
#1 2019-08-16 13:13:18

sharethewisdom
Member
Registered: 2014-09-22
Posts: 39

mkinitcpio-and-sign (pacman hook)

After following GRUB secure boot with GPG, I ended up writing a hook wrapper to automatically sign the kernels and initramfs images in /boot.

see mkinitcpio-and-sign compress-and-sign

Before thinking of submitting anything to the AUR, I'd like others to take a look at it. Does this look useful for you? How would you improve and generalize it? The hooks for the linux and linux-lts packages are put in /etc/pacman.d/hooks in order to overwrite running mkinitcpio with my mkinitcpio-and-sign. Is this good practice for a package?

edit: Trilby's right, nothing special needs to be done in the initramfs generation. I was worried that my hook would run before the images were properly updated, and I don't know how to make hooks depend on each other.

Last edited by sharethewisdom (2019-08-18 16:06:27)


#2 2019-08-16 13:31:31

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,040

Re: mkinitcpio-and-sign (pacman hook)

EDIT 2: How is this different from your previous question which has much better answers already.

Original answer:

sharethewisdom wrote:

The hooks for the linux and linux-lts packages are put in /etc/pacman.d/hooks in order to overwrite running mkinitcpio with my mkinitcpio-and-sign. Is this good practice for a package?

No, this is definitely a bad idea as your package will then conflict with the kernel - and even if you force its install, the next kernel upgrade that is successfully applied will overwrite your hook.

I'm not sure yet the right way to suppress another hook. The number at the start of the name indicates priority, so I suspect you'd want a lower number, then just look for the right way to 'untrigger' the normal hook.

If nothing else, you could use a higher number (lower priority) so that your hook runs after the default one. This would work - it just means mkinitcpio would be run an extra time for no reason: your hook would overwrite the initramfs of the previous run.

EDIT: is there a reason your hook should replace the normal mkinitcpio? I've never done this signing, but from what I see in the link you provided, it is assumed that an initramfs already exists. Nothing special needs to be done in the initramfs generation, right? So just let the 90-linux.hook handle running mkinitcpio, then have a lower priority 91-boot-sign.hook that will do all the signing.

Last edited by Trilby (2019-08-16 13:51:50)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

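The split Trilby proposes (let 90-linux.hook regenerate the images, then have a later hook do the signing) as an added, stand-alone example. This is not the thread author's script or mkinitcpio code; it only reuses the /root/keys homedir and /root/keys/passphrase paths from the thread, and the hook name 91-boot-sign.hook from the post above. The script name /usr/local/bin/sign-boot, the BOOT_GPG_HOME/BOOT_GPG_PASS overrides and the mapping of initramfs names to kernel images are assumptions made for the example. Alphabetical hook ordering (90 before 91) is what guarantees the images exist before this runs.

```shell
#!/bin/sh
# sign-boot: detach-sign every initramfs in a boot directory plus the kernel
# it belongs to, but only when no valid signature is already present.
# Intended to be called from a pacman hook such as (assumed file
# /etc/pacman.d/hooks/91-boot-sign.hook):
#
#   [Trigger]
#   Type = Path
#   Operation = Install
#   Operation = Upgrade
#   Target = usr/lib/modules/*/vmlinuz
#   [Action]
#   Description = Signing kernel and initramfs images in /boot
#   When = PostTransaction
#   Exec = /usr/local/bin/sign-boot run /boot
#
# Assumed locations; the thread keeps the keyring and passphrase under /root/keys.
HOMEDIR=${BOOT_GPG_HOME:-/root/keys}
PASSFILE=${BOOT_GPG_PASS:-/root/keys/passphrase}

# Map an initramfs file name to the kernel image it boots with:
#   initramfs-linux.img              -> vmlinuz-linux
#   initramfs-linux-lts-fallback.img -> vmlinuz-linux-lts
kernel_for_image() {
    name=$(basename "$1")
    name=${name#initramfs-}
    name=${name%.img}
    name=${name%-fallback}
    printf 'vmlinuz-%s\n' "$name"
}

# Succeed only if $1.sig exists and verifies against the data in $1 with the
# keys in $HOMEDIR. Naming the data file explicitly avoids gpg guessing it.
sig_ok() {
    [ -f "$1.sig" ] && gpg --homedir "$HOMEDIR" --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Create (or replace) the detached signature for $1 unless a valid one exists.
# The passphrase is fed through loopback pinentry so this works non-interactively.
sign_if_needed() {
    if sig_ok "$1"; then
        return 0
    fi
    gpg --homedir "$HOMEDIR" --batch --yes --pinentry-mode loopback \
        --passphrase-file "$PASSFILE" --detach-sign "$1" \
        || { printf 'ERROR: %s is not signed!\n' "$1" >&2; return 1; }
}

# Sign every initramfs under $1 and the kernel each one belongs to.
# Returns non-zero if any signature could not be produced, so the caller
# (pacman, via the hook) reports the failure instead of silently continuing.
sign_boot() {
    status=0
    for img in "$1"/initramfs-*.img; do
        [ -f "$img" ] || continue
        sign_if_needed "$img" || status=1
        kern="$1/$(kernel_for_image "$img")"
        if [ -f "$kern" ]; then
            sign_if_needed "$kern" || status=1
        fi
    done
    return $status
}

# Only act when invoked as "sign-boot run [dir]"; sourcing the file defines the functions.
case "${1:-}" in
    run) sign_boot "${2:-/boot}" ;;
esac
```

Because sig_ok verifies the existing signature against the current file contents, a regenerated initramfs or a replaced kernel is always re-signed, while an unchanged kernel keeps its signature. Unlike calling error inside mkinitcpio, the non-zero return reaches pacman, so a failed signing run is visible in the transaction output.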

#3 2019-08-16 16:28:31

sharethewisdom
Member
Registered: 2014-09-22
Posts: 39

Re: mkinitcpio-and-sign (pacman hook)

Thanks for your reply. I could indeed have linked to the other post.

What I ended up with is both a first attempt to notify users and to automatically sign files in /boot (some ignored) for which a signature doesn't match (or is absent). I provided the passphrase in /root/keys/passphrase.

I think of it as a bit of a botch job, but I'm happy with how I'm being notified. This allows me to log in as root to double check signatures in /boot if something went wrong.

the next kernel upgrade that is successfully applied will overwrite your hook.

I don't think that's true: linux{-lts} packages install the hooks in /usr/share/libalpm/hooks/90-linux{-lts}.hook. So there should be no conflicting files. But I know that blindly putting files in /etc/pacman.d/hooks is a bad idea, as its location depends on pacman's HookDir setting.

is there a reason your hook should replace the normal mkinitcpio? ... Nothing special needs to be done in the initramfs generation, right?

Right. But I'd like to know when mkinitcpio fails... can I get the failed state of the /usr/share/libalpm/hooks/90-linux.hook hook?

I think it's a bit redundant to make my four images twice though.


#4 2019-08-16 17:13:12

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,040

Re: mkinitcpio-and-sign (pacman hook)

Oops, I missed that you were putting yours in /etc, sorry.


#5 2019-08-18 16:06:53

sharethewisdom
Member
Registered: 2014-09-22
Posts: 39

Re: mkinitcpio-and-sign (pacman hook)

(see edit above)

So I'm not using a pacman hook anymore nor am I running mkinitcpio from the script. I'm now wrapping around the compressor command instead, which can for example be set with mkinitcpio -z gzip. So the idea is to have mkinitcpio -z compress-and-sign to sign the relevant image file, but because mkinitcpio expects the compressor program to write to stdout, it does not know where the user wants to write the image (i.e. mkinitcpio --generate /some/path/file). The signatures need to be put in that location.

Maybe the easiest solution would be to simply patch mkinitcpio when it is updated.


#6 2019-08-19 01:26:49

Allan
Member
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,875

Re: mkinitcpio-and-sign (pacman hook)

sharethewisdom wrote:

I was worried that my hook would run before the images were properly updated, and I don't know how to make hooks depend on each other.


Just as a FYI:

"man alpm-hooks" wrote:

Hooks are run in alphabetical order of their file name, where the ordering ignores the suffix.


#7 2019-09-09 14:45:35

sharethewisdom
Member
Registered: 2014-09-22
Posts: 39

Re: mkinitcpio-and-sign (pacman hook)

sharethewisdom wrote:

Maybe the easiest solution would be to simply patch mkinitcpio when it is updated.

OK, this is definitely the way to go. Sorry for the long-winded thread.

So, for clarity:

# file /boot/boot.key
/boot/boot.key: PGP/GPG key public ring (v4) created Wed Aug 29 14:43:15 2018 RSA (Encrypt or Sign) 2048 bits MPI=0xd0b8b08d26be857f...
# tree -L 2 /root
/root
├── keys
│   ├── gpg-agent.conf
│   ├── openpgp-revocs.d
│   ├── passphrase
│   ├── private-keys-v1.d
│   ├── pubring.kbx
│   ├── random_seed
│   ├── S.gpg-agent
│   ├── S.gpg-agent.browser
│   ├── S.gpg-agent.extra
│   ├── S.gpg-agent.ssh
│   ├── S.scdaemon
│   └── trustdb.gpg
├── libreboot.rom
└── mkinitcpio.patch

/root/mkinitcpio.patch (edit 14/09/2019: you may want to add "etc/mkinitcpio.conf" to NoUpgrade in /etc/pacman.conf when reinstalling mkinitcpio for testing this, to prevent surprises)

--- /usr/bin/mkinitcpio	2019-09-14 21:10:15.000000000 +0200
+++ mkinitcpio	2019-09-14 21:10:15.000000000 +0200
@@ -241,6 +241,26 @@
         error "Image generation FAILED: %s" "$errmsg"
     elif (( _builderrors == 0 )); then
         msg "Image generation successful"
+        sleep .1
+        if [ ! -f $out.sig ] || \
+          ! `gpg --homedir /root/keys --verify "$out.sig" 1>/dev/null 2>&1`; then
+          msg "Signing updated $out ..."
+          /usr/bin/gpg --yes --no-options --disable-dirmngr \
+            --detach-sign --pinentry loopback --batch \
+            --passphrase-file /root/keys/passphrase --homedir /root/keys "$out"
+          [ $? -gt 0 ] && error "$out is not signed!"
+        fi
+        kernelimg=/boot/vmlinuz-${out#*-} 
+        kernelimg=${kernelimg%.img} 
+        kernelimg=${kernelimg%-fallback} 
+        if [ ! -f ${kernelimg}.sig ] || \
+          ! `gpg --homedir /root/keys --verify ${kernelimg}.sig 1>/dev/null 2>&1`; then
+          msg "Signing updated kernel $kernelimg ..."
+          /usr/bin/gpg --yes --no-options --disable-dirmngr \
+            --detach-sign --pinentry loopback --batch \
+            --passphrase-file /root/keys/passphrase --homedir /root/keys $kernelimg
+          [ $? -gt 0 ] && error "$kernelimg is not signed!"
+        fi
     fi
 }
 
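Review bot: The two verify checks wrap gpg in backticks (`! \`gpg --homedir /root/keys --verify "$out.sig" 1>/dev/null 2>&1\``), so the shell runs the command substitution and then tries to execute its empty output; with stdout redirected that happens to yield gpg's exit status in bash, but it reads as a mistake and is fragile. Call the command directly: `! gpg --homedir /root/keys --verify "$out.sig" >/dev/null 2>&1`. In the same hunk, the signing calls pass `--pinentry loopback` where the documented option is `--pinentry-mode loopback`; `$out.sig` and `$kernelimg` are unquoted in the tests and in the second gpg invocation; the three `kernelimg=` lines carry trailing whitespace; and the `sleep .1` has no explanation. Finally, `error` in mkinitcpio only prints, so a failed `--detach-sign` leaves an unsigned image in /boot while the function still returns success; set a flag and return non-zero (or use `die`) so the failure is visible to the caller rather than only in the log.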

/etc/pacman.d/hooks/80-mkinitcpio-patch.hook

[Trigger]
Type = File
Operation = Install
Operation = Upgrade
Target = usr/bin/mkinitcpio

[Action]
Description = Patching /usr/bin/mkinitcpio
When = PostTransaction
Exec = /usr/bin/patch /usr/bin/mkinitcpio /root/mkinitcpio.patch

Last edited by sharethewisdom (2019-09-14 19:38:16)
