verify_some_rootfs_files_during_initramfs
What is this?
This is a tiny program that is designed to run during a systemd-based initramfs (or another kind of initramfs, such as busybox).
It reads the public key stored inside the initcpio image and uses it to verify some files in the rootfs (like /etc/shadow, /usr/bin/sudo, or any other file or program you want to verify).
How does it work?
This program is registered as an initrd systemd service and runs after initrd-fs.target but before initrd.target.
This lets the program read and verify the rootfs files very easily.
According to the systemd documentation (man bootup), the service runs at this point in the boot sequence:
                               :
                               v
                         basic.target
                               |                       emergency.service
        ______________________/|                               |
       /                       |                               v
       |            initrd-root-device.target          emergency.target
       |                       |
       |                       v
       |                  sysroot.mount
       |                       |
       |                       v
       |             initrd-root-fs.target
       |                       |
       |                       v
       v            initrd-parse-etc.service
(custom initrd                 |
 services...)                  v
       |            (sysroot-usr.mount and
       |             various mounts marked
       |               with fstab option
       |              x-initrd.mount...)
       |                       |
       |                       v
       |                initrd-fs.target
       \______________________ |
                              \|
                               |
                               v
                       ****************
                       *vsrfdi.service*
                       ****************
                               |
                               v
                          initrd.target
                               |
                               v
                     initrd-cleanup.service
                          isolates to
                    initrd-switch-root.target
                               |
                               v
        ______________________/|
       /                       v
       |        initrd-udevadm-cleanup-db.service
       v                       |
(custom initrd                 |
 services...)                  |
       \______________________ |
                              \|
                               v
                   initrd-switch-root.target
                               |
                               v
                   initrd-switch-root.service
                               |
                               v
                     Transition to Host OS
The program then does the following:
1. Read the public key stored inside the initcpio image (located at /etc/vsrfdi/pub).
2. Load the public key and verify the filelist's signature (located at /sysroot/var/lib/vsrfdi/filelist.sig; systemd mounts the rootfs at /sysroot during the initramfs).
3. After verifying that the filelist's signature is okay, read the content of the filelist (/sysroot/etc/vsrfdi/filelist).
4. The content of the filelist looks like this:
   1=/etc/shadow
   2=/usr/bin/sudo
   ...
   That means the program will try to verify the signatures of /etc/shadow and /usr/bin/sudo in the rootfs. Their signature files are located in /sysroot/var/lib/vsrfdi/signatures/*.sig (for example 1.sig).
   The number at the front is the actual signature file name.
5. If every signature is okay, the program prints "Verification process completed successfully."; otherwise it exits with 1 and an error message.
Installation:
Right now this program can only be installed manually, which means you should add these files to the initcpio image:
1. /etc/vsrfdi/pub: the public key
2. /usr/lib/vsrfdi/vsrfdi: the program binary
3. /usr/lib/systemd/system/vsrfdi.service: the service file
4. /usr/lib/systemd/system/sysinit.target.wants/vsrfdi.service: symbolic link to /usr/lib/systemd/system/vsrfdi.service; without it, vsrfdi.service might not run during the initramfs
And in the rootfs:
1. /etc/vsrfdi/filelist: the filelist (controls which files should be verified)
2. /var/lib/vsrfdi/filelist.sig: the signature of the filelist
3. /var/lib/vsrfdi/signatures/*.sig: the signatures of the actual files you want to verify (for example 1.sig, 2.sig)
It is recommended to use a unified kernel image with self-signed Secure Boot, because that establishes the baseline trust in the program itself and in the public key inside the initcpio image.
The signing process is not implemented, so you have to sign the files manually with openssl.
An Arch Linux PKGBUILD file will be added soon.
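The manual openssl signing mentioned above, as an added example that is not part of this project: it writes the signature files at the rootfs paths listed in this README and can re-check them with the public key before you reboot. The function names and the SHA-256 `openssl dgst -sign` scheme are assumptions, because the README does not say which signature format vsrfdi expects.

```shell
#!/bin/sh
# Added example (not project code): sign or re-check a vsrfdi rootfs.
# ASSUMPTION: SHA-256 signatures via `openssl dgst -sign`; the README does
# not name the scheme, so match it to what the vsrfdi binary verifies.

# _one MODE KEY SIGFILE TARGET: sign TARGET into SIGFILE, or verify it.
_one() {
    case $1 in
        sign)   openssl dgst -sha256 -sign "$2" -out "$3" "$4" ;;
        verify) openssl dgst -sha256 -verify "$2" -signature "$3" "$4" >/dev/null ;;
        *)      return 2 ;;
    esac
}

# vsrfdi_walk MODE ROOT KEY
#   ROOT  rootfs to process: "/" or a mounted image
#   KEY   PEM private key (sign) or PEM public key (verify)
vsrfdi_walk() {
    mode=$1 root=${2%/} key=$3
    list=$root/etc/vsrfdi/filelist
    state=$root/var/lib/vsrfdi
    [ -r "$list" ] || { echo "missing $list" >&2; return 1; }
    [ "$mode" != sign ] || mkdir -p "$state/signatures" || return 1

    # The filelist itself is covered first, in the order vsrfdi checks it.
    _one "$mode" "$key" "$state/filelist.sig" "$list" || return 1

    # Each entry is N=/absolute/path; N names signatures/N.sig.
    while IFS='=' read -r n path || [ -n "$n" ]; do
        [ -n "$n" ] || continue
        case $n in *[!0-9]*) echo "bad index: $n" >&2; return 1 ;; esac
        case $path in /*) ;; *) echo "bad path: $path" >&2; return 1 ;; esac
        [ -f "$root$path" ] || { echo "not a file: $path" >&2; return 1; }
        _one "$mode" "$key" "$state/signatures/$n.sig" "$root$path" || return 1
    done < "$list"
}

sign_rootfs()  { vsrfdi_walk sign "$@"; }    # sign_rootfs ROOT PRIVKEY
check_rootfs() { vsrfdi_walk verify "$@"; }  # check_rootfs ROOT PUBKEY

# Usage (key file names are placeholders):
#   sign_rootfs / private.pem && check_rootfs / public.pem
```

Re-run the signing step after every change to a listed file, package upgrades included, because a stale signature makes the boot-time verification exit with an error. Keep the private key off the machine being verified.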
Notes:
This program is still in very early development, so there are likely to be quite a lot of bugs or errors. Issues, pull requests and forks are welcome.
License:
This program is under GPL-3.0-or-later.