" ]
+then
+	Echo_message "Embedding md5sum into ISO for dracut verification"
+	implantisomd5 ${IMAGE}
+fi
+
 # Set the timestamp of the image
 touch -d@${SOURCE_DATE_EPOCH} ${IMAGE}
 echo "f ${IMAGE}" >> binary.modified_timestamps
--- a/scripts/build/chroot_hacks
+++ b/scripts/build/chroot_hacks
@ -59,6 +59,12 @@ case "${LB_IMAGE_TYPE}" in
 		;;
 esac

+# Dracut checksum support requires isomd5sum
+if [ "${LB_CHECKSUMS}" != "none" ] && [ "${LB_INITRAMFS}" = "dracut-live" ]
+then
+	Apt chroot install isomd5sum
+fi
+
 # Update initramfs (always, because of udev rules in initrd)
 case "${LB_INITRAMFS}" in
 	live-boot)