[SCM] live-boot branch, debian-next, updated. debian/3.0_a29-1-6-g9c5ba66
Daniel Baumann
daniel at debian.org
Tue Jun 5 15:37:43 UTC 2012
The following commit has been merged in the debian-next branch:
commit 9c5ba667f13c0036b9e3786c5f614a258eaa717e
Author: Daniel Baumann <daniel at debian.org>
Date: Tue Jun 5 17:30:25 2012 +0200
Rewriting live-media checksum verification to work with any SHA and MD5 digests.
diff --git a/initramfs-tools/hooks/live b/initramfs-tools/hooks/live
index cfe1534..57b8063 100755
--- a/initramfs-tools/hooks/live
+++ b/initramfs-tools/hooks/live
@@ -182,7 +182,9 @@ then
fi
[ "${QUIET}" ] || echo -n " "utils
-# Program: md5sum
+
+# Feature: Verify Checksums
+copy_exec /usr/bin/sha256sum /bin
copy_exec /usr/bin/md5sum /bin
# Program: memdisk
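Review bot: Only `sha256sum` and `md5sum` are copied into the initramfs here, while Verify_checksums in scripts/boot/verify-checksums.sh iterates over sha512, sha384, sha256, sha224, sha1 and md5. A medium that ships only, for example, SHA512SUMS will find no matching binary in /bin and end in the failure branch without anything having been checked. Either copy the remaining tools as well (e.g. `copy_exec /usr/bin/sha512sum /bin`) or add a comment here stating that only SHA256SUMS and MD5SUMS are supported at boot.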
diff --git a/manpages/en/live-boot.7 b/manpages/en/live-boot.7
index 82450cd..fa5f82b 100644
--- a/manpages/en/live-boot.7
+++ b/manpages/en/live-boot.7
@@ -72,7 +72,7 @@ Look for the specified ISO file on all disks where it usually looks for the .squ
Allows to use a filesystem from within an iso image that's available on live-media.
.IP "\fBignore_uuid\fR" 4
Do not check that any UUID embedded in the initramfs matches the discovered medium. live\-boot may be told to generate a UUID by setting LIVE_GENERATE_UUID=1 when building the initramfs.
-.IP "\fBintegrity\-check\fR" 4
+.IP "\fBverify\-checksums\fR" 4
If specified, an MD5 sum is calculated on the live media during boot and compared to the value found in md5sum.txt found in the root directory of the live media.
.IP "\fBip\fR=[\fIDEVICE\fR]:[\fICLIENT_IP\fR]:[\fISERVER_IP\fR]:[\fIGATEWAY_IP\fR]:[\fINETMASK\fR]:[\fIHOSTNAME\fR]:[\fIAUTOCONF\fR] [,[\fIDEVICE\fR]:[\fICLIENT_IP\fR]:[\fISERVER_IP\fR]:[\fIGATEWAY_IP\fR]:[\fINETMASK\fR]:[\fIHOSTNAME\fR]:[\fIAUTOCONF\fR]]" 4
Let you specify the name(s) and the options of the interface(s) that should be configured at boot time. Do not specify this if you want to use dhcp (default). It will be changed in a future release to mimick official kernel boot param specification (e.g. ip=10.0.0.1::10.0.0.254:255.255.255.0::eth0,:::::eth1:dhcp).
diff --git a/scripts/boot.sh b/scripts/boot.sh
index 90750b5..2fe563e 100755
--- a/scripts/boot.sh
+++ b/scripts/boot.sh
@@ -512,10 +512,11 @@ mountroot ()
panic "Unable to find a medium containing a live file system"
fi
- if [ "${INTEGRITY_CHECK}" ]
- then
- integrity_check "${livefs_root}"
- fi
+ case "${LIVE_VERIFY_CHECKSUMS}" in
+ true)
+ Verify_checksums "${livefs_root}"
+ ;;
+ esac
if [ "${TORAM}" ]
then
diff --git a/scripts/boot/arguments.sh b/scripts/boot/arguments.sh
index 28e07f1..d352c6d 100755
--- a/scripts/boot/arguments.sh
+++ b/scripts/boot/arguments.sh
@@ -7,6 +7,12 @@ Arguments ()
for ARGUMENT in $(cat /proc/cmdline)
do
case "${ARGUMENT}" in
+ live-boot.verify-checksums|verify-checksums)
+ LIVE_VERIFY_CHECKSUMS="true"
+ export LIVE_VERIFY_CHECKSUMS
+ ;;
+
+ # parameters below need review
read-only)
READ_ONLY="true"
;;
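Review bot: Dropping `integrity-check` (second hunk of this file) without keeping it as an alias means boot entries that still pass the old parameter no longer match any arm visible here, so verification is presumably skipped silently rather than failing. Keeping the old spelling as a deprecated alias, `live-boot.verify-checksums|verify-checksums|integrity-check)`, would preserve the check for existing configurations. The Arguments function begins and ends outside this hunk, so a catch-all arm elsewhere cannot be ruled out.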
@@ -101,11 +107,6 @@ Arguments ()
export IGNORE_UUID
;;
- integrity-check)
- INTEGRITY_CHECK="true"
- export INTEGRITY_CHECK
- ;;
-
ip=*)
STATICIP="${ARGUMENT#ip=}"
diff --git a/scripts/boot/integrity-check.sh b/scripts/boot/integrity-check.sh
deleted file mode 100755
index 08f9583..0000000
--- a/scripts/boot/integrity-check.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-
-#set -e
-
-integrity_check ()
-{
- media_mountpoint="${1}"
-
- log_begin_msg "Checking media integrity"
-
- cd ${media_mountpoint}
- /bin/md5sum -c md5sum.txt < /dev/tty8 > /dev/tty8
- RC="${?}"
-
- log_end_msg
-
- if [ "${RC}" -eq 0 ]
- then
- log_success_msg "Everything ok, will reboot in 10 seconds."
- sleep 10
- cd /
- umount ${media_mountpoint}
- sync
- echo u > /proc/sysrq-trigger
- echo b > /proc/sysrq-trigger
- else
- panic "Not ok, a media defect is likely, switch to VT8 for details."
- fi
-}
diff --git a/scripts/boot/verify-checksums.sh b/scripts/boot/verify-checksums.sh
new file mode 100755
index 0000000..7dd5da3
--- /dev/null
+++ b/scripts/boot/verify-checksums.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+#set -e
+
+Verify_checksums ()
+{
+ _MOUNTPOINT="${1}"
+
+ _DIGESTS="sha512 sha384 sha256 sha224 sha1 md5"
+ _TTY="/dev/tty8"
+
+ log_begin_msg "Verifying checksums"
+
+ cd "${_MOUNTPOINT}"
+
+ for _DIGEST in ${_DIGESTS}
+ do
+ _CHECKSUMS="$(echo ${_DIGEST} | tr [a-z] [A-Z])SUMS"
+
+ if [ -e "${_CHECKSUMS}" ]
+ then
+ echo "Found ${_CHECKSUMS}..." > "${_TTY}"
+
+ if [ -e "/bin/${_DIGEST}sum" ]
+ then
+ echo "Checking ${_CHECKSUMS}..." > "${_TTY}"
+
+ # Verify checksums
+ /bin/${_DIGEST}sum -c "${_CHECKSUMS}" < "${_TTY}" > "${_TTY}"
+ _RETURN="${?}"
+
+ # Stop after first verification
+ break
+ else
+ echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
+ fi
+ fi
+ done
+
+ log_end_msg
+
+ case "${_RETURN}" in
+ 0)
+ log_success_msg "Verification successfull, rebooting in 10 seconds."
+ sleep 10
+
+ # Unmount live-media
+ cd /
+ umount -f ${_MOUNTPOINT} > /dev/null 2>&1
+ sync
+
+ # Attempt to remount all mounted filesystems read-only
+ echo u > /proc/sysrq-trigger
+
+ # Immediately reboot the system without syncing or unmounting filesystems
+ echo b > /proc/sysrq-trigger
+ ;;
+
+ *)
+ panic "Verification failed, $(basename ${_TTY}) for more information."
+ ;;
+ esac
+}
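Review bot: `_RETURN` is never initialised in Verify_checksums, so when no *SUMS file is present or no matching `/bin/${_DIGEST}sum` exists, the final `case` runs on an unset (or inherited) value and reports "Verification failed" for a check that never ran; set `_RETURN=""` before the loop and give the nothing-to-verify case its own message. The result of `cd "${_MOUNTPOINT}"` is not checked, and `tr [a-z] [A-Z]` is unquoted, so a single-letter file name in the media root can be glob-expanded into the tr arguments; `cd "${_MOUNTPOINT}" || panic "Unable to enter ${_MOUNTPOINT}"` and `tr '[a-z]' '[A-Z]'` avoid both. `umount -f ${_MOUNTPOINT}` and `basename ${_TTY}` should be quoted for the same reason. Because the checksum file is read from the same medium it describes, this detects media defects rather than tampering, and a comment above the function saying so would prevent over-reliance on it.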
--
live-boot