From hashboot's GitHub:
"hashboot hashes all files in /boot and the MBR to check them during early boot. It is intended for when you have encrypted the root partition but not the boot partition. The checksums and a backup of the contents of /boot are stored in /var/lib/hashboot by default. If a checksum doesn't match, you have the option to restore the file from backup. ... If there is a core- or libreboot BIOS and flashrom installed, hashboot can check the BIOS for modifications too."
This guide describes how to set up hashboot to (1) generate a new hash for all files in /boot and the MBR every time you update the kernel and (2) check the integrity of /boot every time you boot your machine.
To install hashboot, enter the command
# xbps-install -S hashboot
Set up hashboot
Hashboot installs a post-install kernel hook that generates new hashes for all files in /boot and the MBR whenever the kernel is updated. However, if you don't update your kernel immediately after installing hashboot, you don't yet have hashes for your /boot files and the MBR. To generate them, enter the command
# hashboot index
Answer the prompts. You can leave the save directory as the default. If you don't have a machine with Libreboot or coreboot, enter 011 to verify the /boot files and the MBR. Enter 111 if you have a machine with Libreboot or coreboot to verify the /boot files, the MBR, and the BIOS. The MBR device is usually /dev/sda. If you're unsure, run the command
# lsblk -f
to see which device your /boot partition is on.
To verify the integrity of your files, you can enter the command
# hashboot check
If there is no output, the integrity of your files is verified.
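To show what the index and check steps above actually do, here is an added illustration (example code, not hashboot's own): it hashes every file under a boot directory plus the first 512 bytes of a disk (the MBR) into a checksum file, then verifies against it. The boot directory, device, database path and the demo's sample files are all constructed for the example rather than the real /boot and /dev/sda.

```shell
#!/bin/sh
# Added illustration (not hashboot's own code): index every regular file under
# a boot directory plus the first 512 bytes of a disk (the MBR), then verify.
# Directory, device and database are parameters so the demo below can run on a
# constructed sample tree instead of the real /boot and /dev/sda.

mbr_sum() {                      # sha256 of the first 512 bytes of $1
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

index_boot() {                   # index_boot BOOT_DIR MBR_DEVICE DB_FILE
    (cd "$1" && find . -type f -exec sha256sum {} + | sort) > "$3"
    printf '%s  MBR\n' "$(mbr_sum "$2")" >> "$3"   # MBR pseudo-entry
}

# check_boot BOOT_DIR MBR_DEVICE DB_FILE: prints each changed or missing entry,
# returns 1 if anything differs (a file added to BOOT_DIR is not detected).
check_boot() {
    status=0
    while read -r expected name; do
        if [ "$name" = MBR ]; then
            actual=$(mbr_sum "$2")
        else
            actual=$(sha256sum "$1/$name" 2>/dev/null | cut -d' ' -f1)
        fi
        [ "$actual" = "$expected" ] || { echo "MISMATCH: $name"; status=1; }
    done < "$3"
    return $status
}

# Demo on constructed data: returns 0 only if the clean tree verifies and a
# one-byte change to the fake MBR is caught.
demo_hashboot() {
    t=$(mktemp -d)
    mkdir "$t/boot"
    printf 'fake kernel' > "$t/boot/vmlinuz"
    printf 'fake initramfs' > "$t/boot/initramfs.img"
    dd if=/dev/zero of="$t/disk.img" bs=512 count=4 2>/dev/null
    index_boot "$t/boot" "$t/disk.img" "$t/hashboot.db"
    check_boot "$t/boot" "$t/disk.img" "$t/hashboot.db" || return 1
    printf 'X' | dd of="$t/disk.img" bs=1 count=1 conv=notrunc 2>/dev/null
    if check_boot "$t/boot" "$t/disk.img" "$t/hashboot.db"; then return 1; fi
    rm -rf "$t"
}

demo_hashboot && echo "demo: clean tree verified, tampered MBR detected"
```

Like hashboot's check, a clean run prints nothing from check_boot; a changed or missing entry is named on its own line.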
Automatically verify on every boot
To allow hashboot to automatically check the integrity of your boot files every time you boot your computer, you'll have to create a hashboot runit service. This is easier than it sounds, since the run script is already written for you. You can access it from hashboot on GitHub: https://github.com/tastytea/hashboot/blob/master/init/voidlinux-coreservice
First, make the hashboot service directory:
# mkdir -p /etc/sv/hashboot
Then make the run file:
# touch /etc/sv/hashboot/run
Then edit it:
# nano /etc/sv/hashboot/run
Make it contain the contents of the linked script on GitHub. For ease of access, the contents of the script are as follows:
# vim: set ts=4 sw=4 et:
msg "Checking boot integrity"
/usr/bin/hashboot check || emergency_shell
Now start the hashboot service you just created:
# ln -s /etc/sv/hashboot /var/service
Every time you start your computer now, hashboot will verify the integrity of your boot files. If they can't be verified, you will be brought to an emergency shell, where you can use the command
# hashboot recover
to replace the corrupted files with the backup hashboot creates.