syslinux: process @rescue_hash@ (forensic mode)

This value is used to authenticate rescue rootfs image by verifying the squashfs file's sha256sum before use (propagator-20140419+). Looks like this check might be useful for other stage2 images as well but let's get started with this one. Thanks Maxim Suhanov <suhanov/group-ib.ru> for both http://www.forensicswiki.org/wiki/Forensic_Live_CD_issues and propagator patches.
2014-04-18 13:26:15 +04:00 · 2014-04-18 13:26:15 +04:00 · a2fcc601c9
commit a2fcc601c9
parent 635018aa86
2 changed files with 15 additions and 1 deletions
--- a/features.in/syslinux/cfg.in/83rescue_fm.cfg
+++ b/features.in/syslinux/cfg.in/83rescue_fm.cfg
@ -1,5 +1,5 @@
 label rescue_forensic
  menu label ^Forensic mode (leave disks alone)
  kernel alt0/vmlinuz
-  append initrd=alt0/full.cz fastboot live showopts automatic=method:cdrom ramdisk_size=@rescue_size@ stagename=rescue forensic
+  append initrd=alt0/full.cz fastboot live showopts automatic=method:cdrom ramdisk_size=@rescue_size@ stagename=rescue forensic hash=@rescue_hash@

--- a/features.in/syslinux/scripts.d/20-propagator-rescue-hash
+++ b/features.in/syslinux/scripts.d/20-propagator-rescue-hash
@ -0,0 +1,14 @@
+#!/bin/sh
+# postprocess isolinux configuration
+# to add rescue image hash, if any
+# (for propagator in forensic mode)
+
+cd "$WORKDIR"
+
+grep -qs "@rescue_hash@" syslinux/*.cfg || exit 0
+
+find -maxdepth 1 -type f -name rescue \
+| while read image; do
+	rescue_hash="$(sha256sum -b "$image" | cut -f1 -d' ')"
+	sed -i "s,@rescue_hash@,$rescue_hash," syslinux/*.cfg
+done