-
Notifications
You must be signed in to change notification settings - Fork 3
/
safety_checks
executable file
·112 lines (97 loc) · 3.3 KB
/
safety_checks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#! /bin/bash
SYSTEMD_STUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
CHECKS=( root arch no_separate_boot mounted_efi root_luks systemd_stub tpm tpm_futurepcr packages binaries cryptsetup_version )
APPDIR=.
. ./bash_functions
check_root() {
if test "$(id -u)" != 0; then
echo "Must run as root (e.g., using sudo)" >&2
return 1
fi
}
check_arch() {
if test "$(uname -m)" != "x86_64"; then
echo "Unsupported architecture $(uname -m)" >&2
return 1
fi
}
check_no_separate_boot() {
if test "$(stat -c '%m' /boot)" != "/"; then
echo "/boot not on root device unsupported" >&2
return 1
fi
}
check_mounted_efi() {
if test "$(stat -c '%m' /boot/efi)" != "/boot/efi"; then
echo "EFI system partition must be mounted at /boot/efi" >&2
return 1
elif test "$(stat -f -c '%T' /boot/efi)" != "msdos" -o \
"$(mount | awk '$3 == "/boot/efi" { print $5; }')" != "vfat"; then
echo "Filesystem mounted at /boot/efi must be mounted as type vfat" >&2
return 1
fi
}
check_root_luks() {
cryptdev=( $(get_crypttab_entry $(get_device_info / | awk '{print $2;}') ) )
if (( ${#cryptdev[@]} == 0 )); then
echo "Root has no parent crypttab entry" >&2
return 1
fi
if [[ ${cryptdev[3]} != *luks* ]]; then
echo "crypttab entry missing luks option: ${cryptdev[3]}" >&2
return 1
fi
if ! cryptsetup isLuks "${cryptdev[1]}" --type luks2; then
echo "Root must be hosted on a LUKS2 partition"
return 1
fi
}
check_systemd_stub() {
if ! test -r "$SYSTEMD_STUB"; then
echo "systemd EFI stub $SYSTEMD_STUB not available: install systemd-boot-efi" >&2
return 1
fi
}
check_tpm() {
if ! tpm2_pcrread -Q 2>/dev/null; then
echo "TPM does not appear to be available or working" >&2
return 1
fi
}
check_packages() {
if (( $(dpkg-query -W -f='${Status}\n' cryptsetup-initramfs 2>/dev/null | grep -c "ok installed") < 1 )); then
echo "cryptsetup-initramfs required" >&2
return 1
fi
if (( $(dpkg-query -W -f='${Status}\n' initramfs-tools 2>/dev/null | grep -c "ok installed") < 1 )); then
echo "initramfs-tools required (dracut is not supported)" >&2
return 1
fi
}
check_binaries() {
for bin in sgdisk efibootmgr cryptsetup sed awk tr grep sort uniq diff basename dirname mount tpm2_create tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_nvdefine tpm2_nvincrement tpm2_nvread tpm2_nvreadpublic tpm2_pcrread tpm2_policynv tpm2_policypcr tpm2_shutdown tpm2_startauthsession tpm2_unseal lsblk objcopy pipx update-initramfs dd jq; do
if [ -z "$(type -Pt "$bin")" ]; then
echo "Cannot find $bin in path" >&2
return 1
fi
done
}
check_cryptsetup_version() {
cver=$(cryptsetup -V | awk '{print $2;}')
if compare_versions "$cver" 2.4.0 || (( $? == 1 )); then
echo "cryptsetup version must be >= 2.4.0 (for --dump-json-metadata support)" >&2
return 1
fi
}
check_tpm_futurepcr() {
if [ ! -r tpm_futurepcr/setup.py ]; then
echo "tpm_futurepcr/setup.py does not exist; did you forget to clone --recurse?" >&2
return 1
fi
}
set -e
for c in "${CHECKS[@]}"; do
echo -n "$c..." >&2
eval "check_$c"
echo "SUCCESS" >&2
done