From ca3fda30fe3c3be543ba4c8fcee944b0c4ceb1a5 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 12 Dec 2024 20:34:13 -0600 Subject: [PATCH] Add checksum support for dracut-live, add checksum verification menu entries --- debian/control | 1 + functions/configuration.sh | 5 +++ scripts/build/binary_checksums | 56 ++++++++++++++++++---------------- scripts/build/binary_grub_cfg | 53 ++++++++++++++++++++++++++++++++ scripts/build/binary_iso | 7 +++++ scripts/build/chroot_hacks | 6 ++++ 6 files changed, 102 insertions(+), 26 deletions(-) diff --git a/debian/control b/debian/control index 544eeeee3..6a08370ea 100644 --- a/debian/control +++ b/debian/control @@ -35,6 +35,7 @@ Recommends: Suggests: e2fsprogs, git, + isomd5sum, parted, mtd-utils, Description: Live System Build Components diff --git a/functions/configuration.sh b/functions/configuration.sh index 712398e37..e00f09f86 100755 --- a/functions/configuration.sh +++ b/functions/configuration.sh @@ -843,6 +843,11 @@ Validate_config_dependencies () fi fi + if [ "${LB_CHECKSUMS}" != "none" ] && [ "${LB_CHECKSUMS}" != "md5" ] && [ "${LB_INITRAMFS}" = "dracut-live" ]; then + Echo_error "You have selected values of LB_CHECKSUMS and LB_INITRAMFS that are incompatible - dracut-live works only with no checksums or md5 checksums." + exit 1 + fi + Validate_http_proxy } diff --git a/scripts/build/binary_checksums b/scripts/build/binary_checksums index 9d77604ed..f86d12c6c 100755 --- a/scripts/build/binary_checksums +++ b/scripts/build/binary_checksums 
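Review bot: The new check in Validate_config_dependencies has no comment explaining why dracut-live is limited to `md5`, and the error text does not say so either. From the rest of the patch the reason appears to be that `rd.live.check` verifies the single MD5 that `implantisomd5` embeds in the image, so I would add above the `if`: `# dracut-live verifies the MD5 embedded by implantisomd5 (isomd5sum); no other digest can be checked at boot`. The user-facing documentation should also say that this check catches corrupted media, not a deliberately modified image, because the digest travels inside the image it protects. The function's body starts outside the hunk.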
@@ -35,43 +35,47 @@ Check_stagefile # Acquire lock file Acquire_lockfile -for CHECKSUM in ${LB_CHECKSUMS} -do - CHECKSUMS="${CHECKSUM}sum.txt" +if [ "${LB_INITRAMFS}" = "live-boot" ]; then + for CHECKSUM in ${LB_CHECKSUMS} + do + CHECKSUMS="${CHECKSUM}sum.txt" - Echo_message "Begin creating binary ${CHECKSUMS}..." + Echo_message "Begin creating binary ${CHECKSUMS}..." - # Remove old checksums - if [ -f binary/${CHECKSUMS} ] - then - rm -f binary/${CHECKSUMS} - fi + # Remove old checksums + if [ -f binary/${CHECKSUMS} ] + then + rm -f binary/${CHECKSUMS} + fi - # Calculating checksums - cd binary - find . -type f \ - \! -path './isolinux/isolinux.bin' \ - \! -path './boot/boot.bin' \ - \! -path './boot/grub/stage2_eltorito' \ - \! -path './*SUMS' \ - \! -path './*sum.txt' \ - \! -path './*sum.README' \ - -print0 | LC_ALL=C sort -z | xargs -0 ${CHECKSUM}sum > ${CHECKSUMS} + # Calculating checksums + cd binary + find . -type f \ + \! -path './isolinux/isolinux.bin' \ + \! -path './boot/boot.bin' \ + \! -path './boot/grub/stage2_eltorito' \ + \! -path './*SUMS' \ + \! -path './*sum.txt' \ + \! -path './*sum.README' \ + -print0 | LC_ALL=C sort -z | xargs -0 ${CHECKSUM}sum > ${CHECKSUMS} -cat > ${CHECKSUM}sum.README << EOF + cat > ${CHECKSUM}sum.README << EOF The file ${CHECKSUMS} contains the ${CHECKSUM} checksums of all files on this medium. You can verify them automatically with the 'verify-checksums' boot parameter, or, manually with: '${CHECKSUM}sum -c ${CHECKSUMS}'. EOF - cd "${OLDPWD}" -done + cd "${OLDPWD}" + done -# File list -cd binary -find . | sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents -cd "${OLDPWD}" + # File list + cd binary + find . 
| sed -e 's|^.||g' | grep "^/" | LC_ALL=C sort > ../${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents + cd "${OLDPWD}" +elif [ "${LB_INITRAMFS}" = "dracut-live" ]; then + Echo_message "Dracut in use, deferring checksum creation to binary_iso" +fi # Creating stage file Create_stagefile diff --git a/scripts/build/binary_grub_cfg b/scripts/build/binary_grub_cfg index 71929839d..5c1f421c4 100755 --- a/scripts/build/binary_grub_cfg +++ b/scripts/build/binary_grub_cfg @@ -128,12 +128,18 @@ FLAVOUR_LIVE="${DEFAULT_FLAVOUR}" case "${LB_INITRAMFS}" in live-boot) APPEND_LIVE="${LB_BOOTAPPEND_LIVE} findiso=\${iso_path}" + APPEND_CHECKSUM_LIVE="${APPEND_LIVE} verify-checksums" + APPEND_CHECKSUM_LIVE_FAILSAFE="${LB_BOOTAPPEND_LIVE_FAILSAFE} verify-checksums" ;; dracut-live) APPEND_LIVE="${LB_BOOTAPPEND_LIVE} iso-scan/filename=\${iso_path}" + APPEND_CHECKSUM_LIVE="${APPEND_LIVE} rd.live.check" + APPEND_CHECKSUM_LIVE_FAILSAFE="${LB_BOOTAPPEND_LIVE_FAILSAFE} rd.live.check" ;; none) APPEND_LIVE="${LB_BOOTAPPEND_LIVE}" + APPEND_CHECKSUM_LIVE="${APPEND_LIVE} verify-checksums" + APPEND_CHECKSUM_LIVE_FAILSAFE="${LB_BOOTAPPEND_LIVE_FAILSAFE} verify-checksums" ;; esac @@ -164,6 +170,15 @@ if [ "${_AMD64_686_NUMBER}" -ge 2 ] ; then "/${INITFS}/${_686_INITRD}" \ "${APPEND_LIVE}" + if [ "${LB_CHECKSUMS}" != "none" ]; then + Grub_live_autodetect_menu_entry "Live system (autodetect) (verify checksums)" \ + "/${INITFS}/${AMD64_KERNEL}" \ + "/${INITFS}/${AMD64_INITRD}" \ + "/${INITFS}/${_686_KERNEL}" \ + "/${INITFS}/${_686_INITRD}" \ + "${APPEND_CHECKSUM_LIVE}" + fi + if [ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" != "none" ]; then Grub_live_autodetect_menu_entry "Live system (autodetect) (fail-safe mode)" \ "/${INITFS}/${AMD64_KERNEL}" \ 
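Review bot: With `LB_INITRAMFS` set to `none`, neither branch of the new `if`/`elif` runs, so a build that used to get its `*sum.txt` files now gets none. The `# File list` block that writes `${LB_IMAGE_NAME}-${LB_ARCHITECTURE}.contents` has also moved inside the live-boot branch, so dracut-live and `none` builds lose the contents list as well. I would invert the guard to `if [ "${LB_INITRAMFS}" != "dracut-live" ]; then`, put the dracut message in a plain `else`, and move the file-list block back after the closing `fi`. The dracut branch also defers to binary_iso unconditionally; if dracut-live can be combined with a non-ISO image type (not visible here), that image ends up with no checksum at all.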
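Review bot: In the `none)` arm the checksum variants append `verify-checksums`, but nothing visible in this patch consumes that parameter when no initramfs integration is selected, and binary_checksums as changed here writes checksum files only for live-boot. The menu would then offer a "(verify checksums)" entry that boots without verifying anything, which is worse than not offering it. I would set `APPEND_CHECKSUM_LIVE=""` and `APPEND_CHECKSUM_LIVE_FAILSAFE=""` in that arm and guard the new entries in the hunks at -164, -171, -178 and -200 with `[ -n "${APPEND_CHECKSUM_LIVE}" ]` in addition to the `LB_CHECKSUMS` test.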
@@ -171,6 +186,15 @@ if [ "${_AMD64_686_NUMBER}" -ge 2 ] ; then "/${INITFS}/${_686_KERNEL}" \ "/${INITFS}/${_686_INITRD}" \ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" + + if [ "${LB_CHECKSUMS}" != "none" ]; then + Grub_live_autodetect_menu_entry "Live system (autodetect) (fail-safe-mode) (verify checksums)" \ + "/${INITFS}/${AMD64_KERNEL}" \ + "/${INITFS}/${AMD64_INITRD}" \ + "/${INITFS}/${_686_KERNEL}" \ + "/${INITFS}/${_686_INITRD}" \ + "${APPEND_CHECKSUM_LIVE_FAILSAFE}" + fi fi else Grub_live_menu_entry "Live system (${_FLAVOUR})" \ @@ -178,11 +202,26 @@ else "/${INITFS}/${DEFAULT_INITRD}" \ "${APPEND_LIVE}" \ "l" + + if [ "${LB_CHECKSUMS}" != "none" ]; then + Grub_live_menu_entry "Live system (${_FLAVOUR}) (verify checksums)" \ + "/${INITFS}/${DEFAULT_KERNEL}" \ + "/${INITFS}/${DEFAULT_INITRD}" \ + "${APPEND_CHECKSUM_LIVE}" + fi + if [ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" != "none" ]; then Grub_live_menu_entry "Live system (${_FLAVOUR} fail-safe mode)" \ "/${INITFS}/${DEFAULT_KERNEL}" \ "/${INITFS}/${DEFAULT_INITRD}" \ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" + + if [ "${LB_CHECKSUMS}" != "none" ]; then + Grub_live_menu_entry "Live system (${_FLAVOUR} fail-safe mode) (verify checksums)" \ + "/${INITFS}/${DEFAULT_KERNEL}" \ + "/${INITFS}/${DEFAULT_INITRD}" \ + "${APPEND_CHECKSUM_LIVE_FAILSAFE}" + fi fi fi 
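Review bot: The title of the new autodetect fail-safe entry is spelled `(fail-safe-mode)`, while the existing entry directly above it and the other new titles use `fail-safe mode`. Change the line to `Grub_live_autodetect_menu_entry "Live system (autodetect) (fail-safe mode) (verify checksums)" \` so the two entries read as a pair in the boot menu. The enclosing `if` block starts outside the hunk.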
@@ -200,11 +239,25 @@ if [ $_COUNT -gt 1 ]; then "/${INITFS}/initrd.img-${VERSION}" \ "${APPEND_LIVE}" + if [ "${LB_CHECKSUMS}" != "none" ]; then + Grub_live_menu_entry "Live system, kernel ${VERSION} (verify checksums)" \ + "/${INITFS}/$(basename "${KERNEL}")" \ + "/${INITFS}/initrd.img-${VERSION}" \ + "${APPEND_CHECKSUM_LIVE}" + fi + if [ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" != "none" ]; then Grub_live_menu_entry "Live system, kernel ${VERSION} (fail-safe mode)" \ "/${INITFS}/$(basename ${KERNEL})" \ "/${INITFS}/initrd.img-${VERSION}" \ "${LB_BOOTAPPEND_LIVE_FAILSAFE}" + + if [ "${LB_CHECKSUMS}" != "none" ]; then + Grub_live_menu_entry "Live system, kernel ${VERSION} (fail-safe mode) (verify checksums)" \ + "/${INITFS}/$(basename "${KERNEL}")" \ + "/${INITFS}/initrd.img-${VERSION}" \ + "${APPEND_CHECKSUM_LIVE_FAILSAFE}" + fi fi done fi diff --git a/scripts/build/binary_iso b/scripts/build/binary_iso index 6fc03aebf..460c2ad5b 100755 --- a/scripts/build/binary_iso +++ b/scripts/build/binary_iso @@ -212,6 +212,13 @@ case "${LB_BUILD_WITH_CHROOT}" in ;; esac +# Handle checksumming for dracut-live +if [ "${LB_CHECKSUMS}" != "none" ] && [ "${LB_INITRAMFS}" = "dracut-live" ] +then + Echo_message "Embedding md5sum into ISO for dracut verification" + implantisomd5 ${IMAGE} +fi + # Set the timestamp of the image touch -d@${SOURCE_DATE_EPOCH} ${IMAGE} echo "f ${IMAGE}" >> binary.modified_timestamps diff --git a/scripts/build/chroot_hacks b/scripts/build/chroot_hacks index d16732a8c..89c2a1a4f 100755 --- a/scripts/build/chroot_hacks +++ b/scripts/build/chroot_hacks @@ -59,6 +59,12 @@ case "${LB_IMAGE_TYPE}" in ;; esac +# Dracut checksum support requires isomd5sum +if [ "${LB_CHECKSUMS}" != "none" ] && [ "${LB_INITRAMFS}" = "dracut-live" ] +then + Apt chroot install isomd5sum +fi + # Update initramfs (always, because of udev rules in initrd) case "${LB_INITRAMFS}" in live-boot)
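Review bot: In the binary_iso hunk, `implantisomd5 ${IMAGE}` runs after the `LB_BUILD_WITH_CHROOT` case has closed, so it appears to execute on the build host in both modes. Yet isomd5sum is only a `Suggests:` in debian/control, and the chroot_hacks hunk installs it inside the chroot only. On a host without the package the step fails with a bare "command not found". If the script does not run under `set -e` (not visible here), the image instead ships without an embedded checksum while the GRUB menu still offers `rd.live.check`. I would test for the tool first and quote the path: `command -v implantisomd5 >/dev/null || { Echo_error "implantisomd5 not found; install isomd5sum on the build host"; exit 1; }` followed by `implantisomd5 "${IMAGE}"`.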