Hashboot

From Void Linux Wiki

Introduction

From hashboot's GitHub:

"hashboot hashes all files in /boot and the MBR to check them during early boot. It is intended for when you have encrypted the root partition but not the boot partition. The checksums and a backup of the contents of /boot are stored in /var/lib/hashboot by default. If a checksum doesn't match, you have the option to restore the file from backup. ... If there is a core- or libreboot BIOS and flashrom installed, hashboot can check the BIOS for modifications too."

This guide describes how to set up hashboot to (1) generate a new hash for all files in /boot and the MBR every time you update the kernel and (2) check the integrity of /boot every time you boot your machine.

Installation

To install hashboot, enter the command

# xbps-install -S hashboot

Set up hashboot

Hashboot installs a post-install kernel hook that generates a new hash for all files in /boot and the MBR whenever the kernel is updated. However, if you don't update your kernel right after installing hashboot, you don't yet have a hash for your /boot and MBR files. To generate one, enter the command

# hashboot index

Answer the prompts. You can leave the save directory as the default. If you don't have a machine with Libreboot or coreboot, enter 011 to verify the /boot files and the MBR. Enter 111 if you do have a Libreboot or coreboot machine, to verify the /boot files, the MBR, and the BIOS. If you're unsure, the MBR device is probably /dev/sda. Otherwise run the command

# lsblk -f

to see which device your /boot partition is on.

Usage

To verify the integrity of your files, you can enter the command

# hashboot check

If there is no output and the command exits successfully, your files match the stored checksums.

Automatically verify on every boot

To allow hashboot to automatically check the integrity of your boot files every time you boot your computer, you'll have to create a hashboot runit service. This is easier than it sounds, since the run script is already written for you. You can access it from hashboot on GitHub: https://github.com/tastytea/hashboot/blob/master/init/voidlinux-coreservice

First, make the hashboot service directory:

# mkdir -p /etc/sv/hashboot

Then make the run file:

# touch /etc/sv/hashboot/run

Then edit it:

# nano /etc/sv/hashboot/run

Paste in the contents of the linked script from GitHub, reproduced here for convenience:

# vim: set ts=4 sw=4 et:

msg "Checking boot integrity"
/usr/bin/hashboot check || emergency_shell

Now enable the hashboot service you just created by linking it into /var/service, which makes runit start it:

# ln -s /etc/sv/hashboot /var/service

Every time you start your computer now, hashboot will verify the integrity of your boot files. If a checksum doesn't match, you will be dropped into an emergency shell, where you can use the command

# hashboot recover

to replace the corrupted files with the backup hashboot creates.
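To make the index, check and recover cycle described above concrete, here is an added example (not hashboot's own code) that does in miniature what `hashboot index`, `hashboot check` and `hashboot recover` do: it checksums a directory of boot files plus the first 512 bytes of a disk image, backs the files up, detects a tampered file and a tampered "MBR", and restores the files from the backup. All paths and sample files are constructed inside a temporary directory, so it never touches the real /boot or any disk.

```sh
#!/bin/sh
# Added example, not hashboot's own code: a miniature index/check/recover
# cycle over constructed stand-ins for /boot, the MBR device and
# /var/lib/hashboot, all created inside a temporary directory.
set -u

WORK=$(mktemp -d)
BOOT="$WORK/boot"                  # stand-in for /boot
MBR="$WORK/disk.img"               # stand-in for the disk whose MBR is hashed
STORE="$WORK/var/lib/hashboot"     # stand-in for /var/lib/hashboot

# Constructed sample data: three boot files and a 1 MiB disk image whose
# first 512 bytes play the role of the MBR.
mkdir -p "$BOOT/grub" "$STORE"
printf 'kernel image\n'  > "$BOOT/vmlinuz"
printf 'initramfs\n'     > "$BOOT/initramfs.img"
printf 'grub config\n'   > "$BOOT/grub/grub.cfg"
dd if=/dev/zero of="$MBR" bs=512 count=2048 status=none
printf 'BOOTCODE' | dd of="$MBR" conv=notrunc status=none

mbr_hash() { dd if="$MBR" bs=512 count=1 status=none | sha256sum | cut -d' ' -f1; }

# index: checksum every file under BOOT plus the first 512 bytes of MBR,
# and keep a backup copy of BOOT for later recovery.
index() {
    ( cd "$BOOT" && find . -type f | sort | xargs sha256sum ) > "$STORE/boot.sha256"
    mbr_hash > "$STORE/mbr.sha256"
    rm -rf "$STORE/backup" && cp -a "$BOOT" "$STORE/backup"
}

# check: exit 0 only if every boot file and the MBR still match the index;
# this exit status is what the run script tests with `|| emergency_shell`.
check() {
    ( cd "$BOOT" && sha256sum --quiet -c "$STORE/boot.sha256" ) >/dev/null 2>&1 || return 1
    [ "$(mbr_hash)" = "$(cat "$STORE/mbr.sha256")" ]
}

# recover: put the indexed copy of the boot files back.
recover() { cp -a "$STORE/backup/." "$BOOT/"; }

index
check && echo "clean:     ok"
printf 'tampered\n' > "$BOOT/grub/grub.cfg"            # simulate a modified boot file
check || echo "tampered:  grub.cfg mismatch detected"
recover
check && echo "recovered: ok"
printf 'EVIL' | dd of="$MBR" conv=notrunc status=none  # simulate an overwritten MBR
check || echo "mbr:       mismatch detected"
```

Note that recover only restores the files that were indexed; a changed MBR stays flagged until the boot sector is rewritten and re-indexed.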